feat(object): add project_id resource attribute (#1703)

Author: quantumsheep

.github/workflows/acceptance-tests.yaml

@@ -47,5 +47,4 @@ jobs:
           SCW_DEBUG: 0
           SCW_ACCESS_KEY: "SCWXXXXXXXXXXXXXFAKE"
           SCW_SECRET_KEY: "11111111-1111-1111-1111-111111111111"
-          SCW_DEFAULT_PROJECT_ID: "11111111-1111-1111-1111-111111111111"
           SCW_ENABLE_BETA: true

docs/data-sources/object_bucket.md

@@ -24,11 +24,22 @@ data "scaleway_object_bucket" "selected" {
 }
 ```
 
+
+### Fetching the bucket from a specific project
+
+```hcl
+data "scaleway_object_bucket" "selected" {
+  name = "bucket.test.com"
+  project_id = "11111111-1111-1111-1111-111111111111"
+}
+```
+
 ## Argument Reference
 
 - `name` - (Required) The bucket name.
 - `object_lock_enabled` - (Optional) Enable object lock on the bucket. Defaults to `false`. Updating this field will force creating a new bucket.
 - `region` - (Defaults to [provider](../index.md#region) `region`) The [region](../guides/regions_and_zones.md#zones) in which the Object Storage exists.
+- `project_id` - (Defaults to [provider](../index.md#project_id) `project_id`) The ID of the project the bucket is associated with.
 
 
 ## Attributes Reference

docs/resources/object.md

@@ -38,6 +38,7 @@ The following arguments are supported:
 * `visibility` - (Optional) Visibility of the object, `public-read` or `private`
 * `metadata` - (Optional) Map of metadata used for the object, keys must be lowercase
 * `tags` - (Optional) Map of tags
+* `project_id` - (Defaults to [provider](../index.md#project_id) `project_id`) The ID of the project the bucket is associated with.
 
 ## Attributes Reference
 

docs/resources/object_bucket.md

@@ -20,6 +20,15 @@ resource "scaleway_object_bucket" "some_bucket" {
 }
 ```
 
