Expected Behavior
Either:
Ignore ACL setting if ACLs are not in use on the S3 bucket
Warn that an ACL has been defined and request the user to remove the ACL and/or use the default ACL (currently private)
I believe what should happen is that when the bucket has ACL switched off, then the objects should be created with the default ACL of private, albeit this is quite confusing, as if the bucket has no ACL, then I think the objects have no ACLs - but there is no option in aws_s3_object to not set an ACL.
Actual Behavior
First apply fails saying the bucket does not support ACL, however the resource in the statefile is still updated and then the second apply works.
The resource (ie, the object/file on S3) in AWS does not alter.
Relevant Error/Panic Output Snippet
aws_s3_object.s3file: Modifying... [id=file]
╷
│ Error: putting S3 object ACL: AccessControlListNotSupported: The bucket does not allow ACLs
│ status code: 400, request id: DDC9GMHY718VYJ0G, host id: +P4lHZCjZlHf6NEp6pCf7UIp8p6FKEehKBSiZ5luxt5m1LTH7x96hJN7IB7sz3LfBejWHPaMAgI=
│
│ with aws_s3_object.s3file,
│ on terraform.tf line 22, in resource "aws_s3_object" "s3file":
│ 22: resource "aws_s3_object" "s3file" {
Steps to Reproduce
Set up the code as above (define your own bucket name).
Run the code twice.
First run will error, but will still set the statefile to say the aws_s3_object resource has an acl = "public-read-write"
Rerun the apply and it will be successful.
Note that various issues can occur, e.g. if the ACL is set incorrectly and then later corrected (to private), then the first apply still has an error as above, and the second apply works.
Terraform Core Version
1.4.6
AWS Provider Version
4.67.0
Affected Resource(s)
aws_s3_object
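The mismatch this issue describes, a state file recording an ACL that S3 never applied, can be checked for offline. The following is an added example, not code from the issue or from the provider: it reads the JSON produced by `terraform show -json` and lists `aws_s3_object` entries whose recorded `acl` is non-private although the same state sets the bucket's object ownership to `BucketOwnerEnforced` (ACLs disabled). The sample state, the bucket names and the function name `misleading_acls` are constructed, and the check assumes the bucket's ownership controls are managed in the same state.

```python
import json

# Constructed sample in the shape of `terraform show -json` output (not from the issue).
SAMPLE_STATE = json.loads("""
{"values": {"root_module": {"resources": [
  {"address": "aws_s3_bucket_ownership_controls.example",
   "type": "aws_s3_bucket_ownership_controls",
   "values": {"bucket": "example-bucket",
              "rule": [{"object_ownership": "BucketOwnerEnforced"}]}},
  {"address": "aws_s3_object.s3file", "type": "aws_s3_object",
   "values": {"bucket": "example-bucket", "key": "file",
              "acl": "public-read-write"}},
  {"address": "aws_s3_object.other", "type": "aws_s3_object",
   "values": {"bucket": "legacy-bucket", "key": "a", "acl": "private"}}
 ], "child_modules": []}}}
""")

def walk(module):
    """Yield every resource in a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk(child)

def misleading_acls(state):
    """Return (address, bucket, acl) for objects whose recorded ACL cannot apply."""
    resources = list(walk(state.get("values", {}).get("root_module", {})))
    # Buckets whose ownership controls disable ACLs entirely.
    no_acl_buckets = {
        r["values"]["bucket"]
        for r in resources
        if r["type"] == "aws_s3_bucket_ownership_controls"
        and any(rule.get("object_ownership") == "BucketOwnerEnforced"
                for rule in r["values"].get("rule", []))
    }
    findings = []
    for r in resources:
        if r["type"] != "aws_s3_object":
            continue
        v = r["values"]
        acl = v.get("acl")
        # "private" is harmless here; any other value is what a reviewer would misread.
        if v.get("bucket") in no_acl_buckets and acl not in (None, "", "private"):
            findings.append((r["address"], v["bucket"], acl))
    return findings

if __name__ == "__main__":
    for address, bucket, acl in misleading_acls(SAMPLE_STATE):
        print(f"{address}: state records acl={acl!r} but {bucket} has ACLs disabled")
```

A finding means the state should not be trusted as evidence of the object's real permissions; the object in S3 is governed by the bucket policy and ownership setting, not the recorded ACL.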