hashicorp · christophersherman · Sep 28, 2025 · Sep 28, 2025 · Sep 28, 2025 · Sep 29, 2025
@@ -0,0 +1,19 @@
+```release-note:bug
+resource/aws_s3_access_point: Fix support for S3 Express One Zone Directory Bucket Access Points by ensuring proper AWS SDK endpoint routing
+```
+
+```release-note:bug
+resource/aws_s3control_access_point_policy: Fix support for S3 Express One Zone Directory Bucket Access Points by ensuring proper AWS SDK endpoint routing
+```
+
+```release-note:bug
+resource/aws_s3control_bucket_policy: Fix support for S3 Express One Zone Directory Bucket resources by ensuring proper AWS SDK endpoint routing
+```
+
+```release-note:bug
+resource/aws_s3control_bucket_lifecycle_configuration: Fix support for S3 Express One Zone Directory Bucket resources by ensuring proper AWS SDK endpoint routing
+```
+
+```release-note:bug
+resource/aws_s3control_directory_bucket_access_point_scope: Fix operations by ensuring proper AWS SDK endpoint routing for Directory Buckets
+```
@@ -17,6 +17,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/aws/arn"
 	apigatewayv2_types "github.com/aws/aws-sdk-go-v2/service/apigatewayv2/types"
 	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/aws/aws-sdk-go-v2/service/s3control"
 	"github.com/hashicorp/aws-sdk-go-base/v2/endpoints"
 	baselogging "github.com/hashicorp/aws-sdk-go-base/v2/logging"
 	"github.com/hashicorp/terraform-plugin-log/tflog"
@@ -191,6 +192,14 @@ func (c *AWSClient) S3ExpressClient(ctx context.Context) *s3.Client {
 	return c.s3ExpressClient
 }
 
+// S3ExpressControlClient returns an AWS SDK for Go v2 S3 Control API client suitable for use with S3 Express (directory buckets).
+// For Directory Buckets, control plane operations like ListTagsForResource must use the s3express-control.region.amazonaws.com endpoint.
+func (c *AWSClient) S3ExpressControlClient(ctx context.Context) *s3control.Client {
+	return errs.Must(client[*s3control.Client](ctx, c, names.S3Control, map[string]any{
+		"endpoint": fmt.Sprintf("https://s3express-control.%s.%s", c.Region(ctx), c.DNSSuffix(ctx)),
+	}))
+}
+
 // S3UsePathStyle returns the s3_force_path_style provider configuration value.
 func (c *AWSClient) S3UsePathStyle(context.Context) bool {
 	return c.s3UsePathStyle
@@ -258,7 +267,7 @@ func (c *AWSClient) DefaultKMSKeyPolicy(ctx context.Context) string {
 			"Resource": "*"
 		}
 	]
-}	
+}
 `, c.Partition(ctx), c.AccountID(ctx))
 }
 

@@ -28,7 +28,7 @@ import (
 	"github.com/hashicorp/terraform-provider-aws/names"
 )
 
-// @SDKResource("aws_s3_access_point, name="Access Point")
+// @SDKResource("aws_s3_access_point", name="Access Point")
 // @Tags(identifierAttribute="arn")
 func resourceAccessPoint() *schema.Resource {
 	return &schema.Resource{
@@ -155,16 +155,21 @@ func resourceAccessPoint() *schema.Resource {
 func resourceAccessPointCreate(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
 	var diags diag.Diagnostics
 	c := meta.(*conns.AWSClient)
-	conn := c.S3ControlClient(ctx)
 
 	accountID := c.AccountID(ctx)
 	if v, ok := d.GetOk(names.AttrAccountID); ok {
 		accountID = v.(string)
 	}
 	name := d.Get(names.AttrName).(string)
+	bucketName := d.Get(names.AttrBucket).(string)
+
+	// Directory Buckets are supported by the standard S3 Control client
+	// The AWS SDK automatically routes to the correct endpoint based on the resource ARN
+	conn := c.S3ControlClient(ctx)
+
 	input := s3control.CreateAccessPointInput{
 		AccountId: aws.String(accountID),
-		Bucket:    aws.String(d.Get(names.AttrBucket).(string)),
+		Bucket:    aws.String(bucketName),
 		Name:      aws.String(name),
 		Tags:      getTagsIn(ctx),
 	}
@@ -224,13 +229,16 @@ func resourceAccessPointCreate(ctx context.Context, d *schema.ResourceData, meta
 func resourceAccessPointRead(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
 	var diags diag.Diagnostics
 	c := meta.(*conns.AWSClient)
-	conn := c.S3ControlClient(ctx)
 
 	accountID, name, err := accessPointParseResourceID(d.Id())
 	if err != nil {
 		return sdkdiag.AppendFromErr(diags, err)
 	}
 
