feat(obj): resource object bucket acl (#1465)

Author: Monitob

docs/resources/object_bucket_acl.md

@@ -0,0 +1,125 @@
+---
+page_title: "Scaleway: scaleway_object_bucket_acl"
+description: |-
+Manages Scaleway object storage bucket ACL resource.
+---
+
+# scaleway_object_bucket
+
+Creates and manages Scaleway object storage bucket ACL.
+For more information, see [the documentation](https://www.scaleway.com/en/docs/storage/object/concepts/#access-control-list-(acl)).
+
+-> **Note:** `terraform destroy`  does not delete the Object Bucket ACL but does remove the resource from Terraform state.
+
+-> **Note:** [Account identifiers](https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html) is not supported by scaleway.
+
+## Example Usage
+
+```hcl
+resource "scaleway_object_bucket" "some_bucket" {
+  name = "some-unique-name"
+}
+
+resource "scaleway_object_bucket_acl" "main" {
+  bucket = scaleway_object_bucket.main.name
+  acl = "private"
+}
+```
+
+## Example with Grants
+
+```hcl
+resource "scaleway_object_bucket" "main" {
+    name = "your-bucket"
+}
+
+resource "scaleway_object_bucket_acl" "main" {
+    bucket = scaleway_object_bucket.main.name
+    access_control_policy {
+      grant {
+        grantee {
+            id   = "<project-id>:<project-id>"
+            type = "CanonicalUser"
+        }
+        permission = "FULL_CONTROL"
+      }
+    
+      grant {
+        grantee {
+          id   = "<project-id>"
+          type = "CanonicalUser"
+        }
+        permission = "WRITE"
+      }
+    
+      owner {
+        id = "<project-id>"
+      }
+    }
+}
+```
+
+## Arguments Reference
+
+The following arguments are supported:
+
+* `bucket` - (Required) The name of the bucket.
+* `acl` - (Optional) The canned ACL you want to apply to the bucket.
+* `access_control_policy` - (Optional, Conflicts with acl) A configuration block that sets the ACL permissions for an object per grantee documented below.
+* `expected_bucket_owner` - (Optional, Forces new resource) The project ID of the expected bucket owner.
+* `region` - (Optional) The [region](https://developers.scaleway.com/en/quickstart/#region-definition) in which the bucket should be created.
+
+
+## The ACL
+
+Please check the [canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl_overview.html#canned-acl)
+
+## The Access Control policy
+
+The `access_control_policy` configuration block supports the following arguments:
+
+* `grant` - (Required) Set of grant configuration blocks documented below.
+* `owner` - (Required) Configuration block of the bucket owner's display name and ID documented below.
+
+## The Grant
+
+The `grant` configuration block supports the following arguments:
+
+* `grantee` - (Required) Configuration block for the project being granted permissions documented below.
+* `permission` - (Required) Logging permissions assigned to the grantee for the bucket.
+
+## The permission
+
+The following list shows each access policy permissions supported.
+
+`READ`, `WRITE`, `READ_ACP`, `WRITE_ACP`, `FULL_CONTROL`
+
+For more information about ACL permissions in the S3 bucket, see [ACL permissions](https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html).
+
+## The owner
+
+The `owner` configuration block supports the following arguments:
+
+* `id` - (Required) The ID of the project owner.
+* `display_name` - (Optional) The display name of the owner.
+
+## the grantee
+
+The `grantee` configuration block supports the following arguments:
+
+* `id` - (Required) The canonical user ID of the grantee.
+* `type` - (Required) Type of grantee. Valid values: CanonicalUser.
+
+## Attributes Reference
+
+In addition to all above arguments, the following attribute is exported:
+
+* `id` - The `region`,`bucket` and `acl` separated by (`/`).
+
+## Import
+
+Buckets can be imported using the `{region}/{bucketName}/{acl}` identifier, e.g.
+
+```bash
+$ terraform import scaleway_object_bucket_acl.some_bucket fr-par/some-bucket
+/private```

scaleway/helpers.go

@@ -92,7 +92,7 @@ func expandZonedID(id interface{}) ZonedID {
 }
 
 // parseLocalizedID parses a localizedID and extracts the resource locality and id.
-func parseLocalizedID(localizedID string) (locality string, id string, err error) {
+func parseLocalizedID(localizedID string) (locality, id string, err error) {
 	tab := strings.Split(localizedID, "/")
 	if len(tab) != 2 {
 		return "", localizedID, fmt.Errorf("cant parse localized id: %s", localizedID)
@@ -109,6 +109,27 @@ func parseLocalizedNestedID(localizedID string) (locality string, innerID, outer
 	return tab[0], tab[1], tab[2], nil
 }
 
