ACL error on first terraform apply #174

Closed
wesleung opened this issue Apr 25, 2023 · 5 comments · Fixed by #178
Labels
bug 🐛 An issue with the system

Comments

@wesleung
Describe the Bug

Requires 2 terraform apply to succeed creating S3 bucket.
First pass Errors with:
AccessControlListNotSupported: The bucket does not allow ACLs

Expected Behavior

Expect S3 bucket to be created successfully on first pass without ACL error

Steps to Reproduce

Steps to reproduce the behavior:

  1. Create test.tf file

     ```hcl
     module "s3_bucket" {
       source      = "cloudposse/s3-bucket/aws"
       version     = "3.0.0"
       enabled     = true
       bucket_name = "cloudposse-s3-test-acl"
     }
     ```

  2. terraform init (terraform version 1.4.5)
  3. terraform apply
  4. See error

     ```
     │ Error: error creating S3 bucket ACL for cloudposse-s3-test-acl: AccessControlListNotSupported: The bucket does not allow ACLs
     │ 	status code: 400, request id: XXXXXXXXXXX, host id: XXXXXXXXXXXXXXXXXX
     │ 
     │   with module.s3_bucket.aws_s3_bucket_acl.default[0],
     │   on .terraform/modules/s3_bucket/main.tf line 159, in resource "aws_s3_bucket_acl" "default":
     │  159: resource "aws_s3_bucket_acl" "default" {
     ```

  5. terraform apply

     ```
     Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
     ```

Environment (please complete the following information):

Anything that will help us triage the bug will help. Here are some ideas:

terraform version

```
Terraform v1.4.5
on darwin_amd64
+ provider registry.terraform.io/hashicorp/aws v4.55.0
+ provider registry.terraform.io/hashicorp/time v0.9.1
```

@wesleung wesleung added the bug 🐛 An issue with the system label Apr 25, 2023
@casey-robertson-paypal
A similar issue is surfacing for us. We are using the CDN module cloudposse/cloudfront-s3-cdn/aws. When enabling logging

```
cloudfront_access_logging_enabled = true
```

(which is true by default) we get the following error:

```
Error: creating Amazon S3 (Simple Storage) Bucket (xxxxxxxxxxx-dev-logs): InvalidBucketAclWithObjectOwnership: Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting
	status code: 400, request id: 4FWTQ6D1S7XYR9W1, host id: xqcUPi7O6f7PMI26bILIVsr3iyDs5CUXrK1/EU2rSYJQmHpH2LHDXyd1VLl5NOk4QkqcJjPqd2w=
```

The CDN module calls cloudposse/s3-log-storage/aws, which calls this module.

For now we are choosing to disable logging - we did not attempt a 2nd run to see if the issue went away.

@pamengual

@jamengual
Contributor

  type        = string
 -default     = "ObjectWriter"
  +default     = "BucketOwnerEnforced"
  description = "Specifies the S3 object ownership control. Valid values are `ObjectWriter`, `BucketOwnerPreferred`, and 'BucketOwnerEnforced'."
}```
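
Review bot: the new default on the `+default` line, "BucketOwnerEnforced", makes the bucket reject ACLs (the InvalidBucketAclWithObjectOwnership error quoted earlier in this thread states that ACLs cannot be set with this setting), so the module's aws_s3_bucket_acl.default resource should be skipped whenever this variable has that value; otherwise the AccessControlListNotSupported failure from the report can still occur for callers that keep an ACL configured. The description should also say that BucketOwnerEnforced disables ACLs, since this changes behaviour for existing users who relied on the old "ObjectWriter" default, and its last value is wrapped in single quotes where the other two use backticks.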

@forest-code42

This change #175 fixes this issue

@joshuaganger

Does this also require an aws_s3_bucket_public_access_block resource in addition to the aws_s3_bucket_ownership_controls required for ACL?

Did you resolve this? Landed on this page while researching the same question. Perhaps the documentation for aws_s3_bucket_logging could be updated if the example there isn't working...
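
Added example, not part of the thread and not the module's code or the change in #175/#178: one way to write the ordering in plain Terraform so that an ACL is only applied after ownership controls allow it, and is skipped entirely under BucketOwnerEnforced. The resource label `example`, the bucket name and the `object_ownership` variable are placeholders, and the example assumes the failure comes from an ACL being set on a bucket whose ownership setting does not permit ACLs.

```hcl
# Placeholder variable mirroring the ownership setting discussed above.
variable "object_ownership" {
  type        = string
  default     = "BucketOwnerEnforced" # ACLs disabled; the ACL resource below is skipped
  description = "One of ObjectWriter, BucketOwnerPreferred, BucketOwnerEnforced."
}

resource "aws_s3_bucket" "example" {
  bucket = "example-acl-ordering-placeholder" # placeholder name
}

# Block Public Access stays fully enabled: it rejects public ACLs only,
# so a private ACL does not need any of these settings relaxed.
resource "aws_s3_bucket_public_access_block" "example" {
  bucket                  = aws_s3_bucket.example.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Ownership controls decide whether the bucket accepts ACLs at all.
resource "aws_s3_bucket_ownership_controls" "example" {
  bucket = aws_s3_bucket.example.id

  rule {
    object_ownership = var.object_ownership
  }
}

# Manage an ACL only when ownership controls permit ACLs, and only after
# those controls exist. Without depends_on, Terraform may create both
# resources in parallel and the ACL call can reach the bucket first.
resource "aws_s3_bucket_acl" "example" {
  count  = var.object_ownership == "BucketOwnerEnforced" ? 0 : 1
  bucket = aws_s3_bucket.example.id
  acl    = "private"

  depends_on = [aws_s3_bucket_ownership_controls.example]
}
```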
