Support multiple canned ACLs for AWS S3 buckets #144
Comments
any update on this
@maxrothman Does the new
No it does not. AWS supports both ACL policy grants and canned ACLs, and if you use canned ACLs, AWS supports assigning more than one to a bucket. If AWS supports it, Terraform should too.
Bumping this issue. Right now the provider only takes a non-comma-separated string as the value for the See below:
Funnily enough this is exactly what I'm trying to do. Creating a new bucket for logs but it needs to be private. Is this possible in the current version?
We cannot specify more than one canned ACL, according to the note at the end. Though my issue with the grant block is that it conflicts with ACL, which for example acl = null

```hcl
grant {
  permissions = ["READ_ACP", "WRITE"]
  type        = "Group"
  uri         = "http://acs.amazonaws.com/groups/s3/LogDelivery"
}
grant {
  permissions = ["READ_ACP"]
  type        = "Group"
  uri         = "http://acs.amazonaws.com/groups/global/AllUsers"
}
grant {
  id          = "someid"
  permissions = ["READ", "READ_ACP", "WRITE", "WRITE_ACP"]
  type        = "CanonicalUser"
}
# skipped ... it generates the following diff: + acl = "private"
# skipped ... and this wipes the grants from the previous
```
Thanks @wanieldilson. This issue only arises when importing the existing bucket; it doesn't seem to honor the so my question is: how can we avoid ACL when the grant is specified while importing (it shouldn't show any diff)? Sorry to hijack this thread, I've created a new #17791 for this.
Relates #4418
Bumping this issue.
OR - be able to create a second aws_s3_bucket_acl resource to append to the previous one (if in the previous we will have only acl = "private").
AWS has such an option to add two canned ACLs, but in two separate requests.
Thanks in advance!
@valera-yakovenko I think for this you need an
Full example for
@sousmangoosta I agree, this is a way to reach the goal and provide the permissions needed, but the question/ask here is to do it with a canned ACL instead of the Also, consider that AWS supports multiple ACLs for one bucket.
@valera-yakovenko I tested it again and it's not possible currently by using the S3 API; the only way to do this is to create the access_control_policies in the Terraform provider code and to manage all changes made by Amazon with a new version of the provider. I'm not sure the maintainers would accept that. The positive thing, I think, would be that we would be able to delete the ACL, as it's not currently possible.
@sousmangoosta I am not sure how you were testing it, but as I showed in the previous comment it is possible to add two canned ACLs in two separate
@valera-yakovenko Yeah I tried with the API. I don't say it's not possible doing this with the API, but not with a simple PUT API call on the bucket like in the doc
I will try to have a look in debug mode see what is the difference on the calls from cli and from terraform |
@valera-yakovenko For your example it works in both Terraform and the CLI with this example:
but on both Terraform and the CLI, if I add the aws-exec-read canned ACL, it removes the log one.
So I cannot add this in the Terraform
@sousmangoosta This seems to be true. I also managed to add a second ACL resource with the canned ACL "log-delivery-write".
AND
It is really strange that I didn't notice this before; I may swear that I was trying to add the second canned ACL with a second tf resource (but something went wrong there, I assume).
@sousmangoosta Thanks for your replies, and for pointing me to the proper solution!
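The explicit-grant route the thread converges on, written out as an added example (not code from the thread, the provider, or the commenters): a single aws_s3_bucket_acl whose access_control_policy carries the grants that the "private" and "log-delivery-write" canned ACLs would each set, so the second canned-ACL PUT that overwrote the first is no longer needed. Assumptions: AWS provider v4 or later (where aws_s3_bucket_acl exists), a placeholder bucket name, and that the caller's canonical user id is the intended bucket owner.

```hcl
data "aws_canonical_user_id" "current" {}

resource "aws_s3_bucket" "logs" {
  bucket = "example-access-logs" # placeholder bucket name
}

# Assumption: ACLs must be enabled on the bucket before an ACL can be applied.
resource "aws_s3_bucket_ownership_controls" "logs" {
  bucket = aws_s3_bucket.logs.id
  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

resource "aws_s3_bucket_acl" "logs" {
  bucket     = aws_s3_bucket.logs.id
  depends_on = [aws_s3_bucket_ownership_controls.logs]

  access_control_policy {
    owner {
      id = data.aws_canonical_user_id.current.id
    }

    # What "private" grants: FULL_CONTROL to the bucket owner and nothing else.
    grant {
      permission = "FULL_CONTROL"
      grantee {
        type = "CanonicalUser"
        id   = data.aws_canonical_user_id.current.id
      }
    }

    # What "log-delivery-write" adds: WRITE and READ_ACP for the LogDelivery group.
    grant {
      permission = "WRITE"
      grantee {
        type = "Group"
        uri  = "http://acs.amazonaws.com/groups/s3/LogDelivery"
      }
    }
    grant {
      permission = "READ_ACP"
      grantee {
        type = "Group"
        uri  = "http://acs.amazonaws.com/groups/s3/LogDelivery"
      }
    }
  }
}
```

After apply, `aws s3api get-bucket-acl --bucket <name>` should list exactly these three grants and no AllUsers or AuthenticatedUsers entries; any extra grantee means a canned ACL or another writer has replaced the policy.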
This issue was originally opened by @maxrothman as hashicorp/terraform#6139. It was migrated here as part of the provider split. The original body of the issue is below.
The aws_s3_bucket resource's acl field currently accepts a string. AWS supports multiple grants to multiple users (ref). Perhaps the acl field could take a map or even be broken out into a separate resource.