Add Object Ownership ACLs disabled for S3 buckets

[praddc]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Add ability to disable S3 bucket ACLs for a given bucket, as announced here.

(Since the rule block in aws_s3_bucket_ownership_controls is currently required, to ensure it stays backwards compatible, we can add the new setting to the rule block.

New or Affected Resource(s)

• aws_s3_bucket_ownership_controls

Potential Terraform Configuration

resource "aws_s3_bucket_ownership_controls" "example" {
  bucket = aws_s3_bucket.example.id
  rule {
    acls_disabled = true
  }
}

References

• https://aws.amazon.com/about-aws/whats-new/2021/11/amazon-s3-object-ownership-simplify-access-management-data-s3/

[ewbankkit]

Relates #22010.
Relates #21980.

[lachlancooper]

This is effectively implemented via the object_ownership = "BucketOwnerEnforced" rule, which is already supported and was added to the provider documentation in #22010.

According to the upstream documentation, using the "enforced" setting has the effect of disabling ACLs: https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html

[KyleKotowick]

Relates #22271.

[StevieBowman]

@lachlancooper This Issue is slightly different to the one in #22010. #22010 relates to the PutBucketOwnershipControls API (https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketOwnershipControls.html). A different approach is that BucketOwnerEnforced can also be set on the CreateBucket API using x-amz-object-ownership header (https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateBucket.html). Where this becomes an issue is if you try implement the AWS Service Control Policy

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RequireBucketOwnerFullControl",
"Action": "s3:CreateBucket",
"Effect": "Deny",
"Resource": "*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-object-ownership": "BucketOwnerEnforced"
}
}
}
]
}

https://docs.aws.amazon.com/AmazonS3/latest/userguide/ensure-object-ownership.html

Since the Deny is done on the CreateBucket API then the PutBucketOwnershipControls will fail since the API is after CreateBucket API. At it stands, it is not possible to implement this AWS Service Control Policy if using Terraform.

[nc-dirknilius]

Already there:

resource "aws_s3_bucket_ownership_controls" "disable_s3_acl" {
  bucket = "your-bucket"

  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

See: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls

[lachlancooper]

This issue was raised against the aws_s3_bucket_ownership_controls resource specifically. Since it's already supported, I think this can be closed.

However, as noted by @StevieBowman, being able to create a bucket with a specific object ownership setting from the beginning is necessary if a user wants to disable ACLs on all buckets as AWS recommend. This would need to be implemented as an argument on the aws_s3_bucket resource, so perhaps it's best to create a separate issue for that enhancement.

[gerardokaztro]

I put my comment on another issue: #22271 (comment)

[justinretzolk]

Since this was resolved (see #22069 (comment) above), I'll mark this issue as closed and continue the additional discussions as needed over on #22271. If you feel I've done this in error, please do let me know.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.