Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

r/s3_bucket_server_side_encryption_configuration: new resource #22609

Merged
merged 8 commits into from
Feb 3, 2022
Merged

r/s3_bucket_server_side_encryption_configuration: new resource #22609

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
1dbfe8a
r/s3_bucket_server_side_encryption_configuration: new resource
anGie44 Jan 26, 2022
c1de972
Update CHANGELOG for #22609
anGie44 Jan 16, 2022
dd8b653
fix with terrafmt
anGie44 Jan 16, 2022
7288456
add missing error code
anGie44 Feb 3, 2022
2ad9cd4
update imports referencing tfawserr
anGie44 Feb 3, 2022
b0f9184
r/s3_bucket_server_side_encryption_configuration: re-use share id cre…
anGie44 Feb 3, 2022
42e02c2
provider: add back in the new resource
anGie44 Feb 3, 2022
c86f571
run gofmt after rebase
anGie44 Feb 3, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions .changelog/22609.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
```release-note:new-resource
aws_s3_bucket_server_side_encryption_configuration
```
43 changes: 22 additions & 21 deletions internal/provider/provider.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1620,27 +1620,28 @@ func Provider() *schema.Provider {
"aws_route53_resolver_rule": route53resolver.ResourceRule(),
"aws_route53_resolver_rule_association": route53resolver.ResourceRuleAssociation(),

"aws_s3_bucket": s3.ResourceBucket(),
"aws_s3_bucket_accelerate_configuration": s3.ResourceBucketAccelerateConfiguration(),
"aws_s3_bucket_analytics_configuration": s3.ResourceBucketAnalyticsConfiguration(),
"aws_s3_bucket_cors_configuration": s3.ResourceBucketCorsConfiguration(),
"aws_s3_bucket_intelligent_tiering_configuration": s3.ResourceBucketIntelligentTieringConfiguration(),
"aws_s3_bucket_inventory": s3.ResourceBucketInventory(),
"aws_s3_bucket_lifecycle_configuration": s3.ResourceBucketLifecycleConfiguration(),
"aws_s3_bucket_logging": s3.ResourceBucketLogging(),
"aws_s3_bucket_metric": s3.ResourceBucketMetric(),
"aws_s3_bucket_notification": s3.ResourceBucketNotification(),
"aws_s3_bucket_object_lock_configuration": s3.ResourceBucketObjectLockConfiguration(),
"aws_s3_bucket_ownership_controls": s3.ResourceBucketOwnershipControls(),
"aws_s3_bucket_policy": s3.ResourceBucketPolicy(),
"aws_s3_bucket_public_access_block": s3.ResourceBucketPublicAccessBlock(),
"aws_s3_bucket_replication_configuration": s3.ResourceBucketReplicationConfiguration(),
"aws_s3_bucket_request_payment_configuration": s3.ResourceBucketRequestPaymentConfiguration(),
"aws_s3_bucket_versioning": s3.ResourceBucketVersioning(),
"aws_s3_bucket_website_configuration": s3.ResourceBucketWebsiteConfiguration(),
"aws_s3_object": s3.ResourceObject(),
"aws_s3_object_copy": s3.ResourceObjectCopy(),
"aws_s3_bucket_object": s3.ResourceBucketObject(), // DEPRECATED: use aws_s3_object instead
"aws_s3_bucket": s3.ResourceBucket(),
"aws_s3_bucket_accelerate_configuration": s3.ResourceBucketAccelerateConfiguration(),
"aws_s3_bucket_analytics_configuration": s3.ResourceBucketAnalyticsConfiguration(),
"aws_s3_bucket_cors_configuration": s3.ResourceBucketCorsConfiguration(),
"aws_s3_bucket_intelligent_tiering_configuration": s3.ResourceBucketIntelligentTieringConfiguration(),
"aws_s3_bucket_inventory": s3.ResourceBucketInventory(),
"aws_s3_bucket_lifecycle_configuration": s3.ResourceBucketLifecycleConfiguration(),
"aws_s3_bucket_logging": s3.ResourceBucketLogging(),
"aws_s3_bucket_metric": s3.ResourceBucketMetric(),
"aws_s3_bucket_notification": s3.ResourceBucketNotification(),
"aws_s3_bucket_object_lock_configuration": s3.ResourceBucketObjectLockConfiguration(),
"aws_s3_bucket_ownership_controls": s3.ResourceBucketOwnershipControls(),
"aws_s3_bucket_policy": s3.ResourceBucketPolicy(),
"aws_s3_bucket_public_access_block": s3.ResourceBucketPublicAccessBlock(),
"aws_s3_bucket_replication_configuration": s3.ResourceBucketReplicationConfiguration(),
"aws_s3_bucket_request_payment_configuration": s3.ResourceBucketRequestPaymentConfiguration(),
"aws_s3_bucket_server_side_encryption_configuration": s3.ResourceBucketServerSideEncryptionConfiguration(),
"aws_s3_bucket_versioning": s3.ResourceBucketVersioning(),
"aws_s3_bucket_website_configuration": s3.ResourceBucketWebsiteConfiguration(),
"aws_s3_object": s3.ResourceObject(),
"aws_s3_object_copy": s3.ResourceObjectCopy(),
"aws_s3_bucket_object": s3.ResourceBucketObject(), // DEPRECATED: use aws_s3_object instead