+// parseLocalizedNestedID parses a localizedNestedOwnerID and extracts the resource locality, the inner and outer id and owner.
+func parseLocalizedNestedOwnerID(localizedID string) (locality string, innerID, outerID string, err error) {
+	tab := strings.Split(localizedID, "/")
+	n := len(tab)
+	switch n {
+	case 2:
+		locality = tab[0]
+		innerID = tab[1]
+	case 3:
+		locality, innerID, outerID, err = parseLocalizedNestedID(localizedID)
+	default:
+		err = fmt.Errorf("cant parse localized id: %s", localizedID)
+	}
+
+	if err != nil {
+		return "", "", localizedID, err
+	}
+
+	return locality, innerID, outerID, nil
+}
+
 // parseZonedID parses a zonedID and extracts the resource zone and id.
 func parseZonedID(zonedID string) (zone scw.Zone, id string, err error) {
 	locality, id, err := parseLocalizedID(zonedID)

scaleway/helpers_object.go

@@ -101,6 +101,22 @@ func s3ClientWithRegionAndNestedName(m interface{}, name string) (*s3.S3, scw.Re
 	return s3Client, region, outerID, innerID, err
 }
 
+func s3ClientWithRegionWithNameACL(m interface{}, name string) (*s3.S3, scw.Region, string, string, error) {
+	meta := m.(*Meta)
+	region, name, outerID, err := parseLocalizedNestedOwnerID(name)
+	if err != nil {
+		return nil, "", name, "", err
+	}
+
+	accessKey, _ := meta.scwClient.GetAccessKey()
+	secretKey, _ := meta.scwClient.GetSecretKey()
+	s3Client, err := newS3Client(meta.httpClient, region, accessKey, secretKey)
+	if err != nil {
+		return nil, "", "", "", err
+	}
+	return s3Client, scw.Region(region), name, outerID, err
+}
+
 func flattenObjectBucketTags(tagsSet []*s3.Tag) map[string]interface{} {
 	tags := map[string]interface{}{}
 
@@ -482,3 +498,17 @@ func WebsiteDomainURL(region string) string {
 	// https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_website_region_endpoints
 	return fmt.Sprintf("s3-website.%s.scw.cloud", region)
 }
+
+func buildBucketOwnerID(id *string) *string {
+	s := fmt.Sprintf("%[1]s:%[1]s", *id)
+	return &s
+}
+
+func normalizeOwnerID(id *string) *string {
+	tab := strings.Split(*id, ":")
+	if len(tab) != 2 {
+		return id
+	}
+
+	return &tab[0]
+}

scaleway/provider.go

@@ -141,6 +141,7 @@ func Provider(config *ProviderConfig) plugin.ProviderFunc {
 				"scaleway_redis_cluster":                       resourceScalewayRedisCluster(),
 				"scaleway_object":                              resourceScalewayObject(),
 				"scaleway_object_bucket":                       resourceScalewayObjectBucket(),
+				"scaleway_object_bucket_acl":                   resourceScalewayObjectBucketACL(),
 				"scaleway_object_bucket_policy":                resourceScalewayObjectBucketPolicy(),
 				"scaleway_object_bucket_website_configuration": ResourceBucketWebsiteConfiguration(),
 				"scaleway_vpc_public_gateway":                  resourceScalewayVPCPublicGateway(),

scaleway/resource_object_bucket.go

@@ -47,6 +47,7 @@ func resourceScalewayObjectBucket() *schema.Resource {
 					s3.ObjectCannedACLPublicReadWrite,
 					s3.ObjectCannedACLAuthenticatedRead,
 				}, false),
+				Deprecated: "ACL is deprecated. Please use resource_bucket_acl instead.",
 			},
 			"tags": {
 				Type: schema.TypeMap,
@@ -433,7 +434,7 @@ func resourceScalewayObjectBucketRead(ctx context.Context, d *schema.ResourceDat
 	// Known issue:
 	// Import a bucket (eg. terraform import scaleway_object_bucket.x fr-par/x)
 	// will always trigger a diff (eg. terraform plan) on acl attribute because
-	// we do not read it and it has a "private" default value.
+	// we do not read it, and it has a "private" default value.
 	// AWS has the same issue: https://github.com/terraform-providers/terraform-provider-aws/issues/6193
 
 	_, err = s3Client.ListObjectsWithContext(ctx, &s3.ListObjectsInput{