Error creating S3 bucket ACL for $BUCKET: AccessControlListNotSupported: The bucket does not allow ACLs

[grommir]

Description

Get error Error: error creating S3 bucket ACL for test-bucket20230419084229361100000001: AccessControlListNotSupported: The bucket does not allow ACLs
while trying creating a S3 bucket by using a bit modified code from example

• ✋ I have searched the open/closed issues and my issue is not listed.

Versions

• Module version [Required]:
  3.8.2

• Terraform version:
  Terraform v1.4.5

• Provider version(s):
  provider registry.terraform.io/hashicorp/aws v4.63.0

Reproduction Code [Required]

terraform {
  required_version = ">= 1.0.11"
}
variable "env" {
  description = "The name of the environment we are deploying to"
  type        = string
  default     = "test"
}
provider "aws" {
  region = "us-east-2"
  default_tags {
    tags = {
      Environment        = var.env
      ManagedByTerraform = true
    }
  }
}
module "s3_bucket_for_logs" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "3.8.2"

  bucket_prefix = "test-bucket"
  acl           = "log-delivery-write"

  # Allow deletion of non-empty bucket
  force_destroy = true

  attach_elb_log_delivery_policy = true # Required for ALB logs
  attach_lb_log_delivery_policy  = true # Required for ALB/NLB logs
}

Steps to reproduce the behavior:
terraform init && terraform apply

Expected behavior

Bucket with attached ACL created

Actual behavior

Got error

╷
│ Error: error creating S3 bucket ACL for test-bucket20230419084229361100000001: AccessControlListNotSupported: The bucket does not allow ACLs
│       status code: 400, request id: X2ZV32QWJ18HH28J, host id: 5fACAu8r7thf75NKzp/ol9jCtLW3Qmd9p/obgOUmDhEBhhVDeA6ONc2CBzZN8jdgSTHupclKeWg=
│
│   with module.s3_bucket_for_logs.aws_s3_bucket_acl.this[0],
│   on .terraform/modules/s3_bucket_for_logs/main.tf line 40, in resource "aws_s3_bucket_acl" "this":
│   40: resource "aws_s3_bucket_acl" "this" {
│
╵

Terminal Output Screenshot(s)

[owen-wessling]

I've run into this as well. It seems to be sourced by a change AWS announced in December for this month (April 2023) wherein S3 buckets would have ACls disabled by default (https://aws.amazon.com/about-aws/whats-new/2022/12/amazon-s3-automatically-enable-block-public-access-disable-access-control-lists-buckets-april-2023/).

If you're setting ACL to be 'private', you can probably workaround this issue by setting the ACL property to 'null' instead.

If you're setting the ACL property in a useful manner (as the filer does) check the 'control_object_ownership' property, and then the affiliated 'object_ownership' setting. I think by setting 'control_object_ownership' to true (it defaults to false) you can restore expected behavior.

[grommir]

In fact, we avoided this by simply removing the acl entry from the module's input.
But there is one more followup issue. Adding attach_policy = true also throws an error.

╷
│ Error: Error putting S3 policy: AccessDenied: Access Denied
│ 	status code: 403, request id: WZKWPS8N7FTZCNXD, host id: P+bcTjyWh1aeFe+IEA5UBvRSVvHRULYF1mQwNahr6hmdEdcAW2bDb3n6lyaLq7tlePQ4tyTip6E=
│ 
│   with module.front_end.aws_s3_bucket_policy.read_access,
│   on .terraform/modules/front_end/modules/fe-pr-environment/main.tf line 34, in resource "aws_s3_bucket_policy" "read_access":
│   34: resource "aws_s3_bucket_policy" "read_access" {
│ 
╵

Right now I changed it to this, and it's works for me:

module "s3_bucket" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "3.8.2"

  bucket_prefix = "${var.app_name}-${var.env}-"

  force_destroy = true

  website = {
    index_document = "index.html"
    error_document = "index.html"
  }

}

data "aws_iam_policy_document" "read_access" {
  statement {
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    actions   = ["s3:GetObject"]
    resources = ["${module.s3_bucket.s3_bucket_arn}/*"]
  }
}

# Need for avoid `Error putting S3 policy: AccessDenied: Access Denied`
resource "time_sleep" "wait_2_seconds" {
  depends_on      = [module.s3_bucket.s3_bucket_website_domain]
  create_duration = "2s"
}

resource "aws_s3_bucket_policy" "read_access" {
  bucket = module.s3_bucket.s3_bucket_id
  policy = data.aws_iam_policy_document.read_access.json

  depends_on = [
    time_sleep.wait_2_seconds
  ]
}

[yoyoman21]

Description

Get error Error: error creating S3 bucket ACL for test-bucket20230419084229361100000001: AccessControlListNotSupported: The bucket does not allow ACLs while trying creating a S3 bucket by using a bit modified code from example

• ✋ I have searched the open/closed issues and my issue is not listed.

