And this is where I’m a bit stuck because terraform tells me that grant is an unsupported block type here.
I understand the reason why, but how can I proceed then? I know I could use a local-exec provisioner to call the AWS CLI myself but I was wondering if there was a solution with only Terraform.
As the bucket is not managed by Terraform you aren’t able to do anything other than retrieve information via the data source.
You either need to change the bucket to be managed by Terraform (terraform import and a resource in your code) or make the change you are wanting using whatever mechanism you are currently using to manage that bucket.
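An added illustration of the import-and-manage route (not code from this thread): it assumes Terraform 1.5+ (for the `import` block), AWS provider v4+ (where ACL grants live on `aws_s3_bucket_acl`, not on a `grant` block of `aws_s3_bucket`), and placeholder values for the bucket name and grantee canonical ID.

```hcl
# Added example, not from the thread. Assumes Terraform >= 1.5 and AWS
# provider v4+. "existing-bucket-name" and the grantee ID are placeholders.

data "aws_canonical_user_id" "current" {}

# Bring the already-existing bucket into state instead of creating a new one.
# CLI equivalent: terraform import aws_s3_bucket.existing existing-bucket-name
import {
  to = aws_s3_bucket.existing
  id = "existing-bucket-name"
}

resource "aws_s3_bucket" "existing" {
  bucket = "existing-bucket-name"
}

# PutBucketAcl replaces the whole ACL, so every grant that must survive has to
# be declared here, including the owner's FULL_CONTROL. Grant the minimum
# permission to a specific canonical user rather than to a public group URI.
resource "aws_s3_bucket_acl" "existing" {
  bucket = aws_s3_bucket.existing.id

  access_control_policy {
    owner {
      id = data.aws_canonical_user_id.current.id
    }

    grant {
      grantee {
        id   = data.aws_canonical_user_id.current.id
        type = "CanonicalUser"
      }
      permission = "FULL_CONTROL"
    }

    grant {
      grantee {
        # Placeholder: canonical user ID of the account being granted access.
        id   = "PLACEHOLDER_GRANTEE_CANONICAL_USER_ID"
        type = "CanonicalUser"
      }
      permission = "READ"
    }
  }
}
```

If the bucket's object ownership setting is BucketOwnerEnforced, ACLs are disabled and this resource will fail to apply; a bucket policy is the supported alternative in that case.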
Ok, that’s what I thought.
Sad thing is that had the grants been objects in and of themselves, I could have added them via terraform, like what can be done with the link between an IAM policy and an IAM role.
What is and isn’t separated into separate resource types is often determined by the design of the underlying remote API: if the API doesn’t have a separate operation for creating, updating, and deleting just the sub-object then a Terraform provider typically can’t safely provide that operation separately either.
If this “grant” block type does represent something that has extra management actions in the S3 API then the AWS provider team may be open to supporting it as a separate resource type, if you share your use-case in their GitHub repository.