From 3380f0094e6ffc7c089998478af75b3d18cd34d6 Mon Sep 17 00:00:00 2001
From: Altay Aliyev <altush.aliyev@gmail.com>
Date: Fri, 2 Mar 2018 17:29:44 +0100
Subject: [PATCH 1/2] rebased with upstream/master

---
 aws/resource_aws_dms_endpoint.go          | 151 ++++++++++----
 aws/resource_aws_dms_endpoint_test.go     | 228 ++++++++++++++--------
 website/docs/r/dms_endpoint.html.markdown |   6 +-
 3 files changed, 272 insertions(+), 113 deletions(-)

diff --git a/aws/resource_aws_dms_endpoint.go b/aws/resource_aws_dms_endpoint.go
index 7bce1c2310c..efb952f316d 100644
--- a/aws/resource_aws_dms_endpoint.go
+++ b/aws/resource_aws_dms_endpoint.go
@@ -1,6 +1,7 @@
 package aws
 
 import (
+	"fmt"
 	"log"
 	"strings"
 	"time"
@@ -71,6 +72,7 @@ func resourceAwsDmsEndpoint() *schema.Resource {
 					"redshift",
 					"sybase",
 					"sqlserver",
+					"s3",
 				}, false),
 			},
 			"extra_connection_attributes": {
@@ -79,11 +81,12 @@ func resourceAwsDmsEndpoint() *schema.Resource {
 				Optional: true,
 			},
 			"kms_key_arn": {
-				Type:         schema.TypeString,
-				Computed:     true,
-				Optional:     true,
-				ForceNew:     true,
-				ValidateFunc: validateArn,
+				Type:          schema.TypeString,
+				Computed:      true,
+				Optional:      true,
+				ForceNew:      true,
+				ConflictsWith: []string{"bucket_name", "bucket_folder"},
+				ValidateFunc:  validateArn,
 			},
 			"password": {
 				Type:      schema.TypeString,
@@ -117,6 +120,14 @@ func resourceAwsDmsEndpoint() *schema.Resource {
 				Type:     schema.TypeString,
 				Optional: true,
 			},
+			"bucket_name": {
+				Type:     schema.TypeString,
+				Optional: true,
+			},
+			"bucket_folder": {
+				Type:     schema.TypeString,
+				Optional: true,
+			},
 		},
 	}
 }
@@ -131,12 +142,42 @@ func resourceAwsDmsEndpointCreate(d *schema.ResourceData, meta interface{}) erro
 		Tags:               dmsTagsFromMap(d.Get("tags").(map[string]interface{})),
 	}
 
+	switch d.Get("engine_name").(string) {
 	// if dynamodb then add required params
-	if d.Get("engine_name").(string) == "dynamodb" {
+	case "dynamodb":
 		request.DynamoDbSettings = &dms.DynamoDbSettings{
 			ServiceAccessRoleArn: aws.String(d.Get("service_access_role").(string)),
 		}
-	} else {
+	case "s3":
+		request.S3Settings = &dms.S3Settings{
+			BucketName:           aws.String(d.Get("bucket_name").(string)),
+			BucketFolder:         aws.String(d.Get("bucket_folder").(string)),
+			ServiceAccessRoleArn: aws.String(d.Get("service_access_role").(string)),
+
+			// By default extra variables (should be set):
+			CompressionType: aws.String("GZIP"),
+			CsvDelimiter:    aws.String(","),
+			CsvRowDelimiter: aws.String("\\n"),
+		}
+
+		// if extra_connection_attributes is set. Then parse the varaiables.
+		if v, ok := d.GetOk("extra_connection_attributes"); ok {
+			elems := strings.Split(v.(string), ";")
+			if len(elems) > 0 {
+				for _, elem := range elems {
+					vals := strings.Split(elem, "=")
+					if strings.Contains(strings.ToLower(vals[0]), "compressiontype") {
+						request.S3Settings.CompressionType = aws.String(vals[1])
+					} else if strings.Contains(strings.ToLower(vals[0]), "csvdelimiter") {
+						request.S3Settings.CsvDelimiter = aws.String(vals[1])
+					} else if strings.Contains(strings.ToLower(vals[0]), "csvrowdelimiter") {
+						request.S3Settings.CsvRowDelimiter = aws.String(vals[1])
+					}
+				}
+			}
+		}
+
+	default:
 		request.Password = aws.String(d.Get("password").(string))
 		request.Port = aws.Int64(int64(d.Get("port").(int)))
 		request.ServerName = aws.String(d.Get("server_name").(string))
@@ -148,17 +189,17 @@ func resourceAwsDmsEndpointCreate(d *schema.ResourceData, meta interface{}) erro
 		if v, ok := d.GetOk("extra_connection_attributes"); ok {
 			request.ExtraConnectionAttributes = aws.String(v.(string))
 		}
+		if v, ok := d.GetOk("kms_key_arn"); ok {
+			request.KmsKeyId = aws.String(v.(string))
+		}
+		if v, ok := d.GetOk("ssl_mode"); ok {
+			request.SslMode = aws.String(v.(string))
+		}
 	}
 
 	if v, ok := d.GetOk("certificate_arn"); ok {
 		request.CertificateArn = aws.String(v.(string))
 	}
-	if v, ok := d.GetOk("kms_key_arn"); ok {
-		request.KmsKeyId = aws.String(v.(string))
-	}
-	if v, ok := d.GetOk("ssl_mode"); ok {
-		request.SslMode = aws.String(v.(string))
-	}
 
 	log.Println("[DEBUG] DMS create endpoint:", request)
 
@@ -228,6 +269,11 @@ func resourceAwsDmsEndpointUpdate(d *schema.ResourceData, meta interface{}) erro
 	}
 	hasChanges := false
 
+	if d.HasChange("endpoint_type") {
+		request.EndpointType = aws.String(d.Get("endpoint_type").(string))
+		hasChanges = true
+	}
+
 	if d.HasChange("certificate_arn") {
 		request.CertificateArn = aws.String(d.Get("certificate_arn").(string))
 		hasChanges = true
@@ -238,26 +284,50 @@ func resourceAwsDmsEndpointUpdate(d *schema.ResourceData, meta interface{}) erro
 		hasChanges = true
 	}
 
-	if d.HasChange("service_access_role") {
-		request.DynamoDbSettings = &dms.DynamoDbSettings{
-			ServiceAccessRoleArn: aws.String(d.Get("service_access_role").(string)),
-		}
-		hasChanges = true
-	}
-
-	if d.HasChange("endpoint_type") {
-		request.EndpointType = aws.String(d.Get("endpoint_type").(string))
-		hasChanges = true
-	}
-
 	if d.HasChange("engine_name") {
 		request.EngineName = aws.String(d.Get("engine_name").(string))
 		hasChanges = true
 	}
 
