feat: add bucket acl policy grants

.pre-commit-config.yaml

@@ -1,10 +1,10 @@
 repos:
   - repo: git://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.31.0
+    rev: v1.39.0
     hooks:
       - id: terraform_fmt
       - id: terraform_docs
   - repo: git://github.com/pre-commit/pre-commit-hooks
-    rev: v3.1.0
+    rev: v3.2.0
     hooks:
       - id: check-merge-conflict

README.md

@@ -98,7 +98,7 @@ module "s3_bucket" {
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | acceleration\_status | (Optional) Sets the accelerate configuration of an existing bucket. Can be Enabled or Suspended. | `string` | `null` | no |
-| acl | (Optional) The canned ACL to apply. Defaults to 'private'. | `string` | `"private"` | no |
+| acl | (Optional) The canned ACL to apply. Defaults to 'private'. Conflicts with `grant` | `string` | `"private"` | no |
 | attach\_elb\_log\_delivery\_policy | Controls if S3 bucket should have ELB log delivery policy attached | `bool` | `false` | no |
 | attach\_policy | Controls if S3 bucket should have bucket policy attached (set to `true` to use value of `policy` as bucket policy) | `bool` | `false` | no |
 | attach\_public\_policy | Controls if a user defined public bucket policy will be attached (set to `false` to allow upstream to apply defaults to the bucket) | `bool` | `true` | no |
@@ -109,6 +109,7 @@ module "s3_bucket" {
 | cors\_rule | List of maps containing rules for Cross-Origin Resource Sharing. | `list(any)` | `[]` | no |
 | create\_bucket | Controls if S3 bucket should be created | `bool` | `true` | no |
 | force\_destroy | (Optional, Default:false ) A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | `bool` | `false` | no |
+| grant | An ACL policy grant. Conflicts with `acl` | `list(any)` | `[]` | no |
 | ignore\_public\_acls | Whether Amazon S3 should ignore public ACLs for this bucket. | `bool` | `false` | no |
 | lifecycle\_rule | List of maps containing configuration of object lifecycle management. | `any` | `[]` | no |
 | logging | Map containing access bucket logging configuration. | `map(string)` | `{}` | no |

examples/complete/main.tf

@@ -2,6 +2,8 @@ locals {
   bucket_name = "s3-bucket-${random_pet.this.id}"
 }
 
+data "aws_canonical_user_id" "current" {}
+
 resource "random_pet" "this" {
   length = 2
 }
@@ -55,6 +57,25 @@ module "log_bucket" {
   attach_elb_log_delivery_policy = true
 }
 
+module "cloudfront_log_bucket" {
+  source = "../../"
+
+  bucket = "cloudfront-logs-${random_pet.this.id}"
+  acl    = null # conflicts with default of `acl = "private"` so set to null to use grants
+  grant = [{
+    type        = "CanonicalUser"
+    permissions = ["FULL_CONTROL"]
+    id          = data.aws_canonical_user_id.current.id
+    }, {
+    type        = "CanonicalUser"
+    permissions = ["FULL_CONTROL"]
+    id          = "c4c1ede66af53448b93c283ce9448c4ba468c9432aa01d700d3878632f77d2d0"
+    # Ref. https://github.com/terraform-providers/terraform-provider-aws/issues/12512
+    # Ref. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html
+  }]
+  force_destroy = true
+}
+
 module "s3_bucket" {
   source = "../../"
 

main.tf

@@ -50,6 +50,17 @@ resource "aws_s3_bucket" "this" {
     }
   }
 
+  dynamic "grant" {
+    for_each = var.grant
+
+    content {
+      id          = lookup(grant.value, "id", null)
+      type        = grant.value.type
+      permissions = grant.value.permissions
+      uri         = lookup(grant.value, "uri", null)
+    }
+  }
+
   dynamic "lifecycle_rule" {
     for_each = var.lifecycle_rule
 

variables.tf

@@ -35,7 +35,7 @@ variable "bucket_prefix" {
 }
 
 variable "acl" {
-  description = "(Optional) The canned ACL to apply. Defaults to 'private'."
+  description = "(Optional) The canned ACL to apply. Defaults to 'private'. Conflicts with `grant`"
   type        = string
   default     = "private"
 }
@@ -94,6 +94,12 @@ variable "logging" {
   default     = {}
 }
 
+variable "grant" {
+  description = "An ACL policy grant. Conflicts with `acl`"
+  type        = list(any)
+  default     = []
+}
+
 variable "lifecycle_rule" {
   description = "List of maps containing configuration of object lifecycle management."
   type        = any