Merge pull request #25098 from Simple-Analysis/b-aws_s3_bucket-object…

…_lock-default-refactor b/aws_s3_bucket-object_lock-default-refactor
hashicorp · Jul 25, 2022 · 99eac74 · 99eac74
2 parents 8f2d842 + 3001218
commit 99eac74
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 4 deletions.
diff --git a/.changelog/25098.txt b/.changelog/25098.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+resource/aws_s3_bucket: Refactored `object_lock_enabled` parameter's default assignment behavior to protect partitions without Object Lock available.
+```
diff --git a/internal/service/s3/bucket.go b/internal/service/s3/bucket.go
@@ -714,8 +714,10 @@ func resourceBucketCreate(d *schema.ResourceData, meta interface{}) error {
 	log.Printf("[DEBUG] S3 bucket create: %s", bucket)
 
 	req := &s3.CreateBucketInput{
-		Bucket:                     aws.String(bucket),
-		ObjectLockEnabledForBucket: aws.Bool(d.Get("object_lock_enabled").(bool)),
+		Bucket: aws.String(bucket),
+		// NOTE: Please, do not add any other fields here unless the field is
+		// supported in *all* AWS partitions (including ISO partitions) and by
+		// 3rd party S3 providers.
 	}
 
 	if acl, ok := d.GetOk("acl"); ok {
@@ -743,6 +745,11 @@ func resourceBucketCreate(d *schema.ResourceData, meta interface{}) error {
 		return fmt.Errorf("error validating S3 Bucket (%s) name: %w", bucket, err)
 	}
 
+	// S3 Object Lock is not supported on all partitions.
+	if v, ok := d.GetOk("object_lock_enabled"); ok {
+		req.ObjectLockEnabledForBucket = aws.Bool(v.(bool))
+	}
+
 	// S3 Object Lock can only be enabled on bucket creation.
 	objectLockConfiguration := expandObjectLockConfiguration(d.Get("object_lock_configuration").([]interface{}))
 	if objectLockConfiguration != nil && aws.StringValue(objectLockConfiguration.ObjectLockEnabled) == s3.ObjectLockEnabledEnabled {
@@ -1282,7 +1289,7 @@ func resourceBucketRead(d *schema.ResourceData, meta interface{}) error {
 			return fmt.Errorf("error setting object_lock_configuration: %w", err)
 		}
 	} else {
-		d.Set("object_lock_enabled", false)
+		d.Set("object_lock_enabled", nil)
 		d.Set("object_lock_configuration", nil)
 	}
 

diff --git a/website/docs/r/s3_bucket.html.markdown b/website/docs/r/s3_bucket.html.markdown
@@ -465,7 +465,7 @@ The following arguments are supported:
   Use the resource [`aws_s3_bucket_lifecycle_configuration`](s3_bucket_lifecycle_configuration.html) instead.
 * `logging` - (Optional, **Deprecated**) A configuration of [S3 bucket logging](https://docs.aws.amazon.com/AmazonS3/latest/UG/ManagingBucketLogging.html) parameters. See [Logging](#logging) below for details. Terraform will only perform drift detection if a configuration value is provided.
   Use the resource [`aws_s3_bucket_logging`](s3_bucket_logging.html.markdown) instead.
-* `object_lock_enabled` - (Optional, Default:`false`, Forces new resource) Indicates whether this bucket has an Object Lock configuration enabled. Valid values are `true` or `false`.
+* `object_lock_enabled` - (Optional, Forces new resource) Indicates whether this bucket has an Object Lock configuration enabled. Valid values are `true` or `false`. This argument is not supported in all regions or partitions.
 * `object_lock_configuration` - (Optional, **Deprecated**) A configuration of [S3 object locking](https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock.html). See [Object Lock Configuration](#object-lock-configuration) below for details.
   Terraform wil only perform drift detection if a configuration value is provided.
   Use the `object_lock_enabled` parameter and the resource [`aws_s3_bucket_object_lock_configuration`](s3_bucket_object_lock_configuration.html.markdown) instead.