Fix S3 Express Directory Bucket tagging API routing

Author: Christopher Robert Sherman

internal/conns/awsclient.go

@@ -17,6 +17,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/aws/arn"
 	apigatewayv2_types "github.com/aws/aws-sdk-go-v2/service/apigatewayv2/types"
 	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/aws/aws-sdk-go-v2/service/s3control"
 	"github.com/hashicorp/aws-sdk-go-base/v2/endpoints"
 	baselogging "github.com/hashicorp/aws-sdk-go-base/v2/logging"
 	"github.com/hashicorp/terraform-plugin-log/tflog"
@@ -191,6 +192,14 @@ func (c *AWSClient) S3ExpressClient(ctx context.Context) *s3.Client {
 	return c.s3ExpressClient
 }
 
+// S3ExpressControlClient returns an AWS SDK for Go v2 S3 Control API client suitable for use with S3 Express (directory buckets).
+// For Directory Buckets, control plane operations like ListTagsForResource must use the s3express-control.region.amazonaws.com endpoint.
+func (c *AWSClient) S3ExpressControlClient(ctx context.Context) *s3control.Client {
+	return errs.Must(client[*s3control.Client](ctx, c, names.S3Control, map[string]any{
+		"endpoint": fmt.Sprintf("https://s3express-control.%s.%s", c.Region(ctx), c.DNSSuffix(ctx)),
+	}))
+}
+
 // S3UsePathStyle returns the s3_force_path_style provider configuration value.
 func (c *AWSClient) S3UsePathStyle(context.Context) bool {
 	return c.s3UsePathStyle
@@ -258,7 +267,7 @@ func (c *AWSClient) DefaultKMSKeyPolicy(ctx context.Context) string {
 			"Resource": "*"
 		}
 	]
-}	
+}
 `, c.Partition(ctx), c.AccountID(ctx))
 }
 

internal/service/s3control/tags_gen.go

@@ -0,0 +1,54 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package s3control
+
+import "testing"
+
+func TestIsDirectoryBucketARN(t *testing.T) {
+	testCases := []struct {
+		name     string
+		arn      string
+		expected bool
+	}{
+		{
+			name:     "Standard S3 bucket ARN",
+			arn:      "arn:aws:s3:::my-bucket",
+			expected: false,
+		},
+		{
+			name:     "S3 Control Access Point ARN",
+			arn:      "arn:aws:s3:us-east-1:123456789012:accesspoint/my-access-point",
+			expected: false,
+		},
+		{
+			name:     "Directory Bucket ARN (S3 Express)",
+			arn:      "arn:aws:s3express:us-east-1:123456789012:bucket/my-directory-bucket--usw2-az1--x-s3",
+			expected: true,
+		},
+		{
+			name:     "Directory Bucket Access Point ARN",
+			arn:      "arn:aws:s3express:us-east-1:123456789012:accesspoint/my-access-point",
+			expected: true,
+		},
+		{
+			name:     "Empty ARN",
+			arn:      "",
+			expected: false,
+		},
+		{
+			name:     "Invalid ARN format",
+			arn:      "not-an-arn",
+			expected: false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			result := isDirectoryBucketARN(tc.arn)
+			if result != tc.expected {
+				t.Errorf("isDirectoryBucketARN(%q) = %v, expected %v", tc.arn, result, tc.expected)
+			}
+		})
+	}
+}