#refarch (2023-05)

Cloud Posse Reference Architecture

2023-05-05

Michael Dizon

Is there an ETA on when this PR is going to be merged? https://github.com/cloudposse/terraform-aws-s3-bucket/pull/176

#176 Add: ACL depends on ownership_controls

what

• aws_s3_bucket_ownership_controls is set first, followed by bucket ACL.

why

• Starting April 2023, AWS has changed the default ObjectOwnership = Bucket Owner Preferred.
So to add an ACL, aws_s3_bucket_ownership_controls must be set to ObjectWriter (or) BucketOwnerPreferred first.
In this PR, aws_s3_bucket_acl depends_on the aws_s3_bucket_ownership_controls resource block.
aws_s3_bucket_ownership_controls default is set to BucketOwnerEnforced.

references

• Ref: https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/

Erik Osterman (Cloud Posse)

We are planning to address the S3 issues next week. It may be a new PR, but we must address multiple modules.

Erik Osterman (Cloud Posse)

We had an internal review today to discuss the options.

Erik Osterman (Cloud Posse)

#178 Make compatible with new S3 defaults. Add user permissions boundary.

what

• Make compatible with new S3 defaults by setting S3 Object Ownership before setting ACL and disabling ACL if Ownership is "BucketOwnerEnforced"
• Add optional permissions boundary input for IAM user created by this module
• Create aws_s3_bucket_accelerate_configuration and aws_s3_bucket_versioning resources even when the feature is disabled, to enable drift detection

why

• S3 buckets with ACLs were failing to be provisioned because the ACL was set before the bucket ownership was changed
• Requested feature
• See #171

references

• Closes #174
• Supersedes and closes #175
• Supersedes and closes #176