+### Creating the bucket in a specific project
+
+```hcl
+resource "scaleway_object_bucket" "some_bucket" {
+  name = "some-unique-name"
+  project_id = "11111111-1111-1111-1111-111111111111"
+}
+```
+
 ### Using object lifecycle
 
 ```hcl
@@ -115,6 +124,7 @@ The following arguments are supported:
 * `versioning` - (Optional) A state of [versioning](https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html) (documented below)
 * `cors_rule` - (Optional) A rule of [Cross-Origin Resource Sharing](https://docs.aws.amazon.com/AmazonS3/latest/dev/cors.html) (documented below).
 * `force_destroy` - (Optional) Enable deletion of objects in bucket before destroying, locked objects or under legal hold are also deleted and **not** recoverable
+* `project_id` - (Defaults to [provider](../index.md#project_id) `project_id`) The ID of the project the bucket is associated with.
 
 The `acl` attribute is deprecated. See [scaleway_object_bucket_acl](object_bucket_acl.md) resource documentation.
 Please check the [canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl_overview.html#canned-acl) documentation for supported values.

docs/resources/object_bucket_acl.md

@@ -68,6 +68,7 @@ The following arguments are supported:
 * `access_control_policy` - (Optional, Conflicts with acl) A configuration block that sets the ACL permissions for an object per grantee documented below.
 * `expected_bucket_owner` - (Optional, Forces new resource) The project ID of the expected bucket owner.
 * `region` - (Optional) The [region](https://developers.scaleway.com/en/quickstart/#region-definition) in which the bucket should be created.
+* `project_id` - (Defaults to [provider](../index.md#project_id) `project_id`) The ID of the project the bucket is associated with.
 
 
 ## The ACL

docs/resources/object_bucket_object_lock_configuration.md

@@ -55,6 +55,8 @@ The following arguments are supported:
 
         - `years` - (Optional) The number of years that you want to specify for the default retention period.
 
+- `project_id` - (Defaults to [provider](../index.md#project_id) `project_id`) The ID of the project the bucket is associated with.
+
 ## Import
 
 Lock configuration Bucket can be imported using the `{region}/{bucketName}` identifier, e.g.

docs/resources/object_bucket_policy.md

@@ -84,6 +84,7 @@ The following arguments are supported:
 
 * `bucket` - (Required) The name of the bucket.
 * `policy` - (Required) The policy document. This is a JSON formatted string. For more information about building AWS IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](https://learn.hashicorp.com/tutorials/terraform/aws-iam-policy?_ga=2.164714495.1557487853.1659960650-563504983.1635944492).
+* `project_id` - (Defaults to [provider](../index.md#project_id) `project_id`) The ID of the project the bucket is associated with.
 
 ~> **Important:** The [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) data source may be used, so long as it specifies a principal.
 

docs/resources/object_bucket_website_configuration.md

@@ -70,6 +70,7 @@ The following arguments are supported:
 * `bucket` - (Required, Forces new resource) The name of the bucket.
 * `index_document` - (Required) The name of the index document for the website [detailed below](#index_document).
 * `error_document` - (Optional) The name of the error document for the website [detailed below](#error_document).
+* `project_id` - (Defaults to [provider](../index.md#project_id) `project_id`) The ID of the project the bucket is associated with.
 
 ## index_document
 

scaleway/data_source_object_bucket.go

@@ -16,7 +16,7 @@ func dataSourceScalewayObjectBucket() *schema.Resource {
 	dsSchema := datasourceSchemaFromResourceSchema(resourceScalewayObjectBucket().Schema)
 
 	// Set 'Optional' schema elements
-	addOptionalFieldsToSchema(dsSchema, "name", "region")
+	addOptionalFieldsToSchema(dsSchema, "name", "region", "project_id")
 
 	return &schema.Resource{
 		ReadContext: dataSourceScalewayObjectStorageRead,
@@ -43,6 +43,14 @@ func dataSourceScalewayObjectStorageRead(ctx context.Context, d *schema.Resource
 		return diag.FromErr(fmt.Errorf("failed getting Object Storage bucket (%s): %w", bucket, err))
 	}
 
+	acl, err := s3Client.GetBucketAclWithContext(ctx, &s3.GetBucketAclInput{
+		Bucket: aws.String(bucket),
+	})
+	if err != nil {
+		return diag.FromErr(fmt.Errorf("couldn't read bucket acl: %s", err))
+	}
+	_ = d.Set("project_id", *normalizeOwnerID(acl.Owner.ID))
+
 	bucketRegionalID := newRegionalIDString(region, bucket)
 	d.SetId(bucketRegionalID)
 	return resourceScalewayObjectBucketRead(ctx, d, meta)

scaleway/data_source_object_bucket_test.go

@@ -1,11 +1,15 @@
 package scaleway
 
 import (
+	"context"
 	"fmt"
+	"regexp"
 	"testing"
 
 	sdkacctest "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
+	"github.com/stretchr/testify/require"
 )
 
 func TestAccScalewayDataSourceObjectStorage_Basic(t *testing.T) {
@@ -38,3 +42,90 @@ func TestAccScalewayDataSourceObjectStorage_Basic(t *testing.T) {
 		},
 	})
 }
+
+func TestAccScalewayDataSourceObjectStorage_ProjectIDAllowed(t *testing.T) {
+	tt := NewTestTools(t)
+	defer tt.Cleanup()
+	bucketName := sdkacctest.RandomWithPrefix("test-acc-scaleway-object-bucket")
+
+	project, iamAPIKey, terminateFakeSideProject, err := createFakeSideProject(tt)
+	require.NoError(t, err)
+
+	ctx := context.Background()
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:          func() { testAccPreCheck(t) },
+		ProviderFactories: fakeSideProjectProviders(ctx, tt, project, iamAPIKey),
+		CheckDestroy: resource.ComposeAggregateTestCheckFunc(
+			func(s *terraform.State) error {
+				return terminateFakeSideProject()
+			},
+			testAccCheckScalewayObjectDestroy(tt),
+		),
+		Steps: []resource.TestStep{
+			// Create a bucket from the main provider into the side project and read it from the side provider
+			// The side provider should only be able to read the bucket from the side project
+			{
+				Config: fmt.Sprintf(`
+					resource "scaleway_object_bucket" "base" {
+						name = "%[1]s"
+						project_id = "%[2]s"
+					}
+
+					data "scaleway_object_bucket" "selected" {
+						name = scaleway_object_bucket.base.name
+						provider = side
+					}
+				`,
+					bucketName,
+					project.ID,
+				),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("data.scaleway_object_bucket.selected", "name", bucketName),
+					resource.TestCheckResourceAttr("data.scaleway_object_bucket.selected", "project_id", project.ID),
+				),
+			},
+		},
+	})
+}
+
+func TestAccScalewayDataSourceObjectStorage_ProjectIDForbidden(t *testing.T) {
+	tt := NewTestTools(t)
+	defer tt.Cleanup()
+	bucketName := sdkacctest.RandomWithPrefix("test-acc-scaleway-object-bucket")
+
+	project, iamAPIKey, terminateFakeSideProject, err := createFakeSideProject(tt)
+	require.NoError(t, err)
+
+	ctx := context.Background()
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:          func() { testAccPreCheck(t) },
+		ProviderFactories: fakeSideProjectProviders(ctx, tt, project, iamAPIKey),
+		CheckDestroy: resource.ComposeAggregateTestCheckFunc(
+			func(s *terraform.State) error {
+				return terminateFakeSideProject()
+			},
+			testAccCheckScalewayObjectDestroy(tt),
+		),
+		Steps: []resource.TestStep{
+			// The side provider should not be able to read the bucket from the main project
+			{
+				Config: fmt.Sprintf(`
+					resource "scaleway_object_bucket" "base" {
+						name = "%[1]s"
+					}
+
+					data "scaleway_object_bucket" "selected" {
+						name = scaleway_object_bucket.base.name
+						provider = side
+					}
+				`,
+					bucketName,
+					project.ID,
+				),
+				ExpectError: regexp.MustCompile("failed getting Object Storage bucket"),
+			},
+		},
+	})
+}