Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

"The bucket does not allow ACLs" #317

Open
mpalmer opened this issue Apr 23, 2023 · 1 comment · May be fixed by #333
Open

"The bucket does not allow ACLs" #317

mpalmer opened this issue Apr 23, 2023 · 1 comment · May be fixed by #333
Labels
bug Something isn't working

Comments

@mpalmer
Copy link

mpalmer commented Apr 23, 2023

Describe the bug

When attempting to apply the secure-baseline to a newly-created account, I'm getting the following errors:

 Error: error creating S3 bucket ACL for <prefix>-audit-logs-access-logs: AccessControlListNotSupported: The bucket does not allow ACLs
│       status code: 400, request id: <redacted>, host id: <redacted>
│
│   with module.secure_baseline.module.audit_log_bucket[0].aws_s3_bucket_acl.access_log,
│   on .terraform/modules/secure_baseline/modules/secure-bucket/main.tf line 28, in resource "aws_s3_bucket_acl" "access_log":
│   28: resource "aws_s3_bucket_acl" "access_log" {
│
╵
╷
│ Error: error creating S3 bucket ACL for <prefix>-audit-logs: AccessControlListNotSupported: The bucket does not allow ACLs
│       status code: 400, request id: <redacted>, host id: <redacted>
│
│   with module.secure_baseline.module.audit_log_bucket[0].aws_s3_bucket_acl.content,
│   on .terraform/modules/secure_baseline/modules/secure-bucket/main.tf line 89, in resource "aws_s3_bucket_acl" "content":
│   89: resource "aws_s3_bucket_acl" "content" {

Versions

  • Terraform: v1.4.5
  • Provider: v4.64.0
  • Module: 2.1.0

Reproduction

Apply secure-baseline to a new account, or at least in an account where it needs to create a new S3 bucket. It may currently be region-specific (I ran it in ap-southeast-2), but eventually it'll soon be happening with any new S3 bucket, due to the changes to new bucket defaults.

Expected behavior

No terraform errors.

Actual behavior

Error as described above.

Additional context

Manually jiggering the bucket settings to enable ACLs allows a re-run of the terraform config to succeed.

@mpalmer mpalmer added the bug Something isn't working label Apr 23, 2023
@richbecks
Copy link

This requires the adding of something along the lines of the below to enable ACLs now they are by default off...

resource "aws_s3_bucket_ownership_controls" "my-bucket" {
  bucket = aws_s3_bucket.my-bucket.id
  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
2 participants