S3 module upgrade fails with AccessControlListNotSupported when bucket_ownership is set to BucketOwnerEnforced #674

sewmiuraj · 2023-03-01T16:00:08Z

sewmiuraj
Mar 1, 2023

Hello,

I am currently upgrading my S3 modules to v.0.95.1. In this version, it is shown in the plan that it wishes to create an acl:

# module.s3_bucket_primary.aws_s3_bucket_acl.bucket[0] will be created
  + resource "aws_s3_bucket_acl" "bucket" {
      + acl    = "private"
      + bucket = "xxx"
      + id     = (known after apply)

      + access_control_policy {
          + grant {
              + permission = (known after apply)

              + grantee {
                  + display_name  = (known after apply)
                  + email_address = (known after apply)
                  + id            = (known after apply)
                  + type          = (known after apply)
                  + uri           = (known after apply)
                }
            }

          + owner {
              + display_name = (known after apply)
              + id           = (known after apply)
            }
        }
    }

However, upon apply I am recieving the error:

Error: error creating S3 bucket ACL for xxx: AccessControlListNotSupported: The bucket does not allow ACLs.

This is probably because we have set: bucket_ownership = "BucketOwnerEnforced"

Is there a way for me to not create this acl by default when bucket ownership is set to BucketOwnerEnforced?

Tracked in ticket #109942

Answered by Etiene

Mar 3, 2023

Hi sewmiuraj, it seems that the child module private-s3-bucket has a var.acl variable that can be set to null. This variable doesn't seem to be exposed in the service catalog yet. I'll see if I have the time to spin a PR to address this, but you could also try, in the meantime, modifying the module to pass acl as null.

View full answer

Etiene · 2023-03-03T15:14:58Z

Etiene
Mar 3, 2023

Hi sewmiuraj, it seems that the child module private-s3-bucket has a var.acl variable that can be set to null. This variable doesn't seem to be exposed in the service catalog yet. I'll see if I have the time to spin a PR to address this, but you could also try, in the meantime, modifying the module to pass acl as null.

0 replies

marinalimeira · 2023-04-12T14:04:18Z

marinalimeira
Apr 12, 2023

Issue fixed in the private-s3-bucket: https://github.com/gruntwork-io/terraform-aws-security/pull/751

1 reply

drafie Jun 27, 2023

I bumped _envcommon/data-stores/s3.hcl to v0.68.1 but still get this error.

source = "git::[email protected]:gruntwork-io/terraform-aws-security.git//modules/private-s3-bucket?ref=v0.68.1"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Gruntwork

S3 module upgrade fails with AccessControlListNotSupported when bucket_ownership is set to BucketOwnerEnforced #674

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 2 comments 1 reply

{{title}}

{{title}}

{{title}}

Select a reply

Gruntwork

S3 module upgrade fails with AccessControlListNotSupported when bucket_ownership is set to BucketOwnerEnforced #674

sewmiuraj Mar 1, 2023

Replies: 2 comments · 1 reply

Etiene Mar 3, 2023

marinalimeira Apr 12, 2023

drafie Jun 27, 2023

sewmiuraj
Mar 1, 2023

Replies: 2 comments 1 reply

Etiene
Mar 3, 2023

marinalimeira
Apr 12, 2023