Handle the case were each grant could be part of a canned ACL but the…

… whole grants combination does not match a canned ACL
hashicorp · Dec 1, 2021 · b290c70 · b290c70
1 parent eeed952
commit b290c70
Show file tree

Hide file tree

Showing 2 changed files with 63 additions and 0 deletions.
diff --git a/internal/service/s3/bucket.go b/internal/service/s3/bucket.go
@@ -2959,6 +2959,9 @@ func flattenCannedACL(d *schema.ResourceData, ap *s3.GetBucketAclOutput) bool {
 		d.Set("acl", "aws-exec-read")
 	case owner_full_control && !all_users_read && !all_users_write && !authenticated_users_read && !ec2_read && logdelivery_read_acp && logdelivery_write:
 		d.Set("acl", "log-delivery-write")
+	default:
+		// No combination matched a canned ACL
+		return false
 	}
 	return true
 }

diff --git a/internal/service/s3/bucket_test.go b/internal/service/s3/bucket_test.go
@@ -625,6 +625,36 @@ func TestAccS3Bucket_Security_updateGrant(t *testing.T) {
 				ImportStateVerify:       true,
 				ImportStateVerifyIgnore: []string{"force_destroy"},
 			},
+			{
+				Config: testAccBucketWithGrantsEnsureNotCanned(bucketName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckBucketExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "grant.#", "3"),
+					resource.TestCheckTypeSetElemNestedAttrs(resourceName, "grant.*", map[string]string{
+						"permissions.#": "1",
+						"type":          "CanonicalUser",
+					}),
+					resource.TestCheckTypeSetElemAttr(resourceName, "grant.*.permissions.*", "FULL_CONTROL"),
+					resource.TestCheckTypeSetElemNestedAttrs(resourceName, "grant.*", map[string]string{
+						"permissions.#": "1",
+						"type":          "Group",
+						"uri":           "http://acs.amazonaws.com/groups/global/AllUsers",
+					}),
+					resource.TestCheckTypeSetElemAttr(resourceName, "grant.*.permissions.*", "READ"),
+					resource.TestCheckTypeSetElemNestedAttrs(resourceName, "grant.*", map[string]string{
+						"permissions.#": "1",
+						"type":          "Group",
+						"uri":           "http://acs.amazonaws.com/groups/s3/LogDelivery",
+					}),
+					resource.TestCheckTypeSetElemAttr(resourceName, "grant.*.permissions.*", "READ_ACP"),
+				),
+			},
+			{
+				ResourceName:            resourceName,
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"force_destroy"},
+			},
 			{
 				Config: testAccBucketConfig_Basic(bucketName),
 				Check: resource.ComposeTestCheckFunc(
@@ -3934,6 +3964,36 @@ resource "aws_s3_bucket" "bucket" {
 `, bucketName)
 }
 
+func testAccBucketWithGrantsEnsureNotCanned(bucketName string) string {
+	return fmt.Sprintf(`
+data "aws_canonical_user_id" "current" {}
+
+# This is a mix of several grant combinations that could make canned ACLs
+# but as a result do not match a single canned ACL.
+resource "aws_s3_bucket" "bucket" {
+  bucket = %[1]q
+
+  grant {
+    id          = data.aws_canonical_user_id.current.id
+    type        = "CanonicalUser"
+    permissions = ["FULL_CONTROL"]
+  }
+
+  grant {
+    type        = "Group"
+    permissions = ["READ"]
+    uri         = "http://acs.amazonaws.com/groups/global/AllUsers"
+  }
+
+  grant {
+    type        = "Group"
+    permissions = ["READ_ACP"]
+    uri         = "http://acs.amazonaws.com/groups/s3/LogDelivery"
+  }
+}
+`, bucketName)
+}
+
 func testAccBucketWithLoggingConfig(bucketName string) string {
 	return fmt.Sprintf(`
 resource "aws_s3_bucket" "log_bucket" {