From 3479f4afd89c73207823be3ae387a8f894b75556 Mon Sep 17 00:00:00 2001
From: Arnaud Meukam
Date: Fri, 17 Oct 2025 12:20:40 +0200
Subject: [PATCH] AWS: Update S3 ACL resource for kOps state store

Ensure E2E tests can push objects to the bucket state store.

Signed-off-by: Arnaud Meukam
---
 infra/aws/terraform/kops-infra-ci/main.tf | 51 -------------
 infra/aws/terraform/kops-infra-ci/s3.tf | 87 +++++++++++++++++++++++
 2 files changed, 87 insertions(+), 51 deletions(-)
 create mode 100644 infra/aws/terraform/kops-infra-ci/s3.tf

diff --git a/infra/aws/terraform/kops-infra-ci/main.tf b/infra/aws/terraform/kops-infra-ci/main.tf
index ca6c5e7773c..b6fae394d75 100644
--- a/infra/aws/terraform/kops-infra-ci/main.tf
+++ b/infra/aws/terraform/kops-infra-ci/main.tf
@@ -34,54 +34,3 @@ resource "aws_iam_openid_connect_provider" "google_prow_idp" {
 "region" = data.aws_region.current.region
 })
 }
-
-## Used by kOps to store the state of the kOps created
-resource "aws_s3_bucket" "kops_state_store" {
- provider = aws.kops-infra-ci
- bucket = "k8s-kops-ci-prow-state-store"
- tags = merge(var.tags, var.janitor_tags, {
- "region" = data.aws_region.current.region
- })
-}
-
-resource "aws_s3_bucket_ownership_controls" "kops_state_store" {
- provider = aws.kops-infra-ci
- bucket = aws_s3_bucket.kops_state_store.id
- rule {
- object_ownership = "BucketOwnerEnforced"
- }
-}
-
-
-## Used by kOps for hosting OIDC documents
-resource "aws_s3_bucket" "kops_oidc_store" {
- provider = aws.kops-infra-ci
- bucket = "k8s-kops-ci-prow"
- tags = merge(var.tags, var.janitor_tags, {
- "region" = data.aws_region.current.region
- })
-}
-
-resource "aws_s3_bucket_ownership_controls" "kops_oidc_store" {
- provider = aws.kops-infra-ci
- bucket = aws_s3_bucket.kops_oidc_store.id
- rule {
- object_ownership = "BucketOwnerPreferred"
- }
-}
-
-resource "aws_s3_bucket_public_access_block" "kops_oidc_store" {
- provider = aws.kops-infra-ci
- bucket = aws_s3_bucket.kops_oidc_store.id
-
- block_public_acls = false
- block_public_policy = false
- ignore_public_acls = false
- restrict_public_buckets = false
-}
-
-resource "aws_s3_bucket_acl" "kops_oidc_store" {
- provider = aws.kops-infra-ci
- bucket = aws_s3_bucket.kops_oidc_store.id
- acl = "public-read"
-}
diff --git a/infra/aws/terraform/kops-infra-ci/s3.tf b/infra/aws/terraform/kops-infra-ci/s3.tf
new file mode 100644
index 00000000000..393da2fcfa6
--- /dev/null
+++ b/infra/aws/terraform/kops-infra-ci/s3.tf
@@ -0,0 +1,87 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+## Used by kOps to store the state of the kOps created
+resource "aws_s3_bucket" "kops_state_store" {
+ provider = aws.kops-infra-ci
+ bucket = "k8s-kops-ci-prow-state-store"
+ tags = merge(var.tags, var.janitor_tags, {
+ "region" = data.aws_region.current.region
+ })
+}
+
+resource "aws_s3_bucket_ownership_controls" "kops_state_store" {
+ provider = aws.kops-infra-ci
+ bucket = aws_s3_bucket.kops_state_store.id
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
+}
+
+resource "aws_s3_bucket_acl" "kops_state_store" {
+ provider = aws.kops-infra-ci
+ bucket = aws_s3_bucket.kops_state_store.id
+ acl = "public-read"
+
+ depends_on = [
+ aws_s3_bucket_ownership_controls.kops_state_store,
+ aws_s3_bucket_public_access_block.kops_state_store
+ ]
+}
+
+resource "aws_s3_bucket_public_access_block" "kops_state_store" {
+ provider = aws.kops-infra-ci
+ bucket = aws_s3_bucket.kops_state_store.id
+
+ block_public_acls = false
+ block_public_policy = false
+ ignore_public_acls = false
+ restrict_public_buckets = false
+}
+
+
+## Used by kOps for hosting OIDC documents
+resource "aws_s3_bucket" "kops_oidc_store" {
+ provider = aws.kops-infra-ci
+ bucket = "k8s-kops-ci-prow"
+ tags = merge(var.tags, var.janitor_tags, {
+ "region" = data.aws_region.current.region
+ })
+}
+
+resource "aws_s3_bucket_ownership_controls" "kops_oidc_store" {
+ provider = aws.kops-infra-ci
+ bucket = aws_s3_bucket.kops_oidc_store.id
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
+}
+
+resource "aws_s3_bucket_public_access_block" "kops_oidc_store" {
+ provider = aws.kops-infra-ci
+ bucket = aws_s3_bucket.kops_oidc_store.id
+
+ block_public_acls = false
+ block_public_policy = false
+ ignore_public_acls = false
+ restrict_public_buckets = false
+}
+
+resource "aws_s3_bucket_acl" "kops_oidc_store" {
+ provider = aws.kops-infra-ci
+ bucket = aws_s3_bucket.kops_oidc_store.id
+ acl = "public-read"
+}
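Review bot: The new `aws_s3_bucket_acl.kops_state_store` sets `acl = "public-read"` and `aws_s3_bucket_public_access_block.kops_state_store` turns off all four public-access guards, so every object in `k8s-kops-ci-prow-state-store` becomes readable by anyone, although the commit message only needs E2E jobs to be able to write to it. A `public-read` canned ACL grants read to AllUsers and confers no write permission, so it does not serve the stated goal; write access for other principals comes from IAM or a bucket policy, and the move from `BucketOwnerEnforced` to `BucketOwnerPreferred` already lets the bucket owner own cross-account uploads made with `bucket-owner-full-control`. Unlike the OIDC bucket, whose discovery documents must be publicly fetchable, a kOps state store normally holds the cluster spec and PKI material, so public read on it is a disclosure risk rather than a requirement. Suggest `acl = "private"` with the four `block_public_*`/`restrict_public_buckets` settings kept at `true` and the E2E writer granted `s3:PutObject` through a bucket policy or its IAM role; if the writers run in the same account, the previous `BucketOwnerEnforced` setting could be kept and the ACL resource dropped altogether.
```hcl
resource "aws_s3_bucket_acl" "kops_state_store" {
  # … unchanged: provider, bucket, depends_on …
  acl = "private"
}

resource "aws_s3_bucket_public_access_block" "kops_state_store" {
  # … unchanged: provider, bucket …
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```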