
Resource: awsS3BucketAcl

Provides an S3 bucket ACL resource.

~> Note: `terraform destroy` does not delete the S3 Bucket ACL but does remove the resource from Terraform state.

Example Usage

With ACL

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsS3BucketExample = new aws.s3Bucket.S3Bucket(this, "example", {
  bucket: "my-tf-example-bucket",
});
// A canned ACL; this conflicts with accessControlPolicy, so set only one of the two.
new aws.s3BucketAcl.S3BucketAcl(this, "example_bucket_acl", {
  acl: "private",
  bucket: awsS3BucketExample.id,
});

With Grants

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsS3BucketExample = new aws.s3Bucket.S3Bucket(this, "example", {
  bucket: "my-tf-example-bucket",
});
const dataAwsCanonicalUserIdCurrent =
  new aws.dataAwsCanonicalUserId.DataAwsCanonicalUserId(this, "current", {});
const awsS3BucketAclExample = new aws.s3BucketAcl.S3BucketAcl(
  this,
  "example_2",
  {
    accessControlPolicy: {
      grant: [
        {
          grantee: {
            id: dataAwsCanonicalUserIdCurrent.id,
            type: "CanonicalUser",
          },
          permission: "READ",
        },
        {
          grantee: {
            type: "Group",
            uri: "http://acs.amazonaws.com/groups/s3/LogDelivery",
          },
          permission: "READ_ACP",
        },
      ],
      owner: {
        id: dataAwsCanonicalUserIdCurrent.id,
      },
    },
    bucket: awsS3BucketExample.id,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsS3BucketAclExample.overrideLogicalId("example");

Argument Reference

The following arguments are supported:

  • acl - (Optional, Conflicts with accessControlPolicy) Canned ACL to apply to the bucket.
  • accessControlPolicy - (Optional, Conflicts with acl) Configuration block that sets the ACL permissions for an object per grantee. See below.
  • bucket - (Required, Forces new resource) Name of the bucket.
  • expectedBucketOwner - (Optional, Forces new resource) Account ID of the expected bucket owner.

accessControlPolicy

The accessControlPolicy configuration block supports the following arguments:

  • grant - (Required) Set of grant configuration blocks. See below.
  • owner - (Required) Configuration block of the bucket owner's display name and ID. See below.

grant

The grant configuration block supports the following arguments:

  • grantee - (Required) Configuration block for the person being granted permissions. See below.
  • permission - (Required) Logging permissions assigned to the grantee for the bucket.

owner

The owner configuration block supports the following arguments:

  • id - (Required) ID of the owner.
  • displayName - (Optional) Display name of the owner.

grantee

The grantee configuration block supports the following arguments:

  • emailAddress - (Optional) Email address of the grantee. See Regions and Endpoints for supported AWS regions where this argument can be specified.
  • id - (Optional) Canonical user ID of the grantee.
  • type - (Required) Type of grantee. Valid values: CanonicalUser, AmazonCustomerByEmail, Group.
  • uri - (Optional) URI of the grantee group.
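As an added example (not part of the provider documentation or the generated bindings), a pre-synthesis lint over an object shaped like the accessControlPolicy block above. It checks that each grantee type carries the identifier field that type uses and flags grants to the global AllUsers/AuthenticatedUsers groups; the permission set and the global group URIs are AWS-defined values assumed here, since the page does not enumerate them.

```typescript
// Added lint for the accessControlPolicy shape documented above (not provider code).
type GranteeType = "CanonicalUser" | "AmazonCustomerByEmail" | "Group";
interface Grantee { type: GranteeType; id?: string; uri?: string; emailAddress?: string }
interface Grant { grantee: Grantee; permission: string }
interface AccessControlPolicy { grant: Grant[]; owner: { id: string; displayName?: string } }

// S3 ACL permissions (AWS-defined; assumed here, the page does not list them).
const VALID_PERMISSIONS = new Set(["FULL_CONTROL", "WRITE", "WRITE_ACP", "READ", "READ_ACP"]);
// Predefined groups whose grants expose the bucket to everyone / any AWS account.
const PUBLIC_GROUP_URIS = new Set([
  "http://acs.amazonaws.com/groups/global/AllUsers",
  "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
]);

function lintAccessControlPolicy(policy: AccessControlPolicy): string[] {
  const findings: string[] = [];
  if (!policy.owner?.id) findings.push("owner.id is required");
  if (!policy.grant || policy.grant.length === 0) findings.push("grant must contain at least one block");
  (policy.grant ?? []).forEach((g, i) => {
    const where = `grant[${i}]`;
    if (!VALID_PERMISSIONS.has(g.permission)) findings.push(`${where}: unknown permission ${g.permission}`);
    const ge = g.grantee;
    // Each grantee type needs exactly the identifier field that type uses.
    switch (ge.type) {
      case "CanonicalUser":
        if (!ge.id) findings.push(`${where}: CanonicalUser grantee requires id`);
        break;
      case "AmazonCustomerByEmail":
        if (!ge.emailAddress) findings.push(`${where}: AmazonCustomerByEmail grantee requires emailAddress`);
        break;
      case "Group":
        if (!ge.uri) findings.push(`${where}: Group grantee requires uri`);
        else if (PUBLIC_GROUP_URIS.has(ge.uri)) findings.push(`${where}: public grant of ${g.permission} to ${ge.uri}`);
        break;
      default:
        findings.push(`${where}: invalid grantee type ${String((ge as Grantee).type)}`);
    }
  });
  return findings;
}

// Constructed sample: the "With Grants" policy above plus one world-readable grant.
const samplePolicy: AccessControlPolicy = {
  owner: { id: "CANONICAL-USER-ID-PLACEHOLDER" },
  grant: [
    { grantee: { type: "CanonicalUser", id: "CANONICAL-USER-ID-PLACEHOLDER" }, permission: "READ" },
    { grantee: { type: "Group", uri: "http://acs.amazonaws.com/groups/s3/LogDelivery" }, permission: "READ_ACP" },
    { grantee: { type: "Group", uri: "http://acs.amazonaws.com/groups/global/AllUsers" }, permission: "READ" },
  ],
};
```

Running `lintAccessControlPolicy(samplePolicy)` returns a single finding for the AllUsers grant; the two grants copied from the page pass.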

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - The bucket, expectedBucketOwner (if configured), and acl (if configured) separated by commas (,).

Import

S3 bucket ACL can be imported in one of four ways.

If the owner (account ID) of the source bucket is the same account used to configure the Terraform AWS Provider, and the source bucket is not configured with a canned ACL (i.e. predefined grant), the S3 bucket ACL resource should be imported using the bucket, e.g.,

$ terraform import aws_s3_bucket_acl.example bucket-name

If the owner (account ID) of the source bucket is the same account used to configure the Terraform AWS Provider, and the source bucket is configured with a canned ACL (i.e. predefined grant), the S3 bucket ACL resource should be imported using the bucket and acl separated by a comma (,), e.g.

$ terraform import aws_s3_bucket_acl.example bucket-name,private

If the owner (account ID) of the source bucket differs from the account used to configure the Terraform AWS Provider, and the source bucket is not configured with a canned ACL (i.e. predefined grant), the S3 bucket ACL resource should be imported using the bucket and expectedBucketOwner separated by a comma (,), e.g.,

$ terraform import aws_s3_bucket_acl.example bucket-name,123456789012

If the owner (account ID) of the source bucket differs from the account used to configure the Terraform AWS Provider, and the source bucket is configured with a canned ACL (i.e. predefined grant), the S3 bucket ACL resource should be imported using the bucket, expectedBucketOwner, and acl separated by commas (,), e.g.,

$ terraform import aws_s3_bucket_acl.example bucket-name,123456789012,private
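As an added example (not provider code), a small builder and parser for the id / import string described above, covering all four forms. The parser assumes that a two-segment id is told apart by whether its second segment is a 12-digit account ID; that rule is an assumption made here, not something the page states.

```typescript
// Added helpers for the id format bucket[,expectedBucketOwner][,acl] (not provider code).
const ACCOUNT_ID_RE = /^\d{12}$/;

interface AclImportId { bucket: string; expectedBucketOwner?: string; acl?: string }

// Compose the id attribute: bucket, then expectedBucketOwner and acl only if configured.
function buildAclImportId(parts: AclImportId): string {
  return [parts.bucket, parts.expectedBucketOwner, parts.acl]
    .filter((p) => p !== undefined)
    .join(",");
}

// Split an import string back into its parts.
// Assumption: a two-segment id is read as bucket,expectedBucketOwner when the second
// segment is a 12-digit account ID, and as bucket,acl otherwise.
function parseAclImportId(id: string): AclImportId {
  const segs = id.split(",");
  if (segs.length < 1 || segs.length > 3 || segs.some((s) => s === "")) {
    throw new Error(`malformed import id: ${id}`);
  }
  const [bucket, second, third] = segs;
  if (segs.length === 1) return { bucket };
  if (segs.length === 3) {
    if (!ACCOUNT_ID_RE.test(second)) throw new Error(`expected a 12-digit account ID in position 2: ${id}`);
    return { bucket, expectedBucketOwner: second, acl: third };
  }
  return ACCOUNT_ID_RE.test(second) ? { bucket, expectedBucketOwner: second } : { bucket, acl: second };
}
```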