From 168302f91ccce6202d7e4ee6fccce8996fc3b9c9 Mon Sep 17 00:00:00 2001
From: Bayron Carranza
Date: Tue, 21 Jun 2022 17:41:42 -0600
Subject: [PATCH] Feat bucket-owner-enforce s3 (#341)
---
 terraform-modules/aws/s3_bucket/main.tf | 8 ++++++++
 terraform-modules/aws/s3_bucket/variables.tf | 13 +++++++++++++
 2 files changed, 21 insertions(+)
diff --git a/terraform-modules/aws/s3_bucket/main.tf b/terraform-modules/aws/s3_bucket/main.tf
index 48da48c4d..082c7e626 100644
--- a/terraform-modules/aws/s3_bucket/main.tf
+++ b/terraform-modules/aws/s3_bucket/main.tf
@@ -57,3 +57,11 @@ resource "aws_s3_bucket_logging" "logging" {
 target_bucket = var.logging_bucket_name
 target_prefix = "log/"
 }
+
+resource "aws_s3_bucket_ownership_controls" "bucket_ownership_controls" {
+ count = var.enable_bucket_owner_enforced ? 1 : 0
+ bucket = aws_s3_bucket.bucket.id
+ rule {
+ object_ownership = "BucketOwnerEnforced"
+ }
+}
diff --git a/terraform-modules/aws/s3_bucket/variables.tf b/terraform-modules/aws/s3_bucket/variables.tf
index 2ffb39c85..4d0327a61 100644
--- a/terraform-modules/aws/s3_bucket/variables.tf
+++ b/terraform-modules/aws/s3_bucket/variables.tf
@@ -79,3 +79,16 @@ variable "logging_bucket_prefix" {
 description = "The prefix to add to the logs"
 default = "s3-log/"
 }
+
+variable "enable_bucket_owner_enforced" {
+ type = bool
+ description = "BucketOwnerEnforced choice of object ownership, which is used to disable ACL-s."
+ #Bucket owner enforced (recommended) – ACLs are disabled, and the bucket
+ #owner automatically owns and has full control over every object in the bucket.
+ #ACLs no longer affect permissions to data in the S3 bucket. The bucket uses policies
+ #to define access control.
+ #https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html
+ default = true
+
+}
+
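Review bot: The new `aws_s3_bucket_ownership_controls` resource makes S3 reject every ACL request on the bucket once `BucketOwnerEnforced` is applied, so if this module also declares an `aws_s3_bucket_acl` for `aws_s3_bucket.bucket` (not visible in this hunk), an apply with the flag enabled will fail with AccessControlListNotSupported unless that ACL resource is made conditional on `!var.enable_bucket_owner_enforced`. The `aws_s3_bucket_logging` block that precedes this resource is affected in the same way: when the target bucket named by `var.logging_bucket_name` is itself created with this module, ACLs on it are disabled too, and server-access-log delivery must then be authorised through a bucket policy for the `logging.s3.amazonaws.com` service principal, because the log-delivery group ACL is no longer honoured. A comment on the resource would make both consequences visible to callers, e.g. `# BucketOwnerEnforced disables ACLs: any aws_s3_bucket_acl on this bucket must be skipped, and log delivery to the logging bucket must be granted by bucket policy rather than ACL.`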
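Review bot: `default = true` turns the ownership control on for every existing consumer of this module at their next apply; that is the AWS-recommended posture, but it is a behavioural change rather than an opt-in, and any caller still relying on ACL grants on these buckets will start failing, so the description should state it explicitly. The explanation is currently split between the description string and five `#` comments inside the variable block, which module consumers and generated docs never see; fold it into the description and fix the `ACL-s` spelling, e.g. `description = "Set object ownership to BucketOwnerEnforced, which disables ACLs on the bucket: the bucket owner owns every object and access is governed by bucket policy only. Enabled by default. See https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html"`. The stray blank line before the closing `}` and the trailing added blank line at the end of the file can also be dropped.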