Support disabling bucket ACL

sdickenson · sdickenson · commit 236a8c94f52d · 2023-11-17T21:52:39.000-05:00
diff --git a/main.tf b/main.tf
@@ -22,6 +22,8 @@ resource "aws_s3_bucket" "this" {
 }
 
 resource "aws_s3_bucket_acl" "this" {
+  count = var.object_ownership == "BucketOwnerEnforced" ? 0 : 1
+
   bucket = aws_s3_bucket.this.id
   acl    = "log-delivery-write"
 }
@@ -73,6 +75,14 @@ resource "aws_s3_bucket_public_access_block" "this" {
   restrict_public_buckets = true
 }
 
+resource "aws_s3_bucket_ownership_controls" "this" {
+  bucket = aws_s3_bucket.this.id
+
+  rule {
+    object_ownership = var.object_ownership
+  }
+}
+
 resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
   bucket = aws_s3_bucket.this.bucket
 
diff --git a/variables.tf b/variables.tf
@@ -51,6 +51,11 @@ variable "lifecycle_rules" {
   }))
 }
 
+variable "object_ownership" {
+  default     = "BucketOwnerPreferred"
+  description = "Specifies S3 object ownership control. Defaults to BucketOwnerPreferred for backwards-compatibility. Recommended value is BucketOwnerEnforced."
+}
+
 variable "tags" {
   default     = {}
   description = "Tags to add to supported resources"
