v0.44.0
Allow specifying aws_s3_bucket_ownership_controls @max-lobur (#109)
what
- Allow setting aws_s3_bucket_ownership_controls
why
- Per docs this setting will let object uploader decide ownership. If
bucket-owner-full-controlACL is specified, the bucket account take ownership, otherwise the writer account keeps ownership. Bucket on its side may enforce presence of thebucket-owner-full-controlACL which we already do when needed. So this setting was the only missing piece to make ownership work like we expected - I found no use cases for the other value of this resource:
ObjectWriter. It corresponds to legacy S3 behavior which was broken for us. - However, giving the broad use of this module, I suspect there might be use cases that rely on previous S3 behavior: They set the ACL
bucket-owner-full-controlin their request and then still expect to own the object. To preserve legacy behavior I made this a variable, and the default corresponds to S3 legacy behavior. This is a new feature of AWS and we should wait for some time before enforcing the new default.
references
- https://aws.amazon.com/blogs/storage/enforcing-ownership-of-amazon-s3-objects-in-a-multi-account-environment/
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls#ObjectWriter
Contributors
max-lobur