r/aws_s3_bucket(test): add tagging fallback acceptance test (#45339)

jar-b · web-flow · commit acf865a55870 · 2025-12-02T09:07:56.000-05:00
With `TF_ACC_ASSUME_ROLE_ARN` set:

```console
% TF_ACC_ASSUME_ROLE_ARN=arn:aws:iam::&lt;redacted&gt;:role/tfacctest-s3-bucket-no-tag-perms make testacc K=s3 T=TestAccS3Bucket_tags_fallbackS3API
make: Verifying source code with gofmt...
==&gt; Checking that code complies with gofmt requirements...
make: Running acceptance tests on branch: 🌿 td-s3-tagging-fallback 🌿...
TF_ACC=1 go1.24.10 test ./internal/service/s3/... -v -count 1 -parallel 20 -run='TestAccS3Bucket_tags_fallbackS3API'  -timeout 360m -vet=off
2025/12/01 11:30:48 Creating Terraform AWS Provider (SDKv2-style)...
2025/12/01 11:30:48 Initializing Terraform AWS Provider (SDKv2-style)...
=== RUN   TestAccS3Bucket_tags_fallbackS3API
=== PAUSE TestAccS3Bucket_tags_fallbackS3API
=== CONT  TestAccS3Bucket_tags_fallbackS3API
--- PASS: TestAccS3Bucket_tags_fallbackS3API (48.24s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/s3 54.701s
```

Otherwise:

```console
% make testacc K=s3 T=TestAccS3Bucket_tags_fallbackS3API
make: Verifying source code with gofmt...
==&gt; Checking that code complies with gofmt requirements...
make: Running acceptance tests on branch: 🌿 td-s3-tagging-fallback 🌿...
TF_ACC=1 go1.24.10 test ./internal/service/s3/... -v -count 1 -parallel 20 -run='TestAccS3Bucket_tags_fallbackS3API'  -timeout 360m -vet=off
2025/12/01 11:37:32 Creating Terraform AWS Provider (SDKv2-style)...
2025/12/01 11:37:32 Initializing Terraform AWS Provider (SDKv2-style)...
=== RUN   TestAccS3Bucket_tags_fallbackS3API
=== PAUSE TestAccS3Bucket_tags_fallbackS3API
=== CONT  TestAccS3Bucket_tags_fallbackS3API
    bucket_test.go:856: skipping test; environment variable TF_ACC_ASSUME_ROLE_ARN must be set. Usage: Amazon Resource Name (ARN) of existing IAM Role to assume for testing restricted permissions
--- SKIP: TestAccS3Bucket_tags_fallbackS3API (0.36s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/s3 6.807s
```
diff --git a/internal/acctest/configs.go b/internal/acctest/configs.go
@@ -295,6 +295,17 @@ provider "aws" {
 `, tag1, value1, tag2, value2))
 }
 
+func ConfigAssumeRole() string {
+	//lintignore:AT004
+	return fmt.Sprintf(`
+provider "aws" {
+  assume_role {
+    role_arn = %[1]q
+  }
+}
+`, os.Getenv(envvar.AccAssumeRoleARN))
+}
+
 func ConfigAssumeRolePolicy(policy string) string {
 	//lintignore:AT004
 	return fmt.Sprintf(`
diff --git a/internal/service/s3/bucket_test.go b/internal/service/s3/bucket_test.go
@@ -734,6 +734,175 @@ func TestAccS3Bucket_tags_ignoreTags(t *testing.T) {
 	})
 }
 