Versions

• Module version [Required]:
  3.8.2
• Terraform version:
  Terraform v1.4.5
• Provider version(s):
  provider registry.terraform.io/hashicorp/aws v4.63.0

Reproduction Code [Required]

terraform {
  required_version = ">= 1.0.11"
}
variable "env" {
  description = "The name of the environment we are deploying to"
  type        = string
  default     = "test"
}
provider "aws" {
  region = "us-east-2"
  default_tags {
    tags = {
      Environment        = var.env
      ManagedByTerraform = true
    }
  }
}
module "s3_bucket_for_logs" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "3.8.2"

  bucket_prefix = "test-bucket"
  acl           = "log-delivery-write"

  # Allow deletion of non-empty bucket
  force_destroy = true

  attach_elb_log_delivery_policy = true # Required for ALB logs
  attach_lb_log_delivery_policy  = true # Required for ALB/NLB logs
}

Steps to reproduce the behavior: terraform init && terraform apply

Expected behavior

Bucket with attached ACL created

Actual behavior

Got error

╷
│ Error: error creating S3 bucket ACL for test-bucket20230419084229361100000001: AccessControlListNotSupported: The bucket does not allow ACLs
│       status code: 400, request id: X2ZV32QWJ18HH28J, host id: 5fACAu8r7thf75NKzp/ol9jCtLW3Qmd9p/obgOUmDhEBhhVDeA6ONc2CBzZN8jdgSTHupclKeWg=
│
│   with module.s3_bucket_for_logs.aws_s3_bucket_acl.this[0],
│   on .terraform/modules/s3_bucket_for_logs/main.tf line 40, in resource "aws_s3_bucket_acl" "this":
│   40: resource "aws_s3_bucket_acl" "this" {
│
╵

Terminal Output Screenshot(s)

I've run into this as well. It seems to be sourced by a change AWS announced in December for this month (April 2023) wherein S3 buckets would have ACls disabled by default (https://aws.amazon.com/about-aws/whats-new/2022/12/amazon-s3-automatically-enable-block-public-access-disable-access-control-lists-buckets-april-2023/).

If you're setting ACL to be 'private', you can probably workaround this issue by setting the ACL property to 'null' instead.

If you're setting the ACL property in a useful manner (as the filer does) check the 'control_object_ownership' property, and then the affiliated 'object_ownership' setting. I think by setting 'control_object_ownership' to true (it defaults to false) you can restore expected behavior.

Adding 'control_object_ownership' to true changed the object ownership but it did not attach the ACL to the s3 bucket. So the solution am adding to yours is just add the depends on attribute of resource "aws_s3_bucket_ownership_controls" inside the terraform aws s3 module in resource "aws_s3_bucket_acl".So now when u do a terraform apply it will give the ownership first and then attach the provided ACL also to the bucket.

[gauransh-dzip]

@antonbabenko Please review this error, as it is crashing major of our deployments.

[antonbabenko]

Please submit a PR with the required changes. I don't have time to come up with the fix myself.

[cageyv]

https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-ownership-migrating-acls-prerequisites.html#object-ownership-server-access-logs

^^ migration guide from ACL to Policy

[viyullas]

We are still having issues with the module. We are on TF 1.4.5 and aws provider 4.64.0
We create a bucket to contain some logs from load balancer and cloudfront distributions. I t was working flawlesly until yesterday.

module "s3_bucket_for_logs" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "3.9.0"
  bucket  = "${terraform.workspace}-lb-cloudfront-logs-${random_string.random_suffix.result}"
  acl     = "log-delivery-write"
  force_destroy = true
  attach_elb_log_delivery_policy = true
  lifecycle_rule = [
    {
      id      = "logs"
      enabled = true
      expiration = {
        days = local.settings.lb_logs_expiration
      }
    }
  ]
}

Error: creating CloudFront Distribution: InvalidArgument: The S3 bucket that you specified for CloudFront logs does not enable ACL access: aabella-lb-cloudfront-logs-bogx.s3.amazonaws.com
      status code: 400, request id: a0c3d318-4cac-4462-9858-6ae300777cee

  with module.landing_giro[0].aws_cloudfront_distribution.s3_distribution,
  on ../stack-landing/main.tf line 50, in resource "aws_cloudfront_distribution" "s3_distribution":
  50: resource "aws_cloudfront_distribution" "s3_distribution" {



