Feature: parameterise bucket ACL

iam-policy-documents.tf

@@ -8,7 +8,7 @@ data "aws_iam_policy_document" "backend_assume_role_all" {
 
     principals {
       type        = "AWS"
-      identifiers = length(var.all_workspaces_details) > 0 ? var.all_workspaces_details : [data.aws_caller_identity.current.account_id]
+      identifiers = length(var.all_workspaces_details) > 0 ? var.all_workspaces_details : tolist([data.aws_caller_identity.current.account_id])
     }
   }
 }
@@ -38,7 +38,7 @@ data "aws_iam_policy_document" "backend_assume_role_restricted" {
 
     principals {
       type        = "AWS"
-      identifiers = length(each.value) > 0 ? each.value : [data.aws_caller_identity.current.account_id]
+      identifiers = length(each.value) > 0 ? each.value : tolist([data.aws_caller_identity.current.account_id])
     }
   }
 }

outputs.tf

@@ -9,3 +9,7 @@ output "dynamo_lock_table" {
 output "iam_roles" {
   value = concat(aws_iam_role.backend_all[*].arn, values(aws_iam_role.backend_restricted)[*].arn)
 }
+
+output "kms_key_id"{
+    value = var.enable_customer_kms_key ? aws_kms_key.backend[0].arn: null
+}

s3.tf

@@ -34,6 +34,16 @@ resource "aws_s3_bucket" "backend" {
   tags = var.tags
 }
 
+# Setting object_ownership="BucketOwnerEnforced" will effectively disable ACL on the bucket
+# default option is to keep it enabled.
+resource "aws_s3_bucket_ownership_controls" "acl_set" {
+  count  = var.disable_acl ? 1 : 0
+  bucket = aws_s3_bucket.backend.id
+  rule {
+    object_ownership = "BucketOwnerEnforced"
+  }
+}
+
 resource "aws_s3_bucket_public_access_block" "backend" {
   bucket = aws_s3_bucket.backend.id
 

tests/main.tf

@@ -74,3 +74,18 @@ module "tf-backend4" {
     Department = "Bar"
   }
 }
+
+# all default bucket acl disabled
+module "tf-backend2" {
+  source = "../"
+
+  resource_prefix = "backend-ci-test4-${var.resource_suffix}"
+
+  disable_acl = true
+
+  workspace_details = {
+    "prod"    = []
+    "nonprod" = []
+    "sandpit" = []
+  }
+}

variables.tf

@@ -37,3 +37,9 @@ variable "all_workspaces_details" {
   description = "A list of aws principles that will be allowed to assume the backend-all role"
   default     = []
 }
+
+variable "disable_acl" {
+  type        = string
+  description = "The ACL to apply to the S3 bucket"
+  default     = false
+}

versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 2.70.0"
+      version = ">= 3.69.0"
     }
   }
 }