Merge pull request #27197 from lomluca/b-allow-no-acl-s3-object

No default value for acl attribute in s3 object
hashicorp · May 24, 2023 · 554b904 · 554b904
2 parents 2369eec + c2e05f8
commit 554b904
Show file tree

Hide file tree

Showing 7 changed files with 29 additions and 8 deletions.
diff --git a/.changelog/27197.txt b/.changelog/27197.txt
@@ -0,0 +1,7 @@
+```release-note:bug
+resource/aws_s3_object: Remove `acl` default in order to work with S3 buckets that have ACL disabled
+```
+
+```release-note:bug
+resource/aws_s3_object_copy: Remove `acl` default in order to work with S3 buckets that have ACL disabled
+```
diff --git a/internal/service/s3/object.go b/internal/service/s3/object.go
@@ -56,7 +56,6 @@ func ResourceObject() *schema.Resource {
 		Schema: map[string]*schema.Schema{
 			"acl": {
 				Type:         schema.TypeString,
-				Default:      s3.ObjectCannedACLPrivate,
 				Optional:     true,
 				ValidateFunc: validation.StringInSlice(s3.ObjectCannedACL_Values(), false),
 			},
@@ -440,12 +439,15 @@ func resourceObjectUpload(ctx context.Context, d *schema.ResourceData, meta inte
 	key := d.Get("key").(string)
 
 	input := &s3manager.UploadInput{
-		ACL:    aws.String(d.Get("acl").(string)),
 		Body:   body,
 		Bucket: aws.String(bucket),
 		Key:    aws.String(key),
 	}
 
+	if v, ok := d.GetOk("acl"); ok {
+		input.ACL = aws.String(v.(string))
+	}
+
 	if v, ok := d.GetOk("storage_class"); ok {
 		input.StorageClass = aws.String(v.(string))
 	}

diff --git a/internal/service/s3/object_copy.go b/internal/service/s3/object_copy.go
@@ -37,7 +37,6 @@ func ResourceObjectCopy() *schema.Resource {
 		Schema: map[string]*schema.Schema{
 			"acl": {
 				Type:          schema.TypeString,
-				Default:       s3.ObjectCannedACLPrivate,
 				Optional:      true,
 				ValidateFunc:  validation.StringInSlice(s3.ObjectCannedACL_Values(), false),
 				ConflictsWith: []string{"grant"},

diff --git a/internal/service/s3/object_test.go b/internal/service/s3/object_test.go
@@ -1847,7 +1847,8 @@ resource "aws_s3_object" "object" {
 func testAccObjectConfig_tags(rName, key, content string) string {
 	return fmt.Sprintf(`
 resource "aws_s3_bucket" "test" {
-  bucket = %[1]q
+  bucket        = %[1]q
+  force_destroy = true
 }
 
 resource "aws_s3_bucket_versioning" "test" {
@@ -1875,7 +1876,8 @@ resource "aws_s3_object" "object" {
 func testAccObjectConfig_updatedTags(rName, key, content string) string {
 	return fmt.Sprintf(`
 resource "aws_s3_bucket" "test" {
-  bucket = %[1]q
+  bucket        = %[1]q
+  force_destroy = true
 }
 
 resource "aws_s3_bucket_versioning" "test" {
@@ -1904,7 +1906,8 @@ resource "aws_s3_object" "object" {
 func testAccObjectConfig_noTags(rName, key, content string) string {
 	return fmt.Sprintf(`
 resource "aws_s3_bucket" "test" {
-  bucket = %[1]q
+  bucket        = %[1]q
+  force_destroy = true
 }
 
 resource "aws_s3_bucket_versioning" "test" {

diff --git a/website/docs/guides/version-5-upgrade.html.md b/website/docs/guides/version-5-upgrade.html.md
@@ -68,6 +68,8 @@ Upgrade topics:
 - [resource/aws_redshift_security_group](#resourceaws_redshift_security_group)
 - [resource/aws_route](#resourceaws_route)
 - [resource/aws_route_table](#resourceaws_route_table)
+- [resource/aws_s3_object](#resourceaws_s3_object)
+- [resource/aws_s3_object_copy](#resourceaws_s3_object_copy)
 - [resource/aws_secretsmanager_secret](#resourceaws_secretsmanager_secret)
 - [resource/aws_security_group](#resourceaws_security_group)
 - [resource/aws_security_group_rule](#resourceaws_security_group_rule)
@@ -528,6 +530,14 @@ resource "aws_route_table" "example" {
 }
 ```
 
+## resource/aws_s3_object
+
+The `acl` attribute no longer has a default value. Previously this was set to `private` when omitted. Objects requiring a private ACL should now explicitly set this attribute.
+
+## resource/aws_s3_object_copy
+
+The `acl` attribute no longer has a default value. Previously this was set to `private` when omitted. Object copies requiring a private ACL should now explicitly set this attribute.
+
 ## resource/aws_secretsmanager_secret
 
 Remove `rotation_enabled`, `rotation_lambda_arn` and `rotation_rules` from configurations as they no longer exist.

diff --git a/website/docs/r/s3_object.html.markdown b/website/docs/r/s3_object.html.markdown
@@ -140,7 +140,7 @@ The following arguments are required:
 
 The following arguments are optional:
 
-* `acl` - (Optional) [Canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl) to apply. Valid values are `private`, `public-read`, `public-read-write`, `aws-exec-read`, `authenticated-read`, `bucket-owner-read`, and `bucket-owner-full-control`. Defaults to `private`.
+* `acl` - (Optional) [Canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl) to apply. Valid values are `private`, `public-read`, `public-read-write`, `aws-exec-read`, `authenticated-read`, `bucket-owner-read`, and `bucket-owner-full-control`.
 * `bucket_key_enabled` - (Optional) Whether or not to use [Amazon S3 Bucket Keys](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html) for SSE-KMS.
 * `cache_control` - (Optional) Caching behavior along the request/reply chain Read [w3c cache_control](http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9) for further details.
 * `content_base64` - (Optional, conflicts with `source` and `content`) Base64-encoded data that will be decoded and uploaded as raw bytes for the object content. This allows safely uploading non-UTF8 binary data, but is recommended only for small content such as the result of the `gzipbase64` function with small text strings. For larger objects, use `source` to stream the content from a disk file.

diff --git a/website/docs/r/s3_object_copy.html.markdown b/website/docs/r/s3_object_copy.html.markdown
@@ -36,7 +36,7 @@ The following arguments are required:
 
 The following arguments are optional:
 
-* `acl` - (Optional) [Canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl) to apply. Defaults to `private`. Valid values are `private`, `public-read`, `public-read-write`, `authenticated-read`, `aws-exec-read`, `bucket-owner-read`, and `bucket-owner-full-control`. Conflicts with `grant`.
+* `acl` - (Optional) [Canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl) to apply. Valid values are `private`, `public-read`, `public-read-write`, `authenticated-read`, `aws-exec-read`, `bucket-owner-read`, and `bucket-owner-full-control`. Conflicts with `grant`.
 * `cache_control` - (Optional) Specifies caching behavior along the request/reply chain Read [w3c cache_control](http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9) for further details.
 * `content_disposition` - (Optional) Specifies presentational information for the object. Read [w3c content_disposition](http://www.w3.org/Protocols/rfc2616/rfc2616-sec19.html#sec19.5.1) for further information.
 * `content_encoding` - (Optional) Specifies what content encodings have been applied to the object and thus what decoding mechanisms must be applied to obtain the media-type referenced by the Content-Type header field. Read [w3c content encoding](http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.11) for further information.