S3 cloudfront error when get_object_enable_dirs is empty (#5427)

jfreixa · web-flow · commit c48aa5c31238 · 2026-02-19T09:43:19.000+01:00
* S3 cloudfront error when get_object_enable_dirs is empty

Make error more explicid since now the error appears in terraform apply

* Add test for the new funcionality
diff --git a/reconcile/test/utils/test_terrascript_aws_client.py b/reconcile/test/utils/test_terrascript_aws_client.py
@@ -1933,3 +1933,51 @@ def test_populate_tf_resource_s3_cloudfront_with_bucket_policy_multiple_statemen
     assert "Statement1" in sids
     assert "Statement2" in sids
     assert "Grant access to CloudFront Origin Identity" in sids
+
+
+@pytest.mark.parametrize(
+    "get_object_enable_dirs",
+    [
+        [],
+        None,
+    ],
+    ids=["empty_list", "none"],
+)
+def test_populate_tf_resource_s3_cloudfront_raises_on_empty_get_object_enable_dirs(
+    mocker: MockerFixture,
+    ts: TerrascriptClient,
+    get_object_enable_dirs: list[str] | None,
+) -> None:
+    init_values: dict = {
+        "region": "us-east-1",
+        "distribution_config": {
+            "enabled": True,
+            "default_root_object": "index.html",
+        },
+        "tags": {},
+    }
+    if get_object_enable_dirs is not None:
+        init_values["get_object_enable_dirs"] = get_object_enable_dirs
+
+    mocker.patch.object(ts, "add_resources")
+    mocker.patch.object(ts, "init_values", return_value=init_values)
+
+    resource: dict = {
+        "identifier": "s3-cf-bucket",
+        "provider": "s3-cloudfront",
+        "region": "us-east-1",
+        "distribution_config": {
+            "enabled": True,
+            "default_root_object": "index.html",
+        },
+    }
+    if get_object_enable_dirs is not None:
+        resource["get_object_enable_dirs"] = get_object_enable_dirs
+
+    spec = build_s3_spec(resource)
+
+    with pytest.raises(
+        ValueError,
+        match="get_object_enable_dirs must be provided and non-empty",
+    ):
+        ts.populate_tf_resource_s3_cloudfront(spec)
diff --git a/reconcile/utils/terrascript_aws_client.py b/reconcile/utils/terrascript_aws_client.py
@@ -3464,14 +3464,20 @@ def populate_tf_resource_s3_cloudfront(self, spec: ExternalResourceSpec) -> None
         tf_resources.append(cf_oai_tf_resource)
 
         # bucket policy for cloudfront - merge custom policy with CloudFront access statement
+        get_object_enable_dirs = common_values.get("get_object_enable_dirs", [])
+        if not get_object_enable_dirs:
+            raise ValueError(
+                f"get_object_enable_dirs must be provided and non-empty for resource {identifier}"
+            )
+
         cf_statement = {
             "Sid": "Grant access to CloudFront Origin Identity",
             "Effect": "Allow",
             "Principal": {"AWS": "${" + cf_oai_tf_resource.iam_arn + "}"},
             "Action": "s3:GetObject",
             "Resource": [
                 f"arn:aws:s3:::{identifier}/{enable_dir}/*"
-                for enable_dir in common_values.get("get_object_enable_dirs", [])
+                for enable_dir in get_object_enable_dirs
             ],
         }
 
