Handling aws_s3_bucket.acl deprecation

Hopefully this is a simple issue that I’ve not understood from the documentation.

I’ve currently got

resource "aws_s3_bucket" "cf_s3_bucket" {
  bucket = "my-bucket"
  acl    = "public-read"
  ...
}

and I’m in the process of upgrading the configuration so that I can remove the deprecated property/blocks in favour of the new resources. The documentation does say that having both the deprecated elements and the new resources is a bad thing and so removal of the deprecated elements is where I’m trying to end up.

And so, I’ve got this resource

resource "aws_s3_bucket_acl" "cf_s3_bucket" {
  bucket                = aws_s3_bucket.cf_s3_bucket.id
  acl                   = "public-read"
  expected_bucket_owner = var.account_id
}

I’ve run the relevant terraform imports of the existing ACL config and the plan is clean.

If I now remove the deprecated acl property,

resource "aws_s3_bucket" "cf_s3_bucket" {
  bucket = "my-bucket"
#  acl    = "public-read"
  ...
}

the plan now says that this is going back to a private acl

  # module.my-website.aws_s3_bucket.cf_s3_bucket will be updated in-place
  ~ resource "aws_s3_bucket" "cf_s3_bucket" {
      ~ acl = "public-read" -> "private"
        id  = "my-bucket"
...

So I am unsure how to proceed. Leaving both the deprecated property and the new resource in play is a bad move. Removing the deprecated property results in an inappropriate configuration change in the plan.

But, leaving the property with a big comment saying that it must match the new resource does seem to “work”, once the terraform import is done.


I’m stuck on the exact same thing. Did you figure this out?

@rquadling @rgreenberg
As already mentioned, this is in line with the AWS ACL deprecation notice.
For resources being created with Terraform, you would need to explicitly add an aws_s3_bucket_ownership_controls resource, which is added when we need to set an object_ownership other than the default, which is BucketOwnerEnforced.
You would need to add something like THIS.

Your code should look something like this post changes :

resource "aws_s3_bucket" "cf_s3_bucket" {
  bucket = "my-bucket"
}

resource "aws_s3_bucket_ownership_controls" "example" {
  bucket = aws_s3_bucket.cf_s3_bucket.id
  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

resource "aws_s3_bucket_public_access_block" "example" {
  bucket = aws_s3_bucket.cf_s3_bucket.id

  block_public_acls       = false
  block_public_policy     = false
  ignore_public_acls      = false
  restrict_public_buckets = false
}

resource "aws_s3_bucket_acl" "example" {
  depends_on = [
    aws_s3_bucket_ownership_controls.example,
    aws_s3_bucket_public_access_block.example,
  ]

  bucket = aws_s3_bucket.cf_s3_bucket.id
  acl    = "public-read"
}

Hope this helps .

Anuj 🙂

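The complete migration the question asks about and the answer above sketches, pulled together as one added example (this is editor-supplied code, not the original poster's or Anuj's configuration, and not the AWS provider's documentation). It assumes Terraform 1.5 or newer (for the `import` blocks), provider hashicorp/aws 4.0 or newer, a bucket literally named `my-bucket`, a placeholder account ID `123456789012`, and a `var.account_id` variable; the resource names reuse the thread's `cf_s3_bucket`. It deliberately goes one step beyond the answer by leaving the two policy-related Block Public Access settings on, which is safe when public access is granted only through the ACL and the bucket has no public bucket policy.

```hcl
# Final configuration after dropping the deprecated "acl" argument from
# aws_s3_bucket. Hypothetical values (bucket name, account ID) are placeholders.

terraform {
  required_version = ">= 1.5.0" # import blocks below need 1.5+
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0" # aws_s3_bucket_acl exists from 4.0 onward
    }
  }
}

variable "account_id" {
  description = "Account that owns the bucket; used as expected_bucket_owner"
  type        = string
}

# The bucket itself no longer carries acl. The ACL is owned by aws_s3_bucket_acl.
resource "aws_s3_bucket" "cf_s3_bucket" {
  bucket = "my-bucket"
}

# ACLs only work if object ownership allows them. BucketOwnerEnforced (the
# default for new buckets) disables ACLs entirely, so public-read would be rejected.
resource "aws_s3_bucket_ownership_controls" "cf_s3_bucket" {
  bucket = aws_s3_bucket.cf_s3_bucket.id
  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

# Block Public Access is evaluated before the ACL: block_public_acls makes the
# PutBucketAcl call fail, ignore_public_acls makes a public ACL silently inert.
# Both must be false for public-read to take effect. The policy-related settings
# (assumption: no public bucket policy is needed) can stay true, which is tighter
# than the all-false block shown in the answer above.
resource "aws_s3_bucket_public_access_block" "cf_s3_bucket" {
  bucket = aws_s3_bucket.cf_s3_bucket.id

  block_public_acls       = false
  ignore_public_acls      = false
  block_public_policy     = true
  restrict_public_buckets = true
}

# Ordering matters: the ACL call must run after ownership controls and the
# public access block exist, or the first apply fails with AccessControlListNotSupported
# or AccessDenied depending on which one is still in its default state.
resource "aws_s3_bucket_acl" "cf_s3_bucket" {
  depends_on = [
    aws_s3_bucket_ownership_controls.cf_s3_bucket,
    aws_s3_bucket_public_access_block.cf_s3_bucket,
  ]

  bucket                = aws_s3_bucket.cf_s3_bucket.id
  acl                   = "public-read"
  expected_bucket_owner = var.account_id
}

# One-time adoption of settings that already exist on the bucket, so the first
# plan after the refactor shows no ACL change. Equivalent CLI form:
#   terraform import aws_s3_bucket_ownership_controls.cf_s3_bucket my-bucket
#   terraform import aws_s3_bucket_public_access_block.cf_s3_bucket my-bucket
#   terraform import aws_s3_bucket_acl.cf_s3_bucket my-bucket,123456789012,public-read
# Remove these blocks once the import has been applied.
import {
  to = aws_s3_bucket_ownership_controls.cf_s3_bucket
  id = "my-bucket"
}

import {
  to = aws_s3_bucket_public_access_block.cf_s3_bucket
  id = "my-bucket"
}

import {
  # ID format is "bucket,acl", or "bucket,account-id,acl" when
  # expected_bucket_owner is set on the resource, as it is here.
  to = aws_s3_bucket_acl.cf_s3_bucket
  id = "my-bucket,123456789012,public-read"
}
```

Two checks worth running around the apply. First, only import settings that actually exist on the bucket: a bucket created before ownership controls existed may have no explicit ownership configuration and no public access block, in which case those imports fail and the resources should simply be created on apply. Second, record the effective grants before and after with `aws s3api get-bucket-acl --bucket my-bucket` and confirm they are identical; the plan output for the deprecated `acl` attribute on `aws_s3_bucket` is the provider's view, and the ACL returned by S3 is what the world actually sees.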