us-east-1 S3 buckets created prior to 3/1/2018 can have uppercase letters and underscores, but aws_s3_bucket_acl resource does not allow for them

[kpkrishnamoorthy]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Affected Resource(s)

• aws_s3_bucket_acl

Expected Behavior

The aws_s3_bucket_acl resource should support all buckets that can currently exist on AWS, including ones with uppercase letters and underscores in their names.

Actual Behavior

aws_s3_bucket_acl throws the error unexpected format for ID (studioone_logs), expected BUCKET or BUCKET,EXPECTED_BUCKET_OWNER or BUCKET,ACL or BUCKET,EXPECTED_BUCKET_OWNER,ACL when ACLs connected to buckets with underscores or uppercase letters in their names are applied or imported.

Steps to Reproduce

1. Locate an S3 bucket in the us-east-1 AWS region that contains either uppercase letters or underscores in the name. These were allowed in bucket names prior to 3/1/2018 ONLY in the us-east-1 region.
2. Add an aws_s3_bucket_acl resource for the bucket, for example:

resource "aws_s3_bucket_acl" "example" {
  bucket = "my_EXAMPLE_bucket"
  access_control_policy {
    grant {
      grantee {
        uri         = "http://acs.amazonaws.com/groups/global/AllUsers"
        type        = "Group"
      }
      permission = "READ"
    }

    owner {
      id = data.aws_canonical_user_id.current_user.id
    }
  }
}

3. Run a terraform plan - the plan should show output suggesting that it wants to create the ACL as defined.
4. Attempt to run a terraform apply (or, if the ACL is already defined in the bucket, attempt to run terraform import <resource_path> my_EXAMPLE_bucket
5. Both the apply and import will fail, with the error unexpected format for ID (studioone_logs), expected BUCKET or BUCKET,EXPECTED_BUCKET_OWNER or BUCKET,ACL or BUCKET,EXPECTED_BUCKET_OWNER,ACL

Important Factoids

This issue appears to be present because the regex checking the bucket ID input does not allow underscore and uppercase characters to be part of the bucket name. This prevents assigning ACLs to any bucket whose name has these characters, even though the aws_s3_bucket resource itself supports these characters in the name.

Regex location in provider code:

terraform-provider-aws/internal/service/s3/bucket_acl.go

Line 463 in cf6dd26

bucketRegex := regexp.MustCompile(`^[a-z0-9.-]{1,63}$`)

AWS documentation regarding the deprecating naming rule (read the Note after the bullet-points):
https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html#:~:text=Note,all%20other%20Regions.

[kpkrishnamoorthy]

Beautiful. Thank you so much for the quick action on this.

[anGie44]

Sure thing @kpkrishnamoorthy , thanks for spotting this and providing a detailed write-up!

[github-actions]

This functionality has been released in v4.6.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.