Resource: aws_s3_bucket_acl

Provides an S3 bucket ACL resource.

Since April 2023, new buckets default to the BucketOwnerEnforced object ownership setting, under which S3 disables ACLs and rejects attempts to set one. To manage an ACL with this resource, the bucket needs an aws_s3_bucket_ownership_controls rule of BucketOwnerPreferred or ObjectWriter, and that resource must exist before the ACL is applied, which is why every example below uses depends_on. Prefer bucket policies for granting access and use ACLs only where a consumer requires them (for example, server access log delivery).

Example Usage

With private ACL

resource "aws_s3_bucket" "example" {
  bucket = "my-tf-example-bucket"
}

resource "aws_s3_bucket_ownership_controls" "example" {
  bucket = aws_s3_bucket.example.id
  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

resource "aws_s3_bucket_acl" "example" {
  depends_on = [aws_s3_bucket_ownership_controls.example]

  bucket = aws_s3_bucket.example.id
  acl    = "private"
}

With public-read ACL

The public-read canned ACL grants the AllUsers group READ on the bucket, which lets anonymous callers list its objects. S3 only accepts the ACL when block_public_acls is false and only honours it when ignore_public_acls is false; the example below disables all four public access block settings and orders the ACL after that resource.

resource "aws_s3_bucket" "example" {
  bucket = "my-tf-example-bucket"
}

resource "aws_s3_bucket_ownership_controls" "example" {
  bucket = aws_s3_bucket.example.id
  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

resource "aws_s3_bucket_public_access_block" "example" {
  bucket = aws_s3_bucket.example.id

  block_public_acls       = false
  block_public_policy     = false
  ignore_public_acls      = false
  restrict_public_buckets = false
}

resource "aws_s3_bucket_acl" "example" {
  depends_on = [
    aws_s3_bucket_ownership_controls.example,
    aws_s3_bucket_public_access_block.example,
  ]

  bucket = aws_s3_bucket.example.id
  acl    = "public-read"
}

With Grants

An explicit access_control_policy replaces the canned acl argument (the two conflict) and must list every grant, including the bucket owner's own. The example grants READ to the calling account and READ_ACP to the S3 LogDelivery group.

data "aws_canonical_user_id" "current" {}

resource "aws_s3_bucket" "example" {
  bucket = "my-tf-example-bucket"
}

resource "aws_s3_bucket_ownership_controls" "example" {
  bucket = aws_s3_bucket.example.id
  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

resource "aws_s3_bucket_acl" "example" {
  depends_on = [aws_s3_bucket_ownership_controls.example]

  bucket = aws_s3_bucket.example.id
  access_control_policy {
    grant {
      grantee {
        id   = data.aws_canonical_user_id.current.id
        type = "CanonicalUser"
      }
      permission = "READ"
    }

    grant {
      grantee {
        type = "Group"
        uri  = "http://acs.amazonaws.com/groups/s3/LogDelivery"
      }
      permission = "READ_ACP"
    }

    owner {
      id = data.aws_canonical_user_id.current.id
    }
  }
}
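The three examples above only work together when the ownership control and the public access block permit the ACL. The following added example (not code from the Terraform AWS provider or its documentation) models that interaction: it expands a canned ACL into the explicit grants S3 applies, then decides whether S3 would accept the ACL and whether the bucket ends up publicly listable. The grant data is constructed to mirror the page's examples; the rule that BucketOwnerEnforced accepts only an owner-FULL_CONTROL ACL (the private canned ACL) and rejects everything else is a labelled assumption.

```python
"""Added example, not code from the Terraform AWS provider or its docs.

Models how aws_s3_bucket_acl, aws_s3_bucket_ownership_controls and
aws_s3_bucket_public_access_block interact. Assumption (labelled): under
BucketOwnerEnforced an ACL granting only the owner FULL_CONTROL is accepted
as a no-op and anything else is rejected.
"""
from dataclasses import dataclass

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}


@dataclass(frozen=True)
class Grant:
    permission: str    # FULL_CONTROL, READ, WRITE, READ_ACP or WRITE_ACP
    grantee_type: str  # "CanonicalUser" or "Group"
    grantee: str       # canonical user ID, or a group URI


def canned_acl_grants(acl, owner_id):
    """Expand a bucket canned ACL into the explicit grants S3 applies for it."""
    extra = {
        "private": [],
        "public-read": [Grant("READ", "Group", ALL_USERS)],
        "public-read-write": [Grant("READ", "Group", ALL_USERS),
                              Grant("WRITE", "Group", ALL_USERS)],
        "authenticated-read": [Grant("READ", "Group", AUTH_USERS)],
        "log-delivery-write": [Grant("WRITE", "Group", LOG_DELIVERY),
                               Grant("READ_ACP", "Group", LOG_DELIVERY)],
    }
    if acl not in extra:
        raise ValueError(f"not a bucket canned ACL: {acl}")
    # Every canned ACL starts with FULL_CONTROL for the bucket owner.
    return [Grant("FULL_CONTROL", "CanonicalUser", owner_id)] + extra[acl]


def public_grants(grants):
    """Grants that S3 Block Public Access treats as public."""
    return [g for g in grants
            if g.grantee_type == "Group" and g.grantee in PUBLIC_GROUPS]


def evaluate(grants, owner_id, object_ownership,
             block_public_acls, ignore_public_acls):
    """Return (accepted, effective_public_permissions, reason)."""
    public = public_grants(grants)
    if object_ownership == "BucketOwnerEnforced":
        # Assumption: only the owner-FULL_CONTROL ACL (canned "private") passes.
        owner_only = all(g.grantee_type == "CanonicalUser"
                         and g.grantee == owner_id
                         and g.permission == "FULL_CONTROL" for g in grants)
        if not owner_only:
            return False, set(), "rejected: ACLs are disabled under BucketOwnerEnforced"
        return True, set(), "accepted, but ACLs are disabled so it is a no-op"
    if public and block_public_acls:
        return False, set(), "rejected: block_public_acls is true"
    if public and ignore_public_acls:
        return True, set(), "accepted, public grants ignored (ignore_public_acls is true)"
    if public:
        perms = {g.permission for g in public}
        return True, perms, "accepted: bucket is PUBLIC (" + ", ".join(sorted(perms)) + ")"
    return True, set(), "accepted: no public grants"


if __name__ == "__main__":
    # Constructed canonical user ID standing in for data.aws_canonical_user_id.
    owner = "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"
    # The "With public-read ACL" example: all four block settings false.
    for setting in ("BucketOwnerPreferred", "BucketOwnerEnforced"):
        print(setting, evaluate(canned_acl_grants("public-read", owner), owner,
                                setting, False, False))
    # The "With Grants" example: owner READ plus LogDelivery READ_ACP.
    explicit = [Grant("READ", "CanonicalUser", owner),
                Grant("READ_ACP", "Group", LOG_DELIVERY)]
    print("explicit grants", evaluate(explicit, owner, "BucketOwnerPreferred", True, True))
```

Running it shows the point the examples make implicitly: the same public-read ACL is accepted and public under BucketOwnerPreferred with the block disabled, rejected under BucketOwnerEnforced, and silently neutralised when ignore_public_acls is true, while the LogDelivery grant never counts as public.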

Argument Reference

This resource supports the following arguments:

- acl - (Optional, either acl or access_control_policy is required) Canned ACL to apply to the bucket, for example private or public-read. Conflicts with access_control_policy.
- access_control_policy - (Optional, either acl or access_control_policy is required) Configuration block that sets the ACL permissions per grantee. See below. Conflicts with acl.
- bucket - (Required) Name of the bucket to which the ACL applies.
- expected_bucket_owner - (Optional) Account ID of the expected bucket owner; the request fails if the bucket is owned by another account.

access_control_policy

The access_control_policy configuration block supports the following arguments:

- grant - (Required) Set of grant configuration blocks. See below.
- owner - (Required) Configuration block for the bucket owner. See below.

grant

The grant configuration block supports the following arguments:

- grantee - (Required) Configuration block for the person being granted permissions. See below.
- permission - (Required) Permission given to the grantee: FULL_CONTROL, WRITE, WRITE_ACP, READ or READ_ACP.

owner

The owner configuration block supports the following arguments:

- id - (Required) Canonical user ID of the bucket owner.
- display_name - (Optional) Display name of the owner.

grantee

The grantee configuration block supports the following arguments:

- type - (Required) Type of grantee: CanonicalUser, AmazonCustomerByEmail or Group.
- id - (Optional) Canonical user ID of the grantee; used with type CanonicalUser.
- email_address - (Optional) Email address of the grantee; used with type AmazonCustomerByEmail.
- uri - (Optional) URI of the grantee group; used with type Group, for example http://acs.amazonaws.com/groups/s3/LogDelivery.

Attribute Reference

This resource exports the following attributes in addition to the arguments above:

- id - The bucket, expected_bucket_owner (if configured), and acl (if configured) separated by commas (,). This is the same format the Import section below uses.

Import

In Terraform v1.5.0 and later, use an import block to import S3 bucket ACL using bucket, expected_bucket_owner, and/or acl, depending on your situation. For example:

If the owner (account ID) of the source bucket is the _same_ account used to configure the Terraform AWS Provider, and the source bucket is not configured with a canned ACL (i.e. predefined grant), import using the bucket:

import {
  to = aws_s3_bucket_acl.example
  id = "bucket-name"
}

If the owner (account ID) of the source bucket is the _same_ account used to configure the Terraform AWS Provider, and the source bucket is configured with a canned ACL (i.e. predefined grant), import using the bucket and acl separated by a comma (,):

import {
  to = aws_s3_bucket_acl.example
  id = "bucket-name,private"
}

If the owner (account ID) of the source bucket _differs_ from the account used to configure the Terraform AWS Provider, and the source bucket is not configured with a canned ACL (i.e. predefined grant), import using the bucket and expected_bucket_owner separated by a comma (,):

import {
  to = aws_s3_bucket_acl.example
  id = "bucket-name,123456789012"
}

If the owner (account ID) of the source bucket _differs_ from the account used to configure the Terraform AWS Provider, and the source bucket is configured with a canned ACL (i.e. predefined grant), import using the bucket, expected_bucket_owner, and acl separated by commas (,):

import {
  to = aws_s3_bucket_acl.example
  id = "bucket-name,123456789012,private"
}

Using terraform import, import S3 bucket ACL using bucket, expected_bucket_owner, and/or acl, depending on your situation. For example:

If the owner (account ID) of the source bucket is the _same_ account used to configure the Terraform AWS Provider, and the source bucket is not configured with a canned ACL (i.e. predefined grant), import using the bucket:

% terraform import aws_s3_bucket_acl.example bucket-name

If the owner (account ID) of the source bucket is the _same_ account used to configure the Terraform AWS Provider, and the source bucket is configured with a canned ACL (i.e. predefined grant), import using the bucket and acl separated by a comma (,):

% terraform import aws_s3_bucket_acl.example bucket-name,private

If the owner (account ID) of the source bucket _differs_ from the account used to configure the Terraform AWS Provider, and the source bucket is not configured with a canned ACL (i.e. predefined grant), import using the bucket and expected_bucket_owner separated by a comma (,):

% terraform import aws_s3_bucket_acl.example bucket-name,123456789012

If the owner (account ID) of the source bucket _differs_ from the account used to configure the Terraform AWS Provider, and the source bucket is configured with a canned ACL (i.e. predefined grant), import using the bucket, expected_bucket_owner, and acl separated by commas (,):

% terraform import aws_s3_bucket_acl.example bucket-name,123456789012,private
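The four import ID formats above share one ambiguity: in the two-part form the second field is either an expected_bucket_owner or a canned ACL. The following added example (not the provider's own parser) builds and parses these IDs, resolving the two-part case by shape: a 12-digit field is an account ID, a known bucket canned ACL name is the acl. That classification rule is an assumption about how to read the documented formats, and the set of bucket canned ACLs is the one S3 accepts on buckets.

```python
"""Added example, not code from the Terraform AWS provider.

Composes and parses the aws_s3_bucket_acl import ID formats:
"bucket", "bucket,acl", "bucket,account-id" and "bucket,account-id,acl".
Assumption: a 12-digit second field is an expected_bucket_owner, a canned
ACL name is the acl; the provider's own parser may differ in detail.
"""
import re

ACCOUNT_ID = re.compile(r"^[0-9]{12}$")
# Canned ACLs S3 accepts on a bucket (object-only ones are excluded).
BUCKET_CANNED_ACLS = {
    "private", "public-read", "public-read-write",
    "authenticated-read", "aws-exec-read", "log-delivery-write",
}


def build_import_id(bucket, expected_bucket_owner=None, acl=None):
    """Compose the comma-separated ID used by import blocks and terraform import."""
    if not bucket or "," in bucket:
        raise ValueError("bucket name is required and cannot contain a comma")
    if expected_bucket_owner is not None and not ACCOUNT_ID.match(expected_bucket_owner):
        raise ValueError("expected_bucket_owner must be a 12-digit account ID")
    if acl is not None and acl not in BUCKET_CANNED_ACLS:
        raise ValueError(f"not a bucket canned ACL: {acl}")
    return ",".join(p for p in (bucket, expected_bucket_owner, acl) if p)


def parse_import_id(raw):
    """Split an import ID into its three fields; absent fields are None."""
    parts = raw.split(",")
    if not parts[0] or len(parts) > 3:
        raise ValueError(f"malformed import ID: {raw!r}")
    bucket, owner, acl = parts[0], None, None
    if len(parts) == 2:
        field = parts[1]
        if ACCOUNT_ID.match(field):
            owner = field
        elif field in BUCKET_CANNED_ACLS:
            acl = field
        else:
            raise ValueError(
                f"second field is neither an account ID nor a canned ACL: {field!r}")
    elif len(parts) == 3:
        owner, acl = parts[1], parts[2]
        if not ACCOUNT_ID.match(owner) or acl not in BUCKET_CANNED_ACLS:
            raise ValueError(f"expected bucket,account-id,acl but got {raw!r}")
    return {"bucket": bucket, "expected_bucket_owner": owner, "acl": acl}


if __name__ == "__main__":
    # The four IDs documented above, in the order the page lists them.
    for example in ("bucket-name", "bucket-name,private",
                    "bucket-name,123456789012", "bucket-name,123456789012,private"):
        print(example, "->", parse_import_id(example))
```

The parser rejects a trailing comma, a swapped three-part ID, and a second field that is neither an account ID nor a canned ACL, so a typo in the account ID surfaces before the import rather than being read as an ACL name.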