feat(object): bucket policy takes on bucket's region rather than default region if not explicit

Author: Mia-Cross

scaleway/data_source_object_bucket_policy_test.go

@@ -57,6 +57,7 @@ func TestAccScalewayDataSourceObjectBucketPolicy_Basic(t *testing.T) {
 					}
 				`, bucketName),
 				Check: resource.ComposeTestCheckFunc(
+					testAccCheckScalewayObjectBucketExists(tt, "scaleway_object_bucket.main"),
 					resource.TestCheckResourceAttr("data.scaleway_object_bucket_policy.selected", "bucket", bucketName),
 					resource.TestCheckResourceAttrSet("data.scaleway_object_bucket_policy.selected", "policy"),
 					resource.TestCheckResourceAttrPair("data.scaleway_object_bucket_policy.selected", "policy", "scaleway_object_bucket_policy.main", "policy"),

scaleway/data_source_object_bucket_test.go

@@ -81,6 +81,7 @@ func TestAccScalewayDataSourceObjectStorage_ProjectIDAllowed(t *testing.T) {
 					project.ID,
 				),
 				Check: resource.ComposeTestCheckFunc(
+					testAccCheckScalewayObjectBucketExists(tt, "scaleway_object_bucket.base"),
 					resource.TestCheckResourceAttr("data.scaleway_object_bucket.selected", "name", bucketName),
 					resource.TestCheckResourceAttr("data.scaleway_object_bucket.selected", "project_id", project.ID),
 				),

scaleway/helpers_object.go

@@ -30,6 +30,8 @@ const (
 	defaultObjectBucketTimeout = 10 * time.Minute
 
 	maxObjectVersionDeletionWorkers = 8
+
+	objectTestsMainRegion = "fr-par"
 )
 
 func newS3Client(httpClient *http.Client, region, accessKey, secretKey string) (*s3.S3, error) {
@@ -66,6 +68,18 @@ func newS3ClientFromMeta(meta *Meta) (*s3.S3, error) {
 	return newS3Client(meta.httpClient, region.String(), accessKey, secretKey)
 }
 
+func newS3ClientFromMetaForceRegion(meta *Meta, region string) (*s3.S3, error) {
+	accessKey, _ := meta.scwClient.GetAccessKey()
+	secretKey, _ := meta.scwClient.GetSecretKey()
+
+	projectID, _ := meta.scwClient.GetDefaultProjectID()
+	if projectID != "" {
+		accessKey = accessKeyWithProjectID(accessKey, projectID)
+	}
+
+	return newS3Client(meta.httpClient, region, accessKey, secretKey)
+}
+
 func s3ClientWithRegion(d *schema.ResourceData, m interface{}) (*s3.S3, scw.Region, error) {
 	meta := m.(*Meta)
 	region, err := extractRegion(d, meta)
@@ -163,6 +177,23 @@ func s3ClientWithRegionWithNameACL(d *schema.ResourceData, m interface{}, name s
 	return s3Client, scw.Region(region), name, outerID, err
 }
 
+func s3ClientForceRegion(d *schema.ResourceData, m interface{}, region string) (*s3.S3, error) {
+	meta := m.(*Meta)
+
+	accessKey, _ := meta.scwClient.GetAccessKey()
+	if projectID, _, err := extractProjectID(d, meta); err == nil {
+		accessKey = accessKeyWithProjectID(accessKey, projectID)
+	}
+	secretKey, _ := meta.scwClient.GetSecretKey()
+
+	s3Client, err := newS3Client(meta.httpClient, region, accessKey, secretKey)
+	if err != nil {
+		return nil, err
+	}
+
+	return s3Client, err
+}
+
 func accessKeyWithProjectID(accessKey string, projectID string) string {
 	return accessKey + "@" + projectID
 }

scaleway/resource_object_bucket_policy.go

@@ -55,6 +55,20 @@ func resourceScalewayObjectBucketPolicyCreate(ctx context.Context, d *schema.Res
 	bucket := expandID(d.Get("bucket"))
 	tflog.Debug(ctx, fmt.Sprintf("bucket name: %s", bucket))
 
