From 2a30255c08f8f6707c31cd7c56c02052613fb635 Mon Sep 17 00:00:00 2001
From: j4y <36337+j4y@users.noreply.github.com>
Date: Fri, 26 Dec 2025 10:35:32 -0500
Subject: [PATCH] fix: enable ACLs and permissions required for CloudFront log delivery

Added ownership controls to re-enable ACLs on the log bucket and applied the "log-delivery-write" ACL so CloudFront can successfully write access logs.
---
 terraform/website/main.tf | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/terraform/website/main.tf b/terraform/website/main.tf
index 46b3356..f886b42 100644
--- a/terraform/website/main.tf
+++ b/terraform/website/main.tf
@@ -13,6 +13,15 @@ resource "aws_s3_bucket" "logs" {
 bucket = "${var.domain}-logs"
 }
+# Enable ACLs on the log bucket so CloudFront can write access logs
+resource "aws_s3_bucket_ownership_controls" "logs" {
+ bucket = aws_s3_bucket.logs.id
+
+ rule {
+ object_ownership = "ObjectWriter"
+ }
+}
+
 resource "aws_s3_bucket_ownership_controls" "bucket" {
 bucket = aws_s3_bucket.bucket.id
 rule {
@@ -39,6 +48,14 @@ resource "aws_s3_bucket_acl" "bucket" {
 acl = "public-read"
 }
+# Grant CloudFront permission to write access logs to this bucket
+resource "aws_s3_bucket_acl" "logs" {
+ depends_on = [aws_s3_bucket_ownership_controls.logs]
+
+ bucket = aws_s3_bucket.logs.id
+ acl = "log-delivery-write"
+}
+
 # Configure website settings
 resource "aws_s3_bucket_website_configuration" "bucket" {
 bucket = aws_s3_bucket.bucket.id
@@ -83,7 +100,7 @@ resource "aws_cloudfront_distribution" "distribution" {
 logging_config {
 include_cookies = false
- bucket = "${aws_s3_bucket.logs.bucket_regional_domain_name}"
+ bucket = aws_s3_bucket.logs.bucket_regional_domain_name
 prefix = "cloudfront/"
 }
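Review bot: The `log-delivery-write` canned ACL in the new `aws_s3_bucket_acl.logs` resource grants the S3 LogDelivery group WRITE and READ_ACP on the bucket, which is the grant S3 server access logging uses; CloudFront standard logging writes through its own log-delivery account and, as far as I recall, adds its own FULL_CONTROL grant to the bucket ACL when the distribution's `logging_config` is applied, so this resource may show permanent drift after the first apply and may not by itself be the grant CloudFront needs — worth confirming against the current CloudFront logging docs before relying on it. In the ownership hunk, `ObjectWriter` leaves every delivered log object owned by the writing account; `object_ownership = "BucketOwnerPreferred"` also keeps ACLs enabled and transfers ownership of objects delivered with bucket-owner-full-control, which is the less surprising choice for a bucket this account will read from. Neither hunk shows an `aws_s3_bucket_public_access_block` for the logs bucket; if one is not defined outside this patch, adding one with all four settings true keeps the re-enabled ACLs from ever exposing log contents, since the LogDelivery group grant is not treated as public. The comment on the first hunk could name the mechanism it depends on, e.g. `# Enable ACLs: legacy CloudFront standard logging needs an ACL grant, and S3 disables ACLs by default`.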