-	if d.HasChange("extra_connection_attributes") {
-		request.ExtraConnectionAttributes = aws.String(d.Get("extra_connection_attributes").(string))
-		hasChanges = true
+	switch d.Get("engine_name").(string) {
+	case "dynamodb":
+		if d.HasChange("service_access_role") {
+			request.DynamoDbSettings = &dms.DynamoDbSettings{
+				ServiceAccessRoleArn: aws.String(d.Get("service_access_role").(string)),
+			}
+			hasChanges = true
+		}
+	case "s3":
+		if d.HasChange("service_access_role") || d.HasChange("bucket_name") || d.HasChange("bucket_folder") || d.HasChange("extra_connection_attributes") {
+			request.S3Settings = &dms.S3Settings{
+				ServiceAccessRoleArn: aws.String(d.Get("service_access_role").(string)),
+				BucketFolder:         aws.String(d.Get("bucket_folder").(string)),
+				BucketName:           aws.String(d.Get("bucket_name").(string)),
+			}
+
+			elems := strings.Split(d.Get("extra_connection_attributes").(string), ";")
+			if len(elems) > 0 {
+				for _, elem := range elems {
+					vals := strings.Split(elem, "=")
+					if strings.Contains(strings.ToLower(vals[0]), "compressiontype") {
+						request.S3Settings.CompressionType = aws.String(vals[1])
+					} else if strings.Contains(strings.ToLower(vals[0]), "csvdelimiter") {
+						request.S3Settings.CsvDelimiter = aws.String(vals[1])
+					} else if strings.Contains(strings.ToLower(vals[0]), "csvrowdelimiter") {
+						request.S3Settings.CsvRowDelimiter = aws.String(vals[1])
+					}
+				}
+			}
+
+			hasChanges = true
+
+			goto DONE
+		}
+	default:
+		if d.HasChange("extra_connection_attributes") {
+			request.ExtraConnectionAttributes = aws.String(d.Get("extra_connection_attributes").(string))
+			hasChanges = true
+		}
 	}
 
 	if d.HasChange("password") {
@@ -292,6 +362,7 @@ func resourceAwsDmsEndpointUpdate(d *schema.ResourceData, meta interface{}) erro
 		}
 	}
 
+DONE:
 	if hasChanges {
 		log.Println("[DEBUG] DMS update endpoint:", request)
 
@@ -333,22 +404,36 @@ func resourceAwsDmsEndpointSetState(d *schema.ResourceData, endpoint *dms.Endpoi
 	d.Set("endpoint_type", strings.ToLower(*endpoint.EndpointType))
 	d.Set("engine_name", endpoint.EngineName)
 
-	if *endpoint.EngineName == "dynamodb" {
+	switch *endpoint.EngineName {
+	case "dynamodb":
 		if endpoint.DynamoDbSettings != nil {
 			d.Set("service_access_role", endpoint.DynamoDbSettings.ServiceAccessRoleArn)
 		} else {
 			d.Set("service_access_role", "")
 		}
-	} else {
+	case "s3":
+		if endpoint.S3Settings != nil {
+			d.Set("service_access_role", endpoint.S3Settings.ServiceAccessRoleArn)
+			d.Set("bucket_folder", endpoint.S3Settings.BucketFolder)
+			d.Set("bucket_name", endpoint.S3Settings.BucketName)
+			d.Set("extra_connection_attributes",
+				aws.String(fmt.Sprintf("compressionType=%s;csvDelimiter=%s;csvRowDelimiter=%s",
+					*endpoint.S3Settings.CompressionType, *endpoint.S3Settings.CsvDelimiter, *endpoint.S3Settings.CsvRowDelimiter)))
+		} else {
+			d.Set("service_access_role", "")
+			d.Set("bucket_folder", "")
+			d.Set("bucket_name", "")
+			d.Set("extra_connection_attributes", "")
+		}
+	default:
 		d.Set("database_name", endpoint.DatabaseName)
 		d.Set("extra_connection_attributes", endpoint.ExtraConnectionAttributes)
 		d.Set("port", endpoint.Port)
 		d.Set("server_name", endpoint.ServerName)
 		d.Set("username", endpoint.Username)
+		d.Set("kms_key_arn", endpoint.KmsKeyId)
+		d.Set("ssl_mode", endpoint.SslMode)
 	}
 
-	d.Set("kms_key_arn", endpoint.KmsKeyId)
-	d.Set("ssl_mode", endpoint.SslMode)
-
 	return nil
 }
diff --git a/aws/resource_aws_dms_endpoint_test.go b/aws/resource_aws_dms_endpoint_test.go
index b094e4b5eb8..6097e557268 100644
--- a/aws/resource_aws_dms_endpoint_test.go
+++ b/aws/resource_aws_dms_endpoint_test.go
@@ -50,7 +50,39 @@ func TestAccAWSDmsEndpointBasic(t *testing.T) {
 	})
 }
 
-func TestAccAWSDmsEndpointDynamoDb(t *testing.T) {
+func TestAccAwsDmsEndpointS3(t *testing.T) {
+	resourceName := "aws_dms_endpoint.dms_point"
+	randId := acctest.RandString(8) + "-s3"
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: dmsEndpointDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: dmsEndpointS3Config(randId),
+				Check: resource.ComposeTestCheckFunc(
+					checkDmsEndpointExists(resourceName),
+					resource.TestCheckResourceAttrSet(resourceName, "endpoint_arn"),
+				),
+			},
+			{
+				ResourceName:            resourceName,
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"password"},
+			},
+			{
+				Config: dmsEndpointS3ConfigUpdate(randId),
+				Check: resource.ComposeTestCheckFunc(
+					checkDmsEndpointExists(resourceName),
+				),
+			},
+		},
+	})
+}
+
+func TestAccAwsDmsEndpointDynamoDb(t *testing.T) {
 	resourceName := "aws_dms_endpoint.dms_endpoint"
 	randId := acctest.RandString(8) + "-dynamodb"
 
@@ -174,125 +206,165 @@ resource "aws_dms_endpoint" "dms_endpoint" {
 `, randId)
 }
 
-func dmsEndpointDynamoDbConfig(randId string) string {
+func dmsEndpointTargetConfig(randId string, engineName string, actionList string) string {
 	return fmt.Sprintf(`
 resource "aws_dms_endpoint" "dms_endpoint" {
-	endpoint_id = "tf-test-dms-endpoint-%[1]s"
-	endpoint_type = "target"
-	engine_name = "dynamodb"
-	service_access_role = "${aws_iam_role.iam_role.arn}"
-	ssl_mode = "none"
-	tags {
-		Name = "tf-test-dynamodb-endpoint-%[1]s"
-		Update = "to-update"
-		Remove = "to-remove"
-	}
+endpoint_id = "tf-test-dms-endpoint-%[1]s"
+endpoint_type = "target"
+engine_name = "%[2]s"
+service_access_role = "${aws_iam_role.iam_role.arn}"
+ssl_mode = "none"
+tags {
+	Name = "tf-test-%[2]s-endpoint-%[1]s"
+	Update = "to-update"
+	Remove = "to-remove"
+}
 
