r/aws_s3_bucket: Tagging fallback acceptance test

[jar-b]

Description

#45251 introduced ABAC support for general purpose buckets, including modifications to the tagging logic which now attempt to use the S3 control tagging APIs before falling back to the pre-existing logic using the S3 tagging APIs instead. To ensure no regressions in the fallback logic, an acceptance test should be created to exercise the fallback procedure.

Important Facts and References

Relates #45251 (comment)

IAM role setup:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 6.0"
    }
  }
}

# Configure the AWS Provider
provider "aws" {}

data "aws_caller_identity" "current" {}

data "aws_iam_session_context" "current" {
  arn = data.aws_caller_identity.current.arn
}

data "aws_iam_policy_document" "test_assume_role" {
  statement {
    effect = "Allow"
    actions = [
      "sts:AssumeRole",
      "sts:SetSourceIdentity",
    ]
    principals {
      type = "AWS"
      identifiers = [
        data.aws_iam_session_context.current.issuer_arn,
      ]
    }
  }
}

data "aws_iam_policy_document" "test" {
  statement {
    sid    = "AllowAllS3"
    effect = "Allow"
    actions = [
      "s3:*",
    ]
    resources = [
      "arn:aws:s3:::*",
    ]
  }
  statement {
    sid    = "ForceTaggingFallback"
    effect = "Deny"
    actions = [
      "s3:TagResource",
      "s3:UntagResource",
      "s3:ListTagsForResource",
    ]
    resources = [
      "arn:aws:s3:::*",
    ]
  }

  statement {
    actions = [
      "sts:GetCallerIdentity",
    ]
    resources = [
      "*",
    ]
  }
}

resource "aws_iam_policy" "test" {
  name   = "jb-test-s3-bucket-no-tag-perms"
  policy = data.aws_iam_policy_document.test.json
}

resource "aws_iam_role" "test" {
  name               = "jb-test-s3-bucket-no-tag-perms"
  assume_role_policy = data.aws_iam_policy_document.test_assume_role.json
}

resource "aws_iam_role_policy_attachment" "test" {
  role       = aws_iam_role.test.name
  policy_arn = aws_iam_policy.test.arn
}

output "role_arn" {
  value = aws_iam_role.test.arn
}

Exercising the fallback by assuming the role from above:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 6.0"
    }
  }
}

# Configure the AWS Provider
provider "aws" {
  assume_role {
    role_arn = "arn:aws:iam::>redacted>:role/jb-test-s3-bucket-no-tag-perms"
  }
}

resource "aws_s3_bucket" "test" {
  bucket = "jb-test-s3-bucket-no-tag-perms"

  tags = {
    foo = "bar"
    # Subsequent steps add and remove tags
    # baz = "qux"
  }
}

Would you like to implement a relevant change?

Yes

[github-actions]

Community Guidelines

This comment is added to every new Issue to provide quick reference to how the Terraform AWS Provider is maintained. Please review the information below, and thank you for contributing to the community that keeps the provider thriving! 🚀

Voting for Prioritization

• Please vote on this Issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize it.
• Please see our prioritization guide for additional information on how the maintainers handle prioritization.
• Please do not leave +1 or other comments that do not add relevant new information or questions; they generate extra noise for others following the Issue and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.
• For new resources and data sources, use skaff to generate scaffolding with comments detailing common expectations.

[github-actions]

Warning

This Issue has been closed, meaning that any additional comments are much easier for the maintainers to miss. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

[github-actions]

This functionality has been released in v6.24.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!