Merge pull request #22 from Snowflake-Labs/fix-s3-bucket-with-acl-usage

Fix s3 bucket acl usage.
Snowflake-Labs · May 25, 2023 · 75d998e · 75d998e
2 parents 2e3ae49 + f4531ce
commit 75d998e
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 0 deletions.
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -11,6 +11,7 @@ module "storage_integration" {
 
   # Snowflake
   snowflake_integration_user_roles = var.snowflake_integration_user_roles
+  bucket_object_ownership_settings = var.bucket_object_ownership_settings
 
   providers = {
     snowflake.storage_integration_role = snowflake.storage_integration_role

diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf
@@ -44,6 +44,12 @@ variable "arn_format" {
   default     = "aws"
 }
 
+variable "bucket_object_ownership_settings" {
+  type        = string
+  description = "The settings that will impact ACLs and ownership of objects within the bucket."
+  default     = "BucketOwnerEnforced"
+}
+
 data "aws_caller_identity" "current" {}
 
 locals {

diff --git a/s3.tf b/s3.tf
@@ -2,9 +2,19 @@ resource "aws_s3_bucket" "geff_bucket" {
   bucket = local.s3_bucket_name
 }
 
+resource "aws_s3_bucket_ownership_controls" "geff_bucket_ownership_controls" {
+  bucket = aws_s3_bucket.geff_bucket.id
+
+  rule {
+    object_ownership = var.bucket_object_ownership_settings
+  }
+}
+
 resource "aws_s3_bucket_acl" "geff_bucket_acl" {
   bucket = aws_s3_bucket.geff_bucket.id
   acl    = "private"
+
+  depends_on = [aws_s3_bucket_ownership_controls.geff_bucket_ownership_controls]
 }
 
 resource "aws_s3_object" "geff_meta_folder" {

diff --git a/variables.tf b/variables.tf
@@ -40,6 +40,12 @@ variable "arn_format" {
   default     = "aws"
 }
 
+variable "bucket_object_ownership_settings" {
+  type        = string
+  description = "The settings that will impact ACLs and ownership of objects within the bucket."
+  default     = "BucketOwnerEnforced"
+}
+
 data "aws_caller_identity" "current" {}
 data "aws_region" "current" {}
 data "aws_partition" "current" {}