+	// Directory Buckets are supported by the standard S3 Control client
+	// The AWS SDK automatically routes to the correct endpoint based on the resource ARN
+	conn := c.S3ControlClient(ctx)
+
 	output, err := findAccessPointByTwoPartKey(ctx, conn, accountID, name)
 
 	if !d.IsNewResource() && tfresource.NotFound(err) {
@@ -335,13 +343,17 @@ func resourceAccessPointRead(ctx context.Context, d *schema.ResourceData, meta a
 
 func resourceAccessPointUpdate(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
 	var diags diag.Diagnostics
-	conn := meta.(*conns.AWSClient).S3ControlClient(ctx)
+	c := meta.(*conns.AWSClient)
 
 	accountID, name, err := accessPointParseResourceID(d.Id())
 	if err != nil {
 		return sdkdiag.AppendFromErr(diags, err)
 	}
 
+	// Directory Buckets are supported by the standard S3 Control client
+	// The AWS SDK automatically routes to the correct endpoint based on the resource ARN
+	conn := c.S3ControlClient(ctx)
+
 	if d.HasChange(names.AttrPolicy) {
 		if v, ok := d.GetOk(names.AttrPolicy); ok && v.(string) != "" && v.(string) != "{}" {
 			policy, err := structure.NormalizeJsonString(v.(string))
@@ -379,13 +391,17 @@ func resourceAccessPointUpdate(ctx context.Context, d *schema.ResourceData, meta
 
 func resourceAccessPointDelete(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
 	var diags diag.Diagnostics
-	conn := meta.(*conns.AWSClient).S3ControlClient(ctx)
+	c := meta.(*conns.AWSClient)
 
 	accountID, name, err := accessPointParseResourceID(d.Id())
 	if err != nil {
 		return sdkdiag.AppendFromErr(diags, err)
 	}
 
+	// Directory Buckets are supported by the standard S3 Control client
+	// The AWS SDK automatically routes to the correct endpoint based on the resource ARN
+	conn := c.S3ControlClient(ctx)
+
 	log.Printf("[DEBUG] Deleting S3 Access Point: %s", d.Id())
 	input := s3control.DeleteAccessPointInput{
 		AccountId: aws.String(accountID),

@@ -53,9 +53,10 @@ func resourceAccessPointPolicy() *schema.Resource {
 
 func resourceAccessPointPolicyCreate(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
 	var diags diag.Diagnostics
-	conn := meta.(*conns.AWSClient).S3ControlClient(ctx)
+	c := meta.(*conns.AWSClient)
 
-	resourceID, err := accessPointCreateResourceID(d.Get("access_point_arn").(string))
+	accessPointARN := d.Get("access_point_arn").(string)
+	resourceID, err := accessPointCreateResourceID(accessPointARN)
 	if err != nil {
 		return sdkdiag.AppendFromErr(diags, err)
 	}
@@ -65,6 +66,10 @@ func resourceAccessPointPolicyCreate(ctx context.Context, d *schema.ResourceData
 		return sdkdiag.AppendFromErr(diags, err)
 	}
 
+	// Directory Buckets are supported by the standard S3 Control client
+	// The AWS SDK automatically routes to the correct endpoint based on the resource ARN
+	conn := c.S3ControlClient(ctx)
+
 	policy, err := structure.NormalizeJsonString(d.Get(names.AttrPolicy).(string))
 	if err != nil {
 		return sdkdiag.AppendFromErr(diags, err)
@@ -89,13 +94,17 @@ func resourceAccessPointPolicyCreate(ctx context.Context, d *schema.ResourceData
 
 func resourceAccessPointPolicyRead(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
 	var diags diag.Diagnostics
-	conn := meta.(*conns.AWSClient).S3ControlClient(ctx)
+	c := meta.(*conns.AWSClient)
 
 	accountID, name, err := accessPointParseResourceID(d.Id())
 	if err != nil {
 		return sdkdiag.AppendFromErr(diags, err)
 	}
 
+	// Directory Buckets are supported by the standard S3 Control client
+	// The AWS SDK automatically routes to the correct endpoint based on the resource ARN
+	conn := c.S3ControlClient(ctx)
+
 	policy, status, err := findAccessPointPolicyAndStatusByTwoPartKey(ctx, conn, accountID, name)
 
 	if !d.IsNewResource() && tfresource.NotFound(err) {
@@ -125,13 +134,17 @@ func resourceAccessPointPolicyRead(ctx context.Context, d *schema.ResourceData,
 
 func resourceAccessPointPolicyUpdate(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
 	var diags diag.Diagnostics
-	conn := meta.(*conns.AWSClient).S3ControlClient(ctx)
+	c := meta.(*conns.AWSClient)
 
 	accountID, name, err := accessPointParseResourceID(d.Id())
 	if err != nil {
 		return sdkdiag.AppendFromErr(diags, err)
 	}
 
