Allow to enforce object ownership on S3 buckets

[wiegandf]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

We would like to follow the best practices by AWS and disable ACL and enforce object ownership. See references below. I know that we could set it with aws_s3_bucket_ownership_controls, but this would not allow to enforce bucket creation with e.g. BucketOwnerEnforced (as described in the AWS example).

New or Affected Resource(s)

• aws_s3_bucket

Potential Terraform Configuration

resource "aws_s3_bucket" "b" {
  bucket = "my-tf-test-bucket"
  object_ownership = "BucketOwnerEnforced"
}

This could also be the default value when leaving acl undefined. Currently, acl is deprecated but is private by default.

References

• https://docs.aws.amazon.com/AmazonS3/latest/userguide/ensure-object-ownership.html#object-ownership-requiring-bucket-owner-enforced

[teddylear]

I can try to take a look at this if that's alright.

[gdavison]

@wiegandf does the following not work? If not, that's a bug

resource "aws_s3_bucket" "b" {
  bucket = "my-tf-test-bucket"
}

resource "aws_s3_bucket_ownership_controls" "b" {
  bucket = aws_s3_bucket.b.bucket

  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

[wiegandf]

Creating them in separate resources doesn't work when you want to enforce BucketOwnerEnforced on all new s3 buckets.

[teddylear]

Hey sorry haven't had time to work on this if someone else wants to.

@wiegandf One question for someone else that wants to pick this up, should there be a default value for this (or is one set by AWS?) if this is not set on bucket creation?

[wiegandf]

If you go to the AWS console, you can see that BucketOwnerEnforced is the default object ownership when creating s3 buckets (with ACLs disabled).

[gflex]

28353
Hope that since AWS officially posted this, we'll get a higher attention

[github-actions]

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.