add acl validator to aws s3 bucket resource

[NikolaeVarius]

Community Note

• Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Closes #15304

Release note for CHANGELOG:

- Adds in canned acls that apply to buckets documented in https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl specifically "aws-exec-read" and "log-delivery-write" as valid acls

Output from acceptance testing:

$ make testacc TESTARGS='-run=TestAccXXX'

...

[github-actions]

Thank you for your contribution! 🚀

Please note that typically Go dependency changes are handled in this repository by Renovate Bot or the maintainers. This is to prevent pull request merge conflicts and further delay reviews of contributions. Remove any changes to the go.mod, go.sum, and vendor/ files and commit them into this pull request.

Additional details:

• Check open pull requests with the dependencies label to view other dependency updates.
• If this pull request includes an update the AWS Go SDK (or any other dependency) version, only updates submitted via Renovate Bot will be merged. This pull request will need to remove these changes and will need to be rebased after the existing dependency update via Renovate Bot has been merged for this pull request to be reviewed.
• If this pull request is for supporting a new AWS service:
  • Ensure the new AWS service changes are following the Contributing Guide section on new services, in particular that the dependency addition and initial provider support are in a separate pull request from other changes (e.g. new resources). Contributions not following this item will not be reviewed until the changes are split.
  • If this pull request is already a separate pull request from the above item, you can ignore this message.

[reedloden]

Instead of hardcoding them, how about just using s3.BucketCannedACL_Values()?

[NikolaeVarius]

I dont really have a preference. But, looking at other validation functions, they seem to list out all the values. I dont think I want to go against the style?

https://github.com/terraform-providers/terraform-provider-aws/blob/0544ae1fe0f788616cc483df8d0e68d3dd36a0ed/aws/resource_aws_s3_bucket.go#L120
https://github.com/terraform-providers/terraform-provider-aws/blob/0544ae1fe0f788616cc483df8d0e68d3dd36a0ed/aws/resource_aws_s3_bucket.go#L406
https://github.com/terraform-providers/terraform-provider-aws/blob/0544ae1fe0f788616cc483df8d0e68d3dd36a0ed/aws/resource_aws_s3_bucket.go#L453

[gdavison]

Hi @NikolaeVarius. We've actually been changing over to the _Values() functions so that new values are automatically picked up when we update the AWS SDK. We're tracking this in #14601

The _Values() functions were actually added by one of our maintainers in aws/aws-sdk-go#3447 🙂

[reedloden]

This doesn't seem to exist?

[NikolaeVarius]

[NikolaeVarius]

as in the other comment, yeah you're correct

[reedloden]

I don't think this exists for buckets... For objects, there's ObjectCannedACLAwsExecRead.

[NikolaeVarius]

https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl

It seems to say it works on both

[reedloden]

The SDK doesn't seem to support it. See https://docs.aws.amazon.com/sdk-for-go/api/service/s3/#pkg-constants. Or if you look at the code directly (https://raw.githubusercontent.com/aws/aws-sdk-go/master/service/s3/api.go), you can take a look at the BucketCannedACL_Values() function.

[NikolaeVarius]

I see you're correct. Those values are exist at the ObjectCannedACL_Values() function. I dont know the behavior just yet, and would need to test, but in this case, would it be wise to add this validator in if the upstream SDK doesn't support all possible values for a bucket? Wouldn't want to return a validation error when the ACL is perfectly valid.

// ObjectCannedACL_Values returns all elements of the ObjectCannedACL enum
func ObjectCannedACL_Values() []string {
	return []string{
		ObjectCannedACLPrivate,
		ObjectCannedACLPublicRead,
		ObjectCannedACLPublicReadWrite,
		ObjectCannedACLAuthenticatedRead,
		ObjectCannedACLAwsExecRead,
		ObjectCannedACLBucketOwnerRead,
		ObjectCannedACLBucketOwnerFullControl,
	}
}

[NikolaeVarius]

It seems the outdated canned acls in the go SDK are a known issue

aws/aws-sdk-go#2683

Further linked report terraform-linters/tflint#341 (comment)

[gdavison]

Unfortunately, we can't make changes in the vendored dependencies, because they'll be wiped out the next time we update the AWS SDK. When we run into missing constants, the first thing to do is double-check that they haven't been added in a new version of the SDK. If they haven't, then we can define our own constants in the directory aws/internal/service/s3 and also file an issue with AWS either on the SDK or with support

[gdavison]

HI @NikolaeVarius, this PR looks like a good start. Is there anything you need from us to move it forward?

[ghost]

This has been released in version 3.15.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!