hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

Add support for ACL policy grants on S3 objects #19200

Closed antonysouthworth-halter closed 12 months ago

antonysouthworth-halter commented 3 years ago

Community Note

Description

The aws_s3_bucket_object resource type allows us to manage individual objects in an S3 bucket with Terraform. However, one part which is missing from this resource is the ability to set specific ACLs for the object. The resource type only allows you to specify a canned ACL (e.g. private/public-read/bucket-owner-full-control, docs). There does not appear to be a way to set more specific ACLs.

Use case: Creating an Elasticache Redis cluster from a local backup file. This requires uploading the backup file to S3 and ensuring the bucket and object have sufficient ACLs such that the Elasticache service can read the file.

At the moment, I get around this by using the AWS CLI with provisioner "local-exec", which is not ideal because Terraform doesn't know anything about what local-exec does.

provisioner "local-exec" {
  command = <<EOF
aws s3api put-object-acl \
  --bucket "${aws_s3_bucket.db_export.id}" \
  --grant-read "id=${local.canonical_user_id_elasticache},id=${local.canonical_user_id_sandbox}" \
  --grant-read-acp "id=${local.canonical_user_id_elasticache},id=${local.canonical_user_id_sandbox}" \
  --grant-write "id=${local.canonical_user_id_sandbox}" \
  --grant-write-acp "id=${local.canonical_user_id_sandbox}" \
  --key "${aws_s3_bucket_object.test_redis_snapshot.id}"
EOF
}

I guess the ideal would be to add a grant directive that basically behaves like the one for aws_s3_bucket.

New or Affected Resource(s)

Potential Terraform Configuration

resource "aws_s3_bucket_object" "my_object" {
  bucket  = aws_s3_bucket.my_bucket.id
  key     = "some-prefix/my_object.txt"
  content = file("my_local_file.txt")

  # these examples taken from the Bucket ACL grants in the docs
  grant {
    id          = data.aws_canonical_user_id.current_user.id
    type        = "CanonicalUser"
    permissions = ["FULL_CONTROL"]
  }

  grant {
    type        = "Group"
    permissions = ["READ", "WRITE"]
    uri         = "http://acs.amazonaws.com/groups/s3/LogDelivery"
  }
}

References

(none)
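Because the local-exec workaround above is invisible to Terraform, drift in the object ACL (a grant removed, or a grant added to a public group) goes unnoticed. As an added example that is not part of the issue or the provider, the following Python diffs an object ACL, in the shape returned by `aws s3api get-object-acl`, against the grants that were meant to be applied; the sample response and all canonical IDs are constructed placeholders.

```python
from typing import Dict, List, Set, Tuple

# Group grantees whose presence makes an object readable far beyond one account.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def grantee_key(grantee: Dict) -> str:
    """Normalise a grantee to the 'id=...' / 'uri=...' form used by s3api --grant-* flags."""
    if grantee["Type"] == "CanonicalUser":
        return "id=" + grantee["ID"]
    if grantee["Type"] == "Group":
        return "uri=" + grantee["URI"]
    return "emailAddress=" + grantee["EmailAddress"]

def audit_acl(acl: Dict, expected: Dict[str, List[str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Diff a get-object-acl response against the grants we meant to apply.

    Returns grants that are missing, grants that are extra (the owner's own
    FULL_CONTROL is tolerated), and any grants to the public groups above.
    """
    actual: Set[Tuple[str, str]] = {
        (grantee_key(g["Grantee"]), g["Permission"]) for g in acl["Grants"]
    }
    wanted = {(key, perm) for key, perms in expected.items() for perm in perms}
    owner = ("id=" + acl["Owner"]["ID"], "FULL_CONTROL")
    return {
        "missing": sorted(wanted - actual),
        "extra": sorted(actual - wanted - {owner}),
        "public": sorted(
            (k, p) for k, p in actual if k.startswith("uri=") and k[4:] in PUBLIC_GROUPS
        ),
    }

# Constructed sample in the shape returned by `aws s3api get-object-acl`; the IDs are placeholders.
SAMPLE_ACL = {
    "Owner": {"ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "CanonicalUser", "ID": "ELASTICACHE-CANONICAL-ID-PLACEHOLDER"}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}
# The grants the local-exec step was supposed to leave in place for the service principal.
EXPECTED = {"id=ELASTICACHE-CANONICAL-ID-PLACEHOLDER": ["READ", "READ_ACP"]}

if __name__ == "__main__":
    print(audit_acl(SAMPLE_ACL, EXPECTED))
```

Run it against a real `get-object-acl` JSON response to flag both the missing READ_ACP grant and the unexpected AllUsers grant in one pass.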

github-actions[bot] commented 1 year ago

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

github-actions[bot] commented 11 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.