
Error creating S3 bucket ACL for $BUCKET: AccessControlListNotSupported: The bucket does not allow ACLs #223

Closed
grommir opened this issue Apr 19, 2023 · 12 comments · Fixed by #226 or aws-ia/terraform-aws-mwaa#39

Comments


grommir commented Apr 19, 2023

Description

Getting the error `Error: error creating S3 bucket ACL for test-bucket20230419084229361100000001: AccessControlListNotSupported: The bucket does not allow ACLs`
while trying to create an S3 bucket using slightly modified code from the example.

  • ✋ I have searched the open/closed issues and my issue is not listed.

Versions

  • Module version [Required]:
    3.8.2

  • Terraform version:
    Terraform v1.4.5

  • Provider version(s):
    provider registry.terraform.io/hashicorp/aws v4.63.0

Reproduction Code [Required]

```hcl
terraform {
  required_version = ">= 1.0.11"
}
variable "env" {
  description = "The name of the environment we are deploying to"
  type        = string
  default     = "test"
}
provider "aws" {
  region = "us-east-2"
  default_tags {
    tags = {
      Environment        = var.env
      ManagedByTerraform = true
    }
  }
}
module "s3_bucket_for_logs" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "3.8.2"

  bucket_prefix = "test-bucket"
  acl           = "log-delivery-write"

  # Allow deletion of non-empty bucket
  force_destroy = true

  attach_elb_log_delivery_policy = true # Required for ALB logs
  attach_lb_log_delivery_policy  = true # Required for ALB/NLB logs
}
```

Steps to reproduce the behavior:
`terraform init && terraform apply`

Expected behavior

Bucket with attached ACL created

Actual behavior

Got error

```
╷
│ Error: error creating S3 bucket ACL for test-bucket20230419084229361100000001: AccessControlListNotSupported: The bucket does not allow ACLs
│       status code: 400, request id: X2ZV32QWJ18HH28J, host id: 5fACAu8r7thf75NKzp/ol9jCtLW3Qmd9p/obgOUmDhEBhhVDeA6ONc2CBzZN8jdgSTHupclKeWg=
│
│   with module.s3_bucket_for_logs.aws_s3_bucket_acl.this[0],
│   on .terraform/modules/s3_bucket_for_logs/main.tf line 40, in resource "aws_s3_bucket_acl" "this":
│   40: resource "aws_s3_bucket_acl" "this" {
│
╵
```



owen-wessling commented Apr 20, 2023

I've run into this as well. It seems to be sourced by a change AWS announced in December for this month (April 2023) wherein S3 buckets would have ACLs disabled by default (https://aws.amazon.com/about-aws/whats-new/2022/12/amazon-s3-automatically-enable-block-public-access-disable-access-control-lists-buckets-april-2023/).

If you're setting ACL to be 'private', you can probably work around this issue by setting the ACL property to 'null' instead.

If you're setting the ACL property in a useful manner (as the filer does) check the 'control_object_ownership' property, and then the affiliated 'object_ownership' setting. I think by setting 'control_object_ownership' to true (it defaults to false) you can restore expected behavior.
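The module-side configuration that the comment above describes, written out as an added example (it is not code from the issue or from the terraform-aws-modules project). It assumes module version 3.9.0, a placeholder bucket prefix, and that the bucket exists to receive log delivery that writes through ACLs; the block-public-access inputs are set explicitly to show that enabling ACLs does not require loosening public access, since the `log-delivery-write` grant goes to the LogDelivery group rather than to AllUsers or AuthenticatedUsers.

```hcl
# Added example, not the project's own code. Bucket prefix is a placeholder.
module "s3_bucket_for_logs" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "3.9.0"

  bucket_prefix = "example-lb-logs-" # placeholder prefix
  force_destroy = true

  # Buckets created after April 2023 default to BucketOwnerEnforced ownership,
  # which rejects every PutBucketAcl with AccessControlListNotSupported.
  # Log delivery that writes through ACLs needs ACLs enabled, so ownership is
  # switched to ObjectWriter before the canned ACL is attached.
  control_object_ownership = true
  object_ownership         = "ObjectWriter"
  acl                      = "log-delivery-write"

  # Keep block-public-access fully on. The LogDelivery group grant above is
  # not a public grant, so it is not blocked by block_public_acls.
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true

  # Load balancer log delivery is granted through the bucket policy, not the ACL.
  attach_elb_log_delivery_policy = true # classic ELB
  attach_lb_log_delivery_policy  = true # ALB / NLB
}
```

Leaving `control_object_ownership` at its default (false) means the module never creates the ownership-controls resource, so the bucket keeps the new BucketOwnerEnforced default and any `acl` value other than null fails exactly as reported in this issue.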


grommir commented Apr 20, 2023

In fact, we avoided this by simply removing the acl entry from the module's input.
But there is one more follow-up issue. Adding attach_policy = true also throws an error.

```
╷
│ Error: Error putting S3 policy: AccessDenied: Access Denied
│ 	status code: 403, request id: WZKWPS8N7FTZCNXD, host id: P+bcTjyWh1aeFe+IEA5UBvRSVvHRULYF1mQwNahr6hmdEdcAW2bDb3n6lyaLq7tlePQ4tyTip6E=
│ 
│   with module.front_end.aws_s3_bucket_policy.read_access,
│   on .terraform/modules/front_end/modules/fe-pr-environment/main.tf line 34, in resource "aws_s3_bucket_policy" "read_access":
│   34: resource "aws_s3_bucket_policy" "read_access" {
│ 
╵
```

Right now I changed it to this, and it works for me:

```hcl
module "s3_bucket" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "3.8.2"

  bucket_prefix = "${var.app_name}-${var.env}-"

  force_destroy = true

  website = {
    index_document = "index.html"
    error_document = "index.html"
  }

}

data "aws_iam_policy_document" "read_access" {
  statement {
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    actions   = ["s3:GetObject"]
    resources = ["${module.s3_bucket.s3_bucket_arn}/*"]
  }
}

# Needed to avoid `Error putting S3 policy: AccessDenied: Access Denied`
resource "time_sleep" "wait_2_seconds" {
  depends_on      = [module.s3_bucket.s3_bucket_website_domain]
  create_duration = "2s"
}

resource "aws_s3_bucket_policy" "read_access" {
  bucket = module.s3_bucket.s3_bucket_id
  policy = data.aws_iam_policy_document.read_access.json

  depends_on = [
    time_sleep.wait_2_seconds
  ]
}
```


yoyoman21 commented Apr 21, 2023

> If you're setting the ACL property in a useful manner (as the filer does) check the 'control_object_ownership' property, and then the affiliated 'object_ownership' setting. I think by setting 'control_object_ownership' to true (it defaults to false) you can restore expected behavior.

Adding 'control_object_ownership' = true changed the object ownership, but it did not attach the ACL to the S3 bucket. So the solution I am adding to yours is just to add the depends_on attribute for resource "aws_s3_bucket_ownership_controls" inside the Terraform AWS S3 module, in resource "aws_s3_bucket_acl". So now when you do a terraform apply it will give the ownership first and then also attach the provided ACL to the bucket.

@gauransh-dzip

@antonbabenko Please review this error, as it is crashing major of our deployments.

@antonbabenko

Please submit a PR with the required changes. I don't have time to come up with the fix myself.


cageyv commented Apr 24, 2023


viyullas commented Apr 27, 2023

We are still having issues with the module. We are on TF 1.4.5 and aws provider 4.64.0.
We create a bucket to contain some logs from a load balancer and CloudFront distributions. It was working flawlessly until yesterday.

```hcl
module "s3_bucket_for_logs" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "3.9.0"
  bucket  = "${terraform.workspace}-lb-cloudfront-logs-${random_string.random_suffix.result}"
  acl     = "log-delivery-write"
  force_destroy = true
  attach_elb_log_delivery_policy = true
  lifecycle_rule = [
    {
      id      = "logs"
      enabled = true
      expiration = {
        days = local.settings.lb_logs_expiration
      }
    }
  ]
}
```

```
Error: creating CloudFront Distribution: InvalidArgument: The S3 bucket that you specified for CloudFront logs does not enable ACL access: aabella-lb-cloudfront-logs-bogx.s3.amazonaws.com
      status code: 400, request id: a0c3d318-4cac-4462-9858-6ae300777cee

  with module.landing_giro[0].aws_cloudfront_distribution.s3_distribution,
  on ../stack-landing/main.tf line 50, in resource "aws_cloudfront_distribution" "s3_distribution":
  50: resource "aws_cloudfront_distribution" "s3_distribution" {


Error: Error putting S3 policy: AccessDenied: Access Denied
      status code: 403, request id: R6R69YT94E6MD3MB, host id: +YgEQYwYVJEU/871fE+3iAfuq6G6b/UbwQjdUPPy0PX8Yu01BQ63mBtWxIZWWOtZzznPxU+66MQ=

  with module.landing_giro[0].aws_s3_bucket_policy.landing,
  on ../stack-landing/main.tf line 162, in resource "aws_s3_bucket_policy" "landing":
 162: resource "aws_s3_bucket_policy" "landing" {


Error: error creating S3 bucket ACL for aabella-lb-cloudfront-logs-bogx: AccessControlListNotSupported: The bucket does not allow ACLs
      status code: 400, request id: MPAM2DGVP5A228FG, host id: AkqAYA2I0bh2rOwzMcad+IvHslxxKJvYgtUhS3E+SajzfYRTjEaIyqrODVWWzN1gTRuBoNAN+6dv8cYl/EisyQ==

  with module.s3_bucket_for_logs.aws_s3_bucket_acl.this[0],
  on .terraform/modules/s3_bucket_for_logs/main.tf line 41, in resource "aws_s3_bucket_acl" "this":
  41: resource "aws_s3_bucket_acl" "this" {
```


> We are still having issues with the module. We are on TF 1.4.5 and aws provider 4.64.0 We create a bucket to contain some logs from load balancer and cloudfront distributions. It was working flawlessly until yesterday.

You need to add `control_object_ownership = true` and `object_ownership = "ObjectWriter"`. Refer to the examples.

@viyullas

You are right, thanks a lot.


armenr commented May 12, 2023

Came here for the same exact problem. For anyone else that lands here, here's the fix:

```hcl
  control_object_ownership = true
  object_ownership         = "ObjectWriter"
```


antpaw commented May 16, 2023

For buckets that store CDN/application logs, use this:

```hcl
resource "aws_s3_bucket" "application_logs" {
  bucket = "x"
}

resource "aws_s3_bucket_ownership_controls" "application_logs" {
  bucket = aws_s3_bucket.application_logs.id

  rule {
    object_ownership = "ObjectWriter"
  }
}
```
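The raw-resource version of the same fix, as an added example that is not code from the issue, from any commenter, or from the module. It completes the ownership-controls snippet above with the ACL resource and makes explicit the ordering that the depends_on fix described earlier in the thread (the one added to the module's `aws_s3_bucket_acl`) relies on. The bucket name is a placeholder; the provider is assumed to be hashicorp/aws 4.x, where these three resources exist separately.

```hcl
# Added example, not the module's or any commenter's code. Bucket name is a placeholder.
resource "aws_s3_bucket" "application_logs" {
  bucket = "example-application-logs" # placeholder name
}

# Ownership must allow ACLs (ObjectWriter or BucketOwnerPreferred) before any
# PutBucketAcl can succeed; the current default BucketOwnerEnforced rejects it
# with AccessControlListNotSupported.
resource "aws_s3_bucket_ownership_controls" "application_logs" {
  bucket = aws_s3_bucket.application_logs.id

  rule {
    object_ownership = "ObjectWriter"
  }
}

# Enabling ACLs for log delivery does not require public access. The
# LogDelivery group grant in log-delivery-write is not a public grant, so
# block_public_acls leaves it alone.
resource "aws_s3_bucket_public_access_block" "application_logs" {
  bucket = aws_s3_bucket.application_logs.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# The ACL references only the bucket, so without depends_on Terraform may
# create it in parallel with the ownership controls and the ACL call can run
# first and fail. depends_on pins the order the S3 API requires.
resource "aws_s3_bucket_acl" "application_logs" {
  bucket = aws_s3_bucket.application_logs.id
  acl    = "log-delivery-write"

  depends_on = [
    aws_s3_bucket_ownership_controls.application_logs,
    aws_s3_bucket_public_access_block.application_logs,
  ]
}
```

The explicit `depends_on` is the whole point: a plain attribute reference to the bucket gives Terraform no reason to sequence the ACL after the ownership change, which is why the module needed the same dependency added internally.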

ffilippopoulos added a commit to utilitywarehouse/system-terraform-modules that referenced this issue May 17, 2023
AWS disabled ACLs on buckets by default:
https://aws.amazon.com/about-aws/whats-new/2022/12/amazon-s3-automatically-enable-block-public-access-disable-access-control-lists-buckets-april-2023/
and applying results in:
```
Error creating S3 bucket ACL for $BUCKET: AccessControlListNotSupported: The bucket does not allow ACLs
```
We need to explicitly enable object ownership to be able to set ACLs on buckets
terraform-aws-modules/terraform-aws-s3-bucket#223 (comment)

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 16, 2023
maiconrocha added a commit to maiconrocha/terraform-aws-mwaa-1 that referenced this issue Sep 25, 2023