aws/resource_aws_s3_bucket_inventory: Prevent import if SSE-S3 encryp…

…tion is enabled This prevents importing a resource that has the feature enabled so that future updates don't accidentally stomp on the data. The SDK currently fails to marshal this option correctly in a create/update request. The risk is minimal since the create/update request fails anyway, but this will avoid a user being surprised by a failed update _after_ they've imported it into their state. See: aws/aws-sdk-go#2015
danielwhite · Jun 29, 2018 · 2c4b05b · 2c4b05b
1 parent 42bbf33
commit 2c4b05b
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 0 deletions.
diff --git a/aws/resource_aws_s3_bucket_inventory.go b/aws/resource_aws_s3_bucket_inventory.go
@@ -1,6 +1,7 @@
 package aws
 
 import (
+	"errors"
 	"fmt"
 	"log"
 	"strings"
@@ -325,6 +326,14 @@ func resourceAwsS3BucketInventoryRead(d *schema.ResourceData, meta interface{})
 	}
 
 	if output.InventoryConfiguration.Destination != nil {
+		// Flag the existence of SSE-S3 encryption because it cannot be marshaled when updating a resource.
+		// Allowing import would risk disabling encryption inadvertently when applying updates.
+		if output.InventoryConfiguration.Destination.S3BucketDestination.Encryption != nil {
+			if output.InventoryConfiguration.Destination.S3BucketDestination.Encryption.SSES3 != nil {
+				return errors.New("sse_s3 encryption is unsupported")
+			}
+		}
+
 		destination := map[string]interface{}{
 			"bucket": flattenS3InventoryS3BucketDestination(output.InventoryConfiguration.Destination.S3BucketDestination),
 		}

diff --git a/aws/resource_aws_s3_bucket_inventory_test.go b/aws/resource_aws_s3_bucket_inventory_test.go
@@ -60,6 +60,8 @@ func TestAccAWSS3BucketInventory_basic(t *testing.T) {
 }
 
 func TestAccAWSS3BucketInventory_encryptWithSSES3(t *testing.T) {
+	t.Skip("SSE-S3 is not supported by the SDK.")
+
 	var conf s3.InventoryConfiguration
 	rString := acctest.RandString(8)
 	resourceName := "aws_s3_bucket_inventory.test"

diff --git a/website/docs/r/s3_bucket_inventory.html.markdown b/website/docs/r/s3_bucket_inventory.html.markdown
@@ -111,6 +111,8 @@ The `bucket` configuration supports the following:
 
 The `encryption` configuration supports the following:
 
+~> **NOTE:** `sse_s3` is currently unsupported.
+
 * `sse_kms` - (Optional) Specifies to use server-side encryption with AWS KMS-managed keys to encrypt the inventory file (documented below).
 * `sse_s3` - (Optional) Specifies to use server-side encryption with Amazon S3-managed keys (SSE-S3) to encrypt the inventory file.