From 406a4d31dfe3e34ed7cdb53ae7f43b91a2556556 Mon Sep 17 00:00:00 2001
From: Adam Bennett
Date: Thu, 28 Feb 2019 12:04:03 -0700
Subject: [PATCH 1/2] Add aws_s3_bucket_policy data source

---
 aws/data_source_aws_s3_bucket_policy.go | 49 +++++++++++++++
 aws/data_source_aws_s3_bucket_policy_test.go | 61 +++++++++++++++++++
 aws/provider.go | 1 +
 website/docs/d/s3_bucket_policy.html.markdown | 61 +++++++++++++++++++
 4 files changed, 172 insertions(+)
 create mode 100644 aws/data_source_aws_s3_bucket_policy.go
 create mode 100644 aws/data_source_aws_s3_bucket_policy_test.go
 create mode 100644 website/docs/d/s3_bucket_policy.html.markdown

diff --git a/aws/data_source_aws_s3_bucket_policy.go b/aws/data_source_aws_s3_bucket_policy.go
new file mode 100644
index 000000000000..89a273b581f2
--- /dev/null
+++ b/aws/data_source_aws_s3_bucket_policy.go
@@ -0,0 +1,49 @@
+package aws
+
+import (
+ "fmt"
+ "log"
+
+ "github.com/aws/aws-sdk-go/aws"
+ "github.com/aws/aws-sdk-go/service/s3"
+ "github.com/hashicorp/terraform/helper/schema"
+)
+
+func dataSourceAwsS3BucketPolicy() *schema.Resource {
+ return &schema.Resource{
+ Read: dataSourceAwsS3BucketPolicyRead,
+
+ Schema: map[string]*schema.Schema{
+ "bucket": {
+ Type: schema.TypeString,
+ Required: true,
+ },
+ "policy": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
+ },
+ }
+}
+
+func dataSourceAwsS3BucketPolicyRead(d *schema.ResourceData, meta interface{}) error {
+ conn := meta.(*AWSClient).s3conn
+
+ bucket := d.Get("bucket").(string)
+
+ input := &s3.GetBucketPolicyInput{
+ Bucket: aws.String(bucket),
+ }
+
+ log.Printf("[DEBUG] Reading S3 bucket policy: %s", input)
+ result, err := conn.GetBucketPolicy(input)
+
+ if err != nil {
+ return fmt.Errorf("Failed getting S3 bucket policy: %s Bucket: %q", err, bucket)
+ }
+
+ d.SetId(bucket)
+ d.Set("policy", *result.Policy)
+
+ return err
+}
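Review bot: `d.Set("policy", *result.Policy)` near the end of the hunk dereferences `result.Policy` with no nil guard and discards the error that `d.Set` returns, so a successful response whose Policy field is nil (should the SDK ever return one) would panic the provider rather than fail the read. The SDK's nil-safe accessor plus a checked set avoids both: `if err := d.Set("policy", aws.StringValue(result.Policy)); err != nil { return fmt.Errorf("error setting policy for bucket %q: %s", bucket, err) }`. A doc comment on the constructor would also help readers of the provider, e.g. `// dataSourceAwsS3BucketPolicy exposes the current bucket policy document of an existing S3 bucket; the calling credentials must be permitted to call GetBucketPolicy on it.`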
diff --git a/aws/data_source_aws_s3_bucket_policy_test.go b/aws/data_source_aws_s3_bucket_policy_test.go
new file mode 100644
index 000000000000..fe90ace1edd2
--- /dev/null
+++ b/aws/data_source_aws_s3_bucket_policy_test.go
@@ -0,0 +1,61 @@
+package aws
+
+import (
+ "fmt"
+ "testing"
+
+ "github.com/hashicorp/terraform/helper/acctest"
+ "github.com/hashicorp/terraform/helper/resource"
+)
+
+func TestAccDataSourceS3BucketPolicy(t *testing.T) {
+ name := fmt.Sprintf("tf-test-bucket-%d", acctest.RandInt())
+ partition := testAccGetPartition()
+
+ policy := fmt.Sprintf(`{
+ "Version": "2012-10-17",
+ "Statement": [{
+ "Sid": "",
+ "Effect": "Allow",
+ "Principal": {"AWS":"*"},
+ "Action": "s3:*",
+ "Resource": ["arn:%s:s3:::%s/*","arn:%s:s3:::%s"]
+ }]
+}`, partition, name, partition, name)
+
+ resource.ParallelTest(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccAWSDataSourceS3BucketPolicyConfig(name, policy),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckAWSS3BucketExists("data.aws_s3_bucket_policy.bucket"),
+ testAccCheckAWSS3BucketHasPolicy("data.aws_s3_bucket_policy.bucket", policy),
+ ),
+ },
+ },
+ })
+}
+
+func testAccAWSDataSourceS3BucketPolicyConfig(bucketName string, bucketPolicy string) string {
+ return fmt.Sprintf(`
+resource "aws_s3_bucket" "bucket" {
+ bucket = "%s"
+ tags = {
+ TestName = "TestAccAWSDataSourceS3BucketPolicy"
+ }
+}
+
+resource "aws_s3_bucket_policy" "bucket" {
+ bucket = "${aws_s3_bucket.bucket.id}"
+ policy = <
Date: Wed, 13 Mar 2019 14:47:08 -0600
Subject: [PATCH 2/2] Handle buckets without a policy and add corresponding test

---
 aws/data_source_aws_s3_bucket_policy.go | 22 ++++++++++--
 aws/data_source_aws_s3_bucket_policy_test.go | 38 ++++++++++++++++++--
 2 files changed, 54 insertions(+), 6 deletions(-)
diff --git a/aws/data_source_aws_s3_bucket_policy.go b/aws/data_source_aws_s3_bucket_policy.go
index 89a273b581f2..5c42fd9af809 100644
--- a/aws/data_source_aws_s3_bucket_policy.go
+++ b/aws/data_source_aws_s3_bucket_policy.go
@@ -5,6 +5,7 @@ import (
 "log"
 
 "github.com/aws/aws-sdk-go/aws"
+ "github.com/aws/aws-sdk-go/aws/awserr"
 "github.com/aws/aws-sdk-go/service/s3"
 "github.com/hashicorp/terraform/helper/schema"
 )
@@ -38,12 +39,27 @@ func dataSourceAwsS3BucketPolicyRead(d *schema.ResourceData, meta interface{}) e
 log.Printf("[DEBUG] Reading S3 bucket policy: %s", input)
 result, err := conn.GetBucketPolicy(input)
 
+ policy := ""
+
 if err != nil {
- return fmt.Errorf("Failed getting S3 bucket policy: %s Bucket: %q", err, bucket)
+ log.Printf("[DEBUG] Error reading S3 bucket policy: %q", err)
+
+ if reqerr, ok := err.(awserr.RequestFailure); ok {
+ log.Printf("[DEBUG] Request failure reading S3 bucket policy: %q", reqerr)
+
+ // ignore error if bucket policy doesn't exist
+ if reqerr.StatusCode() != 404 {
+ return fmt.Errorf("Failed getting S3 bucket policy: %s Bucket: %q", err, bucket)
+ }
+ } else {
+ return fmt.Errorf("Failed getting S3 bucket policy: %s Bucket: %q", err, bucket)
+ }
+ } else {
+ policy = *result.Policy
 }
 
 d.SetId(bucket)
- d.Set("policy", *result.Policy)
+ d.Set("policy", policy)
 
- return err
+ return nil
 }
diff --git a/aws/data_source_aws_s3_bucket_policy_test.go b/aws/data_source_aws_s3_bucket_policy_test.go
index fe90ace1edd2..d43e4d203c02 100644
--- a/aws/data_source_aws_s3_bucket_policy_test.go
+++ b/aws/data_source_aws_s3_bucket_policy_test.go
@@ -8,7 +8,7 @@ import (
 "github.com/hashicorp/terraform/helper/resource"
 )
 
-func TestAccDataSourceS3BucketPolicy(t *testing.T) {
+func TestAccDataSourceS3BucketPolicy_basic(t *testing.T) {
 name := fmt.Sprintf("tf-test-bucket-%d", acctest.RandInt())
 partition := testAccGetPartition()
 
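Review bot: The new `reqerr.StatusCode() != 404` test in the second hunk is too coarse, because S3 also answers 404 when the bucket itself does not exist (NoSuchBucket), so a misspelled or deleted bucket name now yields `policy = ""` and an ID in state instead of an error. Anything downstream that uses this data source to reason about a bucket's access policy would then silently see "no policy" rather than a failure, which is precisely the case a security-sensitive configuration wants to fail loudly on. Keying on the S3 error code keeps the two apart: only `NoSuchBucketPolicy` is benign and every other error should still be returned. The same branch should read the document through `aws.StringValue(result.Policy)` rather than dereferencing the pointer directly. The rewrite below replaces the nested `if`/`else` blocks; the `d.SetId`, `d.Set("policy", policy)` and `return nil` tail of the function is unchanged.
```go
	result, err := conn.GetBucketPolicy(input)

	// A bucket with no policy is a valid, empty result. Any other failure,
	// including NoSuchBucket (also an HTTP 404), must surface to the caller.
	policy := ""
	if err != nil {
		awsErr, ok := err.(awserr.Error)
		if !ok || awsErr.Code() != "NoSuchBucketPolicy" {
			return fmt.Errorf("Failed getting S3 bucket policy: %s Bucket: %q", err, bucket)
		}
	} else {
		policy = aws.StringValue(result.Policy)
	}
	// … unchanged: d.SetId(bucket), d.Set("policy", policy), return nil …
```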
@@ -28,7 +28,7 @@ func TestAccDataSourceS3BucketPolicy(t *testing.T) {
 Providers: testAccProviders,
 Steps: []resource.TestStep{
 {
- Config: testAccAWSDataSourceS3BucketPolicyConfig(name, policy),
+ Config: testAccAWSDataSourceS3BucketPolicyConfig_basic(name, policy),
 Check: resource.ComposeTestCheckFunc(
 testAccCheckAWSS3BucketExists("data.aws_s3_bucket_policy.bucket"),
 testAccCheckAWSS3BucketHasPolicy("data.aws_s3_bucket_policy.bucket", policy),
@@ -38,7 +38,24 @@ func TestAccDataSourceS3BucketPolicy(t *testing.T) {
 })
 }
 
-func testAccAWSDataSourceS3BucketPolicyConfig(bucketName string, bucketPolicy string) string {
+func TestAccDataSourceS3BucketPolicy_empty(t *testing.T) {
+ name := fmt.Sprintf("tf-test-bucket-%d", acctest.RandInt())
+
+ resource.ParallelTest(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccAWSDataSourceS3BucketPolicyConfig_empty(name),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckAWSS3BucketExists("data.aws_s3_bucket_policy.bucket"),
+ ),
+ },
+ },
+ })
+}
+
+func testAccAWSDataSourceS3BucketPolicyConfig_basic(bucketName string, bucketPolicy string) string {
 return fmt.Sprintf(`
 resource "aws_s3_bucket" "bucket" {
 bucket = "%s"
@@ -59,3 +76,18 @@ data "aws_s3_bucket_policy" "bucket" {
 }
 `, bucketName, bucketPolicy)
 }
+
+func testAccAWSDataSourceS3BucketPolicyConfig_empty(bucketName string) string {
+ return fmt.Sprintf(`
+resource "aws_s3_bucket" "bucket" {
+ bucket = "%s"
+ tags = {
+ TestName = "TestAccAWSDataSourceS3BucketPolicy"
+ }
+}
+
+data "aws_s3_bucket_policy" "bucket" {
+ bucket = "${aws_s3_bucket.bucket.bucket}"
+}
+`, bucketName)
+}
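Review bot: `TestAccDataSourceS3BucketPolicy_empty` in the second hunk only checks that the bucket exists, so the no-policy path this commit adds is never actually asserted and a regression that put anything other than an empty string into `policy` would still pass. Add `resource.TestCheckResourceAttr("data.aws_s3_bucket_policy.bucket", "policy", ""),` to its `ComposeTestCheckFunc`. A further step pointing the data source at a bucket name that does not exist, with `ExpectError` set, would pin down that "no policy" and "no bucket" stay distinct, which is the property a consumer relying on this data for access-control decisions needs. Minor: the `_empty` config references `aws_s3_bucket.bucket.bucket` while the `_basic` config (outside this hunk) uses `aws_s3_bucket.bucket.id`; pick one for consistency.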