
resource/aws_s3_bucket_object: Ignore changes due to default bucket e… #15234

Merged

Conversation

mattburgess
Collaborator

…ncryption (#10200)

When an object is uploaded to a bucket that has default encryption configured, the object inherits the kms_key_id from the bucket. We therefore need to ignore changes to that attribute, which the user won't have specified. Setting this attribute to "" has the effect of re-encrypting the object with the default aws/s3 key, which is not what the user intended or expected.

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Relates OR Closes #10200

Release note for CHANGELOG:

Prevent an object's encryption key changing from the bucket's default encryption key to the `aws/s3` key (#10200)

Output from acceptance testing:

$ make testacc TESTARGS='-run=TestAccAWSS3BucketObject'
--- FAIL: TestAccAWSS3BucketObject_etagEncryption (2.36s) # latent failure!
--- PASS: TestAccAWSS3BucketObject_noNameNoKey (6.97s)
--- PASS: TestAccAWSS3BucketObject_source (49.36s)
--- PASS: TestAccAWSS3BucketObject_withContentCharacteristics (49.68s)
--- PASS: TestAccAWSS3BucketObject_contentBase64 (50.97s)
--- PASS: TestAccAWSS3BucketObject_sse (51.77s)
--- PASS: TestAccAWSS3BucketObject_kms (52.95s)
--- PASS: TestAccAWSS3BucketObject_empty (47.45s)
--- PASS: TestAccAWSS3BucketObject_defaultBucketSSE (61.72s)
--- PASS: TestAccAWSS3BucketObject_updateSameFile (94.87s)
--- PASS: TestAccAWSS3BucketObject_updates (95.25s)
--- PASS: TestAccAWSS3BucketObject_ObjectLockLegalHoldStartWithOn (95.37s)
--- PASS: TestAccAWSS3BucketObject_updatesWithVersioning (96.11s)
--- PASS: TestAccAWSS3BucketObject_content (59.72s)
--- PASS: TestAccAWSS3BucketObject_updatesWithVersioningViaAccessPoint (109.58s)
--- PASS: TestAccAWSS3BucketObject_metadata (135.60s)
--- PASS: TestAccAWSS3BucketObject_acl (140.76s)
--- PASS: TestAccAWSS3BucketObject_ObjectLockRetentionStartWithNone (138.73s)
--- PASS: TestAccAWSS3BucketObject_ObjectLockLegalHoldStartWithNone (156.56s)
--- PASS: TestAccAWSS3BucketObject_ObjectLockRetentionStartWithSet (176.58s)
--- PASS: TestAccAWSS3BucketObject_tags (181.06s)
--- PASS: TestAccAWSS3BucketObject_tagsLeadingSlash (190.08s)
--- PASS: TestAccAWSS3BucketObject_storageClass (224.34s)

@mattburgess mattburgess requested a review from a team September 19, 2020 22:51
@ghost ghost added size/S Managed by automation to categorize the size of a PR. needs-triage Waiting for first response or review from a maintainer. service/s3 Issues and PRs that pertain to the s3 service. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. labels Sep 19, 2020
@bflad bflad added bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. labels Oct 6, 2020
Contributor

@bflad bflad left a comment


Hi @mattburgess 👋 Thank you for contributing this and adding the covering test. 👍 Please reach out if you have any questions or do not have time to implement the change.

Comment on lines +143 to +149
DiffSuppressFunc: func(k, old, new string, d *schema.ResourceData) bool {
// ignore diffs where the user hasn't specified a kms_key_id but the bucket has a default KMS key configured
if new == "" && d.Get("server_side_encryption") == s3.ServerSideEncryptionAwsKms {
return true
}
return false
},
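Review bot: the predicate `if new == "" && d.Get("server_side_encryption") == s3.ServerSideEncryptionAwsKms` suppresses every plan where the configuration omits `kms_key_id`, not only the first refresh after upload, so an out-of-band change to the object's key, or a key removed from configuration after an explicit value was applied, is never reported as drift while `server_side_encryption` is `aws:kms`. That is a reasonable trade-off for inherited bucket defaults, but it needs two companions: `Computed: true` on the attribute, so Terraform core accepts a state value with no configuration value, and a sentence in the resource docs saying that drift detection on `kms_key_id` only happens when a value is configured. The `if ... { return true }` / `return false` body can also be collapsed to `return new == "" && d.Get("server_side_encryption") == s3.ServerSideEncryptionAwsKms`.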

To properly signal to Terraform that this schema attribute may be without a configuration value, but then have a value set in the state by the provider, we need to use Computed: true here. Future versions of Terraform core will be much more sensitive about returning an error when Computed is not used properly. 👍

Computed: true,

We should also add some documentation in website/docs/r/s3_bucket_object.html.markdown around this updated behavior:

* `kms_key_id` - (Optional) Amazon Resource Name (ARN) of the KMS Key to use for object encryption. If the S3 Bucket has server-side encryption enabled, that value will automatically be used. If referencing the `aws_kms_key` resource, use the `arn` attribute. If referencing the `aws_kms_alias` data source or resource, use the `target_key_arn` attribute. Terraform will only perform drift detection if a configuration value is provided.
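The sequence the PR description walks through (object inherits the bucket's KMS key, the provider reads that key into state, a second apply with an empty `kms_key_id` re-encrypts with `aws/s3`) and the state-without-configuration situation behind the `Computed: true` note above can be modelled end to end. The following Go program is an added example, not the provider's code: `putObject` is a simplified stand-in for S3 that implements only the behaviour the PR describes, `suppressInheritedKMSKey` is the PR's diff-suppression predicate as a pure function, and the key ARNs are constructed placeholders.

```go
package main

import "fmt"

// SSE algorithm name as used by the aws_s3_bucket_object resource.
const sseKMS = "aws:kms"

// Constructed sample key identifiers for the example; not real ARNs.
const (
	bucketDefaultKey = "arn:aws:kms:us-east-1:111122223333:key/BUCKET-DEFAULT-KEY-PLACEHOLDER"
	awsManagedS3Key  = "arn:aws:kms:us-east-1:111122223333:alias/aws/s3"
	explicitKey      = "arn:aws:kms:us-east-1:111122223333:key/EXPLICIT-KEY-PLACEHOLDER"
)

// s3Object models the server-side encryption state S3 reports for an object.
type s3Object struct {
	SSE      string
	KMSKeyID string
}

// putObject is a simplified model (an assumption of this example) of S3 for a
// bucket whose default encryption is SSE-KMS with bucketDefaultKey:
//   - no SSE settings in the request: the bucket default applies, so the
//     object ends up encrypted with the bucket's key (the inheritance the PR
//     describes);
//   - aws:kms requested with an empty key ID: S3 uses the AWS-managed aws/s3
//     key (the unintended re-encryption the PR fixes);
//   - anything else is stored exactly as requested.
func putObject(sse, kmsKeyID string) s3Object {
	switch {
	case sse == "":
		return s3Object{SSE: sseKMS, KMSKeyID: bucketDefaultKey}
	case sse == sseKMS && kmsKeyID == "":
		return s3Object{SSE: sseKMS, KMSKeyID: awsManagedS3Key}
	default:
		return s3Object{SSE: sse, KMSKeyID: kmsKeyID}
	}
}

// diffSuppressFunc mirrors the shape of the SDK's DiffSuppressFunc: old is
// the value in state, new is the configured value, sse is the object's
// server_side_encryption value from state.
type diffSuppressFunc func(old, new, sse string) bool

// suppressInheritedKMSKey is the PR's predicate: a kms_key_id missing from
// configuration is not a diff while the object is encrypted with aws:kms.
func suppressInheritedKMSKey(old, new, sse string) bool {
	return new == "" && sse == sseKMS
}

// planKMSKeyChange reports whether Terraform would plan an update because the
// configured kms_key_id differs from state. A state value with no configured
// value is exactly the case Computed: true declares as legal; the suppressor
// then decides whether that difference counts as drift.
func planKMSKeyChange(config, state, sse string, suppress diffSuppressFunc) bool {
	if config == state {
		return false
	}
	if suppress != nil && suppress(state, config, sse) {
		return false
	}
	return true
}

// lifecycle runs create, refresh and a second plan/apply with an unchanged
// configuration that never sets kms_key_id, and returns the key protecting
// the object afterwards.
func lifecycle(suppress diffSuppressFunc) string {
	obj := putObject("", "")                     // create: neither SSE nor key configured
	stateKey, stateSSE := obj.KMSKeyID, obj.SSE // refresh: provider stores what S3 reports
	if planKMSKeyChange("", stateKey, stateSSE, suppress) {
		// Update re-sends the object with the configured (empty) key ID.
		obj = putObject(stateSSE, "")
	}
	return obj.KMSKeyID
}

func main() {
	fmt.Println("without suppression:", lifecycle(nil))
	fmt.Println("with suppression:   ", lifecycle(suppressInheritedKMSKey))
	// An explicitly configured key is still planned and applied.
	fmt.Println("explicit key change planned:",
		planKMSKeyChange(explicitKey, bucketDefaultKey, sseKMS, suppressInheritedKMSKey))
}
```

Running it prints the `aws/s3` alias for the unsuppressed path and the bucket's default key once the suppressor is in place, while a configured key that differs from state is still reported as a change, which is the drift-detection behaviour the documentation sentence above promises.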

@bflad bflad self-assigned this Oct 6, 2020
@bflad bflad linked an issue Oct 6, 2020 that may be closed by this pull request
@bflad bflad added the waiting-response Maintainers are waiting on response from community or contributor. label Oct 6, 2020
@ghost ghost added size/M Managed by automation to categorize the size of a PR. documentation Introduces or discusses updates to documentation. and removed size/S Managed by automation to categorize the size of a PR. labels Oct 6, 2020
@mattburgess
Collaborator Author

Thanks for the review @bflad. I've pushed your suggested changes.

@ghost ghost removed the waiting-response Maintainers are waiting on response from community or contributor. label Oct 6, 2020
@bflad bflad added this to the v3.10.0 milestone Oct 6, 2020
Contributor

@bflad bflad left a comment


Thanks so much, @mattburgess 🚀

Output from acceptance testing:

--- PASS: TestAccAWSS3BucketObject_noNameNoKey (25.78s)
--- PASS: TestAccAWSS3BucketObject_withContentCharacteristics (75.89s)
--- PASS: TestAccAWSS3BucketObject_etagEncryption (74.91s)
--- PASS: TestAccAWSS3BucketObject_content (76.02s)
--- PASS: TestAccAWSS3BucketObject_kms (75.76s)
--- PASS: TestAccAWSS3BucketObject_sse (78.57s)
--- PASS: TestAccAWSS3BucketObject_contentBase64 (77.32s)
--- PASS: TestAccAWSS3BucketObject_source (77.75s)
--- PASS: TestAccAWSS3BucketObject_empty (80.10s)
--- PASS: TestAccAWSS3BucketObject_NonVersioned (78.98s)
--- PASS: TestAccAWSS3BucketObject_updatesWithVersioningViaAccessPoint (119.25s)
--- PASS: TestAccAWSS3BucketObject_updates (118.41s)
--- PASS: TestAccAWSS3BucketObject_updatesWithVersioning (117.78s)
--- PASS: TestAccAWSS3BucketObject_ObjectLockLegalHoldStartWithOn (95.08s)
--- PASS: TestAccAWSS3BucketObject_updateSameFile (121.01s)
--- PASS: TestAccAWSS3BucketObject_defaultBucketSSE (46.34s)
--- PASS: TestAccAWSS3BucketObject_acl (141.31s)
--- PASS: TestAccAWSS3BucketObject_metadata (140.61s)
--- PASS: TestAccAWSS3BucketObject_ObjectLockLegalHoldStartWithNone (142.97s)
--- PASS: TestAccAWSS3BucketObject_tags (155.87s)
--- PASS: TestAccAWSS3BucketObject_tagsLeadingSlash (155.11s)
--- PASS: TestAccAWSS3BucketObject_ObjectLockRetentionStartWithNone (83.04s)
--- PASS: TestAccAWSS3BucketObject_storageClass (164.84s)
--- PASS: TestAccAWSS3BucketObject_ObjectLockRetentionStartWithSet (96.31s)

@bflad bflad merged commit 98dadd6 into hashicorp:master Oct 6, 2020
@mattburgess mattburgess deleted the handle-default-bucket-encryption branch October 6, 2020 14:22
@ghost

ghost commented Oct 9, 2020

This has been released in version 3.10.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost

ghost commented Nov 5, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Nov 5, 2020