
Commit f1b6ec3

max-lobur, cloudpossebot, nitrocode authored
Add S3 bucket ownership controls (#61)
* Add S3 bucket ownership controls
* Auto Format
* fix count
* use sane name
* Auto Format
* Fix dependency
* add time version
* add count
* Auto Format
* increase timeout
* copy from s3 bucket
* Auto Format
* Update versions.tf
  Co-authored-by: nitrocode <[email protected]>
* Auto Format
* Update versions.tf
  Co-authored-by: nitrocode <[email protected]>
* Auto Format

Co-authored-by: cloudpossebot <[email protected]>
Co-authored-by: nitrocode <[email protected]>
1 parent 2c2fac8 commit f1b6ec3

4 files changed

+39
-5
lines changed

README.md

Lines changed: 6 additions & 2 deletions
@@ -141,13 +141,15 @@ Available targets:
141141
| Name | Version |
142142
|------|---------|
143143
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.0 |
144-
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 2.0 |
144+
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.0 |
145+
| <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.7 |
145146

146147
## Providers
147148

148149
| Name | Version |
149150
|------|---------|
150-
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 2.0 |
151+
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.0 |
152+
| <a name="provider_time"></a> [time](#provider\_time) | >= 0.7 |
151153

152154
## Modules
153155

@@ -161,9 +163,11 @@ Available targets:
161163
|------|------|
162164
| [aws_s3_bucket.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
163165
| [aws_s3_bucket_notification.bucket_notification](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_notification) | resource |
166+
| [aws_s3_bucket_ownership_controls.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
164167
| [aws_s3_bucket_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
165168
| [aws_s3_bucket_public_access_block.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
166169
| [aws_sqs_queue.notifications](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
170+
| [time_sleep.wait_for_aws_s3_bucket_settings](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
167171
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
168172
| [aws_iam_policy_document.aggregated_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
169173
| [aws_iam_policy_document.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
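Review bot: the two new rows (`aws_s3_bucket_ownership_controls.default` and `time_sleep.wait_for_aws_s3_bucket_settings`) are the only place the README records this behaviour change, and no new input is documented anywhere in the diff, so a consumer cannot tell from the README that every enabled bucket now gets `BucketOwnerPreferred` applied unconditionally, or that the setting only transfers ownership when the uploader sends the `bucket-owner-full-control` canned ACL (as the main.tf comment itself states). Suggest a short paragraph in the README body stating both points and noting the extra 30s create/destroy delay introduced by the `time_sleep` resource, rather than leaving the generated resource table to carry it.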

docs/terraform.md

Lines changed: 6 additions & 2 deletions
@@ -4,13 +4,15 @@
44
| Name | Version |
55
|------|---------|
66
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.0 |
7-
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 2.0 |
7+
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.0 |
8+
| <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.7 |
89

910
## Providers
1011

1112
| Name | Version |
1213
|------|---------|
13-
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 2.0 |
14+
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.0 |
15+
| <a name="provider_time"></a> [time](#provider\_time) | >= 0.7 |
1416

1517
## Modules
1618

@@ -24,9 +26,11 @@
2426
|------|------|
2527
| [aws_s3_bucket.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
2628
| [aws_s3_bucket_notification.bucket_notification](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_notification) | resource |
29+
| [aws_s3_bucket_ownership_controls.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
2730
| [aws_s3_bucket_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
2831
| [aws_s3_bucket_public_access_block.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
2932
| [aws_sqs_queue.notifications](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
33+
| [time_sleep.wait_for_aws_s3_bucket_settings](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
3034
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
3135
| [aws_iam_policy_document.aggregated_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
3236
| [aws_iam_policy_document.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

main.tf

Lines changed: 22 additions & 0 deletions
@@ -178,3 +178,25 @@ resource "aws_s3_bucket_public_access_block" "default" {
178178
ignore_public_acls = var.ignore_public_acls
179179
restrict_public_buckets = var.restrict_public_buckets
180180
}
181+
182+
# Per https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html
183+
# It is safe to always set to BucketOwnerPreferred. The bucket owner will own the object
184+
# if the object is uploaded with the bucket-owner-full-control canned ACL. Without
185+
# this setting and canned ACL, the object is uploaded and remains owned by the uploading account.
186+
resource "aws_s3_bucket_ownership_controls" "default" {
187+
count = module.this.enabled ? 1 : 0
188+
bucket = join("", aws_s3_bucket.default.*.id)
189+
190+
rule {
191+
object_ownership = "BucketOwnerPreferred"
192+
}
193+
depends_on = [time_sleep.wait_for_aws_s3_bucket_settings]
194+
}
195+
196+
# Workaround S3 eventual consistency for settings objects
197+
resource "time_sleep" "wait_for_aws_s3_bucket_settings" {
198+
count = module.this.enabled ? 1 : 0
199+
depends_on = [aws_s3_bucket_public_access_block.default, aws_s3_bucket_policy.default]
200+
create_duration = "30s"
201+
destroy_duration = "30s"
202+
}
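Review bot: `object_ownership = "BucketOwnerPreferred"` is hardcoded and applied whenever `module.this.enabled` is true, with no variable to opt out or to pick a different value, and the comment's "safe to always set" overstates the effect: by the comment's own description, an object uploaded without the `bucket-owner-full-control` canned ACL stays owned by the uploading account, so the control is passive unless the module's bucket policy also requires that ACL on cross-account writes. Suggest driving the value from an input (for example `object_ownership = var.s3_object_ownership`, name hypothetical) with a `validation` block, and either mentioning the ACL requirement in the module documentation or adding the matching condition to `aws_iam_policy_document.bucket_policy`. Second, the `time_sleep` workaround only pauses when the sleep resource itself is created or destroyed: a later in-place change to `aws_s3_bucket_public_access_block.default` or `aws_s3_bucket_policy.default` does not re-trigger it, so the 30s only covers the initial apply; if the intent is to cover updates too, key the sleep to those dependencies via the time provider's `triggers` argument, and consider exposing the two 30s durations as inputs instead of magic numbers.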

versions.tf

Lines changed: 5 additions & 1 deletion
@@ -4,7 +4,11 @@ terraform {
44
required_providers {
55
aws = {
66
source = "hashicorp/aws"
7-
version = ">= 2.0"
7+
version = ">= 3.0"
8+
}
9+
time = {
10+
source = "hashicorp/time"
11+
version = ">= 0.7"
812
}
913
}
1014
}
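Review bot: raising the aws provider floor from `>= 2.0` to `>= 3.0` is a breaking change for any root module still pinned to a 2.x provider, yet neither this hunk nor the commit message says why 3.0 is required (presumably because `aws_s3_bucket_ownership_controls` does not exist in 2.x) or flags the bump for consumers. Suggest recording the reason in the commit message or changelog, and, if the real floor is the release that introduced that resource, pinning to that minor version rather than the round `>= 3.0` so the constraint documents its own justification; the new `time` block matches the existing style and needs no change.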
