Implementation of acl grants #3728
Conversation
bflad
added
enhancement
|
@antonbabenko could you please take a look |
|
Hi Andrey! @bflad is the best person who can take a look at the code and prioritize this feature over others. The feature you are proposing makes perfect sense to be added, but since it is not so small and entirely obvious, it may take some time to be reviewed and merged. Best regards, |
|
Hi Anton, Thanks, let's wait. Just didn't think that the queue is so long |
|
Luckily (not unfortunately), there are a lot of people who are using Terraform. Here you can get a basic understanding of the priorities - https://github.com/terraform-providers/terraform-provider-aws/pulls?q=is%3Apr+is%3Aopen+sort%3Areactions-%2B1-desc Remember that this is one of at least 3 priority queues which I know a team is picking from. https://www.hashicorp.com/jobs/1288355 - I will just leave it here, if you want to join. :) |
|
@bflad can you give an ETA for the review of this PR? setting the current ACL ( |
|
Hi @eredi93 👋 Sorry this one is not on my personal short list, but I cannot speak for other maintainers. We encourage upvoting via 👍 reactions on the original PR though to help prioritize. As mentioned above, S3 ACL management is non-trivial and may require some design cycles to get correct. |
|
Alright @bflad, by number of votes this PR is currently #5 of 198 open PRs. Hope to see that status reflected in the review/merge priority. |
|
It is now #4 of 207 open PRs. Twenty-five PRs -- all with less than a quarter of this PRs upvotes -- have been merged in the last week alone. I fear the maintainers do not actually sort by @antonbabenko's link when reviewing and this 300 line will live for well over a year before being addressed. Very slow pace. |
|
@pauldraper Anton did say that is one of 3 different priority lists. Also - this is both a |
ghost
added
size/XL
| ConflictsWith: []string{"grant"}, | ||
| }, | ||
|
|
||
| "grant": { |
There was a problem hiding this comment.
To prevent issues with setting the state during Read and other unforeseen issues with the initial implementation, I would recommend adding Computed: true to this attribute for now. We can always adjust this in the future and add a note in the documentation for now, e.g. To enable drift detection for this configuration, it must be configured.
There was a problem hiding this comment.
Computed: true leads to non-tacking in case of removal from TF resource, is it really needed?
It will work only if it was set explicitly, I don't see the way to track it always now (answered blow).
Of course I can miss some, but on tests Computed: true make the situation worse.
There was a problem hiding this comment.
Day passed and I understand the idea of using Computed: true and always save the state, it will work. And if you'll say that it is better way - I change the PR to this version.
The only thing I miss - that it will no the way back from computed, because it will make a lot of changes in state files
aws/resource_aws_s3_bucket.go
Outdated
|
|
||
| log.Printf("[DEBUG] S3 bucket: %s, read ACL grants policy before set: %+v", d.Id(), grants) | ||
| //if ACL grants contains bucket owner FULL_CONTROL only - it's "private" acl, skip the state | ||
| if len(grants) == 1 && grants[0]["id"].(string) == *ap.Owner.ID && |
There was a problem hiding this comment.
I believe this conditional can be removed if we prefer to always save to state
aws/resource_aws_s3_bucket.go
Outdated
| grantMap := rawGrant.(map[string]interface{}) | ||
| for _, rawPermission := range grantMap["permission"].([]interface{}) { | ||
| ge := &s3.Grantee{} | ||
| if i := grantMap["id"].(string); i != "" { |
There was a problem hiding this comment.
To prevent potential panics, we should perform a type assertion check here and below:
| if i := grantMap["id"].(string); i != "" { | |
| if i, ok := grantMap["id"].(string); ok && i != "" { |
bflad
added
the
waiting-response
|
Hi @bflad, thank you for the review, I thought that it hang. |
ghost
removed
the
waiting-response
# Conflicts: # aws/validators.go
bflad
added
the
waiting-response
|
Any updates on this request? |
ghost
removed
the
waiting-response
|
be super nice to have this. |
|
We could really make use of this and get rid of some Also, @Chhed13 @bflad, I think I know how to address the |
|
Any updates for this? It would be very useful to have for enterprise use cases. |
|
@Chhed13 there are merge conflicts on this PR, can you please resolve them? It also looks like there are some acceptance test failures. |
|
@gdavison ok, I'll take a look |
…-acl-policies # Conflicts: # aws/resource_aws_s3_bucket_test.go # website/docs/r/s3_bucket.html.markdown
There was a problem hiding this comment.
I've added a number of changes to make.
Also, can you run the full set of S3 acceptance tests, please?
- You can ignore failures with "After applying this step, the plan was not empty", since they're related to eventual consistency problems with S3.
- You'll get a number of "ImportStateVerify attributes not equivalent" errors. I think most of these are related to our default test cases mostly defining
acl = "public-read"for some reason; this can be changed to the default, IMO 😄
|
@gdavison thanks for the review. |
There was a problem hiding this comment.
