hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

aws_s3_object - issues with ACL settings #31460

Open scott-doyland-burrows opened 1 year ago

scott-doyland-burrows commented 1 year ago

Terraform Core Version

1.4.6

AWS Provider Version

4.67.0

Affected Resource(s)

aws_s3_object

Expected Behavior

Either:

  1. Error on each apply
  2. Ignore ACL setting if ACLs are not in use on the S3 bucket
  3. Warn that an ACL has been defined and request the user to remove the ACL and/or use the default ACL (currently private)

I believe what should happen is that when the bucket has ACL switched off, then the objects should be created with the default ACL of private albeit this is quite confusing, as if the bucket has no ACL, then I think the objects have no ACLs - but there is no option in aws_s3_object to not set an ACL.

Actual Behavior

The first apply fails, saying the bucket does not support ACLs; however, the resource in the statefile is still updated, and the second apply then works.

The resource (i.e., the object/file on S3) in AWS does not alter.

Relevant Error/Panic Output Snippet

aws_s3_object.s3file: Modifying... [id=file]
╷
│ Error: putting S3 object ACL: AccessControlListNotSupported: The bucket does not allow ACLs
│       status code: 400, request id: DDC9GMHY718VYJ0G, host id: +P4lHZCjZlHf6NEp6pCf7UIp8p6FKEehKBSiZ5luxt5m1LTH7x96hJN7IB7sz3LfBejWHPaMAgI=
│
│   with aws_s3_object.s3file,
│   on terraform.tf line 22, in resource "aws_s3_object" "s3file":
│   22: resource "aws_s3_object" "s3file" {

Terraform configuration files

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "4.67.0"
    }
  }
}

resource "aws_s3_bucket" "s3" {
  bucket = "doyland-test"
}

resource "aws_s3_bucket_ownership_controls" "s3" {
  bucket = aws_s3_bucket.s3.id

  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

resource "aws_s3_object" "s3file" {
  depends_on = [
    aws_s3_bucket_ownership_controls.s3
  ]

  bucket       = aws_s3_bucket.s3.id
  acl          = "public-read-write"
  key          = "file"
  content_type = "application/x-directory"
}

Steps to Reproduce

Set up the code as above (define your own bucket name).

Run the code twice.

The first run will error, but will still set the statefile to say the aws_s3_object resource has an acl = "public-read-write".

Rerun the apply and it will be successful.

Note that various issues can occur, e.g. if the ACL is set incorrectly and then later corrected (to private), then the first apply still has an error as above, and the second apply works.
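An added pre-apply check (not from the issue author or the provider) that flags exactly this mismatch in `terraform show -json <planfile>` output before Terraform hits the AccessControlListNotSupported error and leaves the statefile out of step with AWS: an aws_s3_object with an explicit acl whose bucket has BucketOwnerEnforced ownership controls. It assumes the plan JSON's configuration.root_module.resources section with per-attribute expressions (constant_value / references); the sample plan below is constructed from the configuration above, not captured from a real run.

```python
"""Flag aws_s3_object resources that set an acl on a bucket whose
ownership controls are BucketOwnerEnforced (ACLs disabled), using the
`configuration` section of `terraform show -json <planfile>` output."""
import json


def _bucket_key(expr):
    """Comparable key for a `bucket = ...` expression: the aws_s3_bucket
    resource it references (aws_s3_bucket.s3.id -> aws_s3_bucket.s3),
    or the literal bucket name when a constant string was used."""
    if not expr:
        return None
    for ref in expr.get("references", []):
        if ref.startswith("aws_s3_bucket."):
            return ".".join(ref.split(".")[:2])
    return expr.get("constant_value")


def find_acl_conflicts(plan):
    """Return one finding string per object whose acl will be rejected."""
    resources = plan["configuration"]["root_module"]["resources"]
    enforced = set()  # buckets on which ACLs are disabled
    for r in resources:
        if r["type"] != "aws_s3_bucket_ownership_controls":
            continue
        for rule in r["expressions"].get("rule", []):
            if rule.get("object_ownership", {}).get("constant_value") == "BucketOwnerEnforced":
                enforced.add(_bucket_key(r["expressions"].get("bucket")))
    findings = []
    for r in resources:
        if r["type"] != "aws_s3_object":
            continue
        acl = r["expressions"].get("acl", {}).get("constant_value")
        if acl and _bucket_key(r["expressions"].get("bucket")) in enforced:
            findings.append(f'{r["address"]}: acl = "{acl}" but bucket has ACLs disabled (BucketOwnerEnforced)')
    return findings


# Constructed sample plan JSON modelled on the configuration in this issue.
SAMPLE_PLAN = json.loads("""{"configuration": {"root_module": {"resources": [
 {"address": "aws_s3_bucket.s3", "type": "aws_s3_bucket", "name": "s3",
  "expressions": {"bucket": {"constant_value": "doyland-test"}}},
 {"address": "aws_s3_bucket_ownership_controls.s3", "type": "aws_s3_bucket_ownership_controls", "name": "s3",
  "expressions": {"bucket": {"references": ["aws_s3_bucket.s3.id", "aws_s3_bucket.s3"]},
                  "rule": [{"object_ownership": {"constant_value": "BucketOwnerEnforced"}}]}},
 {"address": "aws_s3_object.s3file", "type": "aws_s3_object", "name": "s3file",
  "expressions": {"bucket": {"references": ["aws_s3_bucket.s3.id", "aws_s3_bucket.s3"]},
                  "acl": {"constant_value": "public-read-write"}, "key": {"constant_value": "file"}}}
]}}}""")

if __name__ == "__main__":
    for line in find_acl_conflicts(SAMPLE_PLAN):
        print(line)
```

Run it against `terraform show -json tfplan` output in CI so the acl line is removed (or the ownership setting reconsidered) before the first apply, rather than discovering the mismatch through a failed apply and a second run.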


good92 commented 1 year ago

https://github.com/hashicorp/terraform-provider-aws/issues/28353