feat: Updated S3 Bucket Block Public Access and ACL(Object Ownership) defaults to work since April 2023 (#226)

Co-authored-by: Anton Babenko <[email protected]>

Author: yoyoman21

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.77.0
+    rev: v1.77.3
     hooks:
       - id: terraform_fmt
       - id: terraform_wrapper_module_for_each

README.md

@@ -28,10 +28,12 @@ module "s3_bucket" {
   bucket = "my-s3-bucket"
   acl    = "private"
 
+  control_object_ownership = true
+  object_ownership         = "ObjectWriter"
+
   versioning = {
     enabled = true
   }
-
 }
 ```
 
@@ -47,6 +49,9 @@ module "s3_bucket_for_logs" {
   # Allow deletion of non-empty bucket
   force_destroy = true
 
+  control_object_ownership = true
+  object_ownership         = "ObjectWriter"
+
   attach_elb_log_delivery_policy = true
 }
 ```
@@ -63,6 +68,9 @@ module "s3_bucket_for_logs" {
   # Allow deletion of non-empty bucket
   force_destroy = true
 
+  control_object_ownership = true
+  object_ownership         = "ObjectWriter"
+
   attach_elb_log_delivery_policy = true  # Required for ALB logs
   attach_lb_log_delivery_policy  = true  # Required for ALB/NLB logs
 }
@@ -182,8 +190,8 @@ No modules.
 | <a name="input_attach_policy"></a> [attach\_policy](#input\_attach\_policy) | Controls if S3 bucket should have bucket policy attached (set to `true` to use value of `policy` as bucket policy) | `bool` | `false` | no |
 | <a name="input_attach_public_policy"></a> [attach\_public\_policy](#input\_attach\_public\_policy) | Controls if a user defined public bucket policy will be attached (set to `false` to allow upstream to apply defaults to the bucket) | `bool` | `true` | no |
 | <a name="input_attach_require_latest_tls_policy"></a> [attach\_require\_latest\_tls\_policy](#input\_attach\_require\_latest\_tls\_policy) | Controls if S3 bucket should require the latest version of TLS | `bool` | `false` | no |
-| <a name="input_block_public_acls"></a> [block\_public\_acls](#input\_block\_public\_acls) | Whether Amazon S3 should block public ACLs for this bucket. | `bool` | `false` | no |
-| <a name="input_block_public_policy"></a> [block\_public\_policy](#input\_block\_public\_policy) | Whether Amazon S3 should block public bucket policies for this bucket. | `bool` | `false` | no |
+| <a name="input_block_public_acls"></a> [block\_public\_acls](#input\_block\_public\_acls) | Whether Amazon S3 should block public ACLs for this bucket. | `bool` | `true` | no |
+| <a name="input_block_public_policy"></a> [block\_public\_policy](#input\_block\_public\_policy) | Whether Amazon S3 should block public bucket policies for this bucket. | `bool` | `true` | no |
 | <a name="input_bucket"></a> [bucket](#input\_bucket) | (Optional, Forces new resource) The name of the bucket. If omitted, Terraform will assign a random, unique name. | `string` | `null` | no |
 | <a name="input_bucket_prefix"></a> [bucket\_prefix](#input\_bucket\_prefix) | (Optional, Forces new resource) Creates a unique bucket name beginning with the specified prefix. Conflicts with bucket. | `string` | `null` | no |
 | <a name="input_control_object_ownership"></a> [control\_object\_ownership](#input\_control\_object\_ownership) | Whether to manage S3 Bucket Ownership Controls on this bucket. | `bool` | `false` | no |
@@ -192,7 +200,7 @@ No modules.
 | <a name="input_expected_bucket_owner"></a> [expected\_bucket\_owner](#input\_expected\_bucket\_owner) | The account ID of the expected bucket owner | `string` | `null` | no |
 | <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | (Optional, Default:false ) A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | `bool` | `false` | no |
 | <a name="input_grant"></a> [grant](#input\_grant) | An ACL policy grant. Conflicts with `acl` | `any` | `[]` | no |
-| <a name="input_ignore_public_acls"></a> [ignore\_public\_acls](#input\_ignore\_public\_acls) | Whether Amazon S3 should ignore public ACLs for this bucket. | `bool` | `false` | no |
+| <a name="input_ignore_public_acls"></a> [ignore\_public\_acls](#input\_ignore\_public\_acls) | Whether Amazon S3 should ignore public ACLs for this bucket. | `bool` | `true` | no |
 | <a name="input_intelligent_tiering"></a> [intelligent\_tiering](#input\_intelligent\_tiering) | Map containing intelligent tiering configuration. | `any` | `{}` | no |
 | <a name="input_inventory_configuration"></a> [inventory\_configuration](#input\_inventory\_configuration) | Map containing S3 inventory configuration. | `any` | `{}` | no |
 | <a name="input_inventory_self_source_destination"></a> [inventory\_self\_source\_destination](#input\_inventory\_self\_source\_destination) | Whether or not the inventory source bucket is also the destination bucket. | `bool` | `false` | no |
@@ -203,13 +211,13 @@ No modules.
 | <a name="input_metric_configuration"></a> [metric\_configuration](#input\_metric\_configuration) | Map containing bucket metric configuration. | `any` | `[]` | no |
 | <a name="input_object_lock_configuration"></a> [object\_lock\_configuration](#input\_object\_lock\_configuration) | Map containing S3 object locking configuration. | `any` | `{}` | no |
 | <a name="input_object_lock_enabled"></a> [object\_lock\_enabled](#input\_object\_lock\_enabled) | Whether S3 bucket should have an Object Lock configuration enabled. | `bool` | `false` | no |
-| <a name="input_object_ownership"></a> [object\_ownership](#input\_object\_ownership) | Object ownership. Valid values: BucketOwnerEnforced, BucketOwnerPreferred or ObjectWriter. 'BucketOwnerEnforced': ACLs are disabled, and the bucket owner automatically owns and has full control over every object in the bucket. 'BucketOwnerPreferred': Objects uploaded to the bucket change ownership to the bucket owner if the objects are uploaded with the bucket-owner-full-control canned ACL. 'ObjectWriter': The uploading account will own the object if the object is uploaded with the bucket-owner-full-control canned ACL. | `string` | `"ObjectWriter"` | no |
+| <a name="input_object_ownership"></a> [object\_ownership](#input\_object\_ownership) | Object ownership. Valid values: BucketOwnerEnforced, BucketOwnerPreferred or ObjectWriter. 'BucketOwnerEnforced': ACLs are disabled, and the bucket owner automatically owns and has full control over every object in the bucket. 'BucketOwnerPreferred': Objects uploaded to the bucket change ownership to the bucket owner if the objects are uploaded with the bucket-owner-full-control canned ACL. 'ObjectWriter': The uploading account will own the object if the object is uploaded with the bucket-owner-full-control canned ACL. | `string` | `"BucketOwnerEnforced"` | no |
 | <a name="input_owner"></a> [owner](#input\_owner) | Bucket owner's display name and ID. Conflicts with `acl` | `map(string)` | `{}` | no |
 | <a name="input_policy"></a> [policy](#input\_policy) | (Optional) A valid bucket policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide. | `string` | `null` | no |
 | <a name="input_putin_khuylo"></a> [putin\_khuylo](#input\_putin\_khuylo) | Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo! | `bool` | `true` | no |
 | <a name="input_replication_configuration"></a> [replication\_configuration](#input\_replication\_configuration) | Map containing cross-region replication configuration. | `any` | `{}` | no |
 | <a name="input_request_payer"></a> [request\_payer](#input\_request\_payer) | (Optional) Specifies who should bear the cost of Amazon S3 data transfer. Can be either BucketOwner or Requester. By default, the owner of the S3 bucket would incur the costs of any data transfer. See Requester Pays Buckets developer guide for more information. | `string` | `null` | no |
-| <a name="input_restrict_public_buckets"></a> [restrict\_public\_buckets](#input\_restrict\_public\_buckets) | Whether Amazon S3 should restrict public bucket policies for this bucket. | `bool` | `false` | no |
+| <a name="input_restrict_public_buckets"></a> [restrict\_public\_buckets](#input\_restrict\_public\_buckets) | Whether Amazon S3 should restrict public bucket policies for this bucket. | `bool` | `true` | no |
 | <a name="input_server_side_encryption_configuration"></a> [server\_side\_encryption\_configuration](#input\_server\_side\_encryption\_configuration) | Map containing server-side encryption configuration. | `any` | `{}` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | (Optional) A mapping of tags to assign to the bucket. | `map(string)` | `{}` | no |
 | <a name="input_versioning"></a> [versioning](#input\_versioning) | Map containing versioning configuration. | `map(string)` | `{}` | no |