-	depends_on = ["aws_iam_role_policy.dms_dynamodb_access"]
+depends_on = ["aws_iam_role_policy.dms_%[2]s_access"]
 }
 resource "aws_iam_role" "iam_role" {
-  name = "tf-test-iam-dynamodb-role-%[1]s"
+name = "tf-test-iam-%[2]s-role-%[1]s"
 
-  assume_role_policy = <<EOF
+assume_role_policy = <<EOF
 {
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": "sts:AssumeRole",
-      "Principal": {
-        "Service": "dms.amazonaws.com"
-      },
-      "Effect": "Allow"
-    }
-  ]
+"Version": "2012-10-17",
+"Statement": [
+	{
+		"Action": "sts:AssumeRole",
+		"Principal": {
+			"Service": "dms.amazonaws.com"
+		},
+		"Effect": "Allow"
+	}
+]
 }
 EOF
 }
 
-resource "aws_iam_role_policy" "dms_dynamodb_access" {
-  name = "tf-test-iam-dynamodb-role-policy-%[1]s"
-  role = "${aws_iam_role.iam_role.name}"
+resource "aws_iam_role_policy" "dms_%[2]s_access" {
+name = "tf-test-iam-%[2]s-role-policy-%[1]s"
+role = "${aws_iam_role.iam_role.name}"
 
-  policy = <<EOF
+policy = <<EOF
 {
 "Version": "2012-10-17",
 "Statement": [
 {
-    "Effect": "Allow",
-    "Action": [
-        "dynamodb:PutItem",
-        "dynamodb:CreateTable",
-        "dynamodb:DescribeTable",
-        "dynamodb:DeleteTable",
-        "dynamodb:DeleteItem",
-        "dynamodb:ListTables"
-    ],
-    "Resource": "*"
+	"Effect": "Allow",
+	"Action": [
+			%[3]s
+	],
+	"Resource": "*"
 }
 ]
 }
 EOF
 }
 
-`, randId)
+`, randId, engineName, actionList)
 }
 
-func dmsEndpointDynamoDbConfigUpdate(randId string) string {
+func dmsEndpointTargetUpdateConfig(randId string, engineName string, actionList string) string {
 	return fmt.Sprintf(`
 resource "aws_dms_endpoint" "dms_endpoint" {
-	endpoint_id = "tf-test-dms-endpoint-%[1]s"
-	endpoint_type = "target"
-	engine_name = "dynamodb"
-	service_access_role = "${aws_iam_role.iam_role.arn}"
-	ssl_mode = "none"
-	tags {
-		Name = "tf-test-dynamodb-endpoint-%[1]s"
-		Update = "updated"
-		Add = "added"
-	}
+endpoint_id = "tf-test-dms-endpoint-%[1]s"
+endpoint_type = "target"
+engine_name = "%[2]s"
+service_access_role = "${aws_iam_role.iam_role.arn}"
+ssl_mode = "none"
+tags {
+	Name = "tf-test-%[2]s-endpoint-%[1]s"
+	Update = "updated"
+	Add = "added"
+}
 }
 resource "aws_iam_role" "iam_role" {
-  name = "tf-test-iam-dynamodb-role-%[1]s"
+name = "tf-test-iam-%[2]s-role-%[1]s"
 
-  assume_role_policy = <<EOF
+assume_role_policy = <<EOF
 {
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": "sts:AssumeRole",
-      "Principal": {
-        "Service": "dms.amazonaws.com"
-      },
-      "Effect": "Allow"
-    }
-  ]
+"Version": "2012-10-17",
+"Statement": [
+	{
+		"Action": "sts:AssumeRole",
+		"Principal": {
+			"Service": "dms.amazonaws.com"
+		},
+		"Effect": "Allow"
+	}
+]
 }
 EOF
 }
 
-resource "aws_iam_role_policy" "dms_dynamodb_access" {
-  name = "tf-test-iam-dynamodb-role-policy-%[1]s"
-  role = "${aws_iam_role.iam_role.name}"
+resource "aws_iam_role_policy" "dms_%[2]s_access" {
+name = "tf-test-iam-%[2]s-role-policy-%[1]s"
+role = "${aws_iam_role.iam_role.name}"
 
-  policy = <<EOF
+policy = <<EOF
 {
 "Version": "2012-10-17",
 "Statement": [
 {
-    "Effect": "Allow",
-    "Action": [
-        "dynamodb:PutItem",
-        "dynamodb:CreateTable",
-        "dynamodb:DescribeTable",
-        "dynamodb:DeleteTable",
-        "dynamodb:DeleteItem",
-        "dynamodb:ListTables"
-    ],
-    "Resource": "*"
+	"Effect": "Allow",
+	"Action": [
+			%[3]s
+	],
+	"Resource": "*"
 }
 ]
 }
 EOF
 }
-`, randId)
+`, randId, engineName, actionList)
+}
+
+func dmsEndpointDynamoDbConfig(randId string) string {
+	return dmsEndpointTargetConfig(randId, "dynamodb", `
+		"dynamodb:PutItem",
+		"dynamodb:CreateTable",
+		"dynamodb:DescribeTable",
+		"dynamodb:DeleteTable",
+		"dynamodb:DeleteItem",
+		"dynamodb:ListTables"`)
+}
+
+func dmsEndpointDynamoDbConfigUpdate(randId string) string {
+	return dmsEndpointTargetUpdateConfig(randId, "dynamodb", `
+		"dynamodb:PutItem",
+		"dynamodb:CreateTable",
+		"dynamodb:DescribeTable",
+		"dynamodb:DeleteTable",
+		"dynamodb:DeleteItem",
+		"dynamodb:ListTables"`)
+}
+
+func dmsEndpointS3Config(randId string) string {
+	return dmsEndpointTargetConfig(randId, "s3", `
+		"s3:CreateBucket",
+		"s3:ListBucket",
+		"s3:DeleteBucket",
+		"s3:GetBucketLocation",
+		"s3:GetObject",
+		"s3:PutObject",
+		"s3:DeleteObject",
+		"s3:GetObjectVersion",
+		"s3:GetBucketPolicy",
+		"s3:PutBucketPolicy",
+		"s3:DeleteBucketPolicy"`)
+}
+
+func dmsEndpointS3ConfigUpdate(randId string) string {
+	return dmsEndpointTargetUpdateConfig(randId, "s3", `
+		"s3:CreateBucket",
+		"s3:ListBucket",
+		"s3:DeleteBucket",
+		"s3:GetBucketLocation",
+		"s3:GetObject",
+		"s3:PutObject",
+		"s3:DeleteObject",
+		"s3:GetObjectVersion",
+		"s3:GetBucketPolicy",
+		"s3:PutBucketPolicy",
+		"s3:DeleteBucketPolicy"`)
 }
diff --git a/website/docs/r/dms_endpoint.html.markdown b/website/docs/r/dms_endpoint.html.markdown
index d43e9fcfeed..42f83f86053 100644
--- a/website/docs/r/dms_endpoint.html.markdown
+++ b/website/docs/r/dms_endpoint.html.markdown
@@ -53,7 +53,7 @@ The following arguments are supported:
     - Must not contain two consecutive hyphens
 
