From 374bb8dd41a613ead822ec47183457f89be504b1 Mon Sep 17 00:00:00 2001
From: rpoluri <38321430+rpoluri@users.noreply.github.com>
Date: Fri, 30 Oct 2020 11:46:10 -0500
Subject: [PATCH] Feature/s3 object ownership (#177)

* aws_s3_bucket_ownership_controls
* update changelog
* add inventory bucket
Co-authored-by: Raj Poluri
---
 CHANGELOG.md | 4 ++++
 s3-other.tf | 9 +++++++++
 s3.tf | 11 +++++++++++
 3 files changed, 24 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6870297..f9230e1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [6.6.0] - 2020-10-30
+### Added
+- Configure bucket ownership controls on apiary managed buckets,cross account object writes will be owned by bucket instead of writer.
+
 ## [6.5.3] - 2020-10-09
 ### Added
 - Add metastore load balancer outputs.
diff --git a/s3-other.tf b/s3-other.tf
index 642d02e..71a62c9 100644
--- a/s3-other.tf
+++ b/s3-other.tf
@@ -49,6 +49,15 @@ resource "aws_s3_bucket_public_access_block" "apiary_inventory_bucket" {
 ignore_public_acls = true
 }
 
+resource "aws_s3_bucket_ownership_controls" "apiary_inventory_bucket" {
+ count = var.s3_enable_inventory == true ? 1 : 0
+ bucket = aws_s3_bucket.apiary_inventory_bucket[0].bucket
+
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
+}
+
 resource "aws_s3_bucket" "apiary_managed_logs_bucket" {
 count = local.enable_apiary_s3_log_management ? 1 : 0
 bucket = local.apiary_s3_logs_bucket
diff --git a/s3.tf b/s3.tf
index bf15d31..e03407f 100644
--- a/s3.tf
+++ b/s3.tf
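Review bot: `object_ownership = "BucketOwnerPreferred"` in the new `aws_s3_bucket_ownership_controls.apiary_inventory_bucket` resource only transfers ownership of objects whose writer sets the `bucket-owner-full-control` canned ACL; a cross-account writer that omits that ACL still owns its object, and objects already in the bucket are unchanged, so the CHANGELOG statement that cross-account writes "will be owned by bucket" holds only when every writer cooperates. The same applies to `aws_s3_bucket_ownership_controls.apiary_bucket` in the s3.tf hunk. If the bucket policies for these buckets (not part of this patch) are meant to guarantee it, they need a deny on `s3:PutObject` whenever the `s3:x-amz-acl` condition key is not `bucket-owner-full-control`, which is the AWS-documented way to make this setting effective. That caveat is worth recording next to the `rule` block: `# BucketOwnerPreferred only takes ownership of uploads that carry the bucket-owner-full-control ACL; enforce that ACL in the bucket policy.` Minor style point: the inventory resource references `aws_s3_bucket.apiary_inventory_bucket[0].bucket` while the data-bucket resource uses `.id`; both resolve to the bucket name, but the two new resources should use the same attribute.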
@@ -106,6 +106,17 @@ resource "aws_s3_bucket_public_access_block" "apiary_bucket" {
 ignore_public_acls = true
 }
 
+resource "aws_s3_bucket_ownership_controls" "apiary_bucket" {
+ for_each = {
+ for schema in local.schemas_info : "${schema["schema_name"]}" => schema
+ }
+ bucket = aws_s3_bucket.apiary_data_bucket[each.key].id
+
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
+}
+
 resource "aws_s3_bucket_notification" "data_events" {
 for_each = var.enable_data_events ? {
 for schema in local.schemas_info : "${schema["schema_name"]}" => schema if lookup(schema, "enable_data_events_sqs", "0") == "0"