# Resource: aws_s3_bucket_acl

Provides an S3 bucket ACL resource.

For more information about access rights for buckets, see the user documentation.

~> **Note** `terraform destroy` does not delete the S3 bucket ACL but does remove the resource from Terraform state.
## Example Usage

### With ACL

```hcl
resource "aws_s3_bucket" "example" {
  bucket = "tf-example"

  # Use the predefined provider configuration to connect to object storage
  # https://docs.k2.cloud/en/api/tools/terraform.html#providers-tf
  provider = aws.noregion
}

resource "aws_s3_bucket_acl" "example_bucket_acl" {
  bucket = aws_s3_bucket.example.id
  acl    = "private"
}
```
### With Grants

```hcl
data "aws_canonical_user_id" "current" {}

resource "aws_s3_bucket" "example" {
  bucket = "tf-example"

  # Use the predefined provider configuration to connect to object storage
  # https://docs.k2.cloud/en/api/tools/terraform.html#providers-tf
  provider = aws.noregion
}

resource "aws_s3_bucket_acl" "example" {
  bucket = aws_s3_bucket.example.id

  access_control_policy {
    grant {
      grantee {
        id   = data.aws_canonical_user_id.current.id
        type = "CanonicalUser"
      }
      permission = "READ"
    }

    grant {
      grantee {
        type = "Group"
        uri  = "http://acs.amazonaws.com/groups/global/AllUsers"
      }
      permission = "READ_ACP"
    }

    owner {
      id = data.aws_canonical_user_id.current.id
    }
  }
}
```
## Argument Reference

The following arguments are supported:

- `acl` - (Optional, Conflicts with `access_control_policy`) The canned ACL to apply to the bucket. Valid values are `private`, `public-read`, `public-read-write`, `authenticated-read`.
- `access_control_policy` - (Optional, Conflicts with `acl`) A configuration block that sets the ACL permissions for an object per grantee, documented below.
- `bucket` - (Required, Forces new resource) The name of the bucket.
### access_control_policy

The `access_control_policy` configuration block supports the following arguments:

- `grant` - (Required) Set of `grant` configuration blocks, documented below.
- `owner` - (Required) Configuration block of the bucket owner's display name and ID, documented below.
### grant

The `grant` configuration block supports the following arguments:

- `grantee` - (Required) Configuration block for the person being granted permissions, documented below.
- `permission` - (Required) Permission assigned to the grantee for the bucket. Valid values are `READ`, `WRITE`, `READ_ACP`, `WRITE_ACP`, `FULL_CONTROL`.
### owner

The `owner` configuration block supports the following arguments:

- `id` - (Required) The ID of the owner.
- `display_name` - (Optional) The display name of the owner.
### grantee

The `grantee` configuration block supports the following arguments:

- `email_address` - (Optional) Email address of the grantee (S3 Project email). Used only when `type` is `AmazonCustomerByEmail`.
- `id` - (Optional) The canonical user ID of the grantee (S3 User ID). Used only when `type` is `CanonicalUser`.
- `type` - (Required) Type of grantee. Valid values: `CanonicalUser`, `AmazonCustomerByEmail`, `Group`.
- `uri` - (Optional) URI of the grantee group. Supported groups are `http://acs.amazonaws.com/groups/global/AllUsers` and `http://acs.amazonaws.com/groups/global/AuthenticatedUsers`. Used only when `type` is `Group`.
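Because an `access_control_policy` can hand `READ_ACP` or more to the `AllUsers` group, as the grants example above does, it is worth auditing such blocks before they are applied. The following Python is an added example, not code from the provider or this documentation; it models the policy as a plain dictionary using the field names from this page and flags grants to the two public group URIs, ACL-rewriting grants to non-owners, and grantee blocks whose fields do not match their `type`.

```python
# Added example, not part of the provider documentation: audit an
# aws_s3_bucket_acl access_control_policy for grants that expose the bucket.
# The policy is the same nested structure the resource takes:
# owner{id}, grant[]{grantee{type,id,uri,email_address}, permission}.

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PERMISSIONS = {"READ", "WRITE", "READ_ACP", "WRITE_ACP", "FULL_CONTROL"}
# The grantee field each type must carry, per the grantee argument reference.
REQUIRED_FIELD = {"CanonicalUser": "id", "AmazonCustomerByEmail": "email_address", "Group": "uri"}

def check_grant(grant, owner_id):
    """Return (severity, message) findings for one grant block."""
    findings = []
    grantee, perm = grant["grantee"], grant["permission"]
    gtype = grantee.get("type")
    if perm not in PERMISSIONS:
        findings.append(("error", f"unknown permission {perm!r}"))
    if gtype not in REQUIRED_FIELD:
        return findings + [("error", f"unknown grantee type {gtype!r}")]
    if not grantee.get(REQUIRED_FIELD[gtype]):
        findings.append(("error", f"{gtype} grantee needs {REQUIRED_FIELD[gtype]}"))
    if gtype == "Group":
        if grantee.get("uri") == ALL_USERS:
            findings.append(("high", f"{perm} granted to everyone (AllUsers)"))
        elif grantee.get("uri") == AUTHENTICATED_USERS:
            findings.append(("high", f"{perm} granted to any authenticated account"))
    elif grantee.get("id") != owner_id and perm in {"WRITE_ACP", "FULL_CONTROL"}:
        # Anyone who can rewrite the ACL can grant themselves everything else.
        who = grantee.get("id") or grantee.get("email_address")
        findings.append(("medium", f"{perm} lets non-owner {who} rewrite the ACL"))
    return findings

def audit_policy(policy):
    """Collect findings across every grant in an access_control_policy."""
    owner_id = policy["owner"]["id"]
    return [f for g in policy["grant"] for f in check_grant(g, owner_id)]

# Constructed sample mirroring the "With Grants" example; the owner id is a
# placeholder, not a real canonical user id.
OWNER = "OWNER-CANONICAL-ID-PLACEHOLDER"
SAMPLE_POLICY = {
    "owner": {"id": OWNER},
    "grant": [
        {"grantee": {"type": "CanonicalUser", "id": OWNER}, "permission": "READ"},
        {"grantee": {"type": "Group", "uri": ALL_USERS}, "permission": "READ_ACP"},
    ],
}
```

Running `audit_policy(SAMPLE_POLICY)` reports the one `READ_ACP` grant to `AllUsers` as a high-severity finding and nothing for the owner's own `READ` grant.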
## Attributes Reference

### Supported attributes

In addition to all arguments above, the following attributes are exported:

- `id` - The `bucket` and `acl` (if configured) separated by a comma (`,`).

### Unsupported attributes

~> **Note** These attributes may be present in the `terraform.tfstate` file, but they have preset values and cannot be specified in configuration files.

The following attributes are not currently supported: `expected_bucket_owner`.
## Import

An S3 bucket ACL can be imported in one of two ways.

If the source bucket is not configured with a canned ACL (i.e. a predefined grant), the S3 bucket ACL resource should be imported using the `bucket`, e.g.,

```
$ terraform import aws_s3_bucket_acl.example bucket-name
```

If the source bucket is configured with a canned ACL (i.e. a predefined grant), the S3 bucket ACL resource should be imported using the `bucket` and `acl` separated by a comma (`,`), e.g.,

```
$ terraform import aws_s3_bucket_acl.example bucket-name,private
```