LGTM 🚀
--- PASS: TestAccAWSS3BucketAnalyticsConfiguration_WithFilter_Empty (5.05s)
--- PASS: TestAccAWSS3BucketAnalyticsConfiguration_WithStorageClassAnalysis_Empty (5.34s)
--- PASS: TestAccAWSS3BucketMetric_WithEmptyFilter (23.88s)
--- PASS: TestAccAWSS3BucketAnalyticsConfiguration_WithStorageClassAnalysis_Full (25.69s)
--- PASS: TestAccAWSS3BucketInventory_encryptWithSSES3 (25.87s)
--- PASS: TestAccAWSS3BucketMetric_basic (26.39s)
--- PASS: TestAccAWSS3BucketAnalyticsConfiguration_basic (26.78s)
--- PASS: TestAccAWSS3BucketInventory_basic (27.48s)
--- PASS: TestAccAWSS3BucketAnalyticsConfiguration_WithStorageClassAnalysis_Default (27.61s)
--- PASS: TestAccAWSS3BucketObject_noNameNoKey (7.64s)
--- PASS: TestAccAWSS3BucketAnalyticsConfiguration_removed (37.39s)
--- PASS: TestAccAWSS3BucketMetric_WithFilterPrefixAndSingleTag (39.30s)
--- PASS: TestAccAWSS3BucketMetric_WithFilterPrefix (39.08s)
--- PASS: TestAccAWSS3BucketAnalyticsConfiguration_WithFilter_Remove (39.24s)
--- PASS: TestAccAWSS3BucketAnalyticsConfiguration_WithFilter_SingleTag (39.43s)
--- PASS: TestAccAWSS3BucketAnalyticsConfiguration_WithFilter_PrefixAndTags (39.32s)
--- PASS: TestAccAWSS3BucketMetric_WithFilterPrefixAndMultipleTags (39.54s)
--- PASS: TestAccAWSS3BucketAnalyticsConfiguration_WithFilter_MultipleTags (39.85s)
--- PASS: TestAccAWSS3BucketAnalyticsConfiguration_WithFilter_Prefix (39.73s)
--- PASS: TestAccAWSS3BucketMetric_WithFilterMultipleTags (36.44s)
--- PASS: TestAccAWSS3BucketMetric_WithFilterSingleTag (36.30s)
--- PASS: TestAccAWSS3BucketInventory_encryptWithSSEKMS (44.41s)
--- PASS: TestAccAWSS3BucketNotification_Queue (24.65s)
--- PASS: TestAccAWSS3BucketObject_empty (17.83s)
--- PASS: TestAccAWSS3BucketNotification_Topic_Multiple (27.11s)
--- PASS: TestAccAWSS3BucketAnalyticsConfiguration_updateBasic (54.21s)
--- PASS: TestAccAWSS3BucketNotification_Topic (27.58s)
--- PASS: TestAccAWSS3BucketObject_source (19.51s)
--- PASS: TestAccAWSS3BucketObject_content (20.88s)
--- PASS: TestAccAWSS3BucketObject_withContentCharacteristics (21.33s)
--- PASS: TestAccAWSS3BucketObject_etagEncryption (21.77s)
--- PASS: TestAccAWSS3BucketObject_NonVersioned (21.67s)
--- PASS: TestAccAWSS3BucketObject_contentBase64 (22.38s)
--- PASS: TestAccAWSS3BucketObject_sse (22.37s)
--- PASS: TestAccAWSS3BucketNotification_update (39.35s)
--- PASS: TestAccAWSS3BucketNotification_LambdaFunction (45.93s)
--- PASS: TestAccAWSS3BucketNotification_LambdaFunction_LambdaFunctionArn_Alias (49.77s)
--- PASS: TestAccAWSS3BucketObject_updateSameFile (35.97s)
--- PASS: TestAccAWSS3BucketObject_updatesWithVersioning (36.27s)
--- PASS: TestAccAWSS3BucketObject_updates (36.46s)
--- PASS: TestAccAWSS3BucketObject_kms (37.58s)
--- PASS: TestAccAWSS3BucketObject_updatesWithVersioningViaAccessPoint (38.37s)
--- PASS: TestAccAWSS3BucketPolicy_basic (26.20s)
--- PASS: TestAccAWSS3BucketPublicAccessBlock_bucketDisappears (18.48s)
--- PASS: TestAccAWSS3BucketPublicAccessBlock_disappears (22.42s)
--- PASS: TestAccAWSS3BucketPublicAccessBlock_basic (26.80s)
--- PASS: TestAccAWSS3BucketObject_ObjectLockLegalHoldStartWithOn (39.81s)
--- PASS: TestAccAWSS3BucketObject_acl (50.40s)
--- PASS: TestAccAWSS3BucketObject_metadata (48.90s)
--- PASS: TestAccAWSS3BucketPolicy_policyUpdate (41.59s)
--- PASS: TestAccAWSS3Bucket_basic (24.52s)
--- PASS: TestAccAWSS3Bucket_Bucket_EmptyString (25.96s)
