From 6d891a07d1defd9cc2db918e00198e93714bf9f5 Mon Sep 17 00:00:00 2001
From: Hugo Shaka
Date: Mon, 24 Apr 2023 16:33:32 -0400
Subject: [PATCH] terraform: enable ACLs in the certs bucket
---
 examples/aws/terraform/ha-autoscale-cluster/s3.tf | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/examples/aws/terraform/ha-autoscale-cluster/s3.tf b/examples/aws/terraform/ha-autoscale-cluster/s3.tf
index 1880b7cf10541..ac406fecad7e9 100644
--- a/examples/aws/terraform/ha-autoscale-cluster/s3.tf
+++ b/examples/aws/terraform/ha-autoscale-cluster/s3.tf
@@ -7,8 +7,9 @@ resource "aws_s3_bucket" "certs" {
 }
 resource "aws_s3_bucket_acl" "certs" {
- bucket = aws_s3_bucket.certs.bucket
- acl = "private"
+ depends_on = [aws_s3_bucket_ownership_controls.certs]
+ bucket = aws_s3_bucket.certs.bucket
+ acl = "private"
 }
 // For demo purposes, CMK is not needed
@@ -23,6 +24,14 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "certs" {
 }
 }
+resource "aws_s3_bucket_ownership_controls" "certs" {
+ bucket = aws_s3_bucket.certs.id
+
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
+}
+
 resource "aws_s3_bucket_versioning" "certs" {
 bucket = aws_s3_bucket.certs.bucket
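Review bot: The `depends_on` added to `aws_s3_bucket_acl.certs` carries no comment saying why an explicit ordering is needed. Terraform cannot infer it, because the ACL resource references no attribute of the ownership-controls resource. A one-line comment above it, such as `// ACLs can only be applied once ownership controls enable them`, would keep a later cleanup from dropping the dependency and presumably bringing back the apply failure this commit works around.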
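Review bot: `object_ownership = "BucketOwnerPreferred"` turns ACLs back on for the certs bucket, apparently only so that the existing `acl = "private"` resource can apply. With `object_ownership = "BucketOwnerEnforced"` ACLs stay disabled and access is governed by policies alone, so the tighter option is that value together with removing the `aws_s3_bucket_acl` resource. If ACLs have to stay enabled, a comment giving the reason would help, and it is worth confirming that the file defines an `aws_s3_bucket_public_access_block` for this bucket, since none is visible in these hunks. As a smaller style point, the new resource references `aws_s3_bucket.certs.id` while the neighbouring resources use `aws_s3_bucket.certs.bucket`.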