+	bucketRegion, err := s3Client.GetBucketLocation(&s3.GetBucketLocationInput{
+		Bucket: &bucket,
+	})
+	if err != nil {
+		return diag.FromErr(err)
+	}
+	if bucketRegion.LocationConstraint != nil && *bucketRegion.LocationConstraint != region.String() {
+		s3Client, err = s3ClientForceRegion(d, meta, *bucketRegion.LocationConstraint)
+		if err != nil {
+			return diag.FromErr(err)
+		}
+		region = scw.Region(*bucketRegion.LocationConstraint)
+	}
+
 	policy, err := structure.NormalizeJsonString(d.Get("policy").(string))
 	if err != nil {
 		return diag.FromErr(fmt.Errorf("policy (%s) is an invalid JSON: %w", policy, err))

scaleway/resource_object_bucket_policy_test.go

@@ -15,6 +15,42 @@ import (
 func TestAccScalewayBucketPolicy_Basic(t *testing.T) {
 	bucketName := sdkacctest.RandomWithPrefix("tf-test-bucket")
 
+	tfConfig := fmt.Sprintf(`
+		resource "scaleway_object_bucket" "bucket" {
+			name = %[1]q
+			region = %[2]q
+			tags = {
+				TestName = "TestAccSCWBucketPolicy_basic"
+			}
+		}
+
+		resource "scaleway_object_bucket_policy" "bucket" {
+			bucket = scaleway_object_bucket.bucket.name
+			policy = jsonencode(
+				{
+					Id = "MyPolicy"
+					Statement = [
+						{
+							Action = [
+								"s3:ListBucket",
+								"s3:GetObject",
+							]
+							Effect = "Allow"
+							Principal = {
+								SCW = "*"
+							}
+							Resource  = [
+								"%[1]s",
+								"%[1]s/*",
+							]
+							Sid = "GrantToEveryone"
+						},
+					]
+					Version = "2012-10-17"
+				}
+			)
+		}`, bucketName, objectTestsMainRegion)
+
 	expectedPolicyText := `{
 	"Version":"2012-10-17",
 	"Id":"MyPolicy",
@@ -43,52 +79,106 @@ func TestAccScalewayBucketPolicy_Basic(t *testing.T) {
 		CheckDestroy:      testAccCheckScalewayObjectBucketDestroy(tt),
 		Steps: []resource.TestStep{
 			{
-				Config: fmt.Sprintf(`
-					resource "scaleway_object_bucket" "bucket" {
-						name = %[1]q
-
-						tags = {
-							TestName = "TestAccSCWBucketPolicy_basic"
-						}
-					}
-
-					resource "scaleway_object_bucket_policy" "bucket" {
-						bucket = scaleway_object_bucket.bucket.name
-						policy = jsonencode(
-							{
-								Id = "MyPolicy"
-								Statement = [
-									{
-										Action = [
-											"s3:ListBucket",
-											"s3:GetObject",
-										]
-										Effect = "Allow"
-										Principal = {
-											SCW = "*"
-										}
-										Resource  = [
-											"%[1]s",
-											"%[1]s/*",
-										]
-										Sid = "GrantToEveryone"
-									},
-								]
-								Version = "2012-10-17"
+				Config: tfConfig,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckScalewayObjectBucketExists(tt, "scaleway_object_bucket.bucket"),
+					testAccCheckBucketHasPolicy(tt, "scaleway_object_bucket.bucket", expectedPolicyText),
+				),
+				ExpectNonEmptyPlan: !*UpdateCassettes,
+			},
+			{
+				ResourceName: "scaleway_object_bucket_policy.bucket",
+				ImportState:  true,
+			},
+			{
+				Config:   tfConfig,
+				PlanOnly: true,
+			},
+		},
+	})
