Enable bucket acl

binbashar · Oct 18, 2023 · db071c4 · db071c4
1 parent f79b021
commit db071c4
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 1 deletion.
diff --git a/bucket_notification.tf b/bucket_notification.tf
@@ -79,4 +79,4 @@ resource "aws_s3_bucket_notification" "bucket_notification" {
       events    = var.notifications_events
     }
   }
-}
+}
diff --git a/kms_encription.tf b/kms_encription.tf
@@ -69,6 +69,25 @@ data "aws_iam_policy_document" "primary" {
       }
     }
   }
+
+  dynamic "statement" {
+    for_each = var.notifications_sns ? [1] : []
+    content {
+      sid       = "Allow access for Key User (S3 Service Principal)"
+      effect    = "Allow"
+      resources = [aws_kms_key.primary[0].arn]
+
+      actions = [
+        "kms:GenerateDataKey*",
+        "kms:Decrypt",
+      ]
+
+      principals {
+        type        = "Service"
+        identifiers = ["s3.amazonaws.com"]
+      }
+    }
+  }
 }
 
 data "aws_iam_policy_document" "secondary" {
@@ -133,6 +152,25 @@ data "aws_iam_policy_document" "secondary" {
     }
   }
 
+  dynamic "statement" {
+    for_each = var.notifications_sns ? [1] : []
+    content {
+      sid       = "Allow access for Key User (S3 Service Principal)"
+      effect    = "Allow"
+      resources = [aws_kms_key.primary[0].arn]
+
+      actions = [
+        "kms:GenerateDataKey*",
+        "kms:Decrypt",
+      ]
+
+      principals {
+        type        = "Service"
+        identifiers = ["s3.amazonaws.com"]
+      }
+    }
+  }
+
 
 }
 

diff --git a/main.tf b/main.tf
@@ -24,6 +24,15 @@ resource "aws_s3_bucket_acl" "default" {
   provider = aws.primary
   bucket   = aws_s3_bucket.default.id
   acl      = var.acl
+
+  depends_on = [aws_s3_bucket_ownership_controls.default]
+}
+
+resource "aws_s3_bucket_ownership_controls" "default" {
+  bucket = aws_s3_bucket.default.id
+  rule {
+    object_ownership = "BucketOwnerPreferred"
+  }
 }
 
 resource "aws_s3_bucket_server_side_encryption_configuration" "default" {