examples/complete-legacy/main.tf

@@ -66,6 +66,9 @@ module "log_bucket" {
   acl           = "log-delivery-write"
   force_destroy = true
 
+  control_object_ownership = true
+  object_ownership         = "ObjectWriter"
+
   attach_elb_log_delivery_policy        = true
   attach_lb_log_delivery_policy         = true
   attach_deny_insecure_transport_policy = true
@@ -206,11 +209,11 @@ module "s3_bucket" {
     }
   }
 
-  # S3 bucket-level Public Access Block configuration
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
+  # S3 bucket-level Public Access Block configuration (by default now AWS has made this default as true for S3 bucket-level block public access)
+  # block_public_acls       = true
+  # block_public_policy     = true
+  # ignore_public_acls      = true
+  # restrict_public_buckets = true
 
   # S3 Bucket Ownership Controls
   control_object_ownership = true

examples/complete/main.tf

@@ -70,6 +70,9 @@ module "log_bucket" {
   acl           = "log-delivery-write"
   force_destroy = true
 
+  control_object_ownership = true
+  object_ownership         = "ObjectWriter"
+
   attach_elb_log_delivery_policy        = true
   attach_lb_log_delivery_policy         = true
   attach_deny_insecure_transport_policy = true
@@ -79,7 +82,9 @@ module "log_bucket" {
 module "cloudfront_log_bucket" {
   source = "../../"
 
