Feat: Add Support for S3 Object Ownership Controls

[korenyoni]

what

• Add support for S3 object ownership controls.
• Misc: add BridgeCrew exceptions.

why

S3 object ownership controls should be configurable for the origin bucket behind the CloudFront distribution. If the origin bucket is used within CI pipelines, cross-account writes to the bucket will result in the object being owned by that account. This can result in 403's when attempting to access content in the CF distribution, unless the S3 object ownership setting is set to BucketOwnerEnforced.

By default, when another AWS account uploads an object to your S3 bucket, that account (the object writer) owns the object, has access to it, and can grant other users access to it through ACLs.

The new S3 object ownership variable has as a default value that has the same effect if the new s3_bucket_ownership_controls were not to exist at all. Thus, this is a backwards-compatible release.

references

• https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html
• Allow specifying aws_s3_bucket_ownership_controls terraform-aws-s3-bucket#109

[bridgecrew]

Bridgecrew has found infrastructure configuration errors in this PR ⬇️

[bridgecrew]

⚠️   Due to 42a9ec7 - Auto Format - 2 errors were fixed.

Change details

Error ID	Change	Path	Resource
BC_AWS_NETWORKING_65	Fixed	/main.tf	aws_cloudfront_distribution.default
BC_AWS_NETWORKING_63	Fixed	/main.tf	aws_cloudfront_distribution.default

[korenyoni]

/test all

[korenyoni]

Breaking because of new plan-time validation in https://github.com/hashicorp/terraform-provider-aws/releases/tag/v3.71.0

EDIT: fixed by #208

This Pull Request has been updated, so we're dismissing all reviews.

[korenyoni]

/test all