
Allow enforcing object ownership on S3 buckets

Open wiegandf opened this issue 3 years ago • 7 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

We would like to follow the best practices by AWS and disable ACLs and enforce object ownership. See references below. I know that we could set it with aws_s3_bucket_ownership_controls, but this would not allow enforcing bucket creation with e.g. BucketOwnerEnforced (as described in the AWS example).

New or Affected Resource(s)

  • aws_s3_bucket

Potential Terraform Configuration

resource "aws_s3_bucket" "b" {
  bucket = "my-tf-test-bucket"
  object_ownership = "BucketOwnerEnforced"
}

This could also be the default value when leaving acl undefined. Currently, acl is deprecated but is private by default.

References

  • https://docs.aws.amazon.com/AmazonS3/latest/userguide/ensure-object-ownership.html#object-ownership-requiring-bucket-owner-enforced

wiegandf avatar Aug 31 '22 09:08 wiegandf

I can try to take a look at this if that's alright.

teddylear avatar Sep 01 '22 21:09 teddylear

@wiegandf does the following not work? If not, that's a bug

resource "aws_s3_bucket" "b" {
  bucket = "my-tf-test-bucket"
}

resource "aws_s3_bucket_ownership_controls" "b" {
  bucket = aws_s3_bucket.b.bucket

  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

gdavison avatar Sep 14 '22 16:09 gdavison

Creating them in separate resources doesn't work when you want to enforce BucketOwnerEnforced on all new S3 buckets.

wiegandf avatar Sep 15 '22 05:09 wiegandf
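The gap being discussed here is the difference between being able to set ownership controls and being able to guarantee that every new bucket gets them: with two separate resources, the second one can simply be left out. Until the provider offers a bucket-level attribute, the usual way to close that gap is a policy check on the plan. The following is an added example, not code from this issue thread or from the provider, of such a check written in Python over the JSON that `terraform show -json tfplan` produces. The plan document embedded in it is constructed by hand in the shape of that output (only the fields the check reads), and the resource addresses and bucket names in it are invented for illustration.

```python
"""Flag aws_s3_bucket resources created by a Terraform plan without a matching
aws_s3_bucket_ownership_controls rule of BucketOwnerEnforced.

Usage: python check_ownership.py [plan.json]
With no argument the constructed sample plan below is checked.
"""
import json
import sys

REQUIRED = "BucketOwnerEnforced"

# Constructed sample in the shape of `terraform show -json tfplan` output,
# trimmed to the fields this check reads. Not captured from a real run;
# all addresses and bucket names are invented.
CONSTRUCTED_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        # Compliant: bucket plus an enforced ownership rule.
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {"bucket": "example-logs"}}},
        {"address": "aws_s3_bucket_ownership_controls.logs",
         "type": "aws_s3_bucket_ownership_controls",
         "change": {"actions": ["create"],
                    "after": {"bucket": "example-logs",
                              "rule": [{"object_ownership": "BucketOwnerEnforced"}]}}},
        # Explicitly weaker rule (ACLs stay enabled).
        {"address": "aws_s3_bucket.uploads", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {"bucket": "example-uploads"}}},
        {"address": "aws_s3_bucket_ownership_controls.uploads",
         "type": "aws_s3_bucket_ownership_controls",
         "change": {"actions": ["create"],
                    "after": {"bucket": "example-uploads",
                              "rule": [{"object_ownership": "ObjectWriter"}]}}},
        # Ownership controls resource forgotten entirely.
        {"address": "aws_s3_bucket.scratch", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {"bucket": "example-scratch"}}},
        # Bucket name computed at apply time (e.g. bucket_prefix): cannot be
        # matched to a rule by name, so it is reported rather than silently passed.
        {"address": "aws_s3_bucket.prefixed", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {},
                    "after_unknown": {"bucket": True}}},
        # Pre-existing bucket, untouched by this plan: out of scope for "new buckets".
        {"address": "aws_s3_bucket.old", "type": "aws_s3_bucket",
         "change": {"actions": ["no-op"], "after": {"bucket": "example-old"}}},
    ],
}


def _creates(rc: dict) -> bool:
    """True if this resource change creates the resource."""
    return "create" in rc.get("change", {}).get("actions", [])


def find_violations(plan: dict) -> dict[str, str]:
    """Map each newly created aws_s3_bucket address to the reason it fails the policy."""
    changes = plan.get("resource_changes", [])

    # Pass 1: collect the object_ownership being created, keyed by bucket name.
    rules: dict[str, str] = {}
    for rc in changes:
        if rc.get("type") != "aws_s3_bucket_ownership_controls" or not _creates(rc):
            continue
        after = rc["change"].get("after") or {}
        for rule in after.get("rule") or []:
            rules[after.get("bucket")] = rule.get("object_ownership")

    # Pass 2: every newly created bucket must have an enforced rule.
    violations: dict[str, str] = {}
    for rc in changes:
        if rc.get("type") != "aws_s3_bucket" or not _creates(rc):
            continue
        after = rc["change"].get("after") or {}
        name = after.get("bucket")
        if name is None:
            violations[rc["address"]] = (
                "bucket name unknown at plan time; ownership controls cannot be verified")
            continue
        got = rules.get(name)
        if got is None:
            violations[rc["address"]] = (
                "no aws_s3_bucket_ownership_controls is created for this bucket")
        elif got != REQUIRED:
            violations[rc["address"]] = f"object_ownership is {got}, expected {REQUIRED}"
    return violations


def main(argv: list[str]) -> int:
    """Exit non-zero (for use as a CI gate) when any new bucket violates the policy."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            plan = json.load(fh)
    else:
        plan = CONSTRUCTED_PLAN
    violations = find_violations(plan)
    for address, reason in sorted(violations.items()):
        print(f"{address}: {reason}")
    return 1 if violations else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the constructed plan it reports the ObjectWriter bucket, the bucket with no ownership resource, and the bucket whose name is only known at apply time, and leaves the compliant and pre-existing buckets alone. Treating an unknown bucket name as a finding rather than a pass is deliberate: a check that silently passes whatever it cannot match is the same hole the issue describes, just moved into CI. The check flags an explicitly weaker rule as well as an absent one, which is what matters when the goal is that no Terraform-managed bucket keeps ACLs enabled.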

Hey sorry haven't had time to work on this if someone else wants to.

@wiegandf One question for someone else that wants to pick this up, should there be a default value for this (or is one set by AWS?) if this is not set on bucket creation?

teddylear avatar Oct 05 '22 21:10 teddylear

If you go to the AWS console, you can see that BucketOwnerEnforced is the default object ownership when creating s3 buckets (with ACLs disabled).

wiegandf avatar Oct 19 '22 06:10 wiegandf

#28353 Hope that since AWS officially posted this, we'll get a higher attention

gflex avatar Dec 14 '22 22:12 gflex

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

github-actions[bot] avatar Dec 04 '24 17:12 github-actions[bot]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

github-actions[bot] avatar Feb 04 '25 02:02 github-actions[bot]