-  bucket = "cloudfront-logs-${random_pet.this.id}"
+  bucket                   = "cloudfront-logs-${random_pet.this.id}"
+  control_object_ownership = true
+  object_ownership         = "ObjectWriter"
 
   grant = [{
     type       = "CanonicalUser"
@@ -130,11 +135,11 @@ module "s3_bucket" {
   attach_deny_insecure_transport_policy = true
   attach_require_latest_tls_policy      = true
 
-  # S3 bucket-level Public Access Block configuration
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
+  # S3 bucket-level Public Access Block configuration (by default now AWS has made this default as true for S3 bucket-level block public access)
+  # block_public_acls       = true
+  # block_public_policy     = true
+  # ignore_public_acls      = true
+  # restrict_public_buckets = true
 
   # S3 Bucket Ownership Controls
   # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls

variables.tf

@@ -235,25 +235,25 @@ variable "object_lock_enabled" {
 variable "block_public_acls" {
   description = "Whether Amazon S3 should block public ACLs for this bucket."
   type        = bool
-  default     = false
+  default     = true
 }
 
 variable "block_public_policy" {
   description = "Whether Amazon S3 should block public bucket policies for this bucket."
   type        = bool
-  default     = false
+  default     = true
 }
 
 variable "ignore_public_acls" {
   description = "Whether Amazon S3 should ignore public ACLs for this bucket."
   type        = bool
-  default     = false
+  default     = true
 }
 
 variable "restrict_public_buckets" {
   description = "Whether Amazon S3 should restrict public bucket policies for this bucket."
   type        = bool
-  default     = false
+  default     = true
 }
 
 variable "control_object_ownership" {
@@ -265,7 +265,7 @@ variable "control_object_ownership" {
 variable "object_ownership" {
   description = "Object ownership. Valid values: BucketOwnerEnforced, BucketOwnerPreferred or ObjectWriter. 'BucketOwnerEnforced': ACLs are disabled, and the bucket owner automatically owns and has full control over every object in the bucket. 'BucketOwnerPreferred': Objects uploaded to the bucket change ownership to the bucket owner if the objects are uploaded with the bucket-owner-full-control canned ACL. 'ObjectWriter': The uploading account will own the object if the object is uploaded with the bucket-owner-full-control canned ACL."
   type        = string
-  default     = "ObjectWriter"
+  default     = "BucketOwnerEnforced"
 }
 
 variable "putin_khuylo" {

wrappers/main.tf

@@ -42,11 +42,11 @@ module "wrapper" {
   analytics_source_bucket_arn           = try(each.value.analytics_source_bucket_arn, var.defaults.analytics_source_bucket_arn, null)
   analytics_self_source_destination     = try(each.value.analytics_self_source_destination, var.defaults.analytics_self_source_destination, false)
   object_lock_enabled                   = try(each.value.object_lock_enabled, var.defaults.object_lock_enabled, false)
-  block_public_acls                     = try(each.value.block_public_acls, var.defaults.block_public_acls, false)
-  block_public_policy                   = try(each.value.block_public_policy, var.defaults.block_public_policy, false)
-  ignore_public_acls                    = try(each.value.ignore_public_acls, var.defaults.ignore_public_acls, false)
-  restrict_public_buckets               = try(each.value.restrict_public_buckets, var.defaults.restrict_public_buckets, false)
+  block_public_acls                     = try(each.value.block_public_acls, var.defaults.block_public_acls, true)
+  block_public_policy                   = try(each.value.block_public_policy, var.defaults.block_public_policy, true)
+  ignore_public_acls                    = try(each.value.ignore_public_acls, var.defaults.ignore_public_acls, true)
+  restrict_public_buckets               = try(each.value.restrict_public_buckets, var.defaults.restrict_public_buckets, true)
   control_object_ownership              = try(each.value.control_object_ownership, var.defaults.control_object_ownership, false)
-  object_ownership                      = try(each.value.object_ownership, var.defaults.object_ownership, "ObjectWriter")
+  object_ownership                      = try(each.value.object_ownership, var.defaults.object_ownership, "BucketOwnerEnforced")
   putin_khuylo                          = try(each.value.putin_khuylo, var.defaults.putin_khuylo, true)
 }

wrappers/notification/outputs.tf

@@ -1,5 +1,5 @@
 output "wrapper" {
   description = "Map of outputs of a wrapper."
   value       = module.wrapper
-  # sensitive = false  # No sensitive module output found
+  # sensitive = false # No sensitive module output found
 }

wrappers/object/outputs.tf

@@ -1,5 +1,5 @@
 output "wrapper" {
   description = "Map of outputs of a wrapper."
   value       = module.wrapper
-  # sensitive = false  # No sensitive module output found
+  # sensitive = false # No sensitive module output found
 }

wrappers/outputs.tf

@@ -1,5 +1,5 @@
 output "wrapper" {
   description = "Map of outputs of a wrapper."
   value       = module.wrapper
-  # sensitive = false  # No sensitive module output found
+  # sensitive = false # No sensitive module output found
 }