 * `endpoint_type` - (Required) The type of endpoint. Can be one of `source | target`.
-* `engine_name` - (Required) The type of engine for the endpoint. Can be one of `mysql | oracle | postgres | mariadb | aurora | redshift | sybase | sqlserver | dynamodb`.
+* `engine_name` - (Required) The type of engine for the endpoint. Can be one of `mysql | oracle | postgres | mariadb | aurora | redshift | sybase | sqlserver | dynamodb | s3`.
 * `extra_connection_attributes` - (Optional) Additional attributes associated with the connection. For available attributes see [Using Extra Connection Attributes with AWS Database Migration Service](http://docs.aws.amazon.com/dms/latest/userguide/CHAP_Introduction.ConnectionAttributes.html).
 * `kms_key_arn` - (Optional) The Amazon Resource Name (ARN) for the KMS key that will be used to encrypt the connection parameters. If you do not specify a value for `kms_key_arn`, then AWS DMS will use your default encryption key. AWS KMS creates the default encryption key for your AWS account. Your AWS account has a different default encryption key for each AWS region.
 * `password` - (Optional) The password to be used to login to the endpoint database.
@@ -62,7 +62,9 @@ The following arguments are supported:
 * `ssl_mode` - (Optional, Default: none) The SSL mode to use for the connection. Can be one of `none | require | verify-ca | verify-full`
 * `tags` - (Optional) A mapping of tags to assign to the resource.
 * `username` - (Optional) The user name to be used to login to the endpoint database.
-* `service_access_role` (Optional) The Amazon Resource Name (ARN) used by the service access IAM role for dynamodb endpoints.
+* `service_access_role` (Optional) The Amazon Resource Name (ARN) used by the service access IAM role for `dynamodb | s3` endpoints.
+* `bucket_name` - (Optional) The S3 bucket name.
+* `bucket_folder` - (Optional) If provided, tables are created in the path <bucket_folder>/<schema_name>/<table_name>/.
 
 ## Attributes Reference
 

From 0944223ff6451f3b84ec1b6482e8c8a3cae3f0fd Mon Sep 17 00:00:00 2001
From: Sangho Na <microamp@protonmail.com>
Date: Fri, 4 May 2018 12:14:58 +1200
Subject: [PATCH 2/2] Add support for S3 as a DMS target endpoint (continued)

---
 aws/resource_aws_dms_endpoint.go          | 216 +++++++------
 aws/resource_aws_dms_endpoint_test.go     | 366 ++++++++++++++--------
 website/docs/r/dms_endpoint.html.markdown |   5 +-
 3 files changed, 364 insertions(+), 223 deletions(-)

diff --git a/aws/resource_aws_dms_endpoint.go b/aws/resource_aws_dms_endpoint.go
index b5c33e2ac39..bb96a8c9bf0 100644
--- a/aws/resource_aws_dms_endpoint.go
+++ b/aws/resource_aws_dms_endpoint.go
@@ -82,12 +82,11 @@ func resourceAwsDmsEndpoint() *schema.Resource {
 				Optional: true,
 			},
 			"kms_key_arn": {
-				Type:          schema.TypeString,
-				Computed:      true,
-				Optional:      true,
-				ForceNew:      true,
-				ConflictsWith: []string{"bucket_name", "bucket_folder"},
-				ValidateFunc:  validateArn,
+				Type:         schema.TypeString,
+				Computed:     true,
+				Optional:     true,
+				ForceNew:     true,
+				ValidateFunc: validateArn,
 			},
 			"password": {
 				Type:      schema.TypeString,
@@ -167,13 +166,55 @@ func resourceAwsDmsEndpoint() *schema.Resource {
 					},
 				},
 			},
-			"bucket_name": {
-				Type:     schema.TypeString,
-				Optional: true,
-			},
-			"bucket_folder": {
-				Type:     schema.TypeString,
+			"s3_settings": {
+				Type:     schema.TypeList,
 				Optional: true,
+				MaxItems: 1,
+				DiffSuppressFunc: func(k, old, new string, d *schema.ResourceData) bool {
+					if old == "1" && new == "0" {
+						return true
+					}
+					return false
+				},
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"service_access_role_arn": {
+							Type:     schema.TypeString,
+							Optional: true,
+							Default:  "",
+						},
+						"external_table_definition": {
+							Type:     schema.TypeString,
+							Optional: true,
+							Default:  "",
+						},
+						"csv_row_delimiter": {
+							Type:     schema.TypeString,
+							Optional: true,
+							Default:  "\\n",
+						},
+						"csv_delimiter": {
+							Type:     schema.TypeString,
+							Optional: true,
+							Default:  ",",
+						},
+						"bucket_folder": {
+							Type:     schema.TypeString,
+							Optional: true,
+							Default:  "",
+						},
+						"bucket_name": {
+							Type:     schema.TypeString,
+							Optional: true,
+							Default:  "",
+						},
+						"compression_type": {
+							Type:     schema.TypeString,
+							Optional: true,
+							Default:  "NONE",
+						},
+					},
+				},
 			},
 		},
 	}
@@ -212,33 +253,14 @@ func resourceAwsDmsEndpointCreate(d *schema.ResourceData, meta interface{}) erro
 		}
 	case "s3":
 		request.S3Settings = &dms.S3Settings{
-			BucketName:           aws.String(d.Get("bucket_name").(string)),
-			BucketFolder:         aws.String(d.Get("bucket_folder").(string)),
-			ServiceAccessRoleArn: aws.String(d.Get("service_access_role").(string)),
-
-			// By default extra variables (should be set):
-			CompressionType: aws.String("GZIP"),
-			CsvDelimiter:    aws.String(","),
-			CsvRowDelimiter: aws.String("\\n"),
+			ServiceAccessRoleArn:    aws.String(d.Get("s3_settings.0.service_access_role_arn").(string)),
+			ExternalTableDefinition: aws.String(d.Get("s3_settings.0.external_table_definition").(string)),
+			CsvRowDelimiter:         aws.String(d.Get("s3_settings.0.csv_row_delimiter").(string)),
+			CsvDelimiter:            aws.String(d.Get("s3_settings.0.csv_delimiter").(string)),
+			BucketFolder:            aws.String(d.Get("s3_settings.0.bucket_folder").(string)),
+			BucketName:              aws.String(d.Get("s3_settings.0.bucket_name").(string)),
+			CompressionType:         aws.String(d.Get("s3_settings.0.compression_type").(string)),
 		}
-
-		// if extra_connection_attributes is set. Then parse the varaiables.
-		if v, ok := d.GetOk("extra_connection_attributes"); ok {
-			elems := strings.Split(v.(string), ";")
-			if len(elems) > 0 {
-				for _, elem := range elems {
-					vals := strings.Split(elem, "=")
-					if strings.Contains(strings.ToLower(vals[0]), "compressiontype") {
-						request.S3Settings.CompressionType = aws.String(vals[1])
-					} else if strings.Contains(strings.ToLower(vals[0]), "csvdelimiter") {
-						request.S3Settings.CsvDelimiter = aws.String(vals[1])
-					} else if strings.Contains(strings.ToLower(vals[0]), "csvrowdelimiter") {
-						request.S3Settings.CsvRowDelimiter = aws.String(vals[1])
-					}
-				}
-			}
-		}
-
 	default:
 		request.Password = aws.String(d.Get("password").(string))
 		request.Port = aws.Int64(int64(d.Get("port").(int)))
@@ -254,14 +276,14 @@ func resourceAwsDmsEndpointCreate(d *schema.ResourceData, meta interface{}) erro
 		if v, ok := d.GetOk("kms_key_arn"); ok {
 			request.KmsKeyId = aws.String(v.(string))
 		}
-		if v, ok := d.GetOk("ssl_mode"); ok {
-			request.SslMode = aws.String(v.(string))
-		}
 	}
 