--- PASS: TestAccAWSS3BucketObject_ObjectLockLegalHoldStartWithNone (53.22s)
--- PASS: TestAccAWSS3BucketObject_ObjectLockRetentionStartWithNone (52.64s)
--- PASS: TestAccAWSS3Bucket_namePrefix (24.11s)
--- PASS: TestAccAWSS3MultiBucket_withTags (28.72s)
--- PASS: TestAccAWSS3BucketObject_tags (67.07s)
--- PASS: TestAccAWSS3BucketObject_tagsLeadingSlash (66.80s)
--- PASS: TestAccAWSS3Bucket_generatedName (23.94s)
--- PASS: TestAccAWSS3BucketObject_ObjectLockRetentionStartWithSet (64.50s)
--- PASS: TestAccAWSS3BucketPublicAccessBlock_BlockPublicAcls (53.95s)
--- PASS: TestAccAWSS3BucketPublicAccessBlock_IgnorePublicAcls (53.71s)
--- PASS: TestAccAWSS3BucketObject_storageClass (76.53s)
--- PASS: TestAccAWSS3BucketPublicAccessBlock_BlockPublicPolicy (55.08s)
--- PASS: TestAccAWSS3BucketPublicAccessBlock_RestrictPublicBuckets (54.49s)
--- PASS: TestAccAWSS3Bucket_RequestPayer (39.06s)
--- PASS: TestAccAWSS3Bucket_acceleration (42.97s)
--- PASS: TestAccAWSS3Bucket_UpdateAcl (39.30s)
--- PASS: TestAccAWSS3Bucket_shouldFailNotFound (19.73s)
--- PASS: TestAccAWSS3Bucket_enableDefaultEncryption_whenAES256IsUsed (24.57s)
--- PASS: TestAccAWSS3Bucket_AclToGrant (40.27s)
--- PASS: TestAccAWSS3Bucket_tagsWithNoSystemTags (67.02s)
--- PASS: TestAccAWSS3Bucket_Cors_Delete (23.43s)
--- PASS: TestAccAWSS3Bucket_Policy (52.54s)
--- PASS: TestAccAWSS3Bucket_GrantToAcl (41.98s)
--- PASS: TestAccAWSS3Bucket_WebsiteRoutingRules (40.11s)
--- PASS: TestAccAWSS3Bucket_region (60.21s)
--- PASS: TestAccAWSS3Bucket_UpdateGrant (56.40s)
--- PASS: TestAccAWSS3Bucket_disableDefaultEncryption_whenDefaultEncryptionIsEnabled (38.36s)
--- PASS: TestAccAWSS3Bucket_Cors_EmptyOrigin (27.17s)
--- PASS: TestAWSS3BucketName (0.00s)
--- PASS: TestAccAWSS3Bucket_enableDefaultEncryption_whenTypical (45.79s)
--- PASS: TestBucketRegionalDomainName (0.00s)
--- PASS: TestAccAWSS3Bucket_Cors_Update (41.58s)
--- PASS: TestAccAWSS3Bucket_Website_Simple (53.36s)
--- PASS: TestAccAWSS3Bucket_WebsiteRedirect (52.89s)
--- PASS: TestAccAWSS3Bucket_Logging (29.42s)
--- PASS: TestAccAWSS3Bucket_Versioning (46.22s)
--- PASS: TestAccAWSS3Bucket_forceDestroy (18.01s)
--- PASS: TestAccAWSS3Bucket_forceDestroyWithEmptyPrefixes (14.46s)
--- PASS: TestAccAWSS3Bucket_LifecycleExpireMarkerOnly (32.52s)
--- PASS: TestAccAWSS3Bucket_forceDestroyWithObjectLockEnabled (16.24s)
--- PASS: TestAccAWSS3Bucket_objectLock (26.73s)
--- PASS: TestAccAWSS3Bucket_LifecycleBasic (43.35s)
--- PASS: TestAccAWSS3Bucket_tagsWithSystemTags (105.05s)
--- PASS: TestAccAWSS3Bucket_ReplicationExpectVersioningValidationError (43.45s)
--- PASS: TestAccAWSS3Bucket_ReplicationWithoutStorageClass (65.29s)
--- PASS: TestAccAWSS3Bucket_ReplicationWithoutPrefix (73.67s)
--- PASS: TestAccAWSS3Bucket_ReplicationConfiguration_Rule_Destination_AccessControlTranslation (127.63s)
--- PASS: TestAccAWSS3Bucket_ReplicationSchemaV2 (165.38s)
--- PASS: TestAccAWSS3Bucket_Replication (187.17s)
|
This has been released in version 2.52.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks! |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
ghost
locked and limited conversation to collaborators
It implements ACL policy grants requested in #989.
Type
AmazonCustomerByEmailis not implemented due to it can only be set, but get is only in form of CannonicalUser.Canned
aclalso can only be set, but not get and it also add some conditionals.