terraform-aws-modules / terraform-aws-s3-bucket

Terraform module to create AWS S3 resources 🇺🇦

Home Page:https://registry.terraform.io/modules/terraform-aws-modules/s3-bucket/aws


'public-read' ACL failing due 403 error

Maraket opened this issue · comments

Description

When attempting to create a bucket with a basic 'public-read' acl, the bucket fails to create due to a 403 issue, despite being run by an admin account.

  • ✋ I have searched the open/closed issues and my issue is not listed.

⚠️ Note

Before you submit an issue, please perform the following first:

  1. Remove the local .terraform directory (ONLY if state is stored remotely, which is hopefully the best practice you are following): rm -rf .terraform/
  2. Re-initialize the project root to pull down modules: terraform init
  3. Re-attempt your terraform plan or apply and check if the issue still persists

Versions

  • Module version [Required]:

  • Terraform version:
    Terraform v1.8.4
    on darwin_amd64

  • Provider version(s):
    Terraform v1.8.4
    on darwin_amd64

  • provider registry.terraform.io/hashicorp/aws v5.52.0
  • provider registry.terraform.io/hashicorp/local v2.5.1
  • provider registry.terraform.io/hashicorp/random v3.6.2
  • provider registry.terraform.io/hashicorp/template v2.2.0
  • provider registry.terraform.io/hashicorp/time v0.11.2

Reproduction Code [Required]

Steps to reproduce the behavior:

  • Create workspace
  • Use main.tf file
terraform {
  required_version = ">= 1.8.4"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.52.0"
    }
  }
  backend "remote" {}
}

module "s3_bucket" {
  source           = "terraform-aws-modules/s3-bucket/aws"
  version          = "4.1.2"
  bucket_prefix    = "myapp-uploads"
  acl              = "public-read"
  object_ownership = "BucketOwnerPreferred"
}

  • run terraform init -backend-config="token=$TERRAFORM_TOKEN" -backend-config=variables/backend.hcl.json
  • run terraform plan -out=plan/myplan.zip
  • run terraform apply -input=false -auto-approve plan/myplan.zip

Expected behavior

A new bucket would be created with the public-read acl set on it with the name app-uploads<prefix>

Actual behavior

The resources fail to build, and a 403 error is thrown

Terminal Output Screenshot(s)

$ terraform init -backend-config="token=$TERRAFORM_TOKEN" -backend-config=variables/backend.hcl.json

Initializing the backend...
Initializing modules...

Initializing provider plugins...
- Reusing previous version of hashicorp/aws from the dependency lock file
- Using previously-installed hashicorp/aws v5.52.0

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

$ terraform plan -out=plan/myplan.zip
module.s3_bucket.data.aws_canonical_user_id.this[0]: Reading...
module.s3_bucket.data.aws_caller_identity.current: Reading...
module.s3_bucket.data.aws_region.current: Reading...
module.s3_bucket.data.aws_partition.current: Reading...
module.s3_bucket.data.aws_partition.current: Read complete after 0s [id=aws]
module.s3_bucket.data.aws_region.current: Read complete after 0s [id=ap-southeast-2]
module.s3_bucket.data.aws_caller_identity.current: Read complete after 0s [id=016049862402]
module.s3_bucket.data.aws_canonical_user_id.this[0]: Read complete after 1s [id=9137fc91452bf96df4dd92623ae0c08affa5eb69ca55de5b540b2be7de859866]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.s3_bucket.aws_s3_bucket.this[0] will be created
  + resource "aws_s3_bucket" "this" {
      + acceleration_status         = (known after apply)
      + acl                         = (known after apply)
      + arn                         = (known after apply)
      + bucket                      = (known after apply)
      + bucket_domain_name          = (known after apply)
      + bucket_prefix               = "myapp-uploads"
      + bucket_regional_domain_name = (known after apply)
      + force_destroy               = false
      + hosted_zone_id              = (known after apply)
      + id                          = (known after apply)
      + object_lock_enabled         = false
      + policy                      = (known after apply)
      + region                      = (known after apply)
      + request_payer               = (known after apply)
      + tags_all                    = (known after apply)
      + website_domain              = (known after apply)
      + website_endpoint            = (known after apply)
    }

  # module.s3_bucket.aws_s3_bucket_acl.this[0] will be created
  + resource "aws_s3_bucket_acl" "this" {
      + acl    = "public-read"
      + bucket = (known after apply)
      + id     = (known after apply)
    }

  # module.s3_bucket.aws_s3_bucket_public_access_block.this[0] will be created
  + resource "aws_s3_bucket_public_access_block" "this" {
      + block_public_acls       = true
      + block_public_policy     = true
      + bucket                  = (known after apply)
      + id                      = (known after apply)
      + ignore_public_acls      = true
      + restrict_public_buckets = true
    }

Plan: 3 to add, 0 to change, 0 to destroy.

───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan/myplan.zip

To perform exactly these actions, run the following command to apply:
    terraform apply "plan/myplan.zip"

$ terraform apply -input=false -auto-approve plan/myplan.zip
module.s3_bucket.aws_s3_bucket.this[0]: Creating...
module.s3_bucket.aws_s3_bucket.this[0]: Creation complete after 2s [id=myapp-uploads20240603031333578000000001]
module.s3_bucket.aws_s3_bucket_public_access_block.this[0]: Creating...
module.s3_bucket.aws_s3_bucket_public_access_block.this[0]: Creation complete after 1s [id=myapp-uploads20240603031333578000000001]
module.s3_bucket.aws_s3_bucket_acl.this[0]: Creating...
╷
│ Error: creating S3 Bucket (myapp-uploads20240603031333578000000001) ACL: operation error S3: PutBucketAcl, https response error StatusCode: 403, RequestID: CAGQCJ82TX5AHPEV, HostID: 6n1BhmSSR8D2BzTYSIys+Q47Xm3a9M/j1nsr1JmuR8sIJI3Q1b0ORbvJZjlcAj74bBx1IcsrhkI=, api error AccessDenied: Access Denied
│ 
│   with module.s3_bucket.aws_s3_bucket_acl.this[0],
│   on .terraform/modules/s3_bucket/main.tf line 66, in resource "aws_s3_bucket_acl" "this":
│   66: resource "aws_s3_bucket_acl" "this" {
│ 

I did find #242 (comment), which appears to be a solution to the issue, though having this be automated rather than needing to dig until finding an answer would be appreciated.
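Editor's note on what the output above shows. The 403 is not an IAM problem with the calling identity: the plan creates `aws_s3_bucket_public_access_block` with `block_public_acls = true`, and S3 Block Public Access rejects any `PutBucketAcl` call that carries a public grant with `AccessDenied`, whatever the caller's permissions. The plan also contains no `aws_s3_bucket_ownership_controls` resource, so `object_ownership = "BucketOwnerPreferred"` is never applied; the module only creates that resource when `control_object_ownership = true`, and a bucket left at the current S3 default of BucketOwnerEnforced cannot accept ACLs at all. The following is an added example (not the module's own code and not the reporter's) that puts the posted configuration beside one that lets the module apply a public-read ACL. Variable names are those of terraform-aws-modules/s3-bucket v4.x; the bucket prefix and provider pin are carried over from the post, and the remote backend is omitted so the file stands alone with local state.

```hcl
terraform {
  required_version = ">= 1.8.4"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.52.0"
    }
  }
}

# As posted: every Block Public Access flag is left at the module's v4
# default (true), and ownership controls are never created because
# control_object_ownership defaults to false. PutBucketAcl("public-read")
# is therefore refused by Block Public Access with 403 AccessDenied.
module "s3_bucket_as_posted" {
  source           = "terraform-aws-modules/s3-bucket/aws"
  version          = "4.1.2"
  bucket_prefix    = "myapp-uploads"
  acl              = "public-read"
  object_ownership = "BucketOwnerPreferred"
}

# Corrected: create the ownership-controls resource so ACLs are enabled,
# and relax only the two Block Public Access flags that govern ACLs.
# Public bucket policies stay blocked.
module "s3_bucket_public_read" {
  source        = "terraform-aws-modules/s3-bucket/aws"
  version       = "4.1.2"
  bucket_prefix = "myapp-uploads"

  # ACLs are honoured only when ownership is not BucketOwnerEnforced; the
  # module creates aws_s3_bucket_ownership_controls only when this is true,
  # and aws_s3_bucket_acl depends on it.
  control_object_ownership = true
  object_ownership         = "BucketOwnerPreferred"

  acl = "public-read"

  # Block Public Access: lift the ACL guards, keep the policy guards.
  block_public_acls       = false
  ignore_public_acls      = false
  block_public_policy     = true
  restrict_public_buckets = true
}
```

Two caveats before applying the second module. Account-level Block Public Access (inspect with `aws s3control get-public-access-block --account-id <id>`) overrides the bucket-level setting, so if it is enabled the same 403 will recur and no module input can change that. And a `public-read` *bucket* ACL grants READ to AllUsers on the bucket itself, which is permission to list every key, not only to fetch objects; if the goal is anonymous download of specific objects, a bucket policy allowing `s3:GetObject` on a prefix (lifting `block_public_policy` and `restrict_public_buckets` instead of the ACL flags) or serving through CloudFront with origin access control is the narrower grant.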