 	if v, ok := d.GetOk("certificate_arn"); ok {
 		request.CertificateArn = aws.String(v.(string))
 	}
+	if v, ok := d.GetOk("ssl_mode"); ok {
+		request.SslMode = aws.String(v.(string))
+	}
 
 	log.Println("[DEBUG] DMS create endpoint:", request)
 
@@ -356,45 +378,9 @@ func resourceAwsDmsEndpointUpdate(d *schema.ResourceData, meta interface{}) erro
 		hasChanges = true
 	}
 
-	switch d.Get("engine_name").(string) {
-	case "dynamodb":
-		if d.HasChange("service_access_role") {
-			request.DynamoDbSettings = &dms.DynamoDbSettings{
-				ServiceAccessRoleArn: aws.String(d.Get("service_access_role").(string)),
-			}
-			hasChanges = true
-		}
-	case "s3":
-		if d.HasChange("service_access_role") || d.HasChange("bucket_name") || d.HasChange("bucket_folder") || d.HasChange("extra_connection_attributes") {
-			request.S3Settings = &dms.S3Settings{
-				ServiceAccessRoleArn: aws.String(d.Get("service_access_role").(string)),
-				BucketFolder:         aws.String(d.Get("bucket_folder").(string)),
-				BucketName:           aws.String(d.Get("bucket_name").(string)),
-			}
-
-			elems := strings.Split(d.Get("extra_connection_attributes").(string), ";")
-			if len(elems) > 0 {
-				for _, elem := range elems {
-					vals := strings.Split(elem, "=")
-					if strings.Contains(strings.ToLower(vals[0]), "compressiontype") {
-						request.S3Settings.CompressionType = aws.String(vals[1])
-					} else if strings.Contains(strings.ToLower(vals[0]), "csvdelimiter") {
-						request.S3Settings.CsvDelimiter = aws.String(vals[1])
-					} else if strings.Contains(strings.ToLower(vals[0]), "csvrowdelimiter") {
-						request.S3Settings.CsvRowDelimiter = aws.String(vals[1])
-					}
-				}
-			}
-
-			hasChanges = true
-
-			goto DONE
-		}
-	default:
-		if d.HasChange("extra_connection_attributes") {
-			request.ExtraConnectionAttributes = aws.String(d.Get("extra_connection_attributes").(string))
-			hasChanges = true
-		}
+	if d.HasChange("extra_connection_attributes") {
+		request.ExtraConnectionAttributes = aws.String(d.Get("extra_connection_attributes").(string))
+		hasChanges = true
 	}
 
 	if d.HasChange("ssl_mode") {
@@ -410,6 +396,13 @@ func resourceAwsDmsEndpointUpdate(d *schema.ResourceData, meta interface{}) erro
 	}
 
 	switch d.Get("engine_name").(string) {
+	case "dynamodb":
+		if d.HasChange("service_access_role") {
+			request.DynamoDbSettings = &dms.DynamoDbSettings{
+				ServiceAccessRoleArn: aws.String(d.Get("service_access_role").(string)),
+			}
+			hasChanges = true
+		}
 	case "mongodb":
 		if d.HasChange("username") ||
 			d.HasChange("password") ||
@@ -439,6 +432,26 @@ func resourceAwsDmsEndpointUpdate(d *schema.ResourceData, meta interface{}) erro
 			request.EngineName = aws.String(d.Get("engine_name").(string)) // Must be included (should be 'mongodb')
 			hasChanges = true
 		}
+	case "s3":
+		if d.HasChange("s3_settings.0.service_access_role_arn") ||
+			d.HasChange("s3_settings.0.external_table_definition") ||
+			d.HasChange("s3_settings.0.csv_row_delimiter") ||
+			d.HasChange("s3_settings.0.csv_delimiter") ||
+			d.HasChange("s3_settings.0.bucket_folder") ||
+			d.HasChange("s3_settings.0.bucket_name") ||
+			d.HasChange("s3_settings.0.compression_type") {
+			request.S3Settings = &dms.S3Settings{
+				ServiceAccessRoleArn:    aws.String(d.Get("s3_settings.0.service_access_role_arn").(string)),
+				ExternalTableDefinition: aws.String(d.Get("s3_settings.0.external_table_definition").(string)),
+				CsvRowDelimiter:         aws.String(d.Get("s3_settings.0.csv_row_delimiter").(string)),
+				CsvDelimiter:            aws.String(d.Get("s3_settings.0.csv_delimiter").(string)),
+				BucketFolder:            aws.String(d.Get("s3_settings.0.bucket_folder").(string)),
+				BucketName:              aws.String(d.Get("s3_settings.0.bucket_name").(string)),
+				CompressionType:         aws.String(d.Get("s3_settings.0.compression_type").(string)),
+			}
+			request.EngineName = aws.String(d.Get("engine_name").(string)) // Must be included (should be 's3')
+			hasChanges = true
+		}
 	default:
 		if d.HasChange("database_name") {
 			request.DatabaseName = aws.String(d.Get("database_name").(string))
@@ -466,7 +479,6 @@ func resourceAwsDmsEndpointUpdate(d *schema.ResourceData, meta interface{}) erro
 		}
 	}
 
-DONE:
 	if hasChanges {
 		log.Println("[DEBUG] DMS update endpoint:", request)
 