+	// Directory Buckets are supported by the standard S3 Control client
+	// The AWS SDK automatically routes to the correct endpoint based on the resource ARN
+	conn := c.S3ControlClient(ctx)
+
 	policy, err := structure.NormalizeJsonString(d.Get(names.AttrPolicy).(string))
 	if err != nil {
 		return sdkdiag.AppendFromErr(diags, err)
@@ -154,13 +167,17 @@ func resourceAccessPointPolicyUpdate(ctx context.Context, d *schema.ResourceData
 
 func resourceAccessPointPolicyDelete(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
 	var diags diag.Diagnostics
-	conn := meta.(*conns.AWSClient).S3ControlClient(ctx)
+	c := meta.(*conns.AWSClient)
 
 	accountID, name, err := accessPointParseResourceID(d.Id())
 	if err != nil {
 		return sdkdiag.AppendFromErr(diags, err)
 	}
 
+	// Directory Buckets are supported by the standard S3 Control client
+	// The AWS SDK automatically routes to the correct endpoint based on the resource ARN
+	conn := c.S3ControlClient(ctx)
+
 	log.Printf("[DEBUG] Deleting S3 Access Point Policy: %s", d.Id())
 	input := s3control.DeleteAccessPointPolicyInput{
 		AccountId: aws.String(accountID),

@@ -130,7 +130,7 @@ func resourceBucketLifecycleConfiguration() *schema.Resource {
 
 func resourceBucketLifecycleConfigurationCreate(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
 	var diags diag.Diagnostics
-	conn := meta.(*conns.AWSClient).S3ControlClient(ctx)
+	c := meta.(*conns.AWSClient)
 
 	bucket := d.Get(names.AttrBucket).(string)
 	parsedArn, err := arn.Parse(bucket)
@@ -140,9 +140,13 @@ func resourceBucketLifecycleConfigurationCreate(ctx context.Context, d *schema.R
 	}
 
 	if parsedArn.AccountID == "" {
-		return sdkdiag.AppendErrorf(diags, "parsing S3 Control Bucket ARN (%s): unknown format", d.Id())
+		return sdkdiag.AppendErrorf(diags, "parsing S3 Control Bucket ARN (%s): unknown format", bucket)
 	}
 
+	// Directory Buckets are supported by the standard S3 Control client
+	// The AWS SDK automatically routes to the correct endpoint based on the resource ARN
+	conn := c.S3ControlClient(ctx)
+
 	input := &s3control.PutBucketLifecycleConfigurationInput{
 		AccountId: aws.String(parsedArn.AccountID),
 		Bucket:    aws.String(bucket),
@@ -164,7 +168,7 @@ func resourceBucketLifecycleConfigurationCreate(ctx context.Context, d *schema.R
 
 func resourceBucketLifecycleConfigurationRead(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
 	var diags diag.Diagnostics
-	conn := meta.(*conns.AWSClient).S3ControlClient(ctx)
+	c := meta.(*conns.AWSClient)
 
 	parsedArn, err := arn.Parse(d.Id())
 
@@ -176,6 +180,10 @@ func resourceBucketLifecycleConfigurationRead(ctx context.Context, d *schema.Res
 		return sdkdiag.AppendErrorf(diags, "parsing S3 Control Bucket ARN (%s): unknown format", d.Id())
 	}
 
+	// Directory Buckets are supported by the standard S3 Control client
+	// The AWS SDK automatically routes to the correct endpoint based on the resource ARN
+	conn := c.S3ControlClient(ctx)
+
 	output, err := findBucketLifecycleConfigurationByTwoPartKey(ctx, conn, parsedArn.AccountID, d.Id())
 
 	if !d.IsNewResource() && tfresource.NotFound(err) {
@@ -199,7 +207,7 @@ func resourceBucketLifecycleConfigurationRead(ctx context.Context, d *schema.Res
 
 func resourceBucketLifecycleConfigurationUpdate(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
 	var diags diag.Diagnostics
-	conn := meta.(*conns.AWSClient).S3ControlClient(ctx)
+	c := meta.(*conns.AWSClient)
 
 	parsedArn, err := arn.Parse(d.Id())
 
@@ -211,6 +219,10 @@ func resourceBucketLifecycleConfigurationUpdate(ctx context.Context, d *schema.R
 		return sdkdiag.AppendErrorf(diags, "parsing S3 Control Bucket ARN (%s): unknown format", d.Id())
 	}
 
