removed the bucket acl, use bucket policy instead

Author: joseph-wortmann

main.tf

@@ -7,11 +7,6 @@ resource "aws_s3_bucket" "log" {
   tags = var.tags
 }
 
-resource "aws_s3_bucket_acl" "log" {
-  bucket = aws_s3_bucket.log.id
-  acl    = "log-delivery-write"
-}
-
 resource "aws_s3_bucket_server_side_encryption_configuration" "log" {
   bucket = aws_s3_bucket.log.bucket
 
@@ -44,6 +39,9 @@ resource "aws_s3_bucket_lifecycle_configuration" "log" {
 data "aws_elb_service_account" "main" {
 }
 
+data "aws_caller_identity" "current" {
+}
+
 data "aws_iam_policy_document" "log" {
   statement {
     actions = [
@@ -85,6 +83,25 @@ data "aws_iam_policy_document" "log" {
     ]
     sid = "DenyUnsecuredTransport"
   }
+
+  statement {
+    actions = [
+      "s3:PutObject",
+    ]
+    condition {
+      test = "StringEquals"
+      values = [data.aws_caller_identity.current.account_id]
+      variable = "aws:SourceAccount"
+    }
+    principals {
+      identifiers = ["logging.s3.amazonaws.com"]
+      type = "Service"
+    }
+    resources = [
+      "${aws_s3_bucket.log.arn}/s3/*"
+    ]
+    sid = "EnableS3Logging"
+  }
 }
 
 resource "aws_s3_bucket_policy" "log" {
@@ -98,4 +115,4 @@ resource "aws_s3_bucket_public_access_block" "log" {
   block_public_policy     = true
   ignore_public_acls      = true
   restrict_public_buckets = true
-}
+}