+// TestAccS3Bucket_tags_fallbackS3API exercises the bucket tagging "fallback" workflow
+//
+// To support ABAC (attribute based access control) in general purpose buckets,
+// the provider attempts using the S3 Control tagging APIs first. When a permissions
+// error is encountered, tag operations will fall back to the pre-existing S3 tagging
+// APIs instead.
+//
+// Ref: https://github.com/hashicorp/terraform-provider-aws/pull/45251
+//
+// This test expects the TF_ACC_ASSUME_ROLE_ARN to be set to a role ARN
+// which is missing permissions the S3 Control tagging APIs (s3:TagResource,
+// s3:UntagResource, and s3:ListTagsForResource), forcing the tag operations
+// to fall back to the S3 tagging APIs (s3:PutBucketTagging, s3:GetBucketTagging,
+// and s3:DeleteBucketTagging) instead.
+//
+// Use the following configuration to create the role to assume:
+//
+// ```
+//
+//	terraform {
+//	  required_providers {
+//	    aws = {
+//	      source  = "hashicorp/aws"
+//	      version = "~> 6.0"
+//	    }
+//	  }
+//	}
+//
+// # Configure the AWS Provider
+// provider "aws" {}
+//
+// data "aws_caller_identity" "current" {}
+//
+//	data "aws_iam_session_context" "current" {
+//	  arn = data.aws_caller_identity.current.arn
+//	}
+//
+//	data "aws_iam_policy_document" "test_assume_role" {
+//	  statement {
+//	    effect = "Allow"
+//	    actions = [
+//	      "sts:AssumeRole",
+//	      "sts:SetSourceIdentity",
+//	    ]
+//	    principals {
+//	      type = "AWS"
+//	      identifiers = [
+//	        data.aws_iam_session_context.current.issuer_arn,
+//	      ]
+//	    }
+//	  }
+//	}
+//
+//	data "aws_iam_policy_document" "test" {
+//	  statement {
+//	    sid    = "AllowAllS3"
+//	    effect = "Allow"
+//	    actions = [
+//	      "s3:*",
+//	    ]
+//	    resources = [
+//	      "arn:aws:s3:::*",
+//	    ]
+//	  }
+//	  statement {
+//	    sid    = "ForceTaggingFallback"
+//	    effect = "Deny"
+//	    actions = [
+//	      "s3:TagResource",
+//	      "s3:UntagResource",
+//	      "s3:ListTagsForResource",
+//	    ]
+//	    resources = [
+//	      "arn:aws:s3:::*",
+//	    ]
+//	  }
+//
+//	  statement {
+//	    actions = [
+//	      "sts:GetCallerIdentity",
+//	    ]
+//	    resources = [
+//	      "*",
+//	    ]
+//	  }
+//	}
+//
+//	resource "aws_iam_policy" "test" {
+//	  name   = "tfacctest-s3-bucket-no-tag-perms"
+//	  policy = data.aws_iam_policy_document.test.json
+//	}
+//
+//	resource "aws_iam_role" "test" {
+//	  name               = "tfacctest-s3-bucket-no-tag-perms"
+//	  assume_role_policy = data.aws_iam_policy_document.test_assume_role.json
+//	}
+//
+//	resource "aws_iam_role_policy_attachment" "test" {
+//	  role       = aws_iam_role.test.name
+//	  policy_arn = aws_iam_policy.test.arn
+//	}
+//
+//	output "role_arn" {
+//	  value = aws_iam_role.test.arn
+//	}
+//
+// ```
+//
+//	Once provisioned, use the role_arn output and run this test as follows:
+//
+//	TF_ACC_ASSUME_ROLE_ARN=<output> make t K=s3 T=TestAccS3Bucket_tags_fallbackS3API
+func TestAccS3Bucket_tags_fallbackS3API(t *testing.T) {
+	ctx := acctest.Context(t)
+	rName := sdkacctest.RandomWithPrefix("tf-test-bucket")
+	resourceName := "aws_s3_bucket.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck: func() {
+			acctest.PreCheck(ctx, t)
+			acctest.PreCheckAssumeRoleARN(t)
+		},
+		ErrorCheck:               acctest.ErrorCheck(t, names.S3ServiceID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckBucketDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: acctest.ConfigCompose(
+					acctest.ConfigAssumeRole(),
+					testAccBucketConfig_tags(rName),
+				),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckBucketExists(ctx, resourceName),
+					resource.TestCheckResourceAttr(resourceName, acctest.CtTagsPercent, "3"),
+					resource.TestCheckResourceAttr(resourceName, "tags.Key1", "AAA"),
+					resource.TestCheckResourceAttr(resourceName, "tags.Key2", "BBB"),
+					resource.TestCheckResourceAttr(resourceName, "tags.Key3", "CCC"),
+				),
+			},
+			{
+				Config: acctest.ConfigCompose(
+					acctest.ConfigAssumeRole(),
+					testAccBucketConfig_updatedTags(rName),
+				),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckBucketExists(ctx, resourceName),
+					resource.TestCheckResourceAttr(resourceName, acctest.CtTagsPercent, "4"),
+					resource.TestCheckResourceAttr(resourceName, "tags.Key2", "BBB"),
+					resource.TestCheckResourceAttr(resourceName, "tags.Key3", "XXX"),
+					resource.TestCheckResourceAttr(resourceName, "tags.Key4", "DDD"),
+					resource.TestCheckResourceAttr(resourceName, "tags.Key5", "EEE"),
+				),
+			},
+			{
+				Config: acctest.ConfigCompose(
+					acctest.ConfigAssumeRole(),
+					testAccBucketConfig_tags(rName),
+				),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckBucketExists(ctx, resourceName),
+					resource.TestCheckResourceAttr(resourceName, acctest.CtTagsPercent, "3"),
+					resource.TestCheckResourceAttr(resourceName, "tags.Key1", "AAA"),
+					resource.TestCheckResourceAttr(resourceName, "tags.Key2", "BBB"),
+					resource.TestCheckResourceAttr(resourceName, "tags.Key3", "CCC"),
+				),
+			},
+		},
+	})
+}
+
 func TestAccS3Bucket_Manage_lifecycleBasic(t *testing.T) {
 	ctx := acctest.Context(t)
 	bucketName := sdkacctest.RandomWithPrefix("tf-test-bucket")
