Only attempt to force destroy S3 bucket objects if the bucket has Obj…
…ect Lock enabled.
ewbankkit committed Sep 6, 2019
1 parent 7754826 commit ced3fa0
Showing 4 changed files with 33 additions and 3 deletions.
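--- a/aws/resource_aws_s3_bucket.go
+++ b/aws/resource_aws_s3_bucket.go
@@ -1261,7 +1261,12 @@ func resourceAwsS3BucketDelete(d *schema.ResourceData, meta interface{}) error {
 
 // Delete everything including locked objects.
 // Don't ignore any object errors or we could recurse infinitely.
-err = deleteAllS3ObjectVersions(s3conn, d.Id(), "", true, false)
+objectLockEnabled := false
+objectLockConfiguration := expandS3ObjectLockConfiguration(d.Get("object_lock_configuration").([]interface{}))
+if objectLockConfiguration != nil && aws.StringValue(objectLockConfiguration.ObjectLockEnabled) == s3.ObjectLockEnabledEnabled {
+objectLockEnabled = true
+}
+err = deleteAllS3ObjectVersions(s3conn, d.Id(), "", objectLockEnabled, false)
 
 if err != nil {
 return fmt.Errorf("error S3 Bucket force_destroy: %s", err)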
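Review bot: The comment kept above the call, `// Delete everything including locked objects.`, no longer matches the code: the override flag passed to `deleteAllS3ObjectVersions` is now true only when `object_lock_configuration` in the resource data reports Object Lock enabled, and the same stale wording remains above the sweeper call in `aws/resource_aws_s3_bucket_object_test.go`. I would reword it to `// Delete all object versions; override Object Lock protections only when the bucket's object_lock_configuration reports it enabled.`. The decision here comes from `d.Get` rather than a live `GetObjectLockConfiguration` lookup as in the sweeper, so if the stored value ever disagrees with the bucket, locked versions would presumably fail to delete and surface through the `force_destroy` error rather than be removed; that is worth a sentence in the comment. The flag computation could also collapse to `objectLockEnabled := objectLockConfiguration != nil && aws.StringValue(objectLockConfiguration.ObjectLockEnabled) == s3.ObjectLockEnabledEnabled`. `resourceAwsS3BucketDelete` starts and ends outside the hunk.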
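--- a/aws/resource_aws_s3_bucket_object.go
+++ b/aws/resource_aws_s3_bucket_object.go
@@ -516,7 +516,7 @@ func resourceAwsS3BucketObjectCustomizeDiff(d *schema.ResourceDiff, meta interfa
 
 // deleteAllS3ObjectVersions deletes all versions of a specified key from an S3 bucket.
 // If key is empty then all versions of all objects are deleted.
-// Set force to true to override any S3 object lock protections.
+// Set force to true to override any S3 object lock protections on object lock enabled buckets.
 func deleteAllS3ObjectVersions(conn *s3.S3, bucketName, key string, force, ignoreObjectErrors bool) error {
 input := &s3.ListObjectVersionsInput{
 Bucket: aws.String(bucketName),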
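--- a/aws/resource_aws_s3_bucket_object_test.go
+++ b/aws/resource_aws_s3_bucket_object_test.go
@@ -82,8 +82,15 @@ func testSweepS3BucketObjects(region string) error {
 continue
 }
 
+objectLockEnabled, err := testS3BucketObjectLockEnabled(conn, bucketName)
+
+if err != nil {
+log.Printf("[ERROR] Error getting S3 Bucket (%s) Object Lock: %s", bucketName, err)
+continue
+}
+
 // Delete everything including locked objects. Ignore any object errors.
-err = deleteAllS3ObjectVersions(conn, bucketName, "", true, true)
+err = deleteAllS3ObjectVersions(conn, bucketName, "", objectLockEnabled, true)
 
 if err != nil {
 return fmt.Errorf("error listing S3 Bucket (%s) Objects: %s", bucketName, err)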
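--- a/aws/resource_aws_s3_bucket_test.go
+++ b/aws/resource_aws_s3_bucket_test.go
@@ -136,6 +136,24 @@ func testS3BucketRegion(conn *s3.S3, bucket string) (string, error) {
 return aws.StringValue(output.LocationConstraint), nil
 }
 
+func testS3BucketObjectLockEnabled(conn *s3.S3, bucket string) (bool, error) {
+input := &s3.GetObjectLockConfigurationInput{
+Bucket: aws.String(bucket),
+}
+
+output, err := conn.GetObjectLockConfiguration(input)
+
+if isAWSErr(err, "ObjectLockConfigurationNotFoundError", "") {
+return false, nil
+}
+
+if err != nil {
+return false, err
+}
+
+return aws.StringValue(output.ObjectLockConfiguration.ObjectLockEnabled) == s3.ObjectLockEnabledEnabled, nil
+}
+
 func TestAccAWSS3Bucket_basic(t *testing.T) {
 rInt := acctest.RandInt()
 arnRegexp := regexp.MustCompile(`^arn:aws[\w-]*:s3:::`)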
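Review bot: `testS3BucketObjectLockEnabled` dereferences `output.ObjectLockConfiguration` in its final return without checking it, so a successful response that carries no configuration would panic the sweeper instead of reporting the bucket as unlocked. A guard before the return, `if output == nil || output.ObjectLockConfiguration == nil { return false, nil }`, keeps the helper total; whether the API can actually return that shape is not visible here, since the missing-configuration case is expected to arrive as `ObjectLockConfigurationNotFoundError`. Because this helper decides whether retention overrides are used during cleanup, a doc comment such as `// testS3BucketObjectLockEnabled reports whether Object Lock is enabled on the bucket; a missing configuration counts as disabled.` would also help.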