"aws_s3_access_point": s3control.ResourceAccessPoint(),
"aws_s3control_access_point_policy": s3control.ResourceAccessPointPolicy(),
Expand Down
4 changes: 2 additions & 2 deletions internal/service/s3/bucket.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -836,7 +836,7 @@ func resourceBucketUpdate(d *schema.ResourceData, meta interface{}) error {
}

if d.HasChange("server_side_encryption_configuration") {
if err := resourceBucketServerSideEncryptionConfigurationUpdate(conn, d); err != nil {
if err := resourceBucketInternalServerSideEncryptionConfigurationUpdate(conn, d); err != nil {
return err
}
}
Expand Down Expand Up @@ -1947,7 +1947,7 @@ func resourceBucketRequestPayerUpdate(conn *s3.S3, d *schema.ResourceData) error
return nil
}

func resourceBucketServerSideEncryptionConfigurationUpdate(conn *s3.S3, d *schema.ResourceData) error {
func resourceBucketInternalServerSideEncryptionConfigurationUpdate(conn *s3.S3, d *schema.ResourceData) error {
bucket := d.Get("bucket").(string)
serverSideEncryptionConfiguration := d.Get("server_side_encryption_configuration").([]interface{})
if len(serverSideEncryptionConfiguration) == 0 {
Expand Down
312 changes: 312 additions & 0 deletions internal/service/s3/bucket_server_side_encryption_configuration.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,312 @@
package s3

import (
"context"
"fmt"
"log"

"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/service/s3"
"github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2/tfawserr"
"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
"github.com/hashicorp/terraform-provider-aws/internal/conns"
"github.com/hashicorp/terraform-provider-aws/internal/tfresource"
"github.com/hashicorp/terraform-provider-aws/internal/verify"
)

func ResourceBucketServerSideEncryptionConfiguration() *schema.Resource {
return &schema.Resource{
CreateContext: resourceBucketServerSideEncryptionConfigurationCreate,
ReadContext: resourceBucketServerSideEncryptionConfigurationRead,
UpdateContext: resourceBucketServerSideEncryptionConfigurationUpdate,
DeleteContext: resourceBucketServerSideEncryptionConfigurationDelete,
Importer: &schema.ResourceImporter{
StateContext: schema.ImportStatePassthroughContext,
},

Schema: map[string]*schema.Schema{
"bucket": {
Type: schema.TypeString,
Required: true,
ForceNew: true,
ValidateFunc: validation.StringLenBetween(1, 63),
},
"expected_bucket_owner": {
Type: schema.TypeString,
Optional: true,
ForceNew: true,
ValidateFunc: verify.ValidAccountID,
},
"rule": {
Type: schema.TypeSet,
Required: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"apply_server_side_encryption_by_default": {
Type: schema.TypeList,
MaxItems: 1,
Optional: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"kms_master_key_id": {
Type: schema.TypeString,
Optional: true,
},
"sse_algorithm": {
Type: schema.TypeString,
Required: true,
ValidateFunc: validation.StringInSlice(s3.ServerSideEncryption_Values(), false),
},
},
},
},
"bucket_key_enabled": {
Type: schema.TypeBool,
Optional: true,
},
},
},
},
},
}
}

