
I have an S3 bucket which is used as an access logging bucket.

Here is my current module and resource TF code for that:

module "access_logging_bucket" {
    source      = "../../resources/s3_bucket"
    environment = var.environment
    region      = var.region
    # Canned ACL that lets the S3 Log Delivery group write into the bucket.
    acl         = "log-delivery-write"

    encryption_key_alias = "alias/ab-data-key"

    name     = "access-logging"
    name_tag = "Access logging bucket"
}

resource "aws_s3_bucket" "default" {
    # Random suffix keeps the bucket name globally unique.
    bucket = "ab-${var.environment}-${var.name}-${random_id.bucket_suffix.hex}"
    # Canned ACL; defaults to "private" unless the module passes something else.
    acl    = var.acl

    depends_on = [data.template_file.dependencies]

    tags = {
        name = var.name_tag
        . . .
    }

    lifecycle {
        ignore_changes = [ "server_side_encryption_configuration" ]
    }
}

The default value of the acl variable is variable "acl" { default = "private" } in my case, which is also the default stated in the Terraform S3 bucket attribute reference doc.

And for this bucket it is set to log-delivery-write.

I want to update it to add the following grants and remove acl, as the two conflict with each other:

# Lets the S3 Log Delivery group write log objects and read the bucket ACL.
grant {
    permissions = ["READ_ACP", "WRITE"]
    type        = "Group"
    uri         = "http://acs.amazonaws.com/groups/s3/LogDelivery"
}
# Keeps full control for the bucket owner (the current account).
grant {
    id          = data.aws_canonical_user_id.current.id
    permissions = ["FULL_CONTROL"]
    type        = "CanonicalUser"
}

My Questions are:

  1. Does removing the acl attribute and adding the above-mentioned grants still maintain the correct access control for the bucket, i.e. is that grant configuration still good enough for this to serve as an access logging bucket?
  2. If I remove the acl from the resource config, it will make it private, which is the default value. Is that the correct thing to do, or should it be set to null or something?

On checking some documentation for the Log Delivery group I found this, which leads me to think I can go ahead with replacing the acl with the grants I mentioned:

Log Delivery group – Represented by http://acs.amazonaws.com/groups/s3/LogDelivery . WRITE permission on a bucket enables this group to write server access logs (see Amazon S3 server access logging) to the bucket. When using ACLs, a grantee can be an AWS account or one of the predefined Amazon S3 groups.

1 Answer


Based on the grant-log-delivery-permissions-general documentation, I went ahead and ran terraform apply.

On the first run it set the bucket owner permission correctly but removed the S3 log delivery group. So I ran terraform plan again, and it showed the following acl grant differences. I think it most likely first updated the acl value, which removed the grant for the log delivery group.

So I re-ran terraform apply and it worked fine and corrected the log delivery group as well.

  # module.buckets.module.access_logging_bucket.aws_s3_bucket.default will be updated in-place
  ~ resource "aws_s3_bucket" "default" {
        acl                         = "private"
        bucket                      = "ml-mxs-stage-access-logging-9d8e94ff"
        force_destroy               = false
        . . .
        tags                        = {
            "name"                                = "Access logging bucket"
            . . .
        }

      + grant {
          + permissions = [
              + "READ_ACP",
              + "WRITE",
            ]
          + type        = "Group"
          + uri         = "http://acs.amazonaws.com/groups/s3/LogDelivery"
        }
      + grant {
          + id          = "ID_VALUE"
          + permissions = [
              + "FULL_CONTROL",
            ]
          + type        = "CanonicalUser"
        }
        . . .
    }

Plan: 0 to add, 1 to change, 0 to destroy.
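Because the answer above shows that a single apply can leave the bucket without the Log Delivery grant, a practitioner will want to verify the resulting ACL outside Terraform rather than trust the plan. The following is an added example, not part of the question or the answer, that checks the JSON returned by aws s3api get-bucket-acl for exactly what the S3 documentation quoted in the question requires of a server access logging target: WRITE (plus READ_ACP) for the Log Delivery group, FULL_CONTROL for the bucket owner, and nothing granted to anyone else. The owner canonical ID, display name and the two sample ACLs are constructed values; the second sample models the state the answer describes after the first apply, when only the owner grant was present.

```python
"""Verify an S3 bucket ACL is suitable as a server access logging target.

Usage: aws s3api get-bucket-acl --bucket <name> | python check_logging_acl.py
"""
import json
import sys

LOG_DELIVERY_URI = "http://acs.amazonaws.com/groups/s3/LogDelivery"
# Grants to these predefined groups make the bucket world- or AWS-wide-readable/writable.
PUBLIC_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
REQUIRED_LOG_DELIVERY_PERMS = {"WRITE", "READ_ACP"}

# Constructed sample owner ID (real canonical IDs are 64 hex characters).
OWNER_ID = "a" * 64

# Constructed sample: the ACL the grant blocks in the question should produce.
# get-bucket-acl lists one grant per permission, so the group appears twice.
GOOD_ACL = {
    "Owner": {"DisplayName": "example-account", "ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY_URI}, "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY_URI}, "Permission": "READ_ACP"},
        {
            "Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID, "DisplayName": "example-account"},
            "Permission": "FULL_CONTROL",
        },
    ],
}

# Constructed sample: what the answer describes after the first apply,
# the owner grant present but the Log Delivery group gone.
OWNER_ONLY_ACL = {
    "Owner": {"DisplayName": "example-account", "ID": OWNER_ID},
    "Grants": [
        {
            "Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID, "DisplayName": "example-account"},
            "Permission": "FULL_CONTROL",
        },
    ],
}


def grantee_key(grantee):
    """Collapse a grantee dict into a hashable (type, identifier) pair."""
    if grantee["Type"] == "Group":
        return ("Group", grantee["URI"])
    return (grantee["Type"], grantee.get("ID") or grantee.get("EmailAddress"))


def permissions_by_grantee(acl):
    """Map each grantee to the set of permissions it holds."""
    perms = {}
    for grant in acl["Grants"]:
        perms.setdefault(grantee_key(grant["Grantee"]), set()).add(grant["Permission"])
    return perms


def check_logging_bucket_acl(acl):
    """Return a list of problems; an empty list means the ACL is good for a log target."""
    problems = []
    perms = permissions_by_grantee(acl)
    owner = ("CanonicalUser", acl["Owner"]["ID"])
    log_delivery = ("Group", LOG_DELIVERY_URI)

    missing = REQUIRED_LOG_DELIVERY_PERMS - perms.get(log_delivery, set())
    if missing:
        problems.append(f"LogDelivery group is missing {sorted(missing)}")
    if "FULL_CONTROL" not in perms.get(owner, set()):
        problems.append("bucket owner lacks FULL_CONTROL")
    for key, held in sorted(perms.items()):
        if key[0] == "Group" and key[1] in PUBLIC_URIS:
            problems.append(f"public grant to {key[1]}: {sorted(held)}")
        elif key not in (owner, log_delivery):
            problems.append(f"unexpected grantee {key}: {sorted(held)}")
    return problems


def check_from_json(text):
    """Run the check on raw get-bucket-acl output."""
    return check_logging_bucket_acl(json.loads(text))


if __name__ == "__main__":
    issues = check_from_json(sys.stdin.read())
    for issue in issues:
        print("PROBLEM:", issue)
    sys.exit(1 if issues else 0)
```

Run it after each terraform apply; a non-zero exit on the first run would have caught the missing Log Delivery grant the answer describes before any log deliveries were silently dropped.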