r/aws_s3_bucket: support SSE-KMS replication configuration

[modax]

Fixes #2200, #2226

It would be great to get this merged soon. Thanks!

make testacc TESTARGS="-run 'TestAccAWSS3Bucket_'"                                                   
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./... -v -run 'TestAccAWSS3Bucket_' -timeout 120m
?       github.com/terraform-providers/terraform-provider-aws   [no test files]
=== RUN   TestAccAWSS3Bucket_importBasic
--- PASS: TestAccAWSS3Bucket_importBasic (79.48s)
=== RUN   TestAccAWSS3Bucket_importWithPolicy
--- PASS: TestAccAWSS3Bucket_importWithPolicy (86.50s)
=== RUN   TestAccAWSS3Bucket_basic
--- PASS: TestAccAWSS3Bucket_basic (65.44s)
=== RUN   TestAccAWSS3Bucket_namePrefix
--- PASS: TestAccAWSS3Bucket_namePrefix (65.88s)
=== RUN   TestAccAWSS3Bucket_generatedName
--- PASS: TestAccAWSS3Bucket_generatedName (66.26s)
=== RUN   TestAccAWSS3Bucket_region
--- PASS: TestAccAWSS3Bucket_region (39.46s)
=== RUN   TestAccAWSS3Bucket_acceleration
--- PASS: TestAccAWSS3Bucket_acceleration (73.89s)
=== RUN   TestAccAWSS3Bucket_RequestPayer
--- PASS: TestAccAWSS3Bucket_RequestPayer (123.23s)
=== RUN   TestAccAWSS3Bucket_Policy
--- PASS: TestAccAWSS3Bucket_Policy (168.01s)
=== RUN   TestAccAWSS3Bucket_UpdateAcl
--- PASS: TestAccAWSS3Bucket_UpdateAcl (120.25s)
=== RUN   TestAccAWSS3Bucket_Website_Simple
--- PASS: TestAccAWSS3Bucket_Website_Simple (183.89s)
=== RUN   TestAccAWSS3Bucket_WebsiteRedirect
--- PASS: TestAccAWSS3Bucket_WebsiteRedirect (185.42s)
=== RUN   TestAccAWSS3Bucket_WebsiteRoutingRules
--- PASS: TestAccAWSS3Bucket_WebsiteRoutingRules (128.49s)
=== RUN   TestAccAWSS3Bucket_enableDefaultEncryption_whenTypical
--- PASS: TestAccAWSS3Bucket_enableDefaultEncryption_whenTypical (109.67s)
=== RUN   TestAccAWSS3Bucket_enableDefaultEncryption_whenAES256IsUsed
--- PASS: TestAccAWSS3Bucket_enableDefaultEncryption_whenAES256IsUsed (67.26s)
=== RUN   TestAccAWSS3Bucket_disableDefaultEncryption_whenDefaultEncryptionIsEnabled
--- PASS: TestAccAWSS3Bucket_disableDefaultEncryption_whenDefaultEncryptionIsEnabled (124.96s)
=== RUN   TestAccAWSS3Bucket_shouldFailNotFound
--- PASS: TestAccAWSS3Bucket_shouldFailNotFound (36.49s)
=== RUN   TestAccAWSS3Bucket_Versioning
--- PASS: TestAccAWSS3Bucket_Versioning (178.60s)
=== RUN   TestAccAWSS3Bucket_Cors
--- PASS: TestAccAWSS3Bucket_Cors (131.24s)
=== RUN   TestAccAWSS3Bucket_Logging
--- PASS: TestAccAWSS3Bucket_Logging (103.32s)
=== RUN   TestAccAWSS3Bucket_Lifecycle
--- PASS: TestAccAWSS3Bucket_Lifecycle (176.16s)
=== RUN   TestAccAWSS3Bucket_Replication
--- PASS: TestAccAWSS3Bucket_Replication (254.52s)
=== RUN   TestAccAWSS3Bucket_ReplicationWithoutStorageClass
--- PASS: TestAccAWSS3Bucket_ReplicationWithoutStorageClass (98.22s)
=== RUN   TestAccAWSS3Bucket_ReplicationExpectVersioningValidationError
--- PASS: TestAccAWSS3Bucket_ReplicationExpectVersioningValidationError (50.31s)
PASS
ok      github.com/terraform-providers/terraform-provider-aws/aws       2716.962s

[modax]

Glad to see a release with #2472. This one would have made a nice pairing (and it still does)!

