Merge pull request #100 from answerdigital/route53-redirect-bucket-ownership

cmbuckley · web-flow · commit 911452f2a9d0 · 2023-10-13T11:31:53.000+01:00
Add Object Ownership to enable ACLs for redirect bucket
diff --git a/modules/aws/route53/README.md b/modules/aws/route53/README.md
@@ -33,6 +33,7 @@ The module also simplifies a few boilerplate records at the apex for security pu
 | [aws_route53_zone.redirect_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource |
 | [aws_s3_bucket.redirect](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket_acl.redirect](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
+| [aws_s3_bucket_ownership_controls.redirect](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
 | [aws_s3_bucket_website_configuration.redirect](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_website_configuration) | resource |
 
 ## Inputs
diff --git a/modules/aws/route53/aliases.tf b/modules/aws/route53/aliases.tf
@@ -3,10 +3,19 @@ resource "aws_s3_bucket" "redirect" {
   bucket   = each.key
 }
 
-resource "aws_s3_bucket_acl" "redirect" {
+resource "aws_s3_bucket_ownership_controls" "redirect" {
   for_each = toset(concat(var.aliases, [for a in var.aliases : "www.${a}"]))
   bucket   = aws_s3_bucket.redirect[each.key].bucket
-  acl      = "private"
+  rule {
+    object_ownership = "ObjectWriter"
+  }
+}
+
+resource "aws_s3_bucket_acl" "redirect" {
+  for_each   = toset(concat(var.aliases, [for a in var.aliases : "www.${a}"]))
+  depends_on = [aws_s3_bucket_ownership_controls.redirect]
+  bucket     = aws_s3_bucket.redirect[each.key].bucket
+  acl        = "private"
 }
 
 resource "aws_s3_bucket_website_configuration" "redirect" {
