remote/s3: Add support for ACL

state/remote/s3.go

@@ -4,6 +4,7 @@ import (
  "bytes"
  "fmt"
  "io"
+ "log"
  "os"
  "strconv"
 
@@ -45,6 +46,11 @@ func s3Factory(conf map[string]string) (Client, error) {
  serverSideEncryption = v
  }
 
+ acl := ""
+ if raw, ok := conf["acl"]; ok {
+ acl = raw
+ }
+
  accessKeyId := conf["access_key"]
  secretAccessKey := conf["secret_key"]
 
@@ -77,6 +83,7 @@ func s3Factory(conf map[string]string) (Client, error) {
  bucketName: bucketName,
  keyName: keyName,
  serverSideEncryption: serverSideEncryption,
+ acl: acl,
  }, nil
 }
 
@@ -85,6 +92,7 @@ type S3Client struct {
  bucketName string
  keyName string
  serverSideEncryption bool
+ acl string
 }
 
 func (c *S3Client) Get() (*Payload, error) {
@@ -140,6 +148,12 @@ func (c *S3Client) Put(data []byte) error {
  i.ServerSideEncryption = aws.String("AES256")
  }
 
+ if c.acl != "" {
+ i.ACL = aws.String(c.acl)
+ }
+
+ log.Printf("[DEBUG] Uploading remote state to S3: %#v", i)
+
  if _, err := c.nativeClient.PutObject(i); err == nil {
  return nil
  } else {

website/source/docs/commands/remote-config.html.markdown

@@ -57,6 +57,13 @@ The following backends are supported:
  in the `access_key`, `secret_key` and `region` variables
  respectively, but passing credentials this way is not recommended since they
  will be included in cleartext inside the persisted state.
+ Other supported parameters include:
+ * `bucket` - the name of the S3 bucket
+ * `key` - path where to place/look for state file inside the bucket
+ * `encrypt` - whether to enable [server side encryption](http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html)
+ of the state file
+ * `acl` - [Canned ACL](http://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl)
+ to be applied to the state file.
 
 * HTTP - Stores the state using a simple REST client. State will be fetched
  via GET, updated via POST, and purged with DELETE. Requires the `address` variable.