I’ve recently been converting a SAM script to Terraform.

I’ve been using tutorials, including https://developer.hashicorp.com/terraform/tutorials/aws/aws-iam-policy which allows you to assign an IAM policy to an S3 bucket (aws_s3_bucket). I’ve been successfully creating S3 buckets with policies :)

But I started getting an error when I (deliberately) went through the HashiCorp aws-iam-policy tutorial (as a reference point).

Running through the tutorial (the main.tf is below), and doing a “terraform apply”:

$ terraform apply
[snip]

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_s3_bucket.bucket: Creating...
aws_s3_bucket.bucket: Creation complete after 2s [id=milesd-checker-bucket]
data.aws_iam_policy_document.example: Reading...
aws_s3_bucket_acl.bucket: Creating...
data.aws_iam_policy_document.example: Read complete after 0s [id=***********]
aws_iam_policy.policy: Creating...
aws_iam_policy.policy: Creation complete after 2s [id=arn:aws:iam::**************:policy/milesd-checker-bucket-policy]
╷
│ Error: error creating S3 bucket ACL for milesd-checker-bucket: AccessControlListNotSupported: The bucket does not allow ACLs
│       status code: 400, request id: *******************, host id: **********************
│
│   with aws_s3_bucket_acl.bucket,
│   on main.tf line 19, in resource "aws_s3_bucket_acl" "bucket":
│   19: resource "aws_s3_bucket_acl" "bucket" {
│
╵

The bucket does not allow ACLs

I’ve done some investigation and have found https://github.com/terraform-aws-modules/terraform-aws-s3-bucket/issues/223

Specifically “AWS announced in December for this month (April 2023) wherein S3 buckets would have ACLs disabled by default:” (https://aws.amazon.com/about-aws/whats-new/2022/12/amazon-s3-automatically-enable-block-public-access-disable-access-control-lists-buckets-april-2023/).

As soon as I find a fix, I will post an update.
Here is my main.tf:

provider "aws" {
  region = var.region

  default_tags {
    tags = {
      Hashicorp-Learn = "aws-iam-policy"
    }
  }

}

resource "aws_s3_bucket" "bucket" {
  bucket = "milesd-checker-bucket"
}

# This is the resource the apply fails on ("main.tf line 19" in the error output above):
# the bucket was created with ACLs disabled, so the PutBucketAcl call is rejected.
resource "aws_s3_bucket_acl" "bucket" {
  bucket = aws_s3_bucket.bucket.id
  acl    = "private"
}

data "aws_iam_policy_document" "example" {
  statement {
    actions   = ["s3:ListAllMyBuckets"]
    resources = ["arn:aws:s3:::*"]
    effect = "Allow"
  }
  statement {
    actions   = ["s3:*"]
    resources = [aws_s3_bucket.bucket.arn]
    effect = "Allow"
  }
}

resource "aws_iam_policy" "policy" {
  name        = "${aws_s3_bucket.bucket.id}-policy"
  description = "My test policy"

  policy = data.aws_iam_policy_document.example.json
}
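The following is an added example, not from the original post or the HashiCorp tutorial. It shows the ACL-free configuration that the April 2023 default calls for (variant A), and beside it the only form in which aws_s3_bucket_acl still applies cleanly (variant B); resource names follow the post's, and the second bucket name is a placeholder.

```hcl
# Variant A: keep ACLs disabled (the April 2023 default) and drop the
# aws_s3_bucket_acl resource entirely. A "private" ACL adds nothing here:
# BucketOwnerEnforced already gives the bucket owner every object and
# leaves IAM and bucket policies as the only access path.
resource "aws_s3_bucket" "bucket" {
  bucket = "milesd-checker-bucket"
}

resource "aws_s3_bucket_ownership_controls" "bucket" {
  bucket = aws_s3_bucket.bucket.id
  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

# Pin the Block Public Access settings on the bucket itself so a later
# change to the account-level default cannot silently expose it.
resource "aws_s3_bucket_public_access_block" "bucket" {
  bucket                  = aws_s3_bucket.bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Variant B: only when a legacy workflow genuinely needs ACLs. Ownership
# must be moved away from BucketOwnerEnforced before the ACL call, and
# depends_on enforces that order; without it apply fails with the same
# AccessControlListNotSupported error. Bucket name is a placeholder.
resource "aws_s3_bucket" "legacy" {
  bucket = "example-legacy-acl-bucket"
}

resource "aws_s3_bucket_ownership_controls" "legacy" {
  bucket = aws_s3_bucket.legacy.id
  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

resource "aws_s3_bucket_acl" "legacy" {
  depends_on = [aws_s3_bucket_ownership_controls.legacy]
  bucket     = aws_s3_bucket.legacy.id
  acl        = "private"
}
```

For the tutorial's purpose (attaching an IAM policy that references the bucket ARN) variant A is sufficient, since the aws_iam_policy resource does not depend on the ACL at all.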