I have an S3 bucket which is used as Access logging bucket.
Here is my current module and resource TF code for that:
    module "access_logging_bucket" {
      source               = "../../resources/s3_bucket"
      environment          = "${var.environment}"
      region               = "${var.region}"
      acl                  = "log-delivery-write"
      encryption_key_alias = "alias/ab-data-key"
      name                 = "access-logging"
      name_tag             = "Access logging bucket"
    }

    resource "aws_s3_bucket" "default" {
      bucket     = "ab-${var.environment}-${var.name}-${random_id.bucket_suffix.hex}"
      acl        = "${var.acl}"
      depends_on = [data.template_file.dependencies]

      tags = {
        name = "${var.name_tag}"
        ...
      }

      lifecycle {
        ignore_changes = ["server_side_encryption_configuration"]
      }
    }
The default value of the variable acl is variable "acl" { default = "private" } in my case, and also as stated in the Terraform S3 bucket attribute reference doc. For this bucket it is set to log-delivery-write.
I want to update it to add following grants and remove acl as they conflict with each other:
    grant {
      permissions = ["READ_ACP", "WRITE"]
      type        = "Group"
      uri         = "http://acs.amazonaws.com/groups/s3/LogDelivery"
    }

    grant {
      id          = data.aws_canonical_user_id.current.id
      permissions = ["FULL_CONTROL"]
      type        = "CanonicalUser"
    }
My questions are:
- Does removing the acl attribute and adding the above-mentioned grants still maintain the correct access control for the bucket? I.e., is that grant configuration still good to have this as an access logging bucket?
- If I remove the acl from the resource config, it will make it private, which is the default value. Is that the correct thing to do, or should it be made null or something?
On checking some documentation for the Log Delivery group, I found this, which leads me to think I can go ahead with replacing the acl with the grants I mentioned:

Log Delivery group – Represented by http://acs.amazonaws.com/groups/s3/LogDelivery. WRITE permission on a bucket enables this group to write server access logs (see Amazon S3 server access logging) to the bucket. When using ACLs, a grantee can be an AWS account or one of the predefined Amazon S3 groups.
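Added example, not part of the question or of any answer: the two grant blocks in the question are the explicit form of the log-delivery-write canned ACL, which gives the LogDelivery group WRITE and READ_ACP on the bucket while the bucket owner keeps FULL_CONTROL. The Python below checks an ACL in the shape S3 returns from GetBucketAcl for exactly that, and additionally flags anything granted to the AllUsers or AuthenticatedUsers groups, which an access-logging bucket should never have. The owner id and the two ACL dictionaries are constructed samples.

```python
# Added example (not from the question): verify that a bucket ACL, in the shape
# returned by S3 GetBucketAcl, is equivalent to the log-delivery-write canned ACL
# that the question's two explicit grant blocks reproduce:
#   - the LogDelivery group holds WRITE and READ_ACP
#   - the bucket owner holds FULL_CONTROL
# and, as a defensive extra, that no public group has been granted anything.

LOG_DELIVERY_URI = "http://acs.amazonaws.com/groups/s3/LogDelivery"
ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS_URI = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
REQUIRED_LOG_DELIVERY = {"WRITE", "READ_ACP"}

# Constructed sample owner id; a real canonical user id is a 64-character hex string.
OWNER_ID = "EXAMPLE-CANONICAL-USER-ID-CONSTRUCTED-FOR-THIS-SAMPLE"

# Constructed ACL equivalent to what the question's grant blocks produce.
LOG_DELIVERY_WRITE_ACL = {
    "Owner": {"ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY_URI}, "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY_URI}, "Permission": "READ_ACP"},
    ],
}

# Constructed ACL equivalent to the "private" canned ACL (owner only).
PRIVATE_ACL = {
    "Owner": {"ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"},
    ],
}


def group_permissions(acl, uri):
    """Permissions granted to the predefined S3 group identified by `uri`."""
    return {
        g["Permission"]
        for g in acl.get("Grants", [])
        if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") == uri
    }


def user_permissions(acl, canonical_id):
    """Permissions granted directly to one canonical user id."""
    return {
        g["Permission"]
        for g in acl.get("Grants", [])
        if g["Grantee"].get("Type") == "CanonicalUser" and g["Grantee"].get("ID") == canonical_id
    }


def check_access_logging_acl(acl):
    """Return a list of findings; an empty list means the ACL matches
    log-delivery-write and grants nothing to the public groups."""
    findings = []
    owner_id = acl["Owner"]["ID"]

    missing = REQUIRED_LOG_DELIVERY - group_permissions(acl, LOG_DELIVERY_URI)
    if missing:
        findings.append(f"LogDelivery group is missing {sorted(missing)}")

    if "FULL_CONTROL" not in user_permissions(acl, owner_id):
        findings.append("bucket owner does not hold FULL_CONTROL")

    for uri in (ALL_USERS_URI, AUTH_USERS_URI):
        granted = group_permissions(acl, uri)
        if granted:
            findings.append(f"public group {uri} holds {sorted(granted)}")

    return findings


if __name__ == "__main__":
    print("log-delivery-write:", check_access_logging_acl(LOG_DELIVERY_WRITE_ACL))
    print("private:", check_access_logging_acl(PRIVATE_ACL))
```

To run this against a real bucket after the Terraform change, fetch the ACL with boto3's `s3.get_bucket_acl(Bucket=name)`, which returns a dictionary of this shape (plus a ResponseMetadata key the check ignores), and pass it to `check_access_logging_acl`; a non-empty result for the logging bucket means the grants did not land as intended.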