func resourceBucketServerSideEncryptionConfigurationCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
conn := meta.(*conns.AWSClient).S3Conn

bucket := d.Get("bucket").(string)
expectedBucketOwner := d.Get("expected_bucket_owner").(string)

input := &s3.PutBucketEncryptionInput{
Bucket: aws.String(bucket),
ServerSideEncryptionConfiguration: &s3.ServerSideEncryptionConfiguration{
Rules: expandBucketServerSideEncryptionConfigurationRules(d.Get("rule").(*schema.Set).List()),
},
}

if expectedBucketOwner != "" {
input.ExpectedBucketOwner = aws.String(expectedBucketOwner)
}

_, err := tfresource.RetryWhenAWSErrCodeEquals(
propagationTimeout,
func() (interface{}, error) {
return conn.PutBucketEncryptionWithContext(ctx, input)
},
s3.ErrCodeNoSuchBucket,
ErrCodeOperationAborted,
)

if err != nil {
return diag.FromErr(fmt.Errorf("error creating S3 bucket (%s) server-side encryption configuration: %w", bucket, err))
}

d.SetId(CreateResourceID(bucket, expectedBucketOwner))

return resourceBucketServerSideEncryptionConfigurationRead(ctx, d, meta)
}

func resourceBucketServerSideEncryptionConfigurationRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
conn := meta.(*conns.AWSClient).S3Conn

bucket, expectedBucketOwner, err := ParseResourceID(d.Id())
if err != nil {
return diag.FromErr(err)
}

input := &s3.GetBucketEncryptionInput{
Bucket: aws.String(bucket),
}

if expectedBucketOwner != "" {
input.ExpectedBucketOwner = aws.String(expectedBucketOwner)
}

resp, err := verify.RetryOnAWSCode(s3.ErrCodeNoSuchBucket, func() (interface{}, error) {
return conn.GetBucketEncryptionWithContext(ctx, input)
})

if !d.IsNewResource() && tfawserr.ErrCodeEquals(err, s3.ErrCodeNoSuchBucket, ErrCodeServerSideEncryptionConfigurationNotFound) {
log.Printf("[WARN] S3 Bucket Server-Side Encryption Configuration (%s) not found, removing from state", d.Id())
d.SetId("")
return nil
}

if err != nil {
return diag.FromErr(fmt.Errorf("error reading S3 bucket server-side encryption configuration (%s): %w", d.Id(), err))
}

output, ok := resp.(*s3.GetBucketEncryptionOutput)
if !ok || output.ServerSideEncryptionConfiguration == nil {
if d.IsNewResource() {
return diag.FromErr(fmt.Errorf("error reading S3 bucket server-side encryption configuration (%s): empty output", d.Id()))
}
log.Printf("[WARN] S3 Bucket Server-Side Encryption Configuration (%s) not found, removing from state", d.Id())
d.SetId("")
return nil
}

sse := output.ServerSideEncryptionConfiguration

d.Set("bucket", bucket)
d.Set("expected_bucket_owner", expectedBucketOwner)
if err := d.Set("rule", flattenBucketServerSideEncryptionConfigurationRules(sse.Rules)); err != nil {
return diag.FromErr(fmt.Errorf("error setting rule: %w", err))
}

return nil
}

func resourceBucketServerSideEncryptionConfigurationUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
conn := meta.(*conns.AWSClient).S3Conn

bucket, expectedBucketOwner, err := ParseResourceID(d.Id())
if err != nil {
return diag.FromErr(err)
}

input := &s3.PutBucketEncryptionInput{
Bucket: aws.String(bucket),
ServerSideEncryptionConfiguration: &s3.ServerSideEncryptionConfiguration{
Rules: expandBucketServerSideEncryptionConfigurationRules(d.Get("rule").(*schema.Set).List()),
},
}

if expectedBucketOwner != "" {
input.ExpectedBucketOwner = aws.String(expectedBucketOwner)
}

