diff --git a/README.md b/README.md
index 5448d0d..7c4e126 100644
--- a/README.md
+++ b/README.md
@@ -141,13 +141,15 @@ Available targets:
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 0.13.0 |
-| [aws](#requirement\_aws) | >= 2.0 |
+| [aws](#requirement\_aws) | >= 3.0 |
+| [time](#requirement\_time) | >= 0.7 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | >= 2.0 |
+| [aws](#provider\_aws) | >= 3.0 |
+| [time](#provider\_time) | >= 0.7 |
 
 ## Modules
 
@@ -161,9 +163,11 @@ Available targets:
 |------|------|
 | [aws_s3_bucket.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket_notification.bucket_notification](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_notification) | resource |
+| [aws_s3_bucket_ownership_controls.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
 | [aws_s3_bucket_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_public_access_block.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
 | [aws_sqs_queue.notifications](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
+| [time_sleep.wait_for_aws_s3_bucket_settings](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.aggregated_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
diff --git a/docs/terraform.md b/docs/terraform.md
index cf84a09..dd0e8d4 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -4,13 +4,15 @@
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 0.13.0 |
-| [aws](#requirement\_aws) | >= 2.0 |
+| [aws](#requirement\_aws) | >= 3.0 |
+| [time](#requirement\_time) | >= 0.7 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | >= 2.0 |
+| [aws](#provider\_aws) | >= 3.0 |
+| [time](#provider\_time) | >= 0.7 |
 
 ## Modules
 
@@ -24,9 +26,11 @@
 |------|------|
 | [aws_s3_bucket.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket_notification.bucket_notification](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_notification) | resource |
+| [aws_s3_bucket_ownership_controls.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
 | [aws_s3_bucket_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_public_access_block.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
 | [aws_sqs_queue.notifications](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
+| [time_sleep.wait_for_aws_s3_bucket_settings](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.aggregated_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
diff --git a/main.tf b/main.tf
index 4632762..10d49a5 100644
--- a/main.tf
+++ b/main.tf
@@ -178,3 +178,25 @@ resource "aws_s3_bucket_public_access_block" "default" {
 ignore_public_acls = var.ignore_public_acls
 restrict_public_buckets = var.restrict_public_buckets
 }
+
+# Per https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html
+# It is safe to always set to BucketOwnerPreferred. The bucket owner will own the object
+# if the object is uploaded with the bucket-owner-full-control canned ACL. Without
+# this setting and canned ACL, the object is uploaded and remains owned by the uploading account.
+resource "aws_s3_bucket_ownership_controls" "default" {
+ count = module.this.enabled ? 1 : 0
+ bucket = join("", aws_s3_bucket.default.*.id)
+
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
+ depends_on = [time_sleep.wait_for_aws_s3_bucket_settings]
+}
+
+# Workaround S3 eventual consistency for settings objects
+resource "time_sleep" "wait_for_aws_s3_bucket_settings" {
+ count = module.this.enabled ? 1 : 0
+ depends_on = [aws_s3_bucket_public_access_block.default, aws_s3_bucket_policy.default]
+ create_duration = "30s"
+ destroy_duration = "30s"
+}
diff --git a/versions.tf b/versions.tf
index 5b2c49b..ac1455d 100644
--- a/versions.tf
+++ b/versions.tf
@@ -4,7 +4,11 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 2.0"
+ version = ">= 3.0"
+ }
+ time = {
+ source = "hashicorp/time"
+ version = ">= 0.7"
 }
 }
 }
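Review bot: `object_ownership` is hard-coded to `"BucketOwnerPreferred"` in the new `aws_s3_bucket_ownership_controls.default` block, and the comment above it ("safe to always set") overstates what that value guarantees: as the comment's own last sentence admits, the bucket owner only takes ownership when the uploader sends the `bucket-owner-full-control` canned ACL, so cross-account writers that omit it still leave objects owned by the uploading account. Expose the value as a module input, defaulting to `BucketOwnerPreferred` for backward compatibility, so operators can select `BucketOwnerEnforced` (which disables ACLs and makes the bucket owner own every object): `object_ownership = var.s3_object_ownership`, with the variable declared alongside the module's other inputs and a `validation` block restricting it to the provider's accepted values. If that is done, check that the `aws >= 3.0` lower bound in versions.tf is high enough for the enforced mode, which I believe the provider only gained in a later 3.x release. The `time_sleep` resource also fixes `create_duration` and `destroy_duration` at `"30s"` with no explanation of the number; a one-line comment such as `# 30s chosen empirically; S3 bucket-setting writes are eventually consistent` or a variable would make the cost of the extra minute per apply/destroy visible to module users.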