@@ -517,29 +529,18 @@ func resourceAwsDmsEndpointSetState(d *schema.ResourceData, endpoint *dms.Endpoi
 			d.Set("server_name", endpoint.MongoDbSettings.ServerName)
 			d.Set("port", endpoint.MongoDbSettings.Port)
 			d.Set("database_name", endpoint.MongoDbSettings.DatabaseName)
-
-			if err := d.Set("mongodb_settings", flattenDmsMongoDbSettings(endpoint.MongoDbSettings)); err != nil {
-				return fmt.Errorf("Error setting mongodb_settings for DMS: %s", err)
-			}
 		} else {
 			d.Set("username", endpoint.Username)
 			d.Set("server_name", endpoint.ServerName)
 			d.Set("port", endpoint.Port)
 			d.Set("database_name", endpoint.DatabaseName)
 		}
+		if err := d.Set("mongodb_settings", flattenDmsMongoDbSettings(endpoint.MongoDbSettings)); err != nil {
+			return fmt.Errorf("Error setting mongodb_settings for DMS: %s", err)
+		}
 	case "s3":
-		if endpoint.S3Settings != nil {
-			d.Set("service_access_role", endpoint.S3Settings.ServiceAccessRoleArn)
-			d.Set("bucket_folder", endpoint.S3Settings.BucketFolder)
-			d.Set("bucket_name", endpoint.S3Settings.BucketName)
-			d.Set("extra_connection_attributes",
-				aws.String(fmt.Sprintf("compressionType=%s;csvDelimiter=%s;csvRowDelimiter=%s",
-					*endpoint.S3Settings.CompressionType, *endpoint.S3Settings.CsvDelimiter, *endpoint.S3Settings.CsvRowDelimiter)))
-		} else {
-			d.Set("service_access_role", "")
-			d.Set("bucket_folder", "")
-			d.Set("bucket_name", "")
-			d.Set("extra_connection_attributes", "")
+		if err := d.Set("s3_settings", flattenDmsS3Settings(endpoint.S3Settings)); err != nil {
+			return fmt.Errorf("Error setting s3_settings for DMS: %s", err)
 		}
 	default:
 		d.Set("database_name", endpoint.DatabaseName)
@@ -548,9 +549,10 @@ func resourceAwsDmsEndpointSetState(d *schema.ResourceData, endpoint *dms.Endpoi
 		d.Set("server_name", endpoint.ServerName)
 		d.Set("username", endpoint.Username)
 		d.Set("kms_key_arn", endpoint.KmsKeyId)
-		d.Set("ssl_mode", endpoint.SslMode)
 	}
 
+	d.Set("ssl_mode", endpoint.SslMode)
+
 	return nil
 }
 
@@ -570,3 +572,21 @@ func flattenDmsMongoDbSettings(settings *dms.MongoDbSettings) []map[string]inter
 
 	return []map[string]interface{}{m}
 }
+
+func flattenDmsS3Settings(settings *dms.S3Settings) []map[string]interface{} {
+	if settings == nil {
+		return []map[string]interface{}{}
+	}
+
+	m := map[string]interface{}{
+		"service_access_role_arn":   aws.StringValue(settings.ServiceAccessRoleArn),
+		"external_table_definition": aws.StringValue(settings.ExternalTableDefinition),
+		"csv_row_delimiter":         aws.StringValue(settings.CsvRowDelimiter),
+		"csv_delimiter":             aws.StringValue(settings.CsvDelimiter),
+		"bucket_folder":             aws.StringValue(settings.BucketFolder),
+		"bucket_name":               aws.StringValue(settings.BucketName),
+		"compression_type":          aws.StringValue(settings.CompressionType),
+	}
+
+	return []map[string]interface{}{m}
+}
diff --git a/aws/resource_aws_dms_endpoint_test.go b/aws/resource_aws_dms_endpoint_test.go
index 44dd83468a3..d832843b314 100644
--- a/aws/resource_aws_dms_endpoint_test.go
+++ b/aws/resource_aws_dms_endpoint_test.go
@@ -11,7 +11,7 @@ import (
 	"github.com/hashicorp/terraform/terraform"
 )
 
-func TestAccAWSDmsEndpointBasic(t *testing.T) {
+func TestAccAwsDmsEndpointBasic(t *testing.T) {
 	resourceName := "aws_dms_endpoint.dms_endpoint"
 	randId := acctest.RandString(8) + "-basic"
 
@@ -51,7 +51,7 @@ func TestAccAWSDmsEndpointBasic(t *testing.T) {
 }
 
 func TestAccAwsDmsEndpointS3(t *testing.T) {
-	resourceName := "aws_dms_endpoint.dms_point"
+	resourceName := "aws_dms_endpoint.dms_endpoint"
 	randId := acctest.RandString(8) + "-s3"
 
 	resource.Test(t, resource.TestCase{
@@ -76,6 +76,14 @@ func TestAccAwsDmsEndpointS3(t *testing.T) {
 				Config: dmsEndpointS3ConfigUpdate(randId),
 				Check: resource.ComposeTestCheckFunc(
 					checkDmsEndpointExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "extra_connection_attributes", "key=value;"),
+					resource.TestCheckResourceAttr(resourceName, "s3_settings.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "s3_settings.0.external_table_definition", "new-external_table_definition"),
+					resource.TestCheckResourceAttr(resourceName, "s3_settings.0.csv_row_delimiter", "\\r"),
+					resource.TestCheckResourceAttr(resourceName, "s3_settings.0.csv_delimiter", "."),
+					resource.TestCheckResourceAttr(resourceName, "s3_settings.0.bucket_folder", "new-bucket_folder"),
+					resource.TestCheckResourceAttr(resourceName, "s3_settings.0.bucket_name", "new-bucket_name"),
+					resource.TestCheckResourceAttr(resourceName, "s3_settings.0.compression_type", "GZIP"),
 				),
 			},
 		},
@@ -114,7 +122,7 @@ func TestAccAwsDmsEndpointDynamoDb(t *testing.T) {
 	})
 }
 
-func TestAccAWSDmsEndpointMongoDb(t *testing.T) {
+func TestAccAwsDmsEndpointMongoDb(t *testing.T) {
 	resourceName := "aws_dms_endpoint.dms_endpoint"
 	randId := acctest.RandString(8) + "-mongodb"
 
@@ -133,6 +141,7 @@ func TestAccAWSDmsEndpointMongoDb(t *testing.T) {
 			{
 				ResourceName:            resourceName,
 				ImportState:             true,
+				ImportStateVerify:       true,
 				ImportStateVerifyIgnore: []string{"password"},
 			},
 			{
@@ -249,167 +258,280 @@ resource "aws_dms_endpoint" "dms_endpoint" {
 `, randId)
 }
 