[johvet]

We'd also love to see this coming soon.

[handlerbot]

@radeksimko Any chance this can make the 1.8.0 milestone? (Or is that one full up? 🙏)

[handlerbot]

@bflad @Ninir Any chance this can make the 1.8.0 milestone? 🔮 :-)

[cornfeedhobo]

@jen20 @radeksimko any hope here?

[cornfeedhobo]

can haz merge?

[cornfeedhobo]

@modax Looks like you might have to take another pass here. Thanks for owning this!

[jrstarke]

@modax: looks like this has conflicts now

[jrstarke]

Looks like there are some conflicts. If we get the conflicts resolved, can we get this merged?

[modax]

Fixed conflicts (removed two commits addressing other related problems that already been fixed in master), reran acc tests.

However, it is really unfortunate that PR merging cycle takes such a long time...

[tombuildsstuff]

hey @modax

Thanks for this PR (and rebasing it) - apologies for the delayed review here!

I've taken a look through and raised one comment around the hash function which needs @radeksimko or @bflad to confirm is ok, but this otherwise LGTM 👍 I'll kick off the test suite now to confirm the tests are still good after the rebase

Thanks!

[tombuildsstuff]

Given this is adding an existing field to the hashcode function - this will appear as a diff to existing resources, I believe that should be fine, but @radeksimko / @bflad can confirm for sure

[radeksimko]

In that case I think we should add state migration, so the diff doesn't appear for existing users who just upgraded and not use any new functionality.

[modax]

hi, @radeksimko,

I have just confirmed that neither of these:

1. terraform apply
2. terraform apply -refresh=false
3. terraform refresh

report any changes after provider upgrade. Rule hash value changes in the state file after all of them though. Frankly, I have also expected 2) to report changes but for some reason it does not happen (must be related to how set hash is compared probably, i.e. always upfront or something).

Here is the tf code if you want to test yourself: https://gist.github.com/modax/9e13db22565ab2f1a26821e5ee5995e5

[tombuildsstuff]

confirmed that scenario ^ - LGTM 👍

[tombuildsstuff]

Tests pass:

[modax]

@tombuildsstuff Thanks for review. Sorry for the late change, but I've just realized that my testAccCheckAWSS3BucketReplicationRules was still using old "provider for loop" which deemed to be deprecated and was refactored in testAccCheckAWSS3BucketExistsWithProvider with specific provider function. So I have refactored my func in the spirit of the new testAccCheckAWSS3BucketExistsWithProvider as well: 2b643af

Hopefully this does not delay merge...

$ make testacc TESTARGS="-run 'TestAccAWSS3Bucket_Replication'" 
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./... -v -run 'TestAccAWSS3Bucket_Replication' -timeout 120m
?       github.com/terraform-providers/terraform-provider-aws   [no test files]
=== RUN   TestAccAWSS3Bucket_Replication
--- PASS: TestAccAWSS3Bucket_Replication (271.27s)
=== RUN   TestAccAWSS3Bucket_ReplicationWithoutStorageClass
--- PASS: TestAccAWSS3Bucket_ReplicationWithoutStorageClass (104.66s)
=== RUN   TestAccAWSS3Bucket_ReplicationExpectVersioningValidationError
--- PASS: TestAccAWSS3Bucket_ReplicationExpectVersioningValidationError (54.79s)
PASS
ok      github.com/terraform-providers/terraform-provider-aws/aws       430.744s

[bflad]

This has been released in version 1.10.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

[cornfeedhobo]

This seriously might make my quarter. Thank you @modax for getting this in!!

[jrstarke]

Oh man, this has me super bummed. I thought that this was exactly what I needed, but it turns out I also need the Account and AccessControlTranslation arguments. Without those, all of the files getting replicated to my replication account are un-usable, unless the owner account explicitly grants access to all of them.

https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTreplication.html

[jnoss]

+1 for #3575 to get this working for cross-account replication, too

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!