From f20ecb98c0533d8a85677671582de64346e868b5 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Wed, 28 Aug 2024 14:57:07 -0400 Subject: [PATCH 01/10] r/aws_s3control_object_lambda_access_point: Fix 'InvalidParameterValueException: The runtime parameter of nodejs14.x is no longer supported for creating or updating AWS Lambda functions. We recommend you use a supported runtime while creating or updating functions' in acceptance tests. --- .../s3control/object_lambda_access_point_policy_test.go | 4 ++-- .../service/s3control/object_lambda_access_point_test.go | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/internal/service/s3control/object_lambda_access_point_policy_test.go b/internal/service/s3control/object_lambda_access_point_policy_test.go index d9ec18d1fde8..dfc5e1ba27c5 100644 --- a/internal/service/s3control/object_lambda_access_point_policy_test.go +++ b/internal/service/s3control/object_lambda_access_point_policy_test.go @@ -187,7 +187,7 @@ func testAccCheckObjectLambdaAccessPointPolicyExists(ctx context.Context, n stri } func testAccObjectLambdaAccessPointPolicyConfig_basic(rName string) string { - return acctest.ConfigCompose(testAccObjectLambdaAccessPointBaseConfig(rName), fmt.Sprintf(` + return acctest.ConfigCompose(testAccObjectLambdaAccessPointConfig_base(rName), fmt.Sprintf(` data "aws_caller_identity" "current" {} resource "aws_s3_bucket" "test" { @@ -236,7 +236,7 @@ resource "aws_s3control_object_lambda_access_point_policy" "test" { } func testAccObjectLambdaAccessPointPolicyConfig_updated(rName string) string { - return acctest.ConfigCompose(testAccObjectLambdaAccessPointBaseConfig(rName), fmt.Sprintf(` + return acctest.ConfigCompose(testAccObjectLambdaAccessPointConfig_base(rName), fmt.Sprintf(` data "aws_caller_identity" "current" {} resource "aws_s3_bucket" "test" { 
diff --git a/internal/service/s3control/object_lambda_access_point_test.go b/internal/service/s3control/object_lambda_access_point_test.go index c7dbd128c029..20e4e195f43c 100644 --- a/internal/service/s3control/object_lambda_access_point_test.go +++ b/internal/service/s3control/object_lambda_access_point_test.go @@ -213,20 +213,20 @@ func testAccCheckObjectLambdaAccessPointExists(ctx context.Context, n string, v } } -func testAccObjectLambdaAccessPointBaseConfig(rName string) string { +func testAccObjectLambdaAccessPointConfig_base(rName string) string { return acctest.ConfigCompose(acctest.ConfigLambdaBase(rName, rName, rName), fmt.Sprintf(` resource "aws_lambda_function" "test" { filename = "test-fixtures/lambdatest.zip" function_name = %[1]q role = aws_iam_role.iam_for_lambda.arn handler = "index.handler" - runtime = "nodejs14.x" + runtime = "nodejs20.x" } `, rName)) } func testAccObjectLambdaAccessPointConfig_basic(rName string) string { - return acctest.ConfigCompose(testAccObjectLambdaAccessPointBaseConfig(rName), fmt.Sprintf(` + return acctest.ConfigCompose(testAccObjectLambdaAccessPointConfig_base(rName), fmt.Sprintf(` resource "aws_s3_bucket" "test" { bucket = %[1]q } @@ -257,7 +257,7 @@ resource "aws_s3control_object_lambda_access_point" "test" { } func testAccObjectLambdaAccessPointConfig_optionals(rName string) string { - return acctest.ConfigCompose(testAccObjectLambdaAccessPointBaseConfig(rName), fmt.Sprintf(` + return acctest.ConfigCompose(testAccObjectLambdaAccessPointConfig_base(rName), fmt.Sprintf(` resource "aws_s3_bucket" "test" { bucket = %[1]q } From f0daac6183bb8e7100f56bdbe9195782cd08bfa6 Mon Sep 17 00:00:00 2001 
From: Kit Ewbank Date: Wed, 28 Aug 2024 15:34:39 -0400 Subject: [PATCH 02/10] r/aws_s3_account_public_access_block: Handle eventual consistency on Delete. --- internal/service/s3control/access_grant.go | 2 +- internal/service/s3control/access_grants_location.go | 6 +++--- .../service/s3control/account_public_access_block.go | 12 ++++++++++-- internal/service/s3control/consts.go | 4 +++- 4 files changed, 17 insertions(+), 7 deletions(-) diff --git a/internal/service/s3control/access_grant.go b/internal/service/s3control/access_grant.go index 1b740190990e..b9a537ee55dc 100644 --- a/internal/service/s3control/access_grant.go +++ b/internal/service/s3control/access_grant.go @@ -179,7 +179,7 @@ func (r *accessGrantResource) Create(ctx context.Context, request resource.Creat input.Tags = getTagsIn(ctx) // "InvalidRequest: Invalid Grantee in the request". - outputRaw, err := tfresource.RetryWhenAWSErrMessageContains(ctx, propagationTimeout, func() (interface{}, error) { + outputRaw, err := tfresource.RetryWhenAWSErrMessageContains(ctx, s3PropagationTimeout, func() (interface{}, error) { return conn.CreateAccessGrant(ctx, input) }, errCodeInvalidRequest, "Invalid Grantee in the request") diff --git a/internal/service/s3control/access_grants_location.go b/internal/service/s3control/access_grants_location.go index 1e52ad62a337..5a03044b41fc 100644 --- a/internal/service/s3control/access_grants_location.go +++ b/internal/service/s3control/access_grants_location.go @@ -111,7 +111,7 @@ func (r *accessGrantsLocationResource) Create(ctx context.Context, request resou input.Tags = getTagsIn(ctx) - outputRaw, err := tfresource.RetryWhenAWSErrCodeEquals(ctx, propagationTimeout, func() (interface{}, error) { + outputRaw, err := tfresource.RetryWhenAWSErrCodeEquals(ctx, s3PropagationTimeout, func() (interface{}, error) { return conn.CreateAccessGrantsLocation(ctx, input) }, errCodeInvalidIAMRole) 
@@ -205,7 +205,7 @@ func (r *accessGrantsLocationResource) Update(ctx context.Context, request resou return } - _, err := tfresource.RetryWhenAWSErrCodeEquals(ctx, propagationTimeout, func() (interface{}, error) { + _, err := tfresource.RetryWhenAWSErrCodeEquals(ctx, s3PropagationTimeout, func() (interface{}, error) { return conn.UpdateAccessGrantsLocation(ctx, input) }, errCodeInvalidIAMRole) @@ -244,7 +244,7 @@ func (r *accessGrantsLocationResource) Delete(ctx context.Context, request resou } // "AccessGrantsLocationNotEmptyError: Please delete access grants before deleting access grants location". - _, err := tfresource.RetryWhenAWSErrCodeEquals(ctx, propagationTimeout, func() (interface{}, error) { + _, err := tfresource.RetryWhenAWSErrCodeEquals(ctx, s3PropagationTimeout, func() (interface{}, error) { return conn.DeleteAccessGrantsLocation(ctx, input) }, errCodeAccessGrantsLocationNotEmptyError) diff --git a/internal/service/s3control/account_public_access_block.go b/internal/service/s3control/account_public_access_block.go index 82830a525e4a..fa3e60497a01 100644 --- a/internal/service/s3control/account_public_access_block.go +++ b/internal/service/s3control/account_public_access_block.go @@ -95,7 +95,7 @@ func resourceAccountPublicAccessBlockCreate(ctx context.Context, d *schema.Resou d.SetId(accountID) - _, err = tfresource.RetryWhenNotFound(ctx, propagationTimeout, func() (interface{}, error) { + _, err = tfresource.RetryWhenNotFound(ctx, s3PropagationTimeout, func() (interface{}, error) { return findPublicAccessBlockByAccountID(ctx, conn, d.Id()) }) 
@@ -176,6 +176,14 @@ func resourceAccountPublicAccessBlockDelete(ctx context.Context, d *schema.Resou return sdkdiag.AppendErrorf(diags, "deleting S3 Account Public Access Block (%s): %s", d.Id(), err) } + _, err = tfresource.RetryUntilNotFound(ctx, s3PropagationTimeout, func() (interface{}, error) { + return findPublicAccessBlockByAccountID(ctx, conn, d.Id()) + }) + + if err != nil { + return sdkdiag.AppendErrorf(diags, "waiting for S3 Account Public Access Block (%s) delete: %s", d.Id(), err) + } + return diags } @@ -225,7 +233,7 @@ func waitPublicAccessBlockEqual(ctx context.Context, conn *s3control.Client, acc Pending: []string{strconv.FormatBool(false)}, Target: []string{strconv.FormatBool(true)}, Refresh: statusPublicAccessBlockEqual(ctx, conn, accountID, target), - Timeout: propagationTimeout, + Timeout: s3PropagationTimeout, MinTimeout: 5 * time.Second, ContinuousTargetOccurence: 2, } diff --git a/internal/service/s3control/consts.go b/internal/service/s3control/consts.go index bc8258ce2891..a854fd144373 100644 --- a/internal/service/s3control/consts.go +++ b/internal/service/s3control/consts.go @@ -8,5 +8,7 @@ import ( ) const ( - propagationTimeout = 2 * time.Minute + // General timeout for S3 changes to propagate. + // See https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html#ConsistencyModel. + s3PropagationTimeout = 2 * time.Minute ) From f3d464331671871bc8a9e5c2d4391bd5aadc5bf1 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Wed, 28 Aug 2024 15:45:58 -0400 Subject: [PATCH 03/10] Fix 'TestAccS3BucketLifecycleConfiguration_directoryBucket'. --- internal/service/s3/bucket_lifecycle_configuration_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/service/s3/bucket_lifecycle_configuration_test.go b/internal/service/s3/bucket_lifecycle_configuration_test.go index 7b262211f9ac..d22a2f315238 100644 --- a/internal/service/s3/bucket_lifecycle_configuration_test.go 
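Review bot: The wait added after the delete call in resourceAccountPublicAccessBlockDelete returns on the first not-found read, while waitPublicAccessBlockEqual in the same file (next hunk) sets `ContinuousTargetOccurence: 2` before trusting a read from the same eventually consistent API. If reads can flap, a single not-found may be premature, and a Create that follows immediately in the same account could still observe the old block. Consider requiring consecutive not-found results, or record why one is enough. Because this resource is the account-level public access guard, a short comment above the wait would also help, e.g. `// Wait for the deletion to propagate; account-level public access block reads are eventually consistent.` The function body starts outside the hunk.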
+++ b/internal/service/s3/bucket_lifecycle_configuration_test.go
@@ -1061,7 +1061,7 @@ func TestAccS3BucketLifecycleConfiguration_directoryBucket(t *testing.T) {
 Steps: []resource.TestStep{
 {
 Config: testAccBucketLifecycleConfigurationConfig_directoryBucket(rName),
- ExpectError: regexache.MustCompile(`directory buckets are not supported`),
+ ExpectError: regexache.MustCompile(`MethodNotAllowed: The specified method is not allowed against this resource`),
 },
 },
 })
From 9a0de0a5a25e318351145c21da6cd9b2f6c56df4 Mon Sep 17 00:00:00 2001
From: Kit Ewbank
Date: Wed, 28 Aug 2024 15:46:37 -0400
Subject: [PATCH 04/10] Fix 'TestAccS3BucketServerSideEncryptionConfiguration_directoryBucket'.
---
 .../s3/bucket_server_side_encryption_configuration_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/internal/service/s3/bucket_server_side_encryption_configuration_test.go b/internal/service/s3/bucket_server_side_encryption_configuration_test.go
index ecfeafdd185f..a7d8926bba7a 100644
--- a/internal/service/s3/bucket_server_side_encryption_configuration_test.go
+++ b/internal/service/s3/bucket_server_side_encryption_configuration_test.go
@@ -455,7 +455,7 @@ func TestAccS3BucketServerSideEncryptionConfiguration_directoryBucket(t *testing
 Steps: []resource.TestStep{
 {
 Config: testAccBucketServerSideEncryptionConfigurationConfig_directoryBucket(rName),
- ExpectError: regexache.MustCompile(`directory buckets are not supported`),
+ ExpectError: regexache.MustCompile(`MethodNotAllowed: The specified method is not allowed against this resource`),
 },
 },
 })
From 98b4a1c193c8a2a23f363389d7b32b56c4b4b960 Mon Sep 17 00:00:00 2001
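Review bot: The new `ExpectError` pattern pins the full text of the S3 API error in place of the provider's own "directory buckets are not supported" message, so the test now passes on whatever the service returns rather than on the provider's handling. This suggests the lifecycle resource's directory-bucket error mapping no longer matches the service response (inferred, since the resource code is not in this patch). Fixing that mapping would keep the user-facing error actionable and let the test keep asserting the provider message. If pinning the API error is intended, matching only the error code is less brittle: `ExpectError: regexache.MustCompile("MethodNotAllowed"),`. The same applies to the identical change to bucket_server_side_encryption_configuration_test.go in PATCH 04/10.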
From: Kit Ewbank Date: Wed, 28 Aug 2024 16:22:16 -0400 Subject: [PATCH 05/10] r/aws_s3_bucket_server_side_encryption_configuration: S3 Directory Bucket support. --- ...et_server_side_encryption_configuration.go | 4 -- ...rver_side_encryption_configuration_test.go | 38 +++++++++++++++---- ...ide_encryption_configuration.html.markdown | 2 - 3 files changed, 30 insertions(+), 14 deletions(-) diff --git a/internal/service/s3/bucket_server_side_encryption_configuration.go b/internal/service/s3/bucket_server_side_encryption_configuration.go index e675d20de1e2..ff5ed8e32ead 100644 --- a/internal/service/s3/bucket_server_side_encryption_configuration.go +++ b/internal/service/s3/bucket_server_side_encryption_configuration.go @@ -102,10 +102,6 @@ func resourceBucketServerSideEncryptionConfigurationCreate(ctx context.Context, return conn.PutBucketEncryption(ctx, input) }, errCodeNoSuchBucket, errCodeOperationAborted) - if tfawserr.ErrMessageContains(err, errCodeInvalidArgument, "ServerSideEncryptionConfiguration is not valid, expected CreateBucketConfiguration") { - err = errDirectoryBucket(err) - } - if err != nil { return sdkdiag.AppendErrorf(diags, "creating S3 Bucket (%s) Server-side Encryption Configuration: %s", bucket, err) } diff --git a/internal/service/s3/bucket_server_side_encryption_configuration_test.go b/internal/service/s3/bucket_server_side_encryption_configuration_test.go index a7d8926bba7a..8823524c403d 100644 --- a/internal/service/s3/bucket_server_side_encryption_configuration_test.go +++ b/internal/service/s3/bucket_server_side_encryption_configuration_test.go @@ -8,7 +8,6 @@ import ( "fmt" "testing" - "github.com/YakDriver/regexache" "github.com/aws/aws-sdk-go-v2/service/s3/types" sdkacctest "github.com/hashicorp/terraform-plugin-testing/helper/acctest" "github.com/hashicorp/terraform-plugin-testing/helper/resource" 
@@ -32,7 +31,7 @@ func TestAccS3BucketServerSideEncryptionConfiguration_basic(t *testing.T) { Steps: []resource.TestStep{ { Config: testAccBucketServerSideEncryptionConfigurationConfig_basic(rName), - Check: resource.ComposeTestCheckFunc( + Check: resource.ComposeAggregateTestCheckFunc( testAccCheckBucketServerSideEncryptionConfigurationExists(ctx, resourceName), resource.TestCheckResourceAttrPair(resourceName, names.AttrBucket, "aws_s3_bucket.test", names.AttrBucket), resource.TestCheckResourceAttr(resourceName, acctest.CtRulePound, acctest.Ct1), @@ -446,6 +445,7 @@ func TestAccS3BucketServerSideEncryptionConfiguration_migrate_withChange(t *test func TestAccS3BucketServerSideEncryptionConfiguration_directoryBucket(t *testing.T) { ctx := acctest.Context(t) rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix) + resourceName := "aws_s3_bucket_server_side_encryption_configuration.test" resource.ParallelTest(t, resource.TestCase{ PreCheck: func() { acctest.PreCheck(ctx, t) }, 
@@ -454,8 +454,24 @@ func TestAccS3BucketServerSideEncryptionConfiguration_directoryBucket(t *testing CheckDestroy: acctest.CheckDestroyNoop, Steps: []resource.TestStep{ { - Config: testAccBucketServerSideEncryptionConfigurationConfig_directoryBucket(rName), - ExpectError: regexache.MustCompile(`MethodNotAllowed: The specified method is not allowed against this resource`), + Config: testAccBucketServerSideEncryptionConfigurationConfig_directoryBucket(rName), + Check: resource.ComposeAggregateTestCheckFunc( + testAccCheckBucketServerSideEncryptionConfigurationExists(ctx, resourceName), + resource.TestCheckResourceAttrPair(resourceName, names.AttrBucket, "aws_s3_directory_bucket.test", names.AttrBucket), + resource.TestCheckResourceAttr(resourceName, acctest.CtRulePound, acctest.Ct1), + resource.TestCheckResourceAttr(resourceName, "rule.0.apply_server_side_encryption_by_default.#", acctest.Ct1), + resource.TestCheckResourceAttrPair(resourceName, "rule.0.apply_server_side_encryption_by_default.0.kms_master_key_id", "aws_kms_key.test", names.AttrARN), + resource.TestCheckResourceAttr(resourceName, "rule.0.apply_server_side_encryption_by_default.0.sse_algorithm", string(types.ServerSideEncryptionAwsKms)), + resource.TestCheckResourceAttr(resourceName, "rule.0.bucket_key_enabled", "true"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{ + "rule.0.bucket_key_enabled", + }, }, }, }) @@ -631,7 +647,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "test" { } func testAccBucketServerSideEncryptionConfigurationConfig_directoryBucket(rName string) string { - return acctest.ConfigCompose(testAccDirectoryBucketConfig_base(rName), ` + return acctest.ConfigCompose(testAccDirectoryBucketConfig_base(rName), fmt.Sprintf(` resource "aws_s3_directory_bucket" "test" { bucket = local.bucket 
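Review bot: `ImportStateVerifyIgnore` in the new import step skips `rule.0.bucket_key_enabled` with no explanation, so a reader cannot tell whether the API omits the bucket-key setting for directory buckets or the provider's read drops it. The first step asserts the attribute is true after apply, which makes the gap on import more surprising. Add a comment above the ignore list, e.g. `// bucket_key_enabled is not verified on import for directory buckets: <reason to be filled in>`, or remove the ignore if the attribute round-trips. The test function starts outside the hunk.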
@@ -640,15 +656,21 @@ resource "aws_s3_directory_bucket" "test" { } } +resource "aws_kms_key" "test" { + description = %[1]q + deletion_window_in_days = 7 +} + resource "aws_s3_bucket_server_side_encryption_configuration" "test" { bucket = aws_s3_directory_bucket.test.bucket rule { - # This is Amazon S3 bucket default encryption. apply_server_side_encryption_by_default { - sse_algorithm = "AES256" + kms_master_key_id = aws_kms_key.test.arn + sse_algorithm = "aws:kms" } + bucket_key_enabled = true } } -`) +`, rName)) } diff --git a/website/docs/r/s3_bucket_server_side_encryption_configuration.html.markdown b/website/docs/r/s3_bucket_server_side_encryption_configuration.html.markdown index 5cbb5c45f8a9..c42192abc199 100644 --- a/website/docs/r/s3_bucket_server_side_encryption_configuration.html.markdown +++ b/website/docs/r/s3_bucket_server_side_encryption_configuration.html.markdown @@ -12,8 +12,6 @@ Provides a S3 bucket server-side encryption configuration resource. ~> **NOTE:** Destroying an `aws_s3_bucket_server_side_encryption_configuration` resource resets the bucket to [Amazon S3 bucket default encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-encryption-faq.html). --> This resource cannot be used with S3 directory buckets. - ## Example Usage ```terraform From e512be9d8bd98d6bfad72b2c56adb74086f73e66 Mon Sep 17 00:00:00 2001 
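Review bot: Replacing the `sse_algorithm = "AES256"` rule with the `aws:kms` rule in testAccBucketServerSideEncryptionConfigurationConfig_directoryBucket leaves no configuration in this patch that applies the resource to a directory bucket with SSE-S3. Whether that combination is now accepted or still rejected is therefore untested. Consider keeping an AES256 variant of the config with its own test step, so the resource's behaviour on directory buckets is pinned for both algorithms. The config function starts in the previous hunk, and patch 10/10 reuses it for the object test, so the fixture's shape is shared.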
From: Kit Ewbank Date: Wed, 28 Aug 2024 16:22:25 -0400 Subject: [PATCH 06/10] Acceptance test output: % make testacc TESTARGS='-run=TestAccS3BucketServerSideEncryptionConfiguration_directoryBucket' PKG=s3 ACCTEST_PARALLELISM=3 make: Verifying source code with gofmt... ==> Checking that code complies with gofmt requirements... TF_ACC=1 go1.23.0 test ./internal/service/s3/... -v -count 1 -parallel 3 -run=TestAccS3BucketServerSideEncryptionConfiguration_directoryBucket -timeout 360m === RUN TestAccS3BucketServerSideEncryptionConfiguration_directoryBucket === PAUSE TestAccS3BucketServerSideEncryptionConfiguration_directoryBucket === CONT TestAccS3BucketServerSideEncryptionConfiguration_directoryBucket --- PASS: TestAccS3BucketServerSideEncryptionConfiguration_directoryBucket (16.84s) PASS ok github.com/hashicorp/terraform-provider-aws/internal/service/s3 21.909s From ca5ad3401c64bcfae4489db69990df6953ed8e86 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Wed, 28 Aug 2024 16:25:31 -0400 Subject: [PATCH 07/10] Add CHANGELOG entry. --- .changelog/#####.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 .changelog/#####.txt diff --git a/.changelog/#####.txt b/.changelog/#####.txt new file mode 100644 index 000000000000..8f38bcb396e0 --- /dev/null +++ b/.changelog/#####.txt @@ -0,0 +1,3 @@ +```release-note:enhancement +resource/aws_s3_bucket_server_side_encryption_configuration: S3 directory buckets now support SSE-KMS +``` \ No newline at end of file From 27be71440ededa3ff9b866de8ec8f71ab4a41b3b Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Tue, 17 Sep 2024 17:48:34 -0400 Subject: [PATCH 08/10] Correct CHANGELOG entry file name. --- .changelog/{#####.txt => 39366.txt} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .changelog/{#####.txt => 39366.txt} (100%) diff --git a/.changelog/#####.txt b/.changelog/39366.txt similarity index 100% rename from .changelog/#####.txt rename to .changelog/39366.txt 
From 4c8d208e4fd66d9cbd1e5acdde9da6e7c016eb51 Mon Sep 17 00:00:00 2001
From: Kit Ewbank
Date: Wed, 18 Sep 2024 08:03:05 -0400
Subject: [PATCH 09/10] Run 'make fix-constants PKG=s3'.
---
 .../s3/bucket_server_side_encryption_configuration_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/internal/service/s3/bucket_server_side_encryption_configuration_test.go b/internal/service/s3/bucket_server_side_encryption_configuration_test.go
index 8823524c403d..7ed5a10313d8 100644
--- a/internal/service/s3/bucket_server_side_encryption_configuration_test.go
+++ b/internal/service/s3/bucket_server_side_encryption_configuration_test.go
@@ -462,7 +462,7 @@ func TestAccS3BucketServerSideEncryptionConfiguration_directoryBucket(t *testing
 resource.TestCheckResourceAttr(resourceName, "rule.0.apply_server_side_encryption_by_default.#", acctest.Ct1),
 resource.TestCheckResourceAttrPair(resourceName, "rule.0.apply_server_side_encryption_by_default.0.kms_master_key_id", "aws_kms_key.test", names.AttrARN),
 resource.TestCheckResourceAttr(resourceName, "rule.0.apply_server_side_encryption_by_default.0.sse_algorithm", string(types.ServerSideEncryptionAwsKms)),
- resource.TestCheckResourceAttr(resourceName, "rule.0.bucket_key_enabled", "true"),
+ resource.TestCheckResourceAttr(resourceName, "rule.0.bucket_key_enabled", acctest.CtTrue),
 ),
 },
 {
From 54567d03db11690cc25a4f7e1bc4912a4b0641d5 Mon Sep 17 00:00:00 2001
From: Kit Ewbank
Date: Wed, 18 Sep 2024 08:16:21 -0400
Subject: [PATCH 10/10] Add 'TestAccS3Object_DirectoryBucket_kmsSSE'.
---
 internal/service/s3/object_test.go | 50 ++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
diff --git a/internal/service/s3/object_test.go b/internal/service/s3/object_test.go
index 0cb1cb8b7647..a56a6ed35cbc 100644
--- a/internal/service/s3/object_test.go
+++ b/internal/service/s3/object_test.go
@@ -1769,6 +1769,40 @@ func TestAccS3Object_DirectoryBucket_DefaultTags_providerOnly(t *testing.T) { }) } +func TestAccS3Object_DirectoryBucket_kmsSSE(t *testing.T) { + ctx := acctest.Context(t) + var obj s3.GetObjectOutput + resourceName := "aws_s3_object.object" + rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix) + + source := testAccObjectCreateTempFile(t, "{anything will do }") + defer os.Remove(source) + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { acctest.PreCheck(ctx, t) }, + ErrorCheck: acctest.ErrorCheck(t, names.S3ServiceID), + ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories, + CheckDestroy: testAccCheckObjectDestroy(ctx), + Steps: []resource.TestStep{ + { + Config: testAccObjectConfig_directoryBucketKMSSSE(rName, source), + Check: resource.ComposeAggregateTestCheckFunc( + testAccCheckObjectExists(ctx, resourceName, &obj), + testAccCheckObjectSSE(ctx, resourceName, "aws:kms"), + testAccCheckObjectBody(&obj, "{anything will do }"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{names.AttrForceDestroy, "override_provider", names.AttrSource}, + ImportStateIdFunc: testAccObjectImportStateIdFunc(resourceName), + }, + }, + }) +} + // https://github.com/hashicorp/terraform-provider-aws/issues/32385. func TestAccS3Object_prefix(t *testing.T) { ctx := acctest.Context(t) @@ -2945,6 +2979,22 @@ resource "aws_s3_object" "object" { `) } +func testAccObjectConfig_directoryBucketKMSSSE(rName, source string) string { + return acctest.ConfigCompose(testAccBucketServerSideEncryptionConfigurationConfig_directoryBucket(rName), fmt.Sprintf(` +resource "aws_s3_object" "object" { + bucket = aws_s3_directory_bucket.test.bucket + key = "test-key" + source = %[1]q + + override_provider { + default_tags { + tags = {} + } + } +} +`, source)) +} + func testAccObjectConfig_prefix(rName string) string { return fmt.Sprintf(` resource "aws_s3_bucket" "test" {
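Review bot: TestAccS3Object_DirectoryBucket_kmsSSE asserts only that the object's SSE algorithm is `aws:kms` (via `testAccCheckObjectSSE`), not that the object was encrypted with the customer managed key set as the bucket default. An object encrypted under a different KMS key would still pass. If the object's `kms_key_id` is populated from the bucket default (not visible in this hunk), add `resource.TestCheckResourceAttrPair(resourceName, "kms_key_id", "aws_kms_key.test", names.AttrARN),` to the first step's checks. As a smaller style point, the body literal `"{anything will do }"` appears twice; a local constant would keep the temp file contents and the `testAccCheckObjectBody` expectation in sync.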