+}
+
+func TestAccScalewayBucketPolicy_OtherRegion(t *testing.T) {
+	bucketName := sdkacctest.RandomWithPrefix("tf-test-bucket")
+
+	tfConfig := fmt.Sprintf(`
+		resource "scaleway_object_bucket" "bucket" {
+			name = %[1]q
+			region = "nl-ams"
+			tags = {
+				TestName = "TestAccSCWBucketPolicy_OtherZone"
+			}
+		}
+
+		resource "scaleway_object_bucket_policy" "bucket" {
+			bucket = scaleway_object_bucket.bucket.name
+			policy = jsonencode(
+				{
+					Id = "MyPolicy"
+					Statement = [
+						{
+							Action = [
+								"s3:*"
+							]
+							Effect = "Allow"
+							Principal = {
+								SCW = "*"
 							}
-						)
-					}
-					`, bucketName),
+							Resource  = [
+								"%[1]s",
+								"%[1]s/*",
+							]
+							Sid = "GrantToEveryone"
+						},
+					]
+					Version = "2023-04-17"
+				}
+			)
+		}`, bucketName)
+
+	expectedPolicyText := `{
+	"Version":"2023-04-17",
+	"Id":"MyPolicy",
+	"Statement": [
+		{
+			"Sid":"GrantToEveryone",
+			"Effect":"Allow",
+			"Principal":{
+				"SCW":"*"
+			},
+			"Action":[
+				"s3:*"
+			]
+		}
+   ]
+}`
+
+	tt := NewTestTools(t)
+	defer tt.Cleanup()
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:          func() { testAccPreCheck(t) },
+		ErrorCheck:        ErrorCheck(t, EndpointsID),
+		ProviderFactories: tt.ProviderFactories,
+		CheckDestroy:      testAccCheckScalewayObjectBucketDestroy(tt),
+		Steps: []resource.TestStep{
+			{
+				Config: tfConfig,
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckScalewayObjectBucketExists(tt, "scaleway_object_bucket.bucket"),
 					testAccCheckBucketHasPolicy(tt, "scaleway_object_bucket.bucket", expectedPolicyText),
+					resource.TestCheckResourceAttr("scaleway_object_bucket.bucket", "region", "nl-ams"),
+					resource.TestCheckResourceAttr("scaleway_object_bucket_policy.bucket", "region", "nl-ams"),
 				),
 				ExpectNonEmptyPlan: !*UpdateCassettes,
 			},
 			{
-				ResourceName:      "scaleway_object_bucket_policy.bucket",
-				ImportState:       true,
-				ImportStateVerify: true,
+				ResourceName: "scaleway_object_bucket_policy.bucket",
+				ImportState:  true,
+			},
+			{
+				Config:   tfConfig,
+				PlanOnly: true,
 			},
 		},
 	})
@@ -101,7 +191,8 @@ func testAccCheckBucketHasPolicy(tt *TestTools, n string, expectedPolicyText str
 			return fmt.Errorf("not found: %s", n)
 		}
 
-		s3Client, err := newS3ClientFromMeta(tt.Meta)
+		bucketRegion := rs.Primary.Attributes["region"]
+		s3Client, err := newS3ClientFromMetaForceRegion(tt.Meta, bucketRegion)
 		if err != nil {
 			return err
 		}

scaleway/resource_object_bucket_test.go

@@ -670,8 +670,9 @@ func testAccCheckScalewayObjectBucketExists(tt *TestTools, n string) resource.Te
 			return fmt.Errorf("resource not found")
 		}
 		bucketName := rs.Primary.Attributes["name"]
+		bucketRegion := rs.Primary.Attributes["region"]
 
-		s3Client, err := newS3ClientFromMeta(tt.Meta)
+		s3Client, err := newS3ClientFromMetaForceRegion(tt.Meta, bucketRegion)
 		if err != nil {
 			return err
 		}