Handling aws_s3_bucket.acl deprecation

rquadling · July 21, 2022, 3:05pm

Hopefully this is a simple issue that I’ve not understood from the documentation.

I’ve currently got

resource "aws_s3_bucket" "cf_s3_bucket" {
  bucket = "my-bucket"
  acl    = "public-read"
  ...
}

and I’m in the process of upgrading the configuration so that I can remove the deprecated property/blocks in favour of the new resources. The documentation does say that having both the deprecated elements and the new resources is a bad thing and so removal of the deprecated elements is where I’m trying to end up.

And so, I’ve got this resource

resource "aws_s3_bucket_acl" "cf_s3_bucket" {
  bucket                = aws_s3_bucket.cf_s3_bucket.id
  acl                   = "public-read"
  expected_bucket_owner = var.account_id
}

I’ve run the relevant terraform imports of the existing ACL config and the plan is clean.

If I now remove the deprecated acl property,

resource "aws_s3_bucket" "cf_s3_bucket" {
  bucket = "my-bucket"
#  acl    = "public-read"
  ...
}

the plan now says that this is going back to a private acl

  # module.my-website.aws_s3_bucket.cf_s3_bucket will be updated in-place
  ~ resource "aws_s3_bucket" "cf_s3_bucket" {
      ~ acl = "public-read" -> "private"
        id  = "my-bucket"
...

So I am unsure how to proceed. Leaving both the deprecated property and the new resource in play is a bad move. Removing the deprecated property results in a inappropriate configuration change in the plan.

But, leaving the property with a big comment saying that it must match the new resource does seem to “work”, once the terraform import is done.

rgreenberg · April 26, 2023, 11:17pm

I’m stuck on the exact same thing. Did you figure this out?

AnujNautiyal1956 · May 30, 2023, 11:27am

@rquadling @rgreenberg
As already mentioned this in line with the AWS ACL deprecation notice .
For resources being created with terraform , you would need to explicitly add an aws_s3_bucket_ownership_controls resource which is added when we need to set an object_ownership other than the default which is BucketOwnerEnforced.
You would need to add something like THIS.

Your code should look something like this post changes :

resource “aws_s3_bucket” “cf_s3_bucket” {
bucket = “my-bucket”
…
}

resource "aws_s3_bucket_ownership_controls" "example" {
  bucket = aws_s3_bucket.cf_s3_bucket.id
  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

resource "aws_s3_bucket_public_access_block" "example" {
  bucket = aws_s3_bucket.cf_s3_bucket.id

  block_public_acls       = false
  block_public_policy     = false
  ignore_public_acls      = false
  restrict_public_buckets = false
}

resource "aws_s3_bucket_acl" "example" {
  depends_on = [
    aws_s3_bucket_ownership_controls.example,
    aws_s3_bucket_public_access_block.example,
  ]

  bucket = aws_s3_bucket.cf_s3_bucket.id
  acl    = "public-read"
}

Hope this helps .

Anuj

Topic		Replies	Views
Deprecated option working, but non-deprecated variant is not working AWS	0	267	July 11, 2022
`aws_s3_bucket` refactor, AFTER moving from AWS v `3.7.x` to `4.3.x`. also creating a prevent destroy lifecycle rule AWS	0	533	October 27, 2022
Terraform resource with this ID doesn't exist Terraform	2	2824	September 15, 2020
Confused by the wording on aws_default_network_acl Terraform	0	589	March 26, 2021
Adding a sub object to a data resource Terraform	4	539	December 14, 2021

Handling aws_s3_bucket.acl deprecation

Related topics