@jar-b jar-b commented Nov 25, 2025

Rollback Plan

If a change needs to be reverted, we will publish an updated version of the library.

Changes to Security Controls

Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain.

Description

This change introduces ABAC (Attribute Based Access Control) support for general purpose S3 buckets to the Terraform AWS provider. Specifically,

  • A new aws_s3_bucket_abac resource is added for managing the ABAC status of an existing bucket.
  • The aws_s3_bucket resource will attempt to send tags in the CreateBucket request, falling back to a separate tag update request post-creation if the calling principal is missing the s3:TagResource IAM permission.
  • The aws_s3_bucket resource will attempt to use the S3 Control tagging APIs for read and update operations before falling back to the S3 tagging APIs. The S3 Control APIs are required for ABAC to function correctly.

Tag on Create

The aws_s3_bucket resource will now attempt to send tags in the CreateBucket request, falling back to the pre-existing "tag after create" behavior when permissions errors are returned. Principals missing permissions to the new APIs should still be able to create tagged buckets without issue as long as ABAC is not enabled on the bucket.

Tag Updates

Tag updates for the aws_s3_bucket resource will now attempt to use the TagResource and UntagResource APIs from the S3 control service first, falling back to the pre-existing PutBucketTagging and DeleteBucketTagging APIs when permission errors are returned. This change is to support the newly released S3 ABAC (attribute based access control) feature, which requires use of the new tagging APIs to function correctly. Principals missing permissions to the new APIs should still be able to manage tags without issue as long as ABAC is not enabled on the bucket.

Tag Reads

Tag reads for the aws_s3_bucket resource will now attempt to use the ListTagsForResource API from the S3 control service first, falling back to the pre-existing GetBucketTagging API when permission errors are returned. This change is to support the newly released S3 ABAC (attribute based access control) feature, which requires use of the new tagging APIs to function correctly. The GetBucketTagging tagging API itself is functional whether or not ABAC is enabled, but ListTagsForResource will still be preferred as it belongs to the same service as the tag update APIs which are required for ABAC.

Relations

Closes #45190

References

Output from Acceptance Testing

```console
% make t K=s3 T=TestAccS3BucketABAC_
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
make: Running acceptance tests on branch: 🌿 f-s3_abac 🌿...
TF_ACC=1 go1.24.10 test ./internal/service/s3/... -v -count 1 -parallel 20 -run='TestAccS3BucketABAC_'  -timeout 360m -vet=off
2025/11/24 15:38:45 Creating Terraform AWS Provider (SDKv2-style)...
2025/11/24 15:38:45 Initializing Terraform AWS Provider (SDKv2-style)...

--- PASS: TestAccS3BucketABAC_disappears_Bucket (16.41s)
--- PASS: TestAccS3BucketABAC_basic (20.51s)
--- PASS: TestAccS3BucketABAC_update (42.23s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/s3 48.706s
```
```console
% make t K=s3 T=TestAccS3Bucket_
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
make: Running acceptance tests on branch: 🌿 f-s3_abac 🌿...
TF_ACC=1 go1.24.10 test ./internal/service/s3/... -v -count 1 -parallel 20 -run='TestAccS3Bucket_'  -timeout 360m -vet=off
2025/11/25 14:37:16 Creating Terraform AWS Provider (SDKv2-style)...
2025/11/25 14:37:16 Initializing Terraform AWS Provider (SDKv2-style)...

--- PASS: TestAccS3Bucket_Replication_expectVersioningValidationError (30.92s)
=== CONT  TestAccS3Bucket_Replication_twoDestination
--- PASS: TestAccS3Bucket_Security_corsDelete (42.07s)
=== CONT  TestAccS3Bucket_Replication_multipleDestinationsNonEmptyFilter
--- PASS: TestAccS3Bucket_Basic_forceDestroyWithObjectVersionsUnusualKeyBytes (43.22s)
=== CONT  TestAccS3Bucket_Replication_multipleDestinationsEmptyFilter
--- PASS: TestAccS3Bucket_Security_corsEmptyOrigin (50.73s)
=== CONT  TestAccS3Bucket_Replication_basic
--- PASS: TestAccS3Bucket_Security_enableDefaultEncryptionWhenAES256IsUsed (50.75s)
=== CONT  TestAccS3Bucket_Manage_versioningAndMFADeleteDisabled
--- PASS: TestAccS3Bucket_tags_DefaultTags_emptyResourceTag (53.38s)
=== CONT  TestAccS3Bucket_Manage_MFADeleteDisabled
--- PASS: TestAccS3Bucket_Security_logging (54.36s)
=== CONT  TestAccS3Bucket_Manage_versioningDisabled
--- PASS: TestAccS3Bucket_Replication_schemaV2SameRegion (56.50s)
=== CONT  TestAccS3Bucket_Manage_versioning
--- PASS: TestAccS3Bucket_Security_enableDefaultEncryptionWhenTypical (58.99s)
=== CONT  TestAccS3Bucket_Manage_objectLockWithVersioning_deprecatedEnabled
--- PASS: TestAccS3Bucket_Security_disableDefaultEncryptionWhenDefaultEncryptionIsEnabled (75.18s)
=== CONT  TestAccS3Bucket_Manage_objectLockWithVersioning
--- PASS: TestAccS3Bucket_Web_routingRules (76.07s)
=== CONT  TestAccS3Bucket_Manage_objectLock_migrate
=== CONT  TestAccS3Bucket_Manage_objectLock_deprecatedEnabled
--- PASS: TestAccS3Bucket_Identity_Basic (78.91s)
--- PASS: TestAccS3Bucket_Replication_withoutPrefix (92.52s)
=== CONT  TestAccS3Bucket_Manage_objectLock
--- PASS: TestAccS3Bucket_Security_corsUpdate (95.91s)
=== CONT  TestAccS3Bucket_Manage_lifecycleRemove
--- PASS: TestAccS3Bucket_Manage_versioningAndMFADeleteDisabled (52.46s)
=== CONT  TestAccS3Bucket_Manage_lifecycleRuleAbortIncompleteMultipartUploadDaysNoExpiration
--- PASS: TestAccS3Bucket_Manage_MFADeleteDisabled (57.17s)
=== CONT  TestAccS3Bucket_Manage_lifecycleRuleExpirationEmptyBlock
--- PASS: TestAccS3Bucket_Web_redirect (113.82s)
=== CONT  TestAccS3Bucket_Manage_lifecycleExpireMarkerOnly
--- PASS: TestAccS3Bucket_Manage_versioningDisabled (59.48s)
=== CONT  TestAccS3Bucket_Manage_lifecycleBasic
--- PASS: TestAccS3Bucket_Web_simple (117.29s)
=== CONT  TestAccS3Bucket_tags_ignoreTags
--- PASS: TestAccS3Bucket_Manage_objectLockWithVersioning_deprecatedEnabled (67.76s)
=== CONT  TestAccS3Bucket_tags_withSystemTags
--- PASS: TestAccS3Bucket_Replication_twoDestination (104.75s)
=== CONT  TestAccS3Bucket_Duplicate_UsEast1AltAccount
    bucket_test.go:589: skipping test because at least one environment variable of [AWS_ALTERNATE_PROFILE AWS_ALTERNATE_ACCESS_KEY_ID] must be set. Usage: credentials for running acceptance testing in alternate AWS account.
--- SKIP: TestAccS3Bucket_Duplicate_UsEast1AltAccount (0.00s)
=== CONT  TestAccS3Bucket_Duplicate_UsEast1
--- PASS: TestAccS3Bucket_Manage_objectLock_deprecatedEnabled (63.04s)
=== CONT  TestAccS3Bucket_Duplicate_basic
--- PASS: TestAccS3Bucket_Replication_multipleDestinationsNonEmptyFilter (102.03s)
=== CONT  TestAccS3Bucket_disappears
--- PASS: TestAccS3Bucket_Manage_objectLockWithVersioning (70.45s)
=== CONT  TestAccS3Bucket_Basic_upgradeFromV5
--- PASS: TestAccS3Bucket_Replication_multipleDestinationsEmptyFilter (105.35s)
=== CONT  TestAccS3Bucket_Basic_requestPayer
--- PASS: TestAccS3Bucket_Duplicate_UsEast1 (19.81s)
=== CONT  TestAccS3Bucket_Basic_keyEnabled
--- PASS: TestAccS3Bucket_Manage_lifecycleRuleExpirationEmptyBlock (45.70s)
=== CONT  TestAccS3Bucket_Basic_acceleration
--- PASS: TestAccS3Bucket_Replication_ruleDestinationAddAccessControlTranslation (157.55s)
=== CONT  TestAccS3Bucket_Basic_forceDestroyWithObjectLockEnabled
--- PASS: TestAccS3Bucket_Replication_ruleDestinationAccessControlTranslation (161.57s)
=== CONT  TestAccS3Bucket_Basic_forceDestroyWithEmptyPrefixes
--- PASS: TestAccS3Bucket_Manage_lifecycleRuleAbortIncompleteMultipartUploadDaysNoExpiration (58.48s)
=== CONT  TestAccS3Bucket_tags_EmptyTag_OnCreate
--- PASS: TestAccS3Bucket_Manage_objectLock_migrate (87.11s)
=== CONT  TestAccS3Bucket_tags_DefaultTags_updateToResourceOnly
--- PASS: TestAccS3Bucket_Manage_versioning (108.40s)
=== CONT  TestAccS3Bucket_tags_DefaultTags_updateToProviderOnly
--- PASS: TestAccS3Bucket_Duplicate_basic (24.44s)
=== CONT  TestAccS3Bucket_tags_DefaultTags_overlapping
--- PASS: TestAccS3Bucket_Manage_lifecycleRemove (77.29s)
=== CONT  TestAccS3Bucket_tags_DefaultTags_nonOverlapping
--- PASS: TestAccS3Bucket_Manage_objectLock (94.52s)
=== CONT  TestAccS3Bucket_tags_DefaultTags_providerOnly
--- PASS: TestAccS3Bucket_disappears (44.43s)
=== CONT  TestAccS3Bucket_tags_EmptyTag_OnUpdate_Replace
--- PASS: TestAccS3Bucket_tags_ignoreTags (89.62s)
=== CONT  TestAccS3Bucket_tags_EmptyTag_OnUpdate_Add
--- PASS: TestAccS3Bucket_Manage_lifecycleBasic (95.58s)
=== CONT  TestAccS3Bucket_Security_corsSingleMethodAndEmptyOrigin
--- PASS: TestAccS3Bucket_Basic_forceDestroyWithEmptyPrefixes (51.93s)
=== CONT  TestAccS3Bucket_tags
--- PASS: TestAccS3Bucket_Manage_lifecycleExpireMarkerOnly (100.12s)
=== CONT  TestAccS3Bucket_tags_AddOnUpdate
--- PASS: TestAccS3Bucket_Basic_forceDestroyWithObjectLockEnabled (57.93s)
=== CONT  TestAccS3Bucket_tags_EmptyMap
--- PASS: TestAccS3Bucket_Basic_keyEnabled (69.11s)
=== CONT  TestAccS3Bucket_tags_null
--- PASS: TestAccS3Bucket_Basic_requestPayer (95.64s)
=== CONT  TestAccS3Bucket_Replication_withoutStorageClass
--- PASS: TestAccS3Bucket_Basic_upgradeFromV5 (109.18s)
=== CONT  TestAccS3Bucket_Identity_ExistingResource
--- PASS: TestAccS3Bucket_Replication_RTC_valid (259.71s)
=== CONT  TestAccS3Bucket_Identity_ExistingResource_NoRefresh_NoChange
--- PASS: TestAccS3Bucket_Basic_acceleration (104.46s)
=== CONT  TestAccS3Bucket_tags_IgnoreTags_Overlap_ResourceTag
--- PASS: TestAccS3Bucket_Security_corsSingleMethodAndEmptyOrigin (64.31s)
=== CONT  TestAccS3Bucket_Basic_forceDestroyWithObjectVersions
--- PASS: TestAccS3Bucket_Replication_basic (225.30s)
=== CONT  TestAccS3Bucket_Basic_forceDestroyWithUnusualKeyBytes
--- PASS: TestAccS3Bucket_tags_DefaultTags_updateToResourceOnly (114.12s)
=== CONT  TestAccS3Bucket_Basic_forceDestroy
--- PASS: TestAccS3Bucket_tags_DefaultTags_updateToProviderOnly (118.78s)
=== CONT  TestAccS3Bucket_Basic_namePrefix
--- PASS: TestAccS3Bucket_tags_EmptyTag_OnCreate (131.03s)
=== CONT  TestAccS3Bucket_Basic_nameGenerated
--- PASS: TestAccS3Bucket_tags_EmptyTag_OnUpdate_Replace (111.54s)
=== CONT  TestAccS3Bucket_Basic_emptyString
--- PASS: TestAccS3Bucket_Basic_forceDestroy (43.40s)
=== CONT  TestAccS3Bucket_Basic_basic
--- PASS: TestAccS3Bucket_tags_EmptyMap (105.69s)
=== CONT  TestAccS3Bucket_Identity_RegionOverride
--- PASS: TestAccS3Bucket_Basic_forceDestroyWithUnusualKeyBytes (47.38s)
=== CONT  TestAccS3Bucket_tags_ComputedTag_OnCreate
--- PASS: TestAccS3Bucket_tags_AddOnUpdate (116.41s)
=== CONT  TestAccS3Bucket_tags_IgnoreTags_Overlap_DefaultTag
--- PASS: TestAccS3Bucket_tags_null (105.92s)
=== CONT  TestAccS3Bucket_tags_ComputedTag_OnUpdate_Replace
--- PASS: TestAccS3Bucket_Basic_forceDestroyWithObjectVersions (57.89s)
=== CONT  TestAccS3Bucket_tags_ComputedTag_OnUpdate_Add
--- PASS: TestAccS3Bucket_tags_withSystemTags (211.13s)
=== CONT  TestAccS3Bucket_tags_DefaultTags_nullOverlappingResourceTag
--- PASS: TestAccS3Bucket_Basic_namePrefix (57.55s)
=== CONT  TestAccS3Bucket_tags_DefaultTags_nullNonOverlappingResourceTag
--- PASS: TestAccS3Bucket_Replication_withoutStorageClass (103.59s)
=== CONT  TestAccS3Bucket_tags_DefaultTags_emptyProviderOnlyTag
--- PASS: TestAccS3Bucket_Identity_ExistingResource_NoRefresh_NoChange (93.66s)
--- PASS: TestAccS3Bucket_Basic_nameGenerated (62.39s)
--- PASS: TestAccS3Bucket_Replication_schemaV2 (358.56s)
--- PASS: TestAccS3Bucket_tags_DefaultTags_overlapping (192.97s)
--- PASS: TestAccS3Bucket_Basic_emptyString (62.51s)
--- PASS: TestAccS3Bucket_tags_DefaultTags_nonOverlapping (193.57s)
--- PASS: TestAccS3Bucket_Basic_basic (54.37s)
--- PASS: TestAccS3Bucket_tags_EmptyTag_OnUpdate_Add (170.61s)
--- PASS: TestAccS3Bucket_tags_ComputedTag_OnCreate (61.98s)
--- PASS: TestAccS3Bucket_tags_DefaultTags_nullOverlappingResourceTag (53.05s)
--- PASS: TestAccS3Bucket_Identity_RegionOverride (71.77s)
--- PASS: TestAccS3Bucket_tags_DefaultTags_nullNonOverlappingResourceTag (53.79s)
--- PASS: TestAccS3Bucket_tags_DefaultTags_emptyProviderOnlyTag (48.58s)
--- PASS: TestAccS3Bucket_Identity_ExistingResource (142.27s)
--- PASS: TestAccS3Bucket_tags_IgnoreTags_Overlap_ResourceTag (143.06s)
--- PASS: TestAccS3Bucket_tags_DefaultTags_providerOnly (218.60s)
--- PASS: TestAccS3Bucket_tags_ComputedTag_OnUpdate_Replace (80.64s)
--- PASS: TestAccS3Bucket_tags_ComputedTag_OnUpdate_Add (79.82s)
--- PASS: TestAccS3Bucket_tags (201.08s)
--- PASS: TestAccS3Bucket_tags_IgnoreTags_Overlap_DefaultTag (88.89s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/s3 426.215s
```
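
The try-first, fall-back-on-permission-error ordering described under Tag Updates, as an added Go sketch that is not code from this pull request or the provider. The `apiError`, `tagWriter`, `fakeWriter` and `updateTags` names are hypothetical, and matching on the `AccessDenied` error code is an assumption; the point shown is that only an authorization failure triggers the legacy path, while any other error is returned as-is.

```go
package main

import (
	"errors"
	"fmt"
)

// apiError is a constructed stand-in for a service error that carries an
// error code (assumption: the real SDK error exposes a comparable code).
type apiError struct{ Op, Code string }

func (e *apiError) Error() string { return e.Op + ": " + e.Code }

// isPermissionError reports whether err is an authorization failure.
// Matching on the "AccessDenied" code is an assumption of this sketch.
func isPermissionError(err error) bool {
	var ae *apiError
	return errors.As(err, &ae) && ae.Code == "AccessDenied"
}

// tagWriter abstracts one tagging path (hypothetical interface).
type tagWriter interface {
	Name() string
	PutTags(bucket string, tags map[string]string) error
}

// updateTags tries the preferred path first and uses the legacy path only
// when the preferred call was rejected for missing permissions. Any other
// failure is returned unchanged, so a real fault is never hidden behind a
// second call. It returns the name of the path that applied the tags.
func updateTags(preferred, legacy tagWriter, bucket string, tags map[string]string) (string, error) {
	err := preferred.PutTags(bucket, tags)
	if err == nil {
		return preferred.Name(), nil
	}
	if !isPermissionError(err) {
		return "", fmt.Errorf("%s: %w", preferred.Name(), err)
	}
	if lerr := legacy.PutTags(bucket, tags); lerr != nil {
		// Report both failures so the operator can see every missing permission.
		return "", errors.Join(err, lerr)
	}
	return legacy.Name(), nil
}

// fakeWriter is a constructed test double: it returns err if set and counts calls.
type fakeWriter struct {
	name  string
	err   error
	calls int
}

func (f *fakeWriter) Name() string { return f.name }

func (f *fakeWriter) PutTags(string, map[string]string) error {
	f.calls++
	return f.err
}

func main() {
	// Constructed scenario: the principal lacks permission for the S3 Control call.
	tags := map[string]string{"team": "payments"}
	control := &fakeWriter{name: "s3control:TagResource", err: &apiError{Op: "TagResource", Code: "AccessDenied"}}
	s3 := &fakeWriter{name: "s3:PutBucketTagging"}

	used, err := updateTags(control, s3, "example-bucket", tags)
	fmt.Println("path used:", used, "error:", err)
}
```
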

@github-actions github-actions bot added the prioritized, documentation, tests, service/s3, generators, and size/XL labels on Nov 25, 2025

```console
% make t K=s3 T=TestAccS3BucketABAC_
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
make: Running acceptance tests on branch: 🌿 f-s3_abac 🌿...
TF_ACC=1 go1.24.10 test ./internal/service/s3/... -v -count 1 -parallel 20 -run='TestAccS3BucketABAC_'  -timeout 360m -vet=off
2025/11/24 15:38:45 Creating Terraform AWS Provider (SDKv2-style)...
2025/11/24 15:38:45 Initializing Terraform AWS Provider (SDKv2-style)...

--- PASS: TestAccS3BucketABAC_disappears_Bucket (16.41s)
--- PASS: TestAccS3BucketABAC_basic (20.51s)
--- PASS: TestAccS3BucketABAC_update (42.23s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/s3 48.706s
```
Tag updates for the `aws_s3_bucket` resource will now attempt to use the [`TagResource`](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_TagResource.html) and [`UntagResource`](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_UntagResource.html) APIs from the S3 control service first, falling back to the pre-existing [`PutBucketTagging`](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketTagging.html) and [`DeleteBucketTagging`](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketTagging.html) APIs when permission errors are returned. This change is to support the newly released [S3 ABAC](https://docs.aws.amazon.com/AmazonS3/latest/userguide/buckets-tagging-enable-abac.html) (attribute based access control) feature, which requires use of the new tagging APIs to function correctly. Principals missing permissions to the new APIs should still be able to manage tags without issue as long as ABAC is not enabled on the bucket.

```console
% make t K=s3 T=TestAccS3Bucket_tags
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
make: Running acceptance tests on branch: 🌿 f-s3_abac 🌿...
TF_ACC=1 go1.24.10 test ./internal/service/s3/... -v -count 1 -parallel 20 -run='TestAccS3Bucket_tags'  -timeout 360m -vet=off
2025/11/24 19:37:20 Creating Terraform AWS Provider (SDKv2-style)...
2025/11/24 19:37:20 Initializing Terraform AWS Provider (SDKv2-style)...

--- PASS: TestAccS3Bucket_tags_DefaultTags_emptyProviderOnlyTag (48.06s)
=== CONT  TestAccS3Bucket_tags_DefaultTags_nonOverlapping
--- PASS: TestAccS3Bucket_tags_DefaultTags_nullNonOverlappingResourceTag (51.86s)
=== CONT  TestAccS3Bucket_tags_null
--- PASS: TestAccS3Bucket_tags_DefaultTags_emptyResourceTag (53.68s)
=== CONT  TestAccS3Bucket_tags_DefaultTags_providerOnly
--- PASS: TestAccS3Bucket_tags_DefaultTags_nullOverlappingResourceTag (56.18s)
--- PASS: TestAccS3Bucket_tags_ComputedTag_OnCreate (56.49s)
--- PASS: TestAccS3Bucket_tags_ignoreTags (62.86s)
--- PASS: TestAccS3Bucket_tags_EmptyMap (70.69s)
--- PASS: TestAccS3Bucket_tags_DefaultTags_updateToResourceOnly (74.83s)
--- PASS: TestAccS3Bucket_tags_AddOnUpdate (78.97s)
--- PASS: TestAccS3Bucket_tags_DefaultTags_updateToProviderOnly (79.41s)
--- PASS: TestAccS3Bucket_tags_EmptyTag_OnUpdate_Replace (79.51s)
--- PASS: TestAccS3Bucket_tags_ComputedTag_OnUpdate_Add (79.84s)
--- PASS: TestAccS3Bucket_tags_ComputedTag_OnUpdate_Replace (82.04s)
--- PASS: TestAccS3Bucket_tags_EmptyTag_OnCreate (87.03s)
--- PASS: TestAccS3Bucket_tags_IgnoreTags_Overlap_DefaultTag (92.59s)
--- PASS: TestAccS3Bucket_tags_null (46.89s)
--- PASS: TestAccS3Bucket_tags_IgnoreTags_Overlap_ResourceTag (99.52s)
--- PASS: TestAccS3Bucket_tags_EmptyTag_OnUpdate_Add (99.97s)
--- PASS: TestAccS3Bucket_tags_DefaultTags_overlapping (107.83s)
--- PASS: TestAccS3Bucket_tags_withSystemTags (122.32s)
--- PASS: TestAccS3Bucket_tags (122.62s)
--- PASS: TestAccS3Bucket_tags_DefaultTags_nonOverlapping (76.56s)
--- PASS: TestAccS3Bucket_tags_DefaultTags_providerOnly (91.25s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/s3 151.544s
```
Tag reads for the `aws_s3_bucket` resource will now attempt to use the [`ListTagsForResource`](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_ListTagsForResource.html) API from the S3 control service first, falling back to the pre-existing [`GetBucketTagging`](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketTagging.html) API when permission errors are returned. This change is to support the newly released [S3 ABAC](https://docs.aws.amazon.com/AmazonS3/latest/userguide/buckets-tagging-enable-abac.html) (attribute based access control) feature, which requires use of the new tagging APIs to function correctly. The `GetBucketTagging` tagging API itself is functional whether or not ABAC is enabled, but `ListTagsForResource` will still be preferred as it belongs to the same service as the tag update APIs which are required for ABAC.

```console
% make t K=s3 T=TestAccS3Bucket_tags
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
make: Running acceptance tests on branch: 🌿 f-s3_abac 🌿...
TF_ACC=1 go1.24.10 test ./internal/service/s3/... -v -count 1 -parallel 20 -run='TestAccS3Bucket_tags'  -timeout 360m -vet=off
2025/11/25 10:35:47 Creating Terraform AWS Provider (SDKv2-style)...
2025/11/25 10:35:47 Initializing Terraform AWS Provider (SDKv2-style)...

--- PASS: TestAccS3Bucket_tags_DefaultTags_nullOverlappingResourceTag (48.59s)
=== CONT  TestAccS3Bucket_tags_IgnoreTags_Overlap_DefaultTag
--- PASS: TestAccS3Bucket_tags_DefaultTags_emptyResourceTag (54.33s)
=== CONT  TestAccS3Bucket_tags_DefaultTags_providerOnly
--- PASS: TestAccS3Bucket_tags_DefaultTags_nullNonOverlappingResourceTag (56.57s)
=== CONT  TestAccS3Bucket_tags_DefaultTags_emptyProviderOnlyTag
--- PASS: TestAccS3Bucket_tags_ComputedTag_OnCreate (57.33s)
--- PASS: TestAccS3Bucket_tags_ignoreTags (64.16s)
--- PASS: TestAccS3Bucket_tags_EmptyMap (70.56s)
--- PASS: TestAccS3Bucket_tags_null (71.98s)
--- PASS: TestAccS3Bucket_tags_AddOnUpdate (75.77s)
--- PASS: TestAccS3Bucket_tags_DefaultTags_updateToResourceOnly (79.22s)
--- PASS: TestAccS3Bucket_tags_ComputedTag_OnUpdate_Replace (79.77s)
--- PASS: TestAccS3Bucket_tags_EmptyTag_OnUpdate_Replace (81.75s)
--- PASS: TestAccS3Bucket_tags_DefaultTags_updateToProviderOnly (83.67s)
--- PASS: TestAccS3Bucket_tags_ComputedTag_OnUpdate_Add (83.86s)
--- PASS: TestAccS3Bucket_tags_EmptyTag_OnCreate (84.94s)
--- PASS: TestAccS3Bucket_tags_DefaultTags_emptyProviderOnlyTag (35.84s)
--- PASS: TestAccS3Bucket_tags_IgnoreTags_Overlap_ResourceTag (101.83s)
--- PASS: TestAccS3Bucket_tags_EmptyTag_OnUpdate_Add (104.47s)
--- PASS: TestAccS3Bucket_tags_DefaultTags_nonOverlapping (110.37s)
--- PASS: TestAccS3Bucket_tags_DefaultTags_overlapping (110.48s)
--- PASS: TestAccS3Bucket_tags_IgnoreTags_Overlap_DefaultTag (65.19s)
--- PASS: TestAccS3Bucket_tags_withSystemTags (124.72s)
--- PASS: TestAccS3Bucket_tags (126.15s)
--- PASS: TestAccS3Bucket_tags_DefaultTags_providerOnly (94.47s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/s3 155.366s
```
Removes the `newBucketARN` helper in favor of the existing function with similar functionality.

```console
% make t K=s3 T=TestAccS3Bucket_tags
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
make: Running acceptance tests on branch: 🌿 f-s3_abac 🌿...
TF_ACC=1 go1.24.10 test ./internal/service/s3/... -v -count 1 -parallel 20 -run='TestAccS3Bucket_tags'  -timeout 360m -vet=off
2025/11/25 13:23:40 Creating Terraform AWS Provider (SDKv2-style)...
2025/11/25 13:23:40 Initializing Terraform AWS Provider (SDKv2-style)...

--- PASS: TestAccS3Bucket_tags_ComputedTag_OnCreate (55.97s)
=== CONT  TestAccS3Bucket_tags_null
--- PASS: TestAccS3Bucket_tags_DefaultTags_emptyResourceTag (59.32s)
=== CONT  TestAccS3Bucket_tags_DefaultTags_nullOverlappingResourceTag
--- PASS: TestAccS3Bucket_tags_ignoreTags (65.13s)
=== CONT  TestAccS3Bucket_tags_DefaultTags_emptyProviderOnlyTag
--- PASS: TestAccS3Bucket_tags_EmptyMap (77.94s)
--- PASS: TestAccS3Bucket_tags_DefaultTags_updateToResourceOnly (83.01s)
--- PASS: TestAccS3Bucket_tags_AddOnUpdate (83.74s)
--- PASS: TestAccS3Bucket_tags_EmptyTag_OnUpdate_Replace (85.14s)
--- PASS: TestAccS3Bucket_tags_DefaultTags_nullNonOverlappingResourceTag (85.33s)
--- PASS: TestAccS3Bucket_tags_ComputedTag_OnUpdate_Add (87.83s)
--- PASS: TestAccS3Bucket_tags_DefaultTags_updateToProviderOnly (88.45s)
--- PASS: TestAccS3Bucket_tags_ComputedTag_OnUpdate_Replace (90.18s)
--- PASS: TestAccS3Bucket_tags_EmptyTag_OnCreate (92.46s)
--- PASS: TestAccS3Bucket_tags_DefaultTags_nullOverlappingResourceTag (39.46s)
--- PASS: TestAccS3Bucket_tags_IgnoreTags_Overlap_DefaultTag (98.93s)
--- PASS: TestAccS3Bucket_tags_DefaultTags_emptyProviderOnlyTag (37.12s)
--- PASS: TestAccS3Bucket_tags_EmptyTag_OnUpdate_Add (108.39s)
--- PASS: TestAccS3Bucket_tags_IgnoreTags_Overlap_ResourceTag (108.84s)
--- PASS: TestAccS3Bucket_tags_null (53.31s)
--- PASS: TestAccS3Bucket_tags_DefaultTags_overlapping (117.13s)
--- PASS: TestAccS3Bucket_tags_DefaultTags_nonOverlapping (118.15s)
--- PASS: TestAccS3Bucket_tags_withSystemTags (131.42s)
--- PASS: TestAccS3Bucket_tags (136.07s)
--- PASS: TestAccS3Bucket_tags_DefaultTags_providerOnly (136.86s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/s3 143.621s
```
This resource will now attempt to include tags within the `CreateBucket` request. If the request fails with an error indicating the `s3:TagResource` permission is missing, the provider will fall back to the previous behavior of tagging post-creation.

```console
% make t K=s3 T=TestAccS3Bucket_tags
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
make: Running acceptance tests on branch: 🌿 f-s3_abac 🌿...
TF_ACC=1 go1.24.10 test ./internal/service/s3/... -v -count 1 -parallel 20 -run='TestAccS3Bucket_tags'  -timeout 360m -vet=off
2025/11/25 13:53:24 Creating Terraform AWS Provider (SDKv2-style)...
2025/11/25 13:53:24 Initializing Terraform AWS Provider (SDKv2-style)...

--- PASS: TestAccS3Bucket_tags_DefaultTags_nullNonOverlappingResourceTag (53.83s)
=== CONT  TestAccS3Bucket_tags_IgnoreTags_Overlap_DefaultTag
--- PASS: TestAccS3Bucket_tags_DefaultTags_emptyResourceTag (54.48s)
=== CONT  TestAccS3Bucket_tags_ComputedTag_OnUpdate_Add
--- PASS: TestAccS3Bucket_tags_DefaultTags_emptyProviderOnlyTag (54.58s)
=== CONT  TestAccS3Bucket_tags_ComputedTag_OnCreate
--- PASS: TestAccS3Bucket_tags_DefaultTags_nullOverlappingResourceTag (54.60s)
--- PASS: TestAccS3Bucket_tags_ignoreTags (64.28s)
--- PASS: TestAccS3Bucket_tags_EmptyMap (75.94s)
--- PASS: TestAccS3Bucket_tags_null (78.34s)
--- PASS: TestAccS3Bucket_tags_DefaultTags_updateToResourceOnly (79.20s)
--- PASS: TestAccS3Bucket_tags_ComputedTag_OnUpdate_Replace (82.38s)
--- PASS: TestAccS3Bucket_tags_EmptyTag_OnUpdate_Replace (84.05s)
--- PASS: TestAccS3Bucket_tags_AddOnUpdate (84.19s)
--- PASS: TestAccS3Bucket_tags_DefaultTags_updateToProviderOnly (85.63s)
--- PASS: TestAccS3Bucket_tags_EmptyTag_OnCreate (89.70s)
--- PASS: TestAccS3Bucket_tags_ComputedTag_OnCreate (41.37s)
--- PASS: TestAccS3Bucket_tags_IgnoreTags_Overlap_ResourceTag (102.82s)
--- PASS: TestAccS3Bucket_tags_EmptyTag_OnUpdate_Add (106.25s)
--- PASS: TestAccS3Bucket_tags_ComputedTag_OnUpdate_Add (58.24s)
--- PASS: TestAccS3Bucket_tags_DefaultTags_overlapping (113.94s)
--- PASS: TestAccS3Bucket_tags_DefaultTags_nonOverlapping (113.95s)
--- PASS: TestAccS3Bucket_tags_IgnoreTags_Overlap_DefaultTag (63.93s)
--- PASS: TestAccS3Bucket_tags (127.58s)
--- PASS: TestAccS3Bucket_tags_withSystemTags (128.66s)
--- PASS: TestAccS3Bucket_tags_DefaultTags_providerOnly (131.07s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/s3 137.596s
```
```console
% make t K=s3 T=TestAccS3Bucket_
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
make: Running acceptance tests on branch: 🌿 f-s3_abac 🌿...
TF_ACC=1 go1.24.10 test ./internal/service/s3/... -v -count 1 -parallel 20 -run='TestAccS3Bucket_'  -timeout 360m -vet=off
2025/11/25 14:37:16 Creating Terraform AWS Provider (SDKv2-style)...
2025/11/25 14:37:16 Initializing Terraform AWS Provider (SDKv2-style)...

--- PASS: TestAccS3Bucket_Replication_expectVersioningValidationError (30.92s)
=== CONT  TestAccS3Bucket_Replication_twoDestination
--- PASS: TestAccS3Bucket_Security_corsDelete (42.07s)
=== CONT  TestAccS3Bucket_Replication_multipleDestinationsNonEmptyFilter
--- PASS: TestAccS3Bucket_Basic_forceDestroyWithObjectVersionsUnusualKeyBytes (43.22s)
=== CONT  TestAccS3Bucket_Replication_multipleDestinationsEmptyFilter
--- PASS: TestAccS3Bucket_Security_corsEmptyOrigin (50.73s)
=== CONT  TestAccS3Bucket_Replication_basic
--- PASS: TestAccS3Bucket_Security_enableDefaultEncryptionWhenAES256IsUsed (50.75s)
=== CONT  TestAccS3Bucket_Manage_versioningAndMFADeleteDisabled
--- PASS: TestAccS3Bucket_tags_DefaultTags_emptyResourceTag (53.38s)
=== CONT  TestAccS3Bucket_Manage_MFADeleteDisabled
--- PASS: TestAccS3Bucket_Security_logging (54.36s)
=== CONT  TestAccS3Bucket_Manage_versioningDisabled
--- PASS: TestAccS3Bucket_Replication_schemaV2SameRegion (56.50s)
=== CONT  TestAccS3Bucket_Manage_versioning
--- PASS: TestAccS3Bucket_Security_enableDefaultEncryptionWhenTypical (58.99s)
=== CONT  TestAccS3Bucket_Manage_objectLockWithVersioning_deprecatedEnabled
--- PASS: TestAccS3Bucket_Security_disableDefaultEncryptionWhenDefaultEncryptionIsEnabled (75.18s)
=== CONT  TestAccS3Bucket_Manage_objectLockWithVersioning
--- PASS: TestAccS3Bucket_Web_routingRules (76.07s)
=== CONT  TestAccS3Bucket_Manage_objectLock_migrate
=== CONT  TestAccS3Bucket_Manage_objectLock_deprecatedEnabled
--- PASS: TestAccS3Bucket_Identity_Basic (78.91s)
--- PASS: TestAccS3Bucket_Replication_withoutPrefix (92.52s)
=== CONT  TestAccS3Bucket_Manage_objectLock
--- PASS: TestAccS3Bucket_Security_corsUpdate (95.91s)
=== CONT  TestAccS3Bucket_Manage_lifecycleRemove
--- PASS: TestAccS3Bucket_Manage_versioningAndMFADeleteDisabled (52.46s)
=== CONT  TestAccS3Bucket_Manage_lifecycleRuleAbortIncompleteMultipartUploadDaysNoExpiration
--- PASS: TestAccS3Bucket_Manage_MFADeleteDisabled (57.17s)
=== CONT  TestAccS3Bucket_Manage_lifecycleRuleExpirationEmptyBlock
--- PASS: TestAccS3Bucket_Web_redirect (113.82s)
=== CONT  TestAccS3Bucket_Manage_lifecycleExpireMarkerOnly
--- PASS: TestAccS3Bucket_Manage_versioningDisabled (59.48s)
=== CONT  TestAccS3Bucket_Manage_lifecycleBasic
--- PASS: TestAccS3Bucket_Web_simple (117.29s)
=== CONT  TestAccS3Bucket_tags_ignoreTags
--- PASS: TestAccS3Bucket_Manage_objectLockWithVersioning_deprecatedEnabled (67.76s)
=== CONT  TestAccS3Bucket_tags_withSystemTags
--- PASS: TestAccS3Bucket_Replication_twoDestination (104.75s)
=== CONT  TestAccS3Bucket_Duplicate_UsEast1AltAccount
    bucket_test.go:589: skipping test because at least one environment variable of [AWS_ALTERNATE_PROFILE AWS_ALTERNATE_ACCESS_KEY_ID] must be set. Usage: credentials for running acceptance testing in alternate AWS account.
--- SKIP: TestAccS3Bucket_Duplicate_UsEast1AltAccount (0.00s)
=== CONT  TestAccS3Bucket_Duplicate_UsEast1
--- PASS: TestAccS3Bucket_Manage_objectLock_deprecatedEnabled (63.04s)
=== CONT  TestAccS3Bucket_Duplicate_basic
--- PASS: TestAccS3Bucket_Replication_multipleDestinationsNonEmptyFilter (102.03s)
=== CONT  TestAccS3Bucket_disappears
--- PASS: TestAccS3Bucket_Manage_objectLockWithVersioning (70.45s)
=== CONT  TestAccS3Bucket_Basic_upgradeFromV5
--- PASS: TestAccS3Bucket_Replication_multipleDestinationsEmptyFilter (105.35s)
=== CONT  TestAccS3Bucket_Basic_requestPayer
--- PASS: TestAccS3Bucket_Duplicate_UsEast1 (19.81s)
=== CONT  TestAccS3Bucket_Basic_keyEnabled
--- PASS: TestAccS3Bucket_Manage_lifecycleRuleExpirationEmptyBlock (45.70s)
=== CONT  TestAccS3Bucket_Basic_acceleration
--- PASS: TestAccS3Bucket_Replication_ruleDestinationAddAccessControlTranslation (157.55s)
=== CONT  TestAccS3Bucket_Basic_forceDestroyWithObjectLockEnabled
--- PASS: TestAccS3Bucket_Replication_ruleDestinationAccessControlTranslation (161.57s)
=== CONT  TestAccS3Bucket_Basic_forceDestroyWithEmptyPrefixes
--- PASS: TestAccS3Bucket_Manage_lifecycleRuleAbortIncompleteMultipartUploadDaysNoExpiration (58.48s)
=== CONT  TestAccS3Bucket_tags_EmptyTag_OnCreate
--- PASS: TestAccS3Bucket_Manage_objectLock_migrate (87.11s)
=== CONT  TestAccS3Bucket_tags_DefaultTags_updateToResourceOnly
--- PASS: TestAccS3Bucket_Manage_versioning (108.40s)
=== CONT  TestAccS3Bucket_tags_DefaultTags_updateToProviderOnly
--- PASS: TestAccS3Bucket_Duplicate_basic (24.44s)
=== CONT  TestAccS3Bucket_tags_DefaultTags_overlapping
--- PASS: TestAccS3Bucket_Manage_lifecycleRemove (77.29s)
=== CONT  TestAccS3Bucket_tags_DefaultTags_nonOverlapping
--- PASS: TestAccS3Bucket_Manage_objectLock (94.52s)
=== CONT  TestAccS3Bucket_tags_DefaultTags_providerOnly
--- PASS: TestAccS3Bucket_disappears (44.43s)
=== CONT  TestAccS3Bucket_tags_EmptyTag_OnUpdate_Replace
--- PASS: TestAccS3Bucket_tags_ignoreTags (89.62s)
=== CONT  TestAccS3Bucket_tags_EmptyTag_OnUpdate_Add
--- PASS: TestAccS3Bucket_Manage_lifecycleBasic (95.58s)
=== CONT  TestAccS3Bucket_Security_corsSingleMethodAndEmptyOrigin
--- PASS: TestAccS3Bucket_Basic_forceDestroyWithEmptyPrefixes (51.93s)
=== CONT  TestAccS3Bucket_tags
--- PASS: TestAccS3Bucket_Manage_lifecycleExpireMarkerOnly (100.12s)
=== CONT  TestAccS3Bucket_tags_AddOnUpdate
--- PASS: TestAccS3Bucket_Basic_forceDestroyWithObjectLockEnabled (57.93s)
=== CONT  TestAccS3Bucket_tags_EmptyMap
--- PASS: TestAccS3Bucket_Basic_keyEnabled (69.11s)
=== CONT  TestAccS3Bucket_tags_null
--- PASS: TestAccS3Bucket_Basic_requestPayer (95.64s)
=== CONT  TestAccS3Bucket_Replication_withoutStorageClass
--- PASS: TestAccS3Bucket_Basic_upgradeFromV5 (109.18s)
=== CONT  TestAccS3Bucket_Identity_ExistingResource
--- PASS: TestAccS3Bucket_Replication_RTC_valid (259.71s)
=== CONT  TestAccS3Bucket_Identity_ExistingResource_NoRefresh_NoChange
--- PASS: TestAccS3Bucket_Basic_acceleration (104.46s)
=== CONT  TestAccS3Bucket_tags_IgnoreTags_Overlap_ResourceTag
--- PASS: TestAccS3Bucket_Security_corsSingleMethodAndEmptyOrigin (64.31s)
=== CONT  TestAccS3Bucket_Basic_forceDestroyWithObjectVersions
--- PASS: TestAccS3Bucket_Replication_basic (225.30s)
=== CONT  TestAccS3Bucket_Basic_forceDestroyWithUnusualKeyBytes
--- PASS: TestAccS3Bucket_tags_DefaultTags_updateToResourceOnly (114.12s)
=== CONT  TestAccS3Bucket_Basic_forceDestroy
--- PASS: TestAccS3Bucket_tags_DefaultTags_updateToProviderOnly (118.78s)
=== CONT  TestAccS3Bucket_Basic_namePrefix
--- PASS: TestAccS3Bucket_tags_EmptyTag_OnCreate (131.03s)
=== CONT  TestAccS3Bucket_Basic_nameGenerated
--- PASS: TestAccS3Bucket_tags_EmptyTag_OnUpdate_Replace (111.54s)
=== CONT  TestAccS3Bucket_Basic_emptyString
--- PASS: TestAccS3Bucket_Basic_forceDestroy (43.40s)
=== CONT  TestAccS3Bucket_Basic_basic
--- PASS: TestAccS3Bucket_tags_EmptyMap (105.69s)
=== CONT  TestAccS3Bucket_Identity_RegionOverride
--- PASS: TestAccS3Bucket_Basic_forceDestroyWithUnusualKeyBytes (47.38s)
=== CONT  TestAccS3Bucket_tags_ComputedTag_OnCreate
--- PASS: TestAccS3Bucket_tags_AddOnUpdate (116.41s)
=== CONT  TestAccS3Bucket_tags_IgnoreTags_Overlap_DefaultTag
--- PASS: TestAccS3Bucket_tags_null (105.92s)
=== CONT  TestAccS3Bucket_tags_ComputedTag_OnUpdate_Replace
--- PASS: TestAccS3Bucket_Basic_forceDestroyWithObjectVersions (57.89s)
=== CONT  TestAccS3Bucket_tags_ComputedTag_OnUpdate_Add
--- PASS: TestAccS3Bucket_tags_withSystemTags (211.13s)
=== CONT  TestAccS3Bucket_tags_DefaultTags_nullOverlappingResourceTag
--- PASS: TestAccS3Bucket_Basic_namePrefix (57.55s)
=== CONT  TestAccS3Bucket_tags_DefaultTags_nullNonOverlappingResourceTag
--- PASS: TestAccS3Bucket_Replication_withoutStorageClass (103.59s)
=== CONT  TestAccS3Bucket_tags_DefaultTags_emptyProviderOnlyTag
--- PASS: TestAccS3Bucket_Identity_ExistingResource_NoRefresh_NoChange (93.66s)
--- PASS: TestAccS3Bucket_Basic_nameGenerated (62.39s)
--- PASS: TestAccS3Bucket_Replication_schemaV2 (358.56s)
--- PASS: TestAccS3Bucket_tags_DefaultTags_overlapping (192.97s)
--- PASS: TestAccS3Bucket_Basic_emptyString (62.51s)
--- PASS: TestAccS3Bucket_tags_DefaultTags_nonOverlapping (193.57s)
--- PASS: TestAccS3Bucket_Basic_basic (54.37s)
--- PASS: TestAccS3Bucket_tags_EmptyTag_OnUpdate_Add (170.61s)
--- PASS: TestAccS3Bucket_tags_ComputedTag_OnCreate (61.98s)
--- PASS: TestAccS3Bucket_tags_DefaultTags_nullOverlappingResourceTag (53.05s)
--- PASS: TestAccS3Bucket_Identity_RegionOverride (71.77s)
--- PASS: TestAccS3Bucket_tags_DefaultTags_nullNonOverlappingResourceTag (53.79s)
--- PASS: TestAccS3Bucket_tags_DefaultTags_emptyProviderOnlyTag (48.58s)
--- PASS: TestAccS3Bucket_Identity_ExistingResource (142.27s)
--- PASS: TestAccS3Bucket_tags_IgnoreTags_Overlap_ResourceTag (143.06s)
--- PASS: TestAccS3Bucket_tags_DefaultTags_providerOnly (218.60s)
--- PASS: TestAccS3Bucket_tags_ComputedTag_OnUpdate_Replace (80.64s)
--- PASS: TestAccS3Bucket_tags_ComputedTag_OnUpdate_Add (79.82s)
--- PASS: TestAccS3Bucket_tags (201.08s)
--- PASS: TestAccS3Bucket_tags_IgnoreTags_Overlap_DefaultTag (88.89s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/s3 426.215s
```
@jar-b jar-b marked this pull request as ready for review November 25, 2025 21:01
@jar-b jar-b requested a review from a team as a code owner November 25, 2025 21:01
ewbankkit previously approved these changes Nov 25, 2025

@ewbankkit ewbankkit left a comment

LGTM 🚀.

% make testacc TESTARGS='-run=TestAccS3BucketABAC_\|TestAccS3Bucket_Basic_\|TestAccS3Bucket_tags' PKG=s3 ACCTEST_PARALLELISM=4
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
make: Running acceptance tests on branch: 🌿 f-s3_abac 🌿...
TF_ACC=1 go1.24.10 test ./internal/service/s3/... -v -count 1 -parallel 4  -run=TestAccS3BucketABAC_\|TestAccS3Bucket_Basic_\|TestAccS3Bucket_tags -timeout 360m -vet=off
2025/11/25 16:38:14 Creating Terraform AWS Provider (SDKv2-style)...
2025/11/25 16:38:14 Initializing Terraform AWS Provider (SDKv2-style)...
=== RUN   TestAccS3BucketABAC_basic
=== PAUSE TestAccS3BucketABAC_basic
=== RUN   TestAccS3BucketABAC_disappears_Bucket
=== PAUSE TestAccS3BucketABAC_disappears_Bucket
=== RUN   TestAccS3BucketABAC_update
=== PAUSE TestAccS3BucketABAC_update
=== RUN   TestAccS3Bucket_tags
=== PAUSE TestAccS3Bucket_tags
=== RUN   TestAccS3Bucket_tags_null
=== PAUSE TestAccS3Bucket_tags_null
=== RUN   TestAccS3Bucket_tags_EmptyMap
=== PAUSE TestAccS3Bucket_tags_EmptyMap
=== RUN   TestAccS3Bucket_tags_AddOnUpdate
=== PAUSE TestAccS3Bucket_tags_AddOnUpdate
=== RUN   TestAccS3Bucket_tags_EmptyTag_OnCreate
=== PAUSE TestAccS3Bucket_tags_EmptyTag_OnCreate
=== RUN   TestAccS3Bucket_tags_EmptyTag_OnUpdate_Add
=== PAUSE TestAccS3Bucket_tags_EmptyTag_OnUpdate_Add
=== RUN   TestAccS3Bucket_tags_EmptyTag_OnUpdate_Replace
=== PAUSE TestAccS3Bucket_tags_EmptyTag_OnUpdate_Replace
=== RUN   TestAccS3Bucket_tags_DefaultTags_providerOnly
=== PAUSE TestAccS3Bucket_tags_DefaultTags_providerOnly
=== RUN   TestAccS3Bucket_tags_DefaultTags_nonOverlapping
=== PAUSE TestAccS3Bucket_tags_DefaultTags_nonOverlapping
=== RUN   TestAccS3Bucket_tags_DefaultTags_overlapping
=== PAUSE TestAccS3Bucket_tags_DefaultTags_overlapping
=== RUN   TestAccS3Bucket_tags_DefaultTags_updateToProviderOnly
=== PAUSE TestAccS3Bucket_tags_DefaultTags_updateToProviderOnly
=== RUN   TestAccS3Bucket_tags_DefaultTags_updateToResourceOnly
=== PAUSE TestAccS3Bucket_tags_DefaultTags_updateToResourceOnly
=== RUN   TestAccS3Bucket_tags_DefaultTags_emptyResourceTag
=== PAUSE TestAccS3Bucket_tags_DefaultTags_emptyResourceTag
=== RUN   TestAccS3Bucket_tags_DefaultTags_emptyProviderOnlyTag
=== PAUSE TestAccS3Bucket_tags_DefaultTags_emptyProviderOnlyTag
=== RUN   TestAccS3Bucket_tags_DefaultTags_nullOverlappingResourceTag
=== PAUSE TestAccS3Bucket_tags_DefaultTags_nullOverlappingResourceTag
=== RUN   TestAccS3Bucket_tags_DefaultTags_nullNonOverlappingResourceTag
=== PAUSE TestAccS3Bucket_tags_DefaultTags_nullNonOverlappingResourceTag
=== RUN   TestAccS3Bucket_tags_ComputedTag_OnCreate
=== PAUSE TestAccS3Bucket_tags_ComputedTag_OnCreate
=== RUN   TestAccS3Bucket_tags_ComputedTag_OnUpdate_Add
=== PAUSE TestAccS3Bucket_tags_ComputedTag_OnUpdate_Add
=== RUN   TestAccS3Bucket_tags_ComputedTag_OnUpdate_Replace
=== PAUSE TestAccS3Bucket_tags_ComputedTag_OnUpdate_Replace
=== RUN   TestAccS3Bucket_tags_IgnoreTags_Overlap_DefaultTag
=== PAUSE TestAccS3Bucket_tags_IgnoreTags_Overlap_DefaultTag
=== RUN   TestAccS3Bucket_tags_IgnoreTags_Overlap_ResourceTag
=== PAUSE TestAccS3Bucket_tags_IgnoreTags_Overlap_ResourceTag
=== RUN   TestAccS3Bucket_Basic_basic
=== PAUSE TestAccS3Bucket_Basic_basic
=== RUN   TestAccS3Bucket_Basic_emptyString
=== PAUSE TestAccS3Bucket_Basic_emptyString
=== RUN   TestAccS3Bucket_Basic_nameGenerated
=== PAUSE TestAccS3Bucket_Basic_nameGenerated
=== RUN   TestAccS3Bucket_Basic_namePrefix
=== PAUSE TestAccS3Bucket_Basic_namePrefix
=== RUN   TestAccS3Bucket_Basic_forceDestroy
=== PAUSE TestAccS3Bucket_Basic_forceDestroy
=== RUN   TestAccS3Bucket_Basic_forceDestroyWithUnusualKeyBytes
=== PAUSE TestAccS3Bucket_Basic_forceDestroyWithUnusualKeyBytes
=== RUN   TestAccS3Bucket_Basic_forceDestroyWithObjectVersions
=== PAUSE TestAccS3Bucket_Basic_forceDestroyWithObjectVersions
=== RUN   TestAccS3Bucket_Basic_forceDestroyWithObjectVersionsUnusualKeyBytes
=== PAUSE TestAccS3Bucket_Basic_forceDestroyWithObjectVersionsUnusualKeyBytes
=== RUN   TestAccS3Bucket_Basic_forceDestroyWithEmptyPrefixes
=== PAUSE TestAccS3Bucket_Basic_forceDestroyWithEmptyPrefixes
=== RUN   TestAccS3Bucket_Basic_forceDestroyWithObjectLockEnabled
=== PAUSE TestAccS3Bucket_Basic_forceDestroyWithObjectLockEnabled
=== RUN   TestAccS3Bucket_Basic_acceleration
=== PAUSE TestAccS3Bucket_Basic_acceleration
=== RUN   TestAccS3Bucket_Basic_keyEnabled
=== PAUSE TestAccS3Bucket_Basic_keyEnabled
=== RUN   TestAccS3Bucket_Basic_requestPayer
=== PAUSE TestAccS3Bucket_Basic_requestPayer
=== RUN   TestAccS3Bucket_Basic_upgradeFromV5
=== PAUSE TestAccS3Bucket_Basic_upgradeFromV5
=== RUN   TestAccS3Bucket_tags_withSystemTags
=== PAUSE TestAccS3Bucket_tags_withSystemTags
=== RUN   TestAccS3Bucket_tags_ignoreTags
=== PAUSE TestAccS3Bucket_tags_ignoreTags
=== CONT  TestAccS3BucketABAC_basic
=== CONT  TestAccS3Bucket_tags_ComputedTag_OnUpdate_Add
=== CONT  TestAccS3Bucket_tags_ComputedTag_OnCreate
=== CONT  TestAccS3Bucket_tags_DefaultTags_providerOnly
--- PASS: TestAccS3BucketABAC_basic (20.06s)
=== CONT  TestAccS3Bucket_tags_DefaultTags_updateToResourceOnly
--- PASS: TestAccS3Bucket_tags_ComputedTag_OnCreate (24.46s)
=== CONT  TestAccS3Bucket_tags_DefaultTags_updateToProviderOnly
--- PASS: TestAccS3Bucket_tags_ComputedTag_OnUpdate_Add (38.17s)
=== CONT  TestAccS3Bucket_tags_DefaultTags_overlapping
--- PASS: TestAccS3Bucket_tags_DefaultTags_updateToResourceOnly (31.99s)
=== CONT  TestAccS3Bucket_tags_DefaultTags_nonOverlapping
--- PASS: TestAccS3Bucket_tags_DefaultTags_updateToProviderOnly (34.06s)
=== CONT  TestAccS3Bucket_tags_DefaultTags_nullOverlappingResourceTag
--- PASS: TestAccS3Bucket_tags_DefaultTags_nullOverlappingResourceTag (19.60s)
=== CONT  TestAccS3Bucket_tags_DefaultTags_nullNonOverlappingResourceTag
--- PASS: TestAccS3Bucket_tags_DefaultTags_providerOnly (92.03s)
=== CONT  TestAccS3Bucket_Basic_forceDestroyWithObjectVersions
--- PASS: TestAccS3Bucket_tags_DefaultTags_overlapping (56.00s)
=== CONT  TestAccS3Bucket_tags_ignoreTags
--- PASS: TestAccS3Bucket_tags_DefaultTags_nullNonOverlappingResourceTag (19.68s)
=== CONT  TestAccS3Bucket_tags_withSystemTags
--- PASS: TestAccS3Bucket_tags_DefaultTags_nonOverlapping (54.93s)
=== CONT  TestAccS3Bucket_Basic_upgradeFromV5
--- PASS: TestAccS3Bucket_Basic_forceDestroyWithObjectVersions (20.11s)
=== CONT  TestAccS3Bucket_Basic_requestPayer
--- PASS: TestAccS3Bucket_tags_ignoreTags (29.82s)
=== CONT  TestAccS3Bucket_Basic_keyEnabled
--- PASS: TestAccS3Bucket_Basic_requestPayer (32.26s)
=== CONT  TestAccS3Bucket_Basic_acceleration
--- PASS: TestAccS3Bucket_Basic_keyEnabled (25.21s)
=== CONT  TestAccS3Bucket_Basic_forceDestroyWithEmptyPrefixes
=== CONT  TestAccS3Bucket_tags_DefaultTags_emptyResourceTag
--- PASS: TestAccS3Bucket_Basic_upgradeFromV5 (52.37s)
--- PASS: TestAccS3Bucket_Basic_forceDestroyWithEmptyPrefixes (15.33s)
=== CONT  TestAccS3Bucket_Basic_forceDestroyWithObjectVersionsUnusualKeyBytes
--- PASS: TestAccS3Bucket_Basic_acceleration (33.13s)
=== CONT  TestAccS3Bucket_Basic_forceDestroyWithObjectLockEnabled
--- PASS: TestAccS3Bucket_tags_DefaultTags_emptyResourceTag (19.65s)
=== CONT  TestAccS3Bucket_tags_EmptyMap
--- PASS: TestAccS3Bucket_Basic_forceDestroyWithObjectVersionsUnusualKeyBytes (18.79s)
=== CONT  TestAccS3Bucket_tags_DefaultTags_emptyProviderOnlyTag
--- PASS: TestAccS3Bucket_tags_withSystemTags (86.66s)
=== CONT  TestAccS3Bucket_tags_EmptyTag_OnUpdate_Replace
--- PASS: TestAccS3Bucket_Basic_forceDestroyWithObjectLockEnabled (19.51s)
=== CONT  TestAccS3Bucket_tags_AddOnUpdate
--- PASS: TestAccS3Bucket_tags_DefaultTags_emptyProviderOnlyTag (20.26s)
=== CONT  TestAccS3Bucket_Basic_emptyString
--- PASS: TestAccS3Bucket_tags_EmptyMap (29.31s)
=== CONT  TestAccS3Bucket_tags_IgnoreTags_Overlap_DefaultTag
--- PASS: TestAccS3Bucket_tags_EmptyTag_OnUpdate_Replace (33.47s)
=== CONT  TestAccS3Bucket_Basic_forceDestroyWithUnusualKeyBytes
--- PASS: TestAccS3Bucket_Basic_emptyString (18.40s)
=== CONT  TestAccS3Bucket_Basic_basic
--- PASS: TestAccS3Bucket_tags_AddOnUpdate (33.17s)
=== CONT  TestAccS3Bucket_Basic_forceDestroy
--- PASS: TestAccS3Bucket_Basic_forceDestroyWithUnusualKeyBytes (14.73s)
=== CONT  TestAccS3Bucket_tags_IgnoreTags_Overlap_ResourceTag
--- PASS: TestAccS3Bucket_Basic_basic (18.21s)
=== CONT  TestAccS3Bucket_Basic_namePrefix
--- PASS: TestAccS3Bucket_Basic_forceDestroy (15.09s)
=== CONT  TestAccS3Bucket_tags
--- PASS: TestAccS3Bucket_tags_IgnoreTags_Overlap_DefaultTag (41.05s)
=== CONT  TestAccS3Bucket_Basic_nameGenerated
--- PASS: TestAccS3Bucket_Basic_namePrefix (18.33s)
=== CONT  TestAccS3Bucket_tags_null
--- PASS: TestAccS3Bucket_Basic_nameGenerated (18.47s)
=== CONT  TestAccS3BucketABAC_update
--- PASS: TestAccS3Bucket_tags_IgnoreTags_Overlap_ResourceTag (47.37s)
=== CONT  TestAccS3Bucket_tags_EmptyTag_OnUpdate_Add
--- PASS: TestAccS3Bucket_tags_null (29.00s)
=== CONT  TestAccS3BucketABAC_disappears_Bucket
--- PASS: TestAccS3BucketABAC_disappears_Bucket (14.97s)
=== CONT  TestAccS3Bucket_tags_ComputedTag_OnUpdate_Replace
--- PASS: TestAccS3BucketABAC_update (40.73s)
=== CONT  TestAccS3Bucket_tags_EmptyTag_OnCreate
--- PASS: TestAccS3Bucket_tags (72.40s)
--- PASS: TestAccS3Bucket_tags_EmptyTag_OnUpdate_Add (50.64s)
--- PASS: TestAccS3Bucket_tags_ComputedTag_OnUpdate_Replace (36.58s)
--- PASS: TestAccS3Bucket_tags_EmptyTag_OnCreate (37.52s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/s3	351.887s

@ewbankkit ewbankkit added new-resource Introduces a new resource. tags Pertains to resource tagging. labels Nov 25, 2025

jar-b commented Nov 25, 2025

There is a conflict between the "go mod" and "go generate" CI checks at the moment. The former thinks that github.com/dlclark/regexp2 should be removed when tidying modules, but the latter fails due to a missing dependency when it is.

```
Error: ../../generate/tagstests/main.go:24:2: no required module provides package github.com/dlclark/regexp2; to add it:
	go get github.com/dlclark/regexp2
```

I'm going to revert the last commit which tidied modules for now, and open a follow-up issue to address this outside the scope of this PR. Once reverted the "go mod" CI check will fail again.

@ewbankkit ewbankkit left a comment

LGTM 🚀.

jar-b commented Nov 26, 2025

I've manually verified the fallback behavior using a role with missing S3 control tagging permissions, including:

  • creating a bucket with tags (CreateBucket fallback to remove tags from request input)
  • adding tags (TagResource and ListTagsForResource fallback)
  • removing tags (UntagResource and ListTagsForResource fallback)

I'm intending to convert this to an acceptance test, but as it requires a non-standard setup to create a principal with limited S3 permissions, this will be done in a follow-up PR.
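
The fallback behavior verified in the comment above, as an added Go sketch that is not the provider's code: the S3 Control path is tried first and the legacy S3 path is used only when that call is denied. `apiError`, `tagFunc`, `tagWithFallback`, `fakeAPI` and the `AccessDenied` error code are assumptions of the example, and both APIs are simulated in memory.

```go
package main

import (
	"errors"
	"fmt"
)

// apiError is a constructed stand-in for an AWS API error with an error code.
type apiError struct{ Code string }
func (e *apiError) Error() string { return "api error: " + e.Code }

// isPermissionError reports an authorization failure ("AccessDenied" is assumed).
func isPermissionError(err error) bool {
	var ae *apiError
	return errors.As(err, &ae) && ae.Code == "AccessDenied"
}

// tagFunc applies tags to a bucket through one tagging API (hypothetical type).
type tagFunc func(bucket string, tags map[string]string) error

// tagWithFallback tries the S3 Control path first and uses the legacy S3 path
// only when that call was denied. Other failures (throttling, validation) are
// returned so a retry cannot mask them. The string names the path that worked.
func tagWithFallback(control, legacy tagFunc, bucket string, tags map[string]string) (string, error) {
	err := control(bucket, tags)
	if err == nil {
		return "s3control", nil
	}
	if !isPermissionError(err) {
		return "", fmt.Errorf("tagging %s via S3 Control: %w", bucket, err)
	}
	if err := legacy(bucket, tags); err != nil {
		return "", fmt.Errorf("tagging %s via S3 fallback: %w", bucket, err)
	}
	return "s3", nil
}

// fakeAPI simulates one tagging API; allowed calls record the tags in store.
func fakeAPI(allowed bool, store map[string]map[string]string) tagFunc {
	return func(bucket string, tags map[string]string) error {
		if !allowed {
			return &apiError{Code: "AccessDenied"}
		}
		store[bucket] = tags
		return nil
	}
}

func main() {
	// Constructed scenario: the role lacks s3:TagResource but may call PutBucketTagging.
	store := map[string]map[string]string{}
	path, err := tagWithFallback(fakeAPI(false, store), fakeAPI(true, store), "example-bucket", map[string]string{"env": "dev"})
	fmt.Println(path, err, store["example-bucket"])
}
```

Returning the path that succeeded lets a caller log when the fallback was taken, which matters on buckets where ABAC is enabled and the S3 Control APIs are required.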

@jar-b jar-b merged commit 6d0e749 into main Nov 26, 2025
65 checks passed
@jar-b jar-b deleted the f-s3_abac branch November 26, 2025 16:19
@github-actions

Warning

This Issue has been closed, meaning that any additional comments are much easier for the maintainers to miss. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

@github-actions github-actions bot added this to the v6.23.0 milestone Nov 26, 2025
terraform-aws-provider bot pushed a commit that referenced this pull request Nov 26, 2025
@github-actions github-actions bot removed the prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. label Nov 26, 2025
@github-actions

This functionality has been released in v6.23.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

Labels

  • documentation: Introduces or discusses updates to documentation.
  • generators: Relates to code generators.
  • new-resource: Introduces a new resource.
  • service/s3: Issues and PRs that pertain to the s3 service.
  • size/XL: Managed by automation to categorize the size of a PR.
  • tags: Pertains to resource tagging.
  • tests: PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure.

Development

Successfully merging this pull request may close these issues.

S3 ABAC

2 participants