
Ability to manage S3 Bucket Ownership Controls #94

Closed
sshvetsov opened this issue May 28, 2021 · 8 comments

Comments

@sshvetsov

Is your request related to a new offering from AWS?

Yes: https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html#enable-object-ownership

I would like to ensure that objects placed into an S3 bucket in one AWS account by a principal from another AWS account are set to be owned by the bucket owner, even if the AWS principal from the other account did not explicitly set the bucket-owner-full-control canned ACL on the object during upload.

Feature supported by AWS provider for Terraform since v3.10.0:

Is your request related to a problem? Please describe.

Creating the aws_s3_bucket_ownership_controls resource outside of this module causes a race condition with the aws_s3_bucket_public_access_block resource and possibly aws_s3_bucket_policy, which are optionally created by this module, requiring a two-step apply.

Describe the solution you'd like.

I'd like to see an optional aws_s3_bucket_ownership_controls resource added to this module, creation and configuration of which can be controlled by an input variable.

Describe alternatives you've considered.

I have tried creating the aws_s3_bucket_ownership_controls resource outside of this module, but it tends to have a race condition with the aws_s3_bucket_public_access_block resource optionally created by this module, requiring a two-step apply. Currently there's no way to wait for the aws_s3_bucket_public_access_block or aws_s3_bucket_policy creation, since they are not exposed as outputs, so I feel adding an optional aws_s3_bucket_ownership_controls resource to this module would be a cleaner solution, allowing explicit dependencies to be specified.

Additional context

Possible module variable:

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| object_ownership | (Optional) Object ownership. Valid values: BucketOwnerPreferred or ObjectWriter | string | null | no |
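As an added example, not code from the issue or from the module itself, here is the shape of what the request above asks for, written with plain provider resources: the optional `aws_s3_bucket_ownership_controls` resource is created only when the proposed variable is set and is explicitly ordered after the public-access block and bucket policy so a single apply does not hit the race condition. The bucket name is a placeholder, and the deny-unless-ACL bucket policy is an assumed defence-in-depth companion to BucketOwnerPreferred (it applies to every principal, the bucket owner included).

```hcl
# Added example (not the issue's or the module's code). Placeholders:
# bucket name; the bucket policy is an assumed companion to BucketOwnerPreferred.
variable "object_ownership" {
  description = "(Optional) Object ownership. Valid values: BucketOwnerPreferred or ObjectWriter"
  type        = string
  default     = null
}

resource "aws_s3_bucket" "this" {
  bucket = "example-cross-account-uploads" # placeholder name
}

resource "aws_s3_bucket_public_access_block" "this" {
  bucket                  = aws_s3_bucket.this.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Reject PutObject calls that omit the bucket-owner-full-control canned ACL,
# so objects the bucket owner cannot read never land in the bucket.
resource "aws_s3_bucket_policy" "this" {
  bucket = aws_s3_bucket.this.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "RequireBucketOwnerFullControl"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:PutObject"
      Resource  = "${aws_s3_bucket.this.arn}/*"
      Condition = {
        StringNotEquals = { "s3:x-amz-acl" = "bucket-owner-full-control" }
      }
    }]
  })
  # The policy must not race the public-access block either.
  depends_on = [aws_s3_bucket_public_access_block.this]
}

resource "aws_s3_bucket_ownership_controls" "this" {
  count  = var.object_ownership == null ? 0 : 1
  bucket = aws_s3_bucket.this.id
  rule {
    object_ownership = var.object_ownership
  }
  # Explicit ordering: the dependency the issue asks the module to provide.
  depends_on = [aws_s3_bucket_public_access_block.this, aws_s3_bucket_policy.this]
}
```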
@bigmacdaddy75

As a workaround for the race condition, could you use depends_on for creating the aws_s3_bucket_ownership_controls resource outside of the module?

@sshvetsov
Author

> As a workaround for the race condition, could you use depends_on for creating the aws_s3_bucket_ownership_controls resource outside of the module?

As I mentioned in the description, yes, I have considered using depends_on as a workaround, but none of the resources that cause the issue are exposed by the module. Unless I'm missing something, what do you recommend using as a target for the depends_on meta-argument?

@carnei-ro
Contributor

I am also waiting for this feature. I've made this PR #101. Feel free to edit if necessary.

@antonbabenko
Member

#101 has just been merged and v2.8.0 has just been released.

I also added depends_on and tested in various combinations to make sure that we don't hit the issue hashicorp/terraform-provider-aws#7628.

@ypicard

ypicard commented Dec 3, 2021

Setting control_object_ownership to false does not disable ACLs on my bucket. Is this expected?

@sshvetsov
Author

> Setting control_object_ownership to false does not disable ACLs on my bucket. Is this expected?

Note, AWS added new functionality related to S3 object ownership during re:Invent 2021, which allows enforcing object ownership. The implementation in this module was created three months prior and does not yet support enforcement.

@ypicard

ypicard commented Dec 7, 2021

Understood. Is there an issue open concerning this feature request I could subscribe to?

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 28, 2022