Error: Error putting S3 policy: AccessDenied: Access Denied
      status code: 403, request id: R6R69YT94E6MD3MB, host id: +YgEQYwYVJEU/871fE+3iAfuq6G6b/UbwQjdUPPy0PX8Yu01BQ63mBtWxIZWWOtZzznPxU+66MQ=

  with module.landing_giro[0].aws_s3_bucket_policy.landing,
  on ../stack-landing/main.tf line 162, in resource "aws_s3_bucket_policy" "landing":
 162: resource "aws_s3_bucket_policy" "landing" {



Error: error creating S3 bucket ACL for aabella-lb-cloudfront-logs-bogx: AccessControlListNotSupported: The bucket does not allow ACLs
      status code: 400, request id: MPAM2DGVP5A228FG, host id: AkqAYA2I0bh2rOwzMcad+IvHslxxKJvYgtUhS3E+SajzfYRTjEaIyqrODVWWzN1gTRuBoNAN+6dv8cYl/EisyQ==

  with module.s3_bucket_for_logs.aws_s3_bucket_acl.this[0],
  on .terraform/modules/s3_bucket_for_logs/main.tf line 41, in resource "aws_s3_bucket_acl" "this":
  41: resource "aws_s3_bucket_acl" "this" {

[yoyoman21]

We are still having issues with the module. We are on TF 1.4.5 and aws provider 4.64.0 We create a bucket to contain some logs from load balancer and cloudfront distributions. I t was working flawlesly until yesterday.

module "s3_bucket_for_logs" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "3.9.0"
  bucket  = "${terraform.workspace}-lb-cloudfront-logs-${random_string.random_suffix.result}"
  acl     = "log-delivery-write"
  force_destroy = true
  attach_elb_log_delivery_policy = true
  lifecycle_rule = [
    {
      id      = "logs"
      enabled = true
      expiration = {
        days = local.settings.lb_logs_expiration
      }
    }
  ]
}

Error: creating CloudFront Distribution: InvalidArgument: The S3 bucket that you specified for CloudFront logs does not enable ACL access: aabella-lb-cloudfront-logs-bogx.s3.amazonaws.com
      status code: 400, request id: a0c3d318-4cac-4462-9858-6ae300777cee

  with module.landing_giro[0].aws_cloudfront_distribution.s3_distribution,
  on ../stack-landing/main.tf line 50, in resource "aws_cloudfront_distribution" "s3_distribution":
  50: resource "aws_cloudfront_distribution" "s3_distribution" {



Error: Error putting S3 policy: AccessDenied: Access Denied
      status code: 403, request id: R6R69YT94E6MD3MB, host id: +YgEQYwYVJEU/871fE+3iAfuq6G6b/UbwQjdUPPy0PX8Yu01BQ63mBtWxIZWWOtZzznPxU+66MQ=

  with module.landing_giro[0].aws_s3_bucket_policy.landing,
  on ../stack-landing/main.tf line 162, in resource "aws_s3_bucket_policy" "landing":
 162: resource "aws_s3_bucket_policy" "landing" {



Error: error creating S3 bucket ACL for aabella-lb-cloudfront-logs-bogx: AccessControlListNotSupported: The bucket does not allow ACLs
      status code: 400, request id: MPAM2DGVP5A228FG, host id: AkqAYA2I0bh2rOwzMcad+IvHslxxKJvYgtUhS3E+SajzfYRTjEaIyqrODVWWzN1gTRuBoNAN+6dv8cYl/EisyQ==

  with module.s3_bucket_for_logs.aws_s3_bucket_acl.this[0],
  on .terraform/modules/s3_bucket_for_logs/main.tf line 41, in resource "aws_s3_bucket_acl" "this":
  41: resource "aws_s3_bucket_acl" "this" {

u need to add control object ownership = true and object_ownership ="ObjectWriter" .Refer the examples

[viyullas]

You are right, thanks a lot.

[armenr]

Came here for the same exact problem. For anyone else that lands here, here's the fix:

  control_object_ownership = true
  object_ownership         = "ObjectWriter"

[antpaw]

for buckets to store cdn/application logs use this

resource "aws_s3_bucket" "application_logs" {
  bucket = "x"
}

resource "aws_s3_bucket_ownership_controls" "application_logs" {
  bucket = aws_s3_bucket.application_logs.id

  rule {
    object_ownership = "ObjectWriter"
  }
}

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.