From db071c4dd6f863f6359cae7f47c8896e554bcd8d Mon Sep 17 00:00:00 2001
From: Martin Galeano Galeano
Date: Mon, 16 Oct 2023 16:54:52 -0300
Subject: [PATCH] Enable bucket acl
---
 bucket_notification.tf | 2 +-
 kms_encription.tf | 38 ++++++++++++++++++++++++++++++++++++++
 main.tf | 9 +++++++++
 3 files changed, 48 insertions(+), 1 deletion(-)
diff --git a/bucket_notification.tf b/bucket_notification.tf
index 4861a4e..17e328e 100644
--- a/bucket_notification.tf
+++ b/bucket_notification.tf
@@ -79,4 +79,4 @@ resource "aws_s3_bucket_notification" "bucket_notification" {
 events = var.notifications_events
 }
 }
-}
\ No newline at end of file
+}
diff --git a/kms_encription.tf b/kms_encription.tf
index 942d4fe..cf3c8ad 100644
--- a/kms_encription.tf
+++ b/kms_encription.tf
@@ -69,6 +69,25 @@ data "aws_iam_policy_document" "primary" {
 }
 }
 }
+
+ dynamic "statement" {
+ for_each = var.notifications_sns ? [1] : []
+ content {
+ sid = "Allow access for Key User (S3 Service Principal)"
+ effect = "Allow"
+ resources = [aws_kms_key.primary[0].arn]
+
+ actions = [
+ "kms:GenerateDataKey*",
+ "kms:Decrypt",
+ ]
+
+ principals {
+ type = "Service"
+ identifiers = ["s3.amazonaws.com"]
+ }
+ }
+ }
 }
 data "aws_iam_policy_document" "secondary" {
@@ -133,6 +152,25 @@ data "aws_iam_policy_document" "secondary" {
 }
 }
+ dynamic "statement" {
+ for_each = var.notifications_sns ? [1] : []
+ content {
+ sid = "Allow access for Key User (S3 Service Principal)"
+ effect = "Allow"
+ resources = [aws_kms_key.primary[0].arn]
+
+ actions = [
+ "kms:GenerateDataKey*",
+ "kms:Decrypt",
+ ]
+
+ principals {
+ type = "Service"
+ identifiers = ["s3.amazonaws.com"]
+ }
+ }
+ }
+ }
diff --git a/main.tf b/main.tf
index c2299a6..5752f25 100644
--- a/main.tf
+++ b/main.tf
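Review bot: The statement added to `data "aws_iam_policy_document" "primary"` grants the `s3.amazonaws.com` service principal `kms:Decrypt` and `kms:GenerateDataKey*` on the key with no `condition` block, so the grant is not tied to this account or this bucket — any S3 resource that can be pointed at the key, including one in another account, may use it through the service principal (the confused-deputy case AWS's service-principal guidance addresses with `aws:SourceAccount` / `aws:SourceArn`). Adding a condition on `aws:SourceArn` naming the module's bucket (its ARN is available as `aws_s3_bucket.default.arn`, since `aws_s3_bucket.default` is referenced in this patch) narrows the statement to the one caller that needs it; the identical statement in the `secondary` document on the next hunk needs the same condition. The `primary` document starts before this hunk.
```hcl
      principals {
        type        = "Service"
        identifiers = ["s3.amazonaws.com"]
      }

      # Only S3 acting for this module's bucket may use the key via the service principal.
      condition {
        test     = "ArnLike"
        variable = "aws:SourceArn"
        values   = [aws_s3_bucket.default.arn]
      }
```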
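Review bot: The statement added to `data "aws_iam_policy_document" "secondary"` sets `resources = [aws_kms_key.primary[0].arn]`, the same ARN the `primary` document uses, which reads as a copy of the primary hunk. A key-policy statement whose Resource names a different key grants nothing for the key the policy is attached to, so if this document is attached to a second key the S3 principal would still be denied there; the resource should reference the key this document belongs to, or `"*"`, the usual form inside a key policy. Whether a separate `aws_kms_key` exists for the secondary document is not visible in this patch, so this is worth confirming against the rest of kms_encription.tf. The `secondary` document starts before this hunk.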
@@ -24,6 +24,15 @@ resource "aws_s3_bucket_acl" "default" {
 provider = aws.primary
 bucket = aws_s3_bucket.default.id
 acl = var.acl
+
+ depends_on = [aws_s3_bucket_ownership_controls.default]
+}
+
+resource "aws_s3_bucket_ownership_controls" "default" {
+ bucket = aws_s3_bucket.default.id
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
 }
 resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
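Review bot: The new `aws_s3_bucket_ownership_controls.default` resource carries no `provider = aws.primary` line, while `aws_s3_bucket_acl.default` directly above it is pinned to `aws.primary`; the ownership controls would therefore be created through the default provider, and if that is a different region or account from the bucket the apply fails or targets the wrong bucket. Add `provider = aws.primary` as the first line of the resource, matching the ACL resource. `BucketOwnerPreferred` re-enables ACL evaluation for the bucket, so whatever `var.acl` carries now takes effect; unless an `aws_s3_bucket_public_access_block` elsewhere in the module (not visible here) blocks public ACLs, a public canned ACL in `var.acl` makes the bucket readable by anyone, so a `validation` block on `var.acl` restricting it to the ACLs the module intends would be worth adding alongside. The `aws_s3_bucket_acl` resource starts before this hunk.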