From cf5588e45d0a357494fdd820e5409c46329f26e4 Mon Sep 17 00:00:00 2001
From: Brandon Achu
Date: Thu, 25 May 2023 15:56:27 -0400
Subject: [PATCH] TME-2253: Refactor New CloudTrail ACL Configurations

---
 README.md | 3 +--
 s3.tf | 28 +++++++++++++++++++---------
 2 files changed, 20 insertions(+), 11 deletions(-)

diff --git a/README.md b/README.md
index 6ab6d41..4a1d679 100644
--- a/README.md
+++ b/README.md
@@ -91,10 +91,9 @@ Please contact your Engagement Manager if you have an existing CloudTrail with a
 | [aws_kms_key.notification_encryption_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_s3_bucket.cloudtrail_access_log_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket.cloudtrail_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
-| [aws_s3_bucket_acl.cloudtrail_access_log_bucket_acl](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
-| [aws_s3_bucket_acl.cloudtrail_bucket_acl](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
 | [aws_s3_bucket_logging.cloudtrail_bucket_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
 | [aws_s3_bucket_notification.cloudtrail_bucket_notification](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_notification) | resource |
+| [aws_s3_bucket_policy.cloudtrail_access_log_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_policy.cloudtrail_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_public_access_block.cloudtrail_access_log_bucket_public_access_block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
 | [aws_s3_bucket_public_access_block.cloudtrail_bucket_public_access_block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
diff --git a/s3.tf b/s3.tf
index cdfeb6e..6504bad 100644
--- a/s3.tf
+++ b/s3.tf
@@ -12,13 +12,6 @@ resource "aws_s3_bucket" "cloudtrail_bucket" {
   tags = local.tags
 }
 
-resource "aws_s3_bucket_acl" "cloudtrail_bucket_acl" {
-  count = var.existing_cloudtrail_bucket_name == null ? 1 : 0
-
-  bucket = aws_s3_bucket.cloudtrail_bucket[0].id
-  acl = "private"
-}
-
 resource "aws_s3_bucket_versioning" "cloudtrail_bucket_versioning" {
   count = var.existing_cloudtrail_bucket_name == null && var.enable_bucket_versioning ? 1 : 0
 
@@ -58,11 +51,28 @@ resource "aws_s3_bucket" "cloudtrail_access_log_bucket" {
   tags = local.tags
 }
 
-resource "aws_s3_bucket_acl" "cloudtrail_access_log_bucket_acl" {
+resource "aws_s3_bucket_policy" "cloudtrail_access_log_bucket_policy" {
   count = var.existing_cloudtrail_bucket_name == null && var.enable_bucket_access_logging ? 1 : 0
 
   bucket = aws_s3_bucket.cloudtrail_access_log_bucket[0].id
-  acl = "log-delivery-write"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid = "LogDeliveryPermissions",
+        Effect = "Allow",
+        Principal = {
+          Service = "logs.amazonaws.com"
+        },
+        Action = ["s3:PutObject", "s3:GetBucketAcl"],
+        Resource = [
+          "arn:aws:s3:::${aws_s3_bucket.cloudtrail_access_log_bucket[0].id}/*",
+          "arn:aws:s3:::${aws_s3_bucket.cloudtrail_access_log_bucket[0].id}",
+        ]
+      }
+    ]
+  })
 }
 
 resource "aws_s3_bucket_versioning" "cloudtrail_access_log_bucket_versioning" {
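Review bot: The new bucket policy's principal `logs.amazonaws.com` is the CloudWatch Logs service, but this bucket is the target of S3 server access logging (the ACL it replaces was `log-delivery-write`, and the README lists `aws_s3_bucket_logging.cloudtrail_bucket_logging`); S3 delivers access logs as `logging.s3.amazonaws.com`, so as written the delivery will be denied and the access-log bucket will stay empty. For that use case only `s3:PutObject` on the object ARN is required, so `s3:GetBucketAcl` and the bucket-level Resource entry can be dropped. The statement also carries no `Condition`, which lets any account point its access logging at this bucket; restrict it with `aws:SourceArn` to the source bucket, and `aws:SourceAccount` if the module already has the account id available (not visible in this hunk). The hard-coded `arn:aws:s3:::` prefix should come from `aws_s3_bucket.cloudtrail_access_log_bucket[0].arn` so the module also works in non-standard partitions. Since both ACL resources are removed, the buckets presumably rely on object ownership being `BucketOwnerEnforced`; confirm an ownership-controls resource exists elsewhere in the module, as it is outside this hunk.

```hcl
resource "aws_s3_bucket_policy" "cloudtrail_access_log_bucket_policy" {
  # … unchanged: count and bucket …

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "LogDeliveryPermissions",
        Effect = "Allow",
        Principal = {
          Service = "logging.s3.amazonaws.com"
        },
        Action   = ["s3:PutObject"],
        Resource = "${aws_s3_bucket.cloudtrail_access_log_bucket[0].arn}/*",
        Condition = {
          ArnLike = {
            "aws:SourceArn" = aws_s3_bucket.cloudtrail_bucket[0].arn
          }
        }
      }
    ]
  })
}
```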