resource/aws_s3_bucket_object: Fix object deletion for non-versioned objects #10352
…objects

Acceptance test before change

```
--- FAIL: TestAccAWSS3BucketObject_NonVersioned (32.38s)
testing.go:630: Error destroying resource! WARNING: Dangling resources may exist. The full state and error is shown below.
Error: errors during apply: Failed listing S3 object versions: AccessDenied: Access Denied
```

Acceptance test after change

```
--- PASS: TestAccAWSS3BucketObject_NonVersioned (32.16s)
```
There is a test case for S3 that is only reproducible for IAM users that have restricted permissions on bucket objects. This change introduces a simple test Provider configuration that can be used for assuming a restricted policy at runtime.

This change introduces a testAccAssumeRoleARNPreCheck function that can be used for validating that a TF_ACC_ASSUME_ROLE_ARN environment variable is set for any tests using the testAccProviderConfigAssumeRolePolicy provider configuration block.

testAccAssumeRoleARNPreCheck unset

```
> make testacc TEST=./aws TESTARGS='-run=TestAccAWSS3BucketObject_NonVersioned'
--- SKIP: TestAccAWSS3BucketObject_NonVersioned (1.56s)
provider_test.go:756: skipping tests; TF_ACC_ASSUME_ROLE_ARN must be
```

testAccAssumeRoleARNPreCheck set

```
TF_ACC_ASSUME_ROLE_ARN=... make testacc TEST=./aws TESTARGS='-run=TestAccAWSS3BucketObject_NonVersioned'
--- PASS: TestAccAWSS3BucketObject_NonVersioned (32.47s)
```

Acceptance tests after change

```
--- SKIP: TestAccAWSS3BucketObject_NonVersioned (2.03s)
provider_test.go:756: skipping tests; TF_ACC_ASSUME_ROLE_ARN must be set
=== CONT TestAccAWSS3BucketObject_tagsLeadingSlash
--- PASS: TestAccAWSS3BucketObject_noNameNoKey (3.53s)
--- PASS: TestAccAWSS3BucketObject_empty (32.55s)
--- PASS: TestAccAWSS3BucketObject_source (36.75s)
--- PASS: TestAccAWSS3BucketObject_withContentCharacteristics (37.46s)
--- PASS: TestAccAWSS3BucketObject_content (37.75s)
--- PASS: TestAccAWSS3BucketObject_etagEncryption (37.78s)
--- PASS: TestAccAWSS3BucketObject_sse (37.78s)
--- PASS: TestAccAWSS3BucketObject_contentBase64 (37.90s)
--- PASS: TestAccAWSS3BucketObject_kms (61.81s)
--- PASS: TestAccAWSS3BucketObject_updates (61.91s)
--- PASS: TestAccAWSS3BucketObject_updatesWithVersioning (62.52s)
--- PASS: TestAccAWSS3BucketObject_updateSameFile (62.80s)
--- PASS: TestAccAWSS3BucketObject_ObjectLockLegalHoldStartWithOn (63.18s)
--- PASS: TestAccAWSS3BucketObject_metadata (82.99s)
--- PASS: TestAccAWSS3BucketObject_acl (86.10s)
--- PASS: TestAccAWSS3BucketObject_ObjectLockRetentionStartWithNone (86.15s)
--- PASS: TestAccAWSS3BucketObject_ObjectLockLegalHoldStartWithNone (87.09s)
--- PASS: TestAccAWSS3BucketObject_ObjectLockRetentionStartWithSet (105.55s)
--- PASS: TestAccAWSS3BucketObject_tagsLeadingSlash (105.43s)
--- PASS: TestAccAWSS3BucketObject_tags (107.64s)
--- PASS: TestAccAWSS3BucketObject_storageClass (127.35s)
```
LGTM with a non-blocking nit and documentation request below. 😄 🚀
Output from acceptance testing:
```
--- PASS: TestAccAWSS3BucketObject_noNameNoKey (6.04s)
--- PASS: TestAccAWSS3BucketObject_empty (15.99s)
--- PASS: TestAccAWSS3BucketObject_etagEncryption (20.96s)
--- PASS: TestAccAWSS3BucketObject_contentBase64 (21.43s)
--- PASS: TestAccAWSS3BucketObject_source (21.75s)
--- PASS: TestAccAWSS3BucketObject_content (21.73s)
--- PASS: TestAccAWSS3BucketObject_sse (21.93s)
--- PASS: TestAccAWSS3BucketObject_withContentCharacteristics (22.08s)
--- PASS: TestAccAWSS3BucketObject_ObjectLockLegalHoldStartWithOn (28.94s)
--- PASS: TestAccAWSS3BucketObject_updatesWithVersioning (30.45s)
--- PASS: TestAccAWSS3BucketObject_updateSameFile (30.61s)
--- PASS: TestAccAWSS3BucketObject_updates (32.19s)
--- PASS: TestAccAWSS3BucketObject_metadata (34.61s)
--- PASS: TestAccAWSS3BucketObject_ObjectLockLegalHoldStartWithNone (36.61s)
--- PASS: TestAccAWSS3BucketObject_ObjectLockRetentionStartWithNone (34.98s)
--- PASS: TestAccAWSS3BucketObject_acl (37.31s)
--- PASS: TestAccAWSS3BucketObject_kms (40.56s)
--- PASS: TestAccAWSS3BucketObject_tagsLeadingSlash (42.77s)
--- PASS: TestAccAWSS3BucketObject_tags (43.37s)
--- PASS: TestAccAWSS3BucketObject_ObjectLockRetentionStartWithSet (37.47s)
--- PASS: TestAccAWSS3BucketObject_storageClass (46.97s)
```
func testAccAssumeRoleARNPreCheck(t *testing.T) { | ||
v := os.Getenv("TF_ACC_ASSUME_ROLE_ARN") | ||
if v == "" { | ||
t.Skip("skipping tests; TF_ACC_ASSUME_ROLE_ARN must be set") |
Nit: In the future, we may want to augment this skip message to include more details about what this is and how to create it, e.g.
t.Skip("skipping tests; TF_ACC_ASSUME_ROLE_ARN must be set") | |
t.Skip("skipping tests; TF_ACC_ASSUME_ROLE_ARN environment variable must be set.\n" + | |
"This acceptance test expects the ARN of an IAM Role with full permissions " + | |
"in the testing AWS account that can be assumed with a restrictive session " + | |
"policy to verify resource functionality with those restrictive permissions.") |
} | ||
} | ||
|
||
func testAccProviderConfigAssumeRolePolicy(policy string) string { |
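Review bot: The empty-string check in testAccAssumeRoleARNPreCheck turns a missing TF_ACC_ASSUME_ROLE_ARN into a SKIP, so any run that does not export the variable silently drops the restricted-permission coverage this test exists for. Suggest recording the variable wherever the acceptance-test environment is documented, and trimming whitespace before the comparison so a blank value is also skipped rather than passed on as a role ARN.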
This is a really neat setup. Do you have time to document this awesome new way of "acceptance testing resources with restricted IAM permissions" in the contributing guide? I'm sure there are other resources that could benefit from something like this. ❤️
This has been released in version 2.31.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
Closes #10191
Release note for CHANGELOG:
Acceptance test before change
Acceptance test after change
The test case for S3 is only reproducible for IAM users that have restricted permissions on bucket objects. This change introduces a simple test Provider configuration that can be used for assuming a restricted policy at runtime. This change introduces a testAccAssumeRoleARNPreCheck function that can be used for validating that a TF_ACC_ASSUME_ROLE_ARN environment variable is set for any tests using the testAccProviderConfigAssumeRolePolicy provider configuration block.
testAccAssumeRoleARNPreCheck unset
testAccAssumeRoleARNPreCheck set
Acceptance tests after change
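Why a role with full permissions can still hit `AccessDenied` on listing object versions once a restrictive session policy is attached, as an added example that is not code from this pull request. Both policy documents are constructed, and the evaluator is a simplified sketch that reads only `Effect` and `Action`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
)

// Constructed policies (assumptions): the role allows all of S3; the session
// policy omits s3:ListBucketVersions, which ListObjectVersions requires.
const rolePolicy = `{"Statement":[{"Effect":"Allow","Action":["s3:*"]}]}`
const sessionPolicy = `{"Statement":[{"Effect":"Allow","Action":["s3:GetObject","s3:DeleteObject"]}]}`

// allows evaluates one document: a matching Deny wins, else any matching Allow.
// Only Effect and Action (list form) are read; Resource and Condition are ignored.
func allows(doc, action string) (bool, error) {
	var p struct{ Statement []struct{ Effect string; Action []string } }
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return false, err
	}
	allowed := false
	for _, s := range p.Statement {
		for _, pat := range s.Action {
			if ok, _ := path.Match(pat, action); !ok {
				continue
			}
			if s.Effect == "Deny" {
				return false, nil
			}
			allowed = true
		}
	}
	return allowed, nil
}

// effective: a session request must pass the role policy AND the session policy.
func effective(role, session, action string) (bool, error) {
	r, err := allows(role, action)
	if err != nil {
		return false, err
	}
	s, err := allows(session, action)
	return r && s, err
}

func main() {
	ok, _ := effective(rolePolicy, sessionPolicy, "s3:ListBucketVersions")
	fmt.Println("s3:ListBucketVersions allowed in session:", ok)
}
```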