_, err = tfresource.RetryWhenAWSErrCodeEquals(
propagationTimeout,
func() (interface{}, error) {
return conn.PutBucketEncryptionWithContext(ctx, input)
},
s3.ErrCodeNoSuchBucket,
ErrCodeOperationAborted,
)

if err != nil {
return diag.FromErr(fmt.Errorf("error updating S3 bucket (%s) server-side encryption configuration: %w", d.Id(), err))
}

return resourceBucketServerSideEncryptionConfigurationRead(ctx, d, meta)
}

func resourceBucketServerSideEncryptionConfigurationDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
conn := meta.(*conns.AWSClient).S3Conn

bucket, expectedBucketOwner, err := ParseResourceID(d.Id())
if err != nil {
return diag.FromErr(err)
}

input := &s3.DeleteBucketEncryptionInput{
Bucket: aws.String(bucket),
}

if expectedBucketOwner != "" {
input.ExpectedBucketOwner = aws.String(expectedBucketOwner)
}

_, err = conn.DeleteBucketEncryptionWithContext(ctx, input)

if tfawserr.ErrCodeEquals(err, s3.ErrCodeNoSuchBucket, ErrCodeServerSideEncryptionConfigurationNotFound) {
return nil
}

if err != nil {
return diag.FromErr(fmt.Errorf("error deleting S3 bucket server-side encryption configuration (%s): %w", d.Id(), err))
}

return nil
}

func expandBucketServerSideEncryptionConfigurationRuleApplyServerSideEncryptionByDefault(l []interface{}) *s3.ServerSideEncryptionByDefault {
if len(l) == 0 || l[0] == nil {
return nil
}

tfMap, ok := l[0].(map[string]interface{})
if !ok {
return nil
}

sse := &s3.ServerSideEncryptionByDefault{}

if v, ok := tfMap["kms_master_key_id"].(string); ok && v != "" {
sse.KMSMasterKeyID = aws.String(v)
}

if v, ok := tfMap["sse_algorithm"].(string); ok && v != "" {
sse.SSEAlgorithm = aws.String(v)
}

return sse
}

func expandBucketServerSideEncryptionConfigurationRules(l []interface{}) []*s3.ServerSideEncryptionRule {
var rules []*s3.ServerSideEncryptionRule

for _, tfMapRaw := range l {
tfMap, ok := tfMapRaw.(map[string]interface{})
if !ok {
continue
}

rule := &s3.ServerSideEncryptionRule{}

if v, ok := tfMap["apply_server_side_encryption_by_default"].([]interface{}); ok && len(v) > 0 && v[0] != nil {
rule.ApplyServerSideEncryptionByDefault = expandBucketServerSideEncryptionConfigurationRuleApplyServerSideEncryptionByDefault(v)
}

if v, ok := tfMap["bucket_key_enabled"].(bool); ok {
rule.BucketKeyEnabled = aws.Bool(v)
}
rules = append(rules, rule)
}

return rules
}

func flattenBucketServerSideEncryptionConfigurationRules(rules []*s3.ServerSideEncryptionRule) []interface{} {
var results []interface{}

for _, rule := range rules {
if rule == nil {
continue
}

m := make(map[string]interface{})

if rule.ApplyServerSideEncryptionByDefault != nil {
m["apply_server_side_encryption_by_default"] = flattenBucketServerSideEncryptionConfigurationRuleApplyServerSideEncryptionByDefault(rule.ApplyServerSideEncryptionByDefault)
}
if rule.BucketKeyEnabled != nil {
m["bucket_key_enabled"] = aws.BoolValue(rule.BucketKeyEnabled)
}

results = append(results, m)
}

return results
}

func flattenBucketServerSideEncryptionConfigurationRuleApplyServerSideEncryptionByDefault(sse *s3.ServerSideEncryptionByDefault) []interface{} {
if sse == nil {
return []interface{}{}
}

m := make(map[string]interface{})

if sse.KMSMasterKeyID != nil {
m["kms_master_key_id"] = aws.StringValue(sse.KMSMasterKeyID)
}

if sse.SSEAlgorithm != nil {
m["sse_algorithm"] = aws.StringValue(sse.SSEAlgorithm)
}

return []interface{}{m}
}
Loading