+	// Directory Buckets are supported by the standard S3 Control client
+	// The AWS SDK automatically routes to the correct endpoint based on the resource ARN
+	conn := c.S3ControlClient(ctx)
+
 	input := &s3control.PutBucketLifecycleConfigurationInput{
 		AccountId: aws.String(parsedArn.AccountID),
 		Bucket:    aws.String(d.Id()),
@@ -230,7 +242,7 @@ func resourceBucketLifecycleConfigurationUpdate(ctx context.Context, d *schema.R
 
 func resourceBucketLifecycleConfigurationDelete(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
 	var diags diag.Diagnostics
-	conn := meta.(*conns.AWSClient).S3ControlClient(ctx)
+	c := meta.(*conns.AWSClient)
 
 	parsedArn, err := arn.Parse(d.Id())
 
@@ -242,6 +254,10 @@ func resourceBucketLifecycleConfigurationDelete(ctx context.Context, d *schema.R
 		return sdkdiag.AppendErrorf(diags, "parsing S3 Control Bucket ARN (%s): unknown format", d.Id())
 	}
 
+	// Directory Buckets are supported by the standard S3 Control client
+	// The AWS SDK automatically routes to the correct endpoint based on the resource ARN
+	conn := c.S3ControlClient(ctx)
+
 	log.Printf("[DEBUG] Deleting S3 Control Bucket Lifecycle Configuration: %s", d.Id())
 	_, err = conn.DeleteBucketLifecycleConfiguration(ctx, &s3control.DeleteBucketLifecycleConfigurationInput{
 		AccountId: aws.String(parsedArn.AccountID),

@@ -59,10 +59,14 @@ func resourceBucketPolicy() *schema.Resource {
 
 func resourceBucketPolicyCreate(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
 	var diags diag.Diagnostics
-	conn := meta.(*conns.AWSClient).S3ControlClient(ctx)
+	c := meta.(*conns.AWSClient)
 
 	bucket := d.Get(names.AttrBucket).(string)
 
+	// Directory Buckets are supported by the standard S3 Control client
+	// The AWS SDK automatically routes to the correct endpoint based on the resource ARN
+	conn := c.S3ControlClient(ctx)
+
 	policy, err := structure.NormalizeJsonString(d.Get(names.AttrPolicy).(string))
 	if err != nil {
 		return sdkdiag.AppendFromErr(diags, err)
@@ -86,7 +90,7 @@ func resourceBucketPolicyCreate(ctx context.Context, d *schema.ResourceData, met
 
 func resourceBucketPolicyRead(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
 	var diags diag.Diagnostics
-	conn := meta.(*conns.AWSClient).S3ControlClient(ctx)
+	c := meta.(*conns.AWSClient)
 
 	parsedArn, err := arn.Parse(d.Id())
 	if err != nil {
@@ -97,6 +101,10 @@ func resourceBucketPolicyRead(ctx context.Context, d *schema.ResourceData, meta
 		return sdkdiag.AppendErrorf(diags, "parsing S3 Control Bucket ARN (%s): unknown format", d.Id())
 	}
 
+	// Directory Buckets are supported by the standard S3 Control client
+	// The AWS SDK automatically routes to the correct endpoint based on the resource ARN
+	conn := c.S3ControlClient(ctx)
+
 	output, err := findBucketPolicyByTwoPartKey(ctx, conn, parsedArn.AccountID, d.Id())
 
 	if !d.IsNewResource() && tfresource.NotFound(err) {
@@ -127,7 +135,11 @@ func resourceBucketPolicyRead(ctx context.Context, d *schema.ResourceData, meta
 
 func resourceBucketPolicyUpdate(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
 	var diags diag.Diagnostics
-	conn := meta.(*conns.AWSClient).S3ControlClient(ctx)
+	c := meta.(*conns.AWSClient)
+
+	// Directory Buckets are supported by the standard S3 Control client
+	// The AWS SDK automatically routes to the correct endpoint based on the resource ARN
+	conn := c.S3ControlClient(ctx)
 
 	policy, err := structure.NormalizeJsonString(d.Get(names.AttrPolicy).(string))
 	if err != nil {
@@ -150,7 +162,11 @@ func resourceBucketPolicyUpdate(ctx context.Context, d *schema.ResourceData, met
 
 func resourceBucketPolicyDelete(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
 	var diags diag.Diagnostics
-	conn := meta.(*conns.AWSClient).S3ControlClient(ctx)
+	c := meta.(*conns.AWSClient)
+
+	// Directory Buckets are supported by the standard S3 Control client
+	// The AWS SDK automatically routes to the correct endpoint based on the resource ARN
+	conn := c.S3ControlClient(ctx)
 
 	parsedArn, err := arn.Parse(d.Id())