-func dmsEndpointTargetConfig(randId string, engineName string, actionList string) string {
+func dmsEndpointDynamoDbConfig(randId string) string {
 	return fmt.Sprintf(`
 resource "aws_dms_endpoint" "dms_endpoint" {
-endpoint_id = "tf-test-dms-endpoint-%[1]s"
-endpoint_type = "target"
-engine_name = "%[2]s"
-service_access_role = "${aws_iam_role.iam_role.arn}"
-ssl_mode = "none"
-tags {
-	Name = "tf-test-%[2]s-endpoint-%[1]s"
-	Update = "to-update"
-	Remove = "to-remove"
-}
+	endpoint_id = "tf-test-dms-endpoint-%[1]s"
+	endpoint_type = "target"
+	engine_name = "dynamodb"
+	service_access_role = "${aws_iam_role.iam_role.arn}"
+	ssl_mode = "none"
+	tags {
+		Name = "tf-test-dynamodb-endpoint-%[1]s"
+		Update = "to-update"
+		Remove = "to-remove"
+	}
 
-depends_on = ["aws_iam_role_policy.dms_%[2]s_access"]
+	depends_on = ["aws_iam_role_policy.dms_dynamodb_access"]
 }
+
 resource "aws_iam_role" "iam_role" {
-name = "tf-test-iam-%[2]s-role-%[1]s"
+	name = "tf-test-iam-dynamodb-role-%[1]s"
 
-assume_role_policy = <<EOF
+	assume_role_policy = <<EOF
 {
-"Version": "2012-10-17",
-"Statement": [
-	{
-		"Action": "sts:AssumeRole",
-		"Principal": {
-			"Service": "dms.amazonaws.com"
-		},
-		"Effect": "Allow"
-	}
-]
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Action": "sts:AssumeRole",
+			"Principal": {
+				"Service": "dms.amazonaws.com"
+			},
+			"Effect": "Allow"
+		}
+	]
 }
 EOF
 }
 
-resource "aws_iam_role_policy" "dms_%[2]s_access" {
-name = "tf-test-iam-%[2]s-role-policy-%[1]s"
-role = "${aws_iam_role.iam_role.name}"
+resource "aws_iam_role_policy" "dms_dynamodb_access" {
+	name = "tf-test-iam-dynamodb-role-policy-%[1]s"
+	role = "${aws_iam_role.iam_role.name}"
 
-policy = <<EOF
-{
-"Version": "2012-10-17",
-"Statement": [
+	policy = <<EOF
 {
-	"Effect": "Allow",
-	"Action": [
-			%[3]s
-	],
-	"Resource": "*"
-}
-]
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Effect": "Allow",
+			"Action": [
+				"dynamodb:PutItem",
+				"dynamodb:CreateTable",
+				"dynamodb:DescribeTable",
+				"dynamodb:DeleteTable",
+				"dynamodb:DeleteItem",
+				"dynamodb:ListTables"
+			],
+			"Resource": "*"
+		}
+	]
 }
 EOF
 }
-
-`, randId, engineName, actionList)
+`, randId)
 }
 
-func dmsEndpointTargetUpdateConfig(randId string, engineName string, actionList string) string {
+func dmsEndpointDynamoDbConfigUpdate(randId string) string {
 	return fmt.Sprintf(`
 resource "aws_dms_endpoint" "dms_endpoint" {
-endpoint_id = "tf-test-dms-endpoint-%[1]s"
-endpoint_type = "target"
-engine_name = "%[2]s"
-service_access_role = "${aws_iam_role.iam_role.arn}"
-ssl_mode = "none"
-tags {
-	Name = "tf-test-%[2]s-endpoint-%[1]s"
-	Update = "updated"
-	Add = "added"
-}
+	endpoint_id = "tf-test-dms-endpoint-%[1]s"
+	endpoint_type = "target"
+	engine_name = "dynamodb"
+	service_access_role = "${aws_iam_role.iam_role.arn}"
+	ssl_mode = "none"
+	tags {
+		Name = "tf-test-dynamodb-endpoint-%[1]s"
+		Update = "updated"
+		Add = "added"
+	}
 }
+
 resource "aws_iam_role" "iam_role" {
-name = "tf-test-iam-%[2]s-role-%[1]s"
+	name = "tf-test-iam-dynamodb-role-%[1]s"
 
-assume_role_policy = <<EOF
+	assume_role_policy = <<EOF
 {
-"Version": "2012-10-17",
-"Statement": [
-	{
-		"Action": "sts:AssumeRole",
-		"Principal": {
-			"Service": "dms.amazonaws.com"
-		},
-		"Effect": "Allow"
-	}
-]
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Action": "sts:AssumeRole",
+			"Principal": {
+				"Service": "dms.amazonaws.com"
+			},
+			"Effect": "Allow"
+		}
+	]
 }
 EOF
 }
 
-resource "aws_iam_role_policy" "dms_%[2]s_access" {
-name = "tf-test-iam-%[2]s-role-policy-%[1]s"
-role = "${aws_iam_role.iam_role.name}"
+resource "aws_iam_role_policy" "dms_dynamodb_access" {
+	name = "tf-test-iam-dynamodb-role-policy-%[1]s"
+	role = "${aws_iam_role.iam_role.name}"
 
-policy = <<EOF
-{
-"Version": "2012-10-17",
-"Statement": [
+	policy = <<EOF
 {
-	"Effect": "Allow",
-	"Action": [
-			%[3]s
-	],
-	"Resource": "*"
-}
-]
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Effect": "Allow",
+			"Action": [
+				"dynamodb:PutItem",
+				"dynamodb:CreateTable",
+				"dynamodb:DescribeTable",
+				"dynamodb:DeleteTable",
+				"dynamodb:DeleteItem",
+				"dynamodb:ListTables"
+			],
+			"Resource": "*"
+		}
+	]
 }
 EOF
 }
-`, randId, engineName, actionList)
+`, randId)
 }
 
-func dmsEndpointDynamoDbConfig(randId string) string {
-	return dmsEndpointTargetConfig(randId, "dynamodb", `
-		"dynamodb:PutItem",
-		"dynamodb:CreateTable",
-		"dynamodb:DescribeTable",
-		"dynamodb:DeleteTable",
-		"dynamodb:DeleteItem",
-		"dynamodb:ListTables"`)
+func dmsEndpointS3Config(randId string) string {
+	return fmt.Sprintf(`
+resource "aws_dms_endpoint" "dms_endpoint" {
+	endpoint_id = "tf-test-dms-endpoint-%[1]s"
+	endpoint_type = "target"
+	engine_name = "s3"
+	ssl_mode = "none"
+	extra_connection_attributes = ""
+	tags {
+		Name = "tf-test-s3-endpoint-%[1]s"
+		Update = "to-update"
+		Remove = "to-remove"
+	}
+	s3_settings {
+		service_access_role_arn = "${aws_iam_role.iam_role.arn}"
+		external_table_definition = ""
+		csv_row_delimiter = "\\n"
+		csv_delimiter = ","
+		bucket_folder = ""
+		bucket_name = ""
+		compression_type = "NONE"
+	}
+
+	depends_on = ["aws_iam_role_policy.dms_s3_access"]
 }
 
