Reputation: 1728
The new recommendation from AWS is to disable ACLs by default so that object ownership defaults to the bucket owner. How can I achieve this with the aws_s3_bucket resource using Terraform?
I tried doing the following without success:
resource "aws_s3_bucket_acl" "example_bucket_acl" {
  bucket                = aws_s3_bucket.s3-bucket.id
  acl                   = "private"
  expected_bucket_owner = data.aws_caller_identity.current.account_id
}

data "aws_caller_identity" "current" {}
This code sets the ACL so that only the bucket owner can read and write the bucket and the objects within it, but the object ownership configuration is still set to "object writer". Furthermore, the ACL is not disabled as a result of setting this.
From Terraform's documentation on S3 ACLs, it does not give any examples or provide any arguments that support disabling ACLs.
I tried to brute-force the solution by running terraform plan after manually changing the settings in AWS to see what differences the plan would show, but it says my infrastructure matches the configuration.
Does anyone have any ideas on how this can be done? I'm currently using Terraform CLI v1.3.5 and AWS provider v4.40.0.
Upvotes: 9
Views: 10097
Reputation: 238477
This is set using aws_s3_bucket_ownership_controls, not with aws_s3_bucket_acl. You can set the control to BucketOwnerEnforced.
Upvotes: 20
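A complete configuration applying the answer above, written here as an added example rather than code from the answer's author or from the Terraform provider docs. The resource names ("this") and the bucket name are assumed placeholders; the question's aws_s3_bucket_acl resource is intentionally absent, because once ACLs are disabled S3 rejects requests that set them.

```hcl
# Added example: a bucket whose object ownership is enforced to the bucket
# owner, which is the setting that disables ACLs. Resource names and the
# bucket name are assumed placeholders.

data "aws_caller_identity" "current" {}

resource "aws_s3_bucket" "this" {
  bucket = "example-logs-${data.aws_caller_identity.current.account_id}"
}

# BucketOwnerEnforced disables ACLs entirely: the bucket owner owns every
# object regardless of who uploads it, and only bucket policies and IAM
# policies control access. Do not keep an aws_s3_bucket_acl resource for
# this bucket; with ACLs disabled, S3 returns AccessControlListNotSupported
# for requests that set ACLs.
resource "aws_s3_bucket_ownership_controls" "this" {
  bucket = aws_s3_bucket.this.id

  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

# Independent of the ownership control, but part of the same hardened
# default: block public ACLs and public bucket policies.
resource "aws_s3_bucket_public_access_block" "this" {
  bucket = aws_s3_bucket.this.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```

After `terraform apply`, the setting can be confirmed outside Terraform with `aws s3api get-bucket-ownership-controls --bucket <bucket-name>`, which should report `BucketOwnerEnforced`. If the bucket was created earlier with an aws_s3_bucket_acl resource in state, remove that resource from the configuration in the same change, since a later plan that tries to manage the ACL will fail against a bucket with ACLs disabled.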