Add aws_s3_bucket_policy data source

aws/data_source_aws_s3_bucket_policy.go

@@ -0,0 +1,65 @@
+package aws
+
+import (
+	"fmt"
+	"log"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/awserr"
+	"github.com/aws/aws-sdk-go/service/s3"
+	"github.com/hashicorp/terraform/helper/schema"
+)
+
+func dataSourceAwsS3BucketPolicy() *schema.Resource {
+	return &schema.Resource{
+		Read: dataSourceAwsS3BucketPolicyRead,
+
+		Schema: map[string]*schema.Schema{
+			"bucket": {
+				Type:     schema.TypeString,
+				Required: true,
+			},
+			"policy": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+		},
+	}
+}
+
+func dataSourceAwsS3BucketPolicyRead(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).s3conn
+
+	bucket := d.Get("bucket").(string)
+
+	input := &s3.GetBucketPolicyInput{
+		Bucket: aws.String(bucket),
+	}
+
+	log.Printf("[DEBUG] Reading S3 bucket policy: %s", input)
+	result, err := conn.GetBucketPolicy(input)
+
+	policy := ""
+
+	if err != nil {
+		log.Printf("[DEBUG] Error reading S3 bucket policy: %q", err)
+
+		if reqerr, ok := err.(awserr.RequestFailure); ok {
+			log.Printf("[DEBUG] Request failure reading S3 bucket policy: %q", reqerr)
+
+			// ignore error if bucket policy doesn't exist
+			if reqerr.StatusCode() != 404 {
+				return fmt.Errorf("Failed getting S3 bucket policy: %s Bucket: %q", err, bucket)
+			}
+		} else {
+			return fmt.Errorf("Failed getting S3 bucket policy: %s Bucket: %q", err, bucket)
+		}
+	} else {
+		policy = *result.Policy
+	}
+
+	d.SetId(bucket)
+	d.Set("policy", policy)
+
+	return nil
+}

aws/data_source_aws_s3_bucket_policy_test.go

@@ -0,0 +1,93 @@
+package aws
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform/helper/acctest"
+	"github.com/hashicorp/terraform/helper/resource"
+)
+
+func TestAccDataSourceS3BucketPolicy_basic(t *testing.T) {
+	name := fmt.Sprintf("tf-test-bucket-%d", acctest.RandInt())
+	partition := testAccGetPartition()
+
+	policy := fmt.Sprintf(`{
+	"Version": "2012-10-17",
+	"Statement": [{
+		"Sid": "",
+		"Effect": "Allow",
+		"Principal": {"AWS":"*"},
+		"Action": "s3:*",
+		"Resource": ["arn:%s:s3:::%s/*","arn:%s:s3:::%s"]
+	}]
+}`, partition, name, partition, name)
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAWSDataSourceS3BucketPolicyConfig_basic(name, policy),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSS3BucketExists("data.aws_s3_bucket_policy.bucket"),
+					testAccCheckAWSS3BucketHasPolicy("data.aws_s3_bucket_policy.bucket", policy),
+				),
+			},
+		},
+	})
+}
+
+func TestAccDataSourceS3BucketPolicy_empty(t *testing.T) {
+	name := fmt.Sprintf("tf-test-bucket-%d", acctest.RandInt())
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAWSDataSourceS3BucketPolicyConfig_empty(name),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSS3BucketExists("data.aws_s3_bucket_policy.bucket"),
+				),
+			},
+		},
+	})
+}
+
+func testAccAWSDataSourceS3BucketPolicyConfig_basic(bucketName string, bucketPolicy string) string {
+	return fmt.Sprintf(`
+resource "aws_s3_bucket" "bucket" {
+	bucket = "%s"
+	tags = {
+		TestName = "TestAccAWSDataSourceS3BucketPolicy"
+	}
+}
+
+resource "aws_s3_bucket_policy" "bucket" {
+	bucket = "${aws_s3_bucket.bucket.id}"
+	policy = <<POLICY
+%s
+POLICY
+}
+
+data "aws_s3_bucket_policy" "bucket" {
+	bucket = "${aws_s3_bucket_policy.bucket.bucket}"
+}
+`, bucketName, bucketPolicy)
+}
+
+func testAccAWSDataSourceS3BucketPolicyConfig_empty(bucketName string) string {
+	return fmt.Sprintf(`
+resource "aws_s3_bucket" "bucket" {
+	bucket = "%s"
+	tags = {
+		TestName = "TestAccAWSDataSourceS3BucketPolicy"
+	}
+}
+
+data "aws_s3_bucket_policy" "bucket" {
+	bucket = "${aws_s3_bucket.bucket.bucket}"
+}
+`, bucketName)
+}

aws/provider.go

@@ -253,6 +253,7 @@ func Provider() terraform.ResourceProvider {
 			"aws_s3_bucket":                                 dataSourceAwsS3Bucket(),
 			"aws_s3_bucket_object":                          dataSourceAwsS3BucketObject(),
 			"aws_s3_bucket_objects":                         dataSourceAwsS3BucketObjects(),
+			"aws_s3_bucket_policy":                          dataSourceAwsS3BucketPolicy(),
 			"aws_secretsmanager_secret":                     dataSourceAwsSecretsManagerSecret(),
 			"aws_secretsmanager_secret_version":             dataSourceAwsSecretsManagerSecretVersion(),
 			"aws_servicequotas_service":                     dataSourceAwsServiceQuotasService(),

website/docs/d/s3_bucket_policy.html.markdown

@@ -0,0 +1,61 @@
+---
+layout: "aws"
+page_title: "AWS: aws_s3_bucket_policy"
+sidebar_current: "docs-aws-datasource-s3-bucket-policy"
+description: |-
+  Provides details about a specific S3 bucket policy
+---
+
+# Data Source: aws_s3_bucket_policy
+
+Provides details about a specific S3 bucket policy.
+
+## Example Usage
+
+### Merge bucket policy statements
+
+```hcl
+data "aws_s3_bucket" "example" {
+  bucket = "bucket.test.com"
+}
+
+data "aws_s3_bucket_policy" "example" {
+  bucket = "${data.aws_s3_bucket.example.id}"
+}
+
+data "aws_iam_policy_document" "example" {
+
+  # use the bucket policy as the source
+  source_json = "${data.aws_s3_bucket_policy.example.policy}"
+
+  # overwrite any statements in the source policy which have matching statement IDs (sid)
+  statement {
+    sid = "ExampleStatement"
+    actions   = ["s3:GetObject"]
+    resources = ["*"]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["1234567890"]
+    }
+  }
+}
+
+# update the bucket policy with the merged policy document
+resource "aws_s3_bucket_policy" "example" {
+  bucket = "${data.aws_s3_bucket.example.id}"
+  policy = "${data.aws_iam_policy_document.example.json}"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+- `bucket` - (Required) The name of the bucket
+
+## Attribute Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+- `policy` - The policy for the bucket