I have the following S3 bucket defined:
module "bucket" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "3.1.0"

  bucket = local.test-bucket-name
  acl    = null

  grant = [
    {
      type       = "CanonicalUser"
      permission = "FULL_CONTROL"
      id         = data.aws_canonical_user_id.current.id
    },
    {
      type       = "CanonicalUser"
      permission = "FULL_CONTROL"
      id         = data.aws_cloudfront_log_delivery_canonical_user_id.cloudfront.id
    }
  ]

  object_ownership = "BucketOwnerPreferred"
}
But when I try to terraform apply this, I get the error:
Error: error updating S3 bucket ACL (logs,private): MissingSecurityHeader: Your request was missing a required header status code: 400
This error message is not very specific. Am I missing some type of header?
I hit this when updating the AWS provider from 4.x to 5.3.0 where some buckets previously had an ACL of private and it was wanting to set them to null, like the previous answer.
However, the issue for me was just transitive - running terraform apply a second time came back No changes. Your infrastructure matches the configuration. I didn't need to modify any ACLs manually.
A bug report has been opened with the AWS provider to avoid the need to do terraform apply a second time. See here: https://github.com/hashicorp/terraform-provider-aws/issues/31633
I came across the same issue. I was trying to update an ACL on a bucket that had previously had private set as the ACL, and was modifying my Terraform code to match entries that someone had created manually on the ACL via the GUI.
To get it working for me, I manually removed from the S3 bucket one of the ACL entries that I was trying to add, then re-ran Terraform, and it worked without an error.
I see the same error in CloudTrail also.
It's like you can't set a private ACL to null without adding an ACL entry.
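A pre-apply check for the transition the answers above describe (a bucket ACL planned to go from `private` to null), as an added example that is not from the original posts: it reads the JSON form of a saved plan (`terraform show -json`) and lists the affected `aws_s3_bucket_acl` resources with the number of grants known in the plan. The plan contents are constructed sample data, and `acl_transitions` is a hypothetical helper name.

```python
import json

# Constructed sample shaped like `terraform show -json <planfile>` output.
# Addresses and values are made up for illustration.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "module.logs.aws_s3_bucket_acl.this[0]",
     "type": "aws_s3_bucket_acl",
     "change": {"actions": ["update"],
                "before": {"acl": "private"},
                "after": {"acl": None, "access_control_policy": [
                    {"grant": [{"permission": "FULL_CONTROL"},
                               {"permission": "FULL_CONTROL"}]}]},
                "after_unknown": {}}},
    {"address": "module.assets.aws_s3_bucket_acl.this[0]",
     "type": "aws_s3_bucket_acl",
     "change": {"actions": ["no-op"],
                "before": {"acl": "private"},
                "after": {"acl": "private"},
                "after_unknown": {}}},
    {"address": "module.tmp.aws_s3_bucket_acl.this[0]",
     "type": "aws_s3_bucket_acl",
     "change": {"actions": ["update"],
                "before": {"acl": "private"},
                "after": {"acl": None},
                "after_unknown": {"access_control_policy": True}}},
]})


def acl_transitions(plan_json):
    """List (address, old_acl, known_grant_count) for each aws_s3_bucket_acl
    whose canned ACL goes from a set value to null in the plan."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change") or {}
        after = change.get("after")
        if rc.get("type") != "aws_s3_bucket_acl" or after is None:
            continue  # other resource types, or the ACL resource is being destroyed
        old = (change.get("before") or {}).get("acl")
        unknown = change.get("after_unknown")
        acl_unknown = isinstance(unknown, dict) and bool(unknown.get("acl"))
        if not old or after.get("acl") or acl_unknown:
            continue  # no canned ACL before, one is kept, or value not known yet
        policies = after.get("access_control_policy") or []
        grants = sum(len(p.get("grant") or []) for p in policies)
        findings.append((rc["address"], old, grants))
    return findings


if __name__ == "__main__":
    for address, old, grants in acl_transitions(SAMPLE_PLAN):
        print(f"{address}: acl {old!r} -> null, {grants} grant(s) known in plan")
```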