aws-samples / service-catalog-engine-for-terraform-os

Apache License 2.0

Bootstrapping terraform reference engine on new AWS account has bucket error (possibly due to new default create bucket policies) #72

Closed simachriaws closed 6 months ago

simachriaws commented 6 months ago

Steps to reproduce

  1. Create a new AWS account, create an admin role
  2. Read/follow the pre-reqs to install tools (go, python etc.)
  3. ./bin/bash/deploy-tre.sh -r <region>

Observed error

The CloudFormation logical id resource LoggingBucket fails with:

Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting (Service: S3, Status Code: 400... and rolls back.

Inspecting /tmp/tre-sam-deploy-command.out also confirms this to be the case, showing the exact same error.

Possible Mechanisms to fix

simachriaws commented 6 months ago

See also https://repost.aws/knowledge-center/cloudformation-objectownership-acl-error

simachriaws commented 6 months ago

Apologies, the observed error was happening on an early version of service-catalog-engine-for-terraform-os, since we now have

  LoggingBucketPolicy:
    Type: AWS::S3::BucketPolicy

The LoggingBucket create-failure issue does not occur (checked 059dc57ae692b7f80871d3b1ad4a6eaf50dce44d).
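The error in this issue comes from combining a canned ACL (`AccessControl: LogDeliveryWrite`, the classic way to let S3 server access logging write into a bucket) with `ObjectOwnership: BucketOwnerEnforced`, which disables ACLs entirely and has been the default for newly created buckets since April 2023. The fix the thread lands on is the one in the linked re:Post article: drop the ACL and grant the `logging.s3.amazonaws.com` service principal `s3:PutObject` through an `AWS::S3::BucketPolicy`. The template below is an added illustration of that failing-versus-working pair; it is not the project's own template, and the logical names, the `logs/` prefix and the `SourceBucketName` parameter are assumptions made for the example.

```yaml
# Added example, not the project's template: S3 server access logging into a
# bucket with ObjectOwnership: BucketOwnerEnforced, without any ACLs.
# Logical names, the "logs/" prefix and SourceBucketName are assumptions.
AWSTemplateFormatVersion: "2010-09-09"
Description: Logging bucket that works with BucketOwnerEnforced (no ACLs)

Parameters:
  SourceBucketName:
    Type: String
    Description: Name of the bucket whose access logs go to LoggingBucket

Resources:
  # --- BEFORE (fails): LogDeliveryWrite is a canned ACL, and with
  # BucketOwnerEnforced S3 rejects every ACL, producing
  # "Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced".
  # Kept commented out so the template remains deployable.
  #
  # LoggingBucket:
  #   Type: AWS::S3::Bucket
  #   Properties:
  #     AccessControl: LogDeliveryWrite
  #     OwnershipControls:
  #       Rules:
  #         - ObjectOwnership: BucketOwnerEnforced

  # --- AFTER (works): no AccessControl property at all. Ownership stays
  # enforced, public access is blocked, and the log-delivery grant moves
  # into a bucket policy.
  LoggingBucket:
    Type: AWS::S3::Bucket
    Properties:
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerEnforced
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256

  LoggingBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref LoggingBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: S3ServerAccessLogsPolicy
            Effect: Allow
            Principal:
              Service: logging.s3.amazonaws.com
            Action: s3:PutObject
            Resource: !Sub "${LoggingBucket.Arn}/logs/*"
            # Pin the grant to this account's source bucket so the log
            # delivery principal cannot be used to write into this bucket
            # on behalf of a bucket in some other account.
            Condition:
              ArnLike:
                aws:SourceArn: !Sub "arn:${AWS::Partition}:s3:::${SourceBucketName}"
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId

  # The bucket being logged. DependsOn makes sure the policy grant exists
  # before S3 validates the LoggingConfiguration, otherwise the
  # PutBucketLogging call is rejected for lack of delivery permission.
  SourceBucket:
    Type: AWS::S3::Bucket
    DependsOn: LoggingBucketPolicy
    Properties:
      BucketName: !Ref SourceBucketName
      LoggingConfiguration:
        DestinationBucketName: !Ref LoggingBucket
        LogFilePrefix: logs/
```

After deploying (for example `aws cloudformation deploy --template-file logging.yaml --stack-name logging-example --parameter-overrides SourceBucketName=<name>`), `aws s3api get-bucket-ownership-controls --bucket <logging-bucket>` should report `BucketOwnerEnforced` and `aws s3api get-bucket-acl` should show only the owner's FULL_CONTROL grant, confirming no ACL was applied. Note that `AccessControl` is an ACL even when it is not called one; any template that still sets it on a bucket with enforced ownership will fail the same way regardless of which canned value it uses.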