ACL on S3 bucket objects with Terraform

Mayara Gouveia
3 min read · May 6, 2022


It is widely acknowledged that Terraform is nowadays one of the most used IaC tools.

Most of the time we write our infrastructure with Terraform, and because of the infrastructure's complexity we come across situations where the resource we want to implement is not yet fully supported by the available Terraform resources.
In situations like these we end up using not-so-conventional resources, or simply running alternative scripts as extra steps in the pipeline, which increases the number of moving parts and makes the process less clean than we would like.

I recently needed to create some resources in AWS via Terraform, and one of them was a bucket with some objects. In this scenario, the objects needed to be available to other AWS accounts but, of course, could not be public.
It took me a few hours of reading and re-reading the Terraform documentation before I saw that the AWS Terraform module does not have (so far) the ability to configure ACLs for objects based on canonical IDs. There are only a few options when it comes to ACLs for objects.

What first came to my mind was a script in the pipeline that would apply the ACL through the s3api using the AWS CLI. It would solve the problem, but it would not be the most beautiful solution, so then I thought about Terraform null resources.
Since I had used null resources a few times before, I knew I could run a command through one, and it works for real!

At first glance, it looked like this:

main.tf

Although it worked, this still did not fully meet my need: I had to apply those ACL rules for multiple accounts that needed access to my objects, so I needed something dynamic.

Given that, I now had to include some kind of loop in this scope, so I decided to use the count meta-argument!

main.tf
variables.tf

Basically, what I am doing here is creating a null resource in Terraform that calls the s3api via the AWS CLI; Terraform executes it on a host with the proper AWS permissions. The command loops over the list of canonical IDs defined in my variables.tf file and runs once for each of them, adding the rule to the object's ACL one by one, and guess what?
Problem solved!
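The same null_resource + local-exec pattern, written out as an added example (it is not the gist from the original post). It assumes the aws_s3_object resources already exist in the same configuration, that the AWS CLI is installed and credentialed on the host running terraform, that the bucket still allows ACLs (object ownership is not BucketOwnerEnforced), and the canonical IDs and object keys are placeholders. It differs from the post in one point: because PutObjectAcl replaces an object's whole ACL rather than appending to it, the count loop runs over the object keys and every grant (the owner's FULL_CONTROL plus one READ per foreign account) is passed in a single call per object.

```hcl
# Added example, not the author's code. Canonical IDs and keys are placeholders.
variable "bucket" {
  type = string
}

variable "object_keys" {
  type    = list(string)
  default = ["reports/q1.csv", "reports/q2.csv"] # constructed sample keys
}

variable "reader_canonical_ids" {
  type        = list(string)
  description = "Canonical user IDs of the AWS accounts allowed to read the objects"
  default     = ["CANONICAL_ID_ACCOUNT_A", "CANONICAL_ID_ACCOUNT_B"] # placeholders
}

# Canonical ID of the account running terraform (the object owner).
data "aws_canonical_user_id" "owner" {}

locals {
  # x-amz-grant-* headers accept a comma-separated grantee list: id=...,id=...
  read_grantees = join(",", [for id in var.reader_canonical_ids : "id=${id}"])
}

resource "null_resource" "object_acl" {
  count = length(var.object_keys)

  # Re-run the command whenever the key, the reader list or the owner changes,
  # so a removed account actually loses access on the next apply.
  triggers = {
    key     = var.object_keys[count.index]
    readers = local.read_grantees
    owner   = data.aws_canonical_user_id.owner.id
  }

  provisioner "local-exec" {
    # PutObjectAcl replaces the whole ACL, so all grants go in one call:
    # FULL_CONTROL for the owner, READ for each foreign account. No public
    # group URI is granted, so the object never becomes public.
    command = <<-EOT
      aws s3api put-object-acl \
        --bucket "${var.bucket}" \
        --key "${var.object_keys[count.index]}" \
        --grant-full-control id=${data.aws_canonical_user_id.owner.id} \
        --grant-read ${local.read_grantees}
    EOT
  }
}
```

After an apply, `aws s3api get-object-acl --bucket <bucket> --key <key>` shows exactly the owner grant plus one READ grant per listed canonical ID, which is the check worth adding to the pipeline.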
