nozaq / terraform-aws-secure-baseline

Terraform module to set up your AWS account with the secure baseline configuration based on CIS Amazon Web Services Foundations and AWS Foundational Security Best Practices.
MIT License

"The bucket does not allow ACLs" #317

Open mpalmer opened 1 year ago

mpalmer commented 1 year ago

Describe the bug

When attempting to apply the secure-baseline to a newly-created account, I'm getting the following errors:

╷
│ Error: error creating S3 bucket ACL for <prefix>-audit-logs-access-logs: AccessControlListNotSupported: The bucket does not allow ACLs
│       status code: 400, request id: <redacted>, host id: <redacted>
│
│   with module.secure_baseline.module.audit_log_bucket[0].aws_s3_bucket_acl.access_log,
│   on .terraform/modules/secure_baseline/modules/secure-bucket/main.tf line 28, in resource "aws_s3_bucket_acl" "access_log":
│   28: resource "aws_s3_bucket_acl" "access_log" {
│
╵
╷
│ Error: error creating S3 bucket ACL for <prefix>-audit-logs: AccessControlListNotSupported: The bucket does not allow ACLs
│       status code: 400, request id: <redacted>, host id: <redacted>
│
│   with module.secure_baseline.module.audit_log_bucket[0].aws_s3_bucket_acl.content,
│   on .terraform/modules/secure_baseline/modules/secure-bucket/main.tf line 89, in resource "aws_s3_bucket_acl" "content":
│   89: resource "aws_s3_bucket_acl" "content" {

Versions

Reproduction

Apply secure-baseline to a new account, or at least in an account where it needs to create a new S3 bucket. It may currently be region-specific (I ran it in ap-southeast-2), but it will soon be happening with any new S3 bucket, due to the changes to new bucket defaults.

Expected behavior

No terraform errors.

Actual behavior

Error as described above.

Additional context

Manually jiggering the bucket settings to enable ACLs allows a re-run of the terraform config to succeed.

richbecks commented 1 year ago

This requires adding something along the lines of the below to enable ACLs, now that they are off by default...

# Object Ownership setting for the bucket; "BucketOwnerPreferred" re-enables ACLs
# (new buckets default to "BucketOwnerEnforced", which rejects any ACL request).
resource "aws_s3_bucket_ownership_controls" "my-bucket" {
  bucket = aws_s3_bucket.my-bucket.id
  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}
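As an added example (not code from the module or from either commenter), the ownership-controls fix applied to the access-log bucket, together with the explicit ordering the ACL resource needs so that it is not created before ACLs are re-enabled; the bucket name, resource labels and the `log-delivery-write` ACL are assumptions.

```hcl
# Added example, not the module's own code. Names and labels are assumptions.
resource "aws_s3_bucket" "access_log" {
  bucket = "example-audit-logs-access-logs" # assumed name
}

# New buckets default to Object Ownership = BucketOwnerEnforced, which disables
# ACLs entirely. "BucketOwnerPreferred" keeps the bucket owner as object owner
# while allowing the ACL grant below to be applied.
resource "aws_s3_bucket_ownership_controls" "access_log" {
  bucket = aws_s3_bucket.access_log.id
  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

# Without depends_on, Terraform may try to create the ACL before the ownership
# controls exist and AWS answers with AccessControlListNotSupported, exactly the
# error reported in this issue.
resource "aws_s3_bucket_acl" "access_log" {
  depends_on = [aws_s3_bucket_ownership_controls.access_log]

  bucket = aws_s3_bucket.access_log.id
  acl    = "log-delivery-write" # assumed: the canned ACL used for server access log delivery
}
```

If the bucket only receives S3 server access logs, the ACL can be avoided altogether by leaving ACLs disabled and granting `s3:PutObject` to the `logging.s3.amazonaws.com` service principal in a bucket policy instead.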