Provides an S3 bucket ACL resource.

## Example Usage

### With `private` ACL

```terraform
resource "aws_s3_bucket" "example" {
  bucket = "my-tf-example-bucket"
}

resource "aws_s3_bucket_ownership_controls" "example" {
  bucket = aws_s3_bucket.example.id
  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

resource "aws_s3_bucket_acl" "example" {
  depends_on = [aws_s3_bucket_ownership_controls.example]

  bucket = aws_s3_bucket.example.id
  acl    = "private"
}
```
### With `public-read` ACL

```terraform
resource "aws_s3_bucket" "example" {
  bucket = "my-tf-example-bucket"
}

resource "aws_s3_bucket_ownership_controls" "example" {
  bucket = aws_s3_bucket.example.id
  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

resource "aws_s3_bucket_public_access_block" "example" {
  bucket = aws_s3_bucket.example.id

  block_public_acls       = false
  block_public_policy     = false
  ignore_public_acls      = false
  restrict_public_buckets = false
}

resource "aws_s3_bucket_acl" "example" {
  depends_on = [
    aws_s3_bucket_ownership_controls.example,
    aws_s3_bucket_public_access_block.example,
  ]

  bucket = aws_s3_bucket.example.id
  acl    = "public-read"
}
```
### With grants

```terraform
data "aws_canonical_user_id" "current" {}

resource "aws_s3_bucket" "example" {
  bucket = "my-tf-example-bucket"
}

resource "aws_s3_bucket_ownership_controls" "example" {
  bucket = aws_s3_bucket.example.id
  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

resource "aws_s3_bucket_acl" "example" {
  depends_on = [aws_s3_bucket_ownership_controls.example]

  bucket = aws_s3_bucket.example.id
  access_control_policy {
    grant {
      grantee {
        id   = data.aws_canonical_user_id.current.id
        type = "CanonicalUser"
      }
      permission = "READ"
    }

    grant {
      grantee {
        type = "Group"
        uri  = "http://acs.amazonaws.com/groups/s3/LogDelivery"
      }
      permission = "READ_ACP"
    }

    owner {
      id = data.aws_canonical_user_id.current.id
    }
  }
}
```
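The `public-read` example and the grants example both produce an ACL that a reviewer needs to read together with the bucket's public access block, because a public grant only takes effect when `ignore_public_acls` is false. The following audit check is an added example, not part of the provider documentation; it works on the dict shape boto3's `get_bucket_acl` returns (the same fields as `access_control_policy`), and the owner ID and sample ACLs are constructed.

```python
# Added example, not part of the Terraform AWS Provider documentation.
# Audits an S3 bucket ACL (the dict shape returned by boto3 get_bucket_acl, which
# mirrors the access_control_policy block above) together with the bucket's public
# access block settings, to decide whether an ACL actually exposes the bucket.

PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Permissions that let a grantee modify bucket contents or the ACL itself.
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def public_grants(acl):
    """Return [(group_name, permission)] for every grant to a public S3 group."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return hits


def audit_bucket_acl(acl, expected_owner_id=None):
    """Return finding strings (empty list means clean); expected_owner_id plays the
    role of the resource's expected_bucket_owner argument."""
    findings = []
    owner_id = acl.get("Owner", {}).get("ID")
    if expected_owner_id and owner_id != expected_owner_id:
        findings.append(f"owner {owner_id} != expected {expected_owner_id}")
    for group, perm in public_grants(acl):
        level = "CRITICAL" if perm in WRITE_PERMISSIONS else "HIGH"
        findings.append(f"{level}: {perm} granted to {group}")
    return findings


def acl_is_effectively_public(acl, public_access_block):
    """A public grant only takes effect when ignore_public_acls is false; the dict
    keys mirror the aws_s3_bucket_public_access_block arguments."""
    return bool(public_grants(acl)) and not public_access_block.get("ignore_public_acls", False)


# Constructed sample ACLs, shaped like S3's expansion of the canned "private" and "public-read" ACLs.
OWNER = {"ID": "constructed-canonical-owner-id"}
PRIVATE_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"}]}
PUBLIC_READ_ACL = {"Owner": OWNER, "Grants": PRIVATE_ACL["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
```

Run `audit_bucket_acl(PUBLIC_READ_ACL, OWNER["ID"])` to see the `HIGH: READ granted to AllUsers` finding, and pass the bucket's public access block to `acl_is_effectively_public` to see the same ACL neutralised once `ignore_public_acls` is true.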
## Argument Reference

This resource supports the following arguments:

* `acl` - (Optional, one of `acl` or `access_control_policy` is required) Canned ACL to apply to the bucket.
* `access_control_policy` - (Optional, one of `access_control_policy` or `acl` is required) Configuration block that sets the ACL permissions for an object per grantee. See below.
* `bucket` - (Required, Forces new resource) Bucket to which to apply the ACL.
* `expected_bucket_owner` - (Optional, Forces new resource) Account ID of the expected bucket owner.

### access_control_policy

The `access_control_policy` configuration block supports the following arguments:

* `grant` - (Required) Set of `grant` configuration blocks. See below.
* `owner` - (Required) Configuration block for the bucket owner's display name and ID. See below.

### grant

The `grant` configuration block supports the following arguments:

* `grantee` - (Required) Configuration block for the person being granted permissions. See below.
* `permission` - (Required) Logging permissions assigned to the grantee for the bucket. Valid values: `FULL_CONTROL`, `WRITE`, `WRITE_ACP`, `READ`, `READ_ACP`. See "What permissions can I grant?" in the S3 documentation for more details about what each permission means in the context of buckets.

### owner

The `owner` configuration block supports the following arguments:

* `id` - (Required) ID of the owner.
* `display_name` - (Optional) Display name of the owner.

### grantee

The `grantee` configuration block supports the following arguments:

* `email_address` - (Optional) Email address of the grantee. See "Regions and Endpoints" for the AWS regions in which this argument can be specified.
* `id` - (Optional) Canonical user ID of the grantee.
* `type` - (Required) Type of grantee. Valid values: `CanonicalUser`, `AmazonCustomerByEmail`, `Group`.
* `uri` - (Optional) URI of the grantee group.

## Attribute Reference

This resource exports the following attributes in addition to the arguments above:

* `id` - The `bucket`, `expected_bucket_owner` (if configured), and `acl` (if configured) separated by commas (`,`).

## Import

In Terraform v1.5.0 and later, use an `import` block to import S3 bucket ACL using `bucket`, `expected_bucket_owner`, and/or `acl`, depending on your situation. For example:
If the owner (account ID) of the source bucket is the _same_ account used to configure the Terraform AWS Provider, and the source bucket is not configured with a canned ACL (i.e. predefined grant), import using the `bucket`:

```terraform
import {
  to = aws_s3_bucket_acl.example
  id = "bucket-name"
}
```

If the owner (account ID) of the source bucket is the _same_ account used to configure the Terraform AWS Provider, and the source bucket is configured with a canned ACL (i.e. predefined grant), import using the `bucket` and `acl` separated by a comma (`,`):

```terraform
import {
  to = aws_s3_bucket_acl.example
  id = "bucket-name,private"
}
```

If the owner (account ID) of the source bucket _differs_ from the account used to configure the Terraform AWS Provider, and the source bucket is not configured with a canned ACL (i.e. predefined grant), import using the `bucket` and `expected_bucket_owner` separated by a comma (`,`):

```terraform
import {
  to = aws_s3_bucket_acl.example
  id = "bucket-name,123456789012"
}
```

If the owner (account ID) of the source bucket _differs_ from the account used to configure the Terraform AWS Provider, and the source bucket is configured with a canned ACL (i.e. predefined grant), import using the `bucket`, `expected_bucket_owner`, and `acl` separated by commas (`,`):

```terraform
import {
  to = aws_s3_bucket_acl.example
  id = "bucket-name,123456789012,private"
}
```
Using `terraform import`, import using `bucket`, `expected_bucket_owner`, and/or `acl`, depending on your situation. For example:

If the owner (account ID) of the source bucket is the _same_ account used to configure the Terraform AWS Provider, and the source bucket is not configured with a canned ACL (i.e. predefined grant), import using the `bucket`:

```console
% terraform import aws_s3_bucket_acl.example bucket-name
```

If the owner (account ID) of the source bucket is the _same_ account used to configure the Terraform AWS Provider, and the source bucket is configured with a canned ACL (i.e. predefined grant), import using the `bucket` and `acl` separated by a comma (`,`):

```console
% terraform import aws_s3_bucket_acl.example bucket-name,private
```

If the owner (account ID) of the source bucket _differs_ from the account used to configure the Terraform AWS Provider, and the source bucket is not configured with a canned ACL (i.e. predefined grant), import using the `bucket` and `expected_bucket_owner` separated by a comma (`,`):

```console
% terraform import aws_s3_bucket_acl.example bucket-name,123456789012
```

If the owner (account ID) of the source bucket _differs_ from the account used to configure the Terraform AWS Provider, and the source bucket is configured with a canned ACL (i.e. predefined grant), import using the `bucket`, `expected_bucket_owner`, and `acl` separated by commas (`,`):

```console
% terraform import aws_s3_bucket_acl.example bucket-name,123456789012,private
```