-func dmsEndpointDynamoDbConfigUpdate(randId string) string {
-	return dmsEndpointTargetUpdateConfig(randId, "dynamodb", `
-		"dynamodb:PutItem",
-		"dynamodb:CreateTable",
-		"dynamodb:DescribeTable",
-		"dynamodb:DeleteTable",
-		"dynamodb:DeleteItem",
-		"dynamodb:ListTables"`)
+resource "aws_iam_role" "iam_role" {
+	name = "tf-test-iam-s3-role-%[1]s"
+
+	assume_role_policy = <<EOF
+{
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Action": "sts:AssumeRole",
+			"Principal": {
+				"Service": "dms.amazonaws.com"
+			},
+			"Effect": "Allow"
+		}
+	]
+}
+EOF
 }
 
-func dmsEndpointS3Config(randId string) string {
-	return dmsEndpointTargetConfig(randId, "s3", `
-		"s3:CreateBucket",
-		"s3:ListBucket",
-		"s3:DeleteBucket",
-		"s3:GetBucketLocation",
-		"s3:GetObject",
-		"s3:PutObject",
-		"s3:DeleteObject",
-		"s3:GetObjectVersion",
-		"s3:GetBucketPolicy",
-		"s3:PutBucketPolicy",
-		"s3:DeleteBucketPolicy"`)
+resource "aws_iam_role_policy" "dms_s3_access" {
+	name = "tf-test-iam-s3-role-policy-%[1]s"
+	role = "${aws_iam_role.iam_role.name}"
+
+	policy = <<EOF
+{
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Effect": "Allow",
+			"Action": [
+				"s3:CreateBucket",
+				"s3:ListBucket",
+				"s3:DeleteBucket",
+				"s3:GetBucketLocation",
+				"s3:GetObject",
+				"s3:PutObject",
+				"s3:DeleteObject",
+				"s3:GetObjectVersion",
+				"s3:GetBucketPolicy",
+				"s3:PutBucketPolicy",
+				"s3:DeleteBucketPolicy"
+			],
+			"Resource": "*"
+		}
+	]
+}
+EOF
+}
+`, randId)
 }
 
 func dmsEndpointS3ConfigUpdate(randId string) string {
-	return dmsEndpointTargetUpdateConfig(randId, "s3", `
-		"s3:CreateBucket",
-		"s3:ListBucket",
-		"s3:DeleteBucket",
-		"s3:GetBucketLocation",
-		"s3:GetObject",
-		"s3:PutObject",
-		"s3:DeleteObject",
-		"s3:GetObjectVersion",
-		"s3:GetBucketPolicy",
-		"s3:PutBucketPolicy",
-		"s3:DeleteBucketPolicy"`)
+	return fmt.Sprintf(`
+resource "aws_dms_endpoint" "dms_endpoint" {
+	endpoint_id = "tf-test-dms-endpoint-%[1]s"
+	endpoint_type = "target"
+	engine_name = "s3"
+	ssl_mode = "none"
+	extra_connection_attributes = "key=value;"
+	tags {
+		Name = "tf-test-s3-endpoint-%[1]s"
+		Update = "updated"
+		Add = "added"
+	}
+	s3_settings {
+		service_access_role_arn = "${aws_iam_role.iam_role.arn}"
+		external_table_definition = "new-external_table_definition"
+		csv_row_delimiter = "\\r"
+		csv_delimiter = "."
+		bucket_folder = "new-bucket_folder"
+		bucket_name = "new-bucket_name"
+		compression_type = "GZIP"
+	}
+}
+
+resource "aws_iam_role" "iam_role" {
+	name = "tf-test-iam-s3-role-%[1]s"
+
+	assume_role_policy = <<EOF
+{
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Action": "sts:AssumeRole",
+			"Principal": {
+				"Service": "dms.amazonaws.com"
+			},
+			"Effect": "Allow"
+		}
+	]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "dms_s3_access" {
+	name = "tf-test-iam-s3-role-policy-%[1]s"
+	role = "${aws_iam_role.iam_role.name}"
+
+	policy = <<EOF
+{
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Effect": "Allow",
+			"Action": [
+				"s3:CreateBucket",
+				"s3:ListBucket",
+				"s3:DeleteBucket",
+				"s3:GetBucketLocation",
+				"s3:GetObject",
+				"s3:PutObject",
+				"s3:DeleteObject",
+				"s3:GetObjectVersion",
+				"s3:GetBucketPolicy",
+				"s3:PutBucketPolicy",
+				"s3:DeleteBucketPolicy"
+			],
+			"Resource": "*"
+		}
+	]
+}
+EOF
+}
+`, randId)
 }
 
 func dmsEndpointMongoDbConfig(randId string) string {
diff --git a/website/docs/r/dms_endpoint.html.markdown b/website/docs/r/dms_endpoint.html.markdown
index 2e2f17e73f1..bfa11d15f42 100644
--- a/website/docs/r/dms_endpoint.html.markdown
+++ b/website/docs/r/dms_endpoint.html.markdown
@@ -62,10 +62,9 @@ The following arguments are supported:
 * `ssl_mode` - (Optional, Default: none) The SSL mode to use for the connection. Can be one of `none | require | verify-ca | verify-full`
 * `tags` - (Optional) A mapping of tags to assign to the resource.
 * `username` - (Optional) The user name to be used to login to the endpoint database.
-* `service_access_role` - (Optional) The Amazon Resource Name (ARN) used by the service access IAM role for `dynamodb | s3` endpoints.
+* `service_access_role` - (Optional) The Amazon Resource Name (ARN) used by the service access IAM role for dynamodb endpoints.
 * `mongodb_settings` - (Optional) Settings for the source MongoDB endpoint. Available settings are `auth_type` (default: `PASSWORD`), `auth_mechanism` (default: `DEFAULT`), `nesting_level` (default: `NONE`), `extract_doc_id` (default: `false`), `docs_to_investigate` (default: `1000`) and `auth_source` (default: `admin`). For more details, see [Using MongoDB as a Source for AWS DMS](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Source.MongoDB.html).
-* `bucket_name` - (Optional) The S3 bucket name.
-* `bucket_folder` - (Optional) If provided, tables are created in the path <bucket_folder>/<schema_name>/<table_name>/.
+* `s3_settings` - (Optional) Settings for the target S3 endpoint. Available settings are `service_access_role_arn`, `external_table_definition`, `csv_row_delimiter` (default: `\\n`), `csv_delimiter` (default: `,`), `bucket_folder`, `bucket_name` and `compression_type` (default: `NONE`). For more details, see [Using Amazon S3 as a Target for AWS Database Migration Service](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Target.S3.html).
 
 ## Attributes Reference