feat: Allow override of the default tags override (#261)

Co-authored-by: Anton Babenko <[email protected]>

Author: kbcz1989

examples/object/README.md

@@ -37,6 +37,7 @@ Note that this example may create resources which cost money. Run `terraform des
 | <a name="module_object"></a> [object](#module\_object) | ../../modules/object | n/a |
 | <a name="module_object_complete"></a> [object\_complete](#module\_object\_complete) | ../../modules/object | n/a |
 | <a name="module_object_locked"></a> [object\_locked](#module\_object\_locked) | ../../modules/object | n/a |
+| <a name="module_object_with_override_default_tags"></a> [object\_with\_override\_default\_tags](#module\_object\_with\_override\_default\_tags) | ../../modules/object | n/a |
 | <a name="module_s3_bucket"></a> [s3\_bucket](#module\_s3\_bucket) | ../../ | n/a |
 | <a name="module_s3_bucket_with_object_lock"></a> [s3\_bucket\_with\_object\_lock](#module\_s3\_bucket\_with\_object\_lock) | ../../ | n/a |
 

examples/object/main.tf

@@ -5,6 +5,12 @@ provider "aws" {
   skip_metadata_api_check     = true
   skip_region_validation      = true
   skip_credentials_validation = true
+
+  default_tags {
+    tags = {
+      Example = "object"
+    }
+  }
 }
 
 locals {
@@ -25,6 +31,7 @@ module "object" {
     Sensitive = "not-really"
   }
 }
+
 module "object_complete" {
   source = "../../modules/object"
 
@@ -33,7 +40,7 @@ module "object_complete" {
 
   content = jsonencode({ data : "value" })
 
-  acl           = "public-read"
+  # acl           = "public-read"
   storage_class = "ONEZONE_IA"
   force_destroy = true
 
@@ -68,6 +75,21 @@ module "object_locked" {
   object_lock_retain_until_date = formatdate("YYYY-MM-DD'T'hh:00:00Z", timeadd(timestamp(), "1h")) # some time in the future
 }
 
+module "object_with_override_default_tags" {
+  source = "../../modules/object"
+
+  bucket = module.s3_bucket.s3_bucket_id
+  key    = "${random_pet.this.id}-local-override-default-tags"
+
+  override_default_tags = true
+
+  file_source = "README.md"
+
+  tags = {
+    Override = "true"
+  }
+}
+
 ##################
 # Extra resources
 ##################
@@ -96,7 +118,13 @@ module "s3_bucket_with_object_lock" {
   bucket        = "${random_pet.this.id}-with-object-lock"
   force_destroy = true
 
+  object_lock_enabled = true
   object_lock_configuration = {
-    object_lock_enabled = "Enabled"
+    rule = {
+      default_retention = {
+        mode = "GOVERNANCE"
+        days = 1
+      }
+    }
   }
 }

modules/object/README.md

@@ -8,13 +8,13 @@ Creates S3 bucket objects with different configurations.
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.75 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.24 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.75 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.24 |
 
 ## Modules
 
@@ -50,6 +50,7 @@ No modules.
 | <a name="input_object_lock_legal_hold_status"></a> [object\_lock\_legal\_hold\_status](#input\_object\_lock\_legal\_hold\_status) | The legal hold status that you want to apply to the specified object. Valid values are ON and OFF. | `string` | `null` | no |
 | <a name="input_object_lock_mode"></a> [object\_lock\_mode](#input\_object\_lock\_mode) | The object lock retention mode that you want to apply to this object. Valid values are GOVERNANCE and COMPLIANCE. | `string` | `null` | no |
 | <a name="input_object_lock_retain_until_date"></a> [object\_lock\_retain\_until\_date](#input\_object\_lock\_retain\_until\_date) | The date and time, in RFC3339 format, when this object's object lock will expire. | `string` | `null` | no |
+| <a name="input_override_default_tags"></a> [override\_default\_tags](#input\_override\_default\_tags) | Ignore provider default\_tags. S3 objects support a maximum of 10 tags. | `bool` | `false` | no |
 | <a name="input_server_side_encryption"></a> [server\_side\_encryption](#input\_server\_side\_encryption) | Specifies server-side encryption of the object in S3. Valid values are "AES256" and "aws:kms". | `string` | `null` | no |
 | <a name="input_source_hash"></a> [source\_hash](#input\_source\_hash) | Triggers updates like etag but useful to address etag encryption limitations. Set using filemd5("path/to/source") (Terraform 0.11.12 or later). (The value is only stored in state and not saved by AWS.) | `string` | `null` | no |
 | <a name="input_storage_class"></a> [storage\_class](#input\_storage\_class) | Specifies the desired Storage Class for the object. Can be either STANDARD, REDUCED\_REDUNDANCY, ONEZONE\_IA, INTELLIGENT\_TIERING, GLACIER, DEEP\_ARCHIVE, or STANDARD\_IA. Defaults to STANDARD. | `string` | `null` | no |

modules/object/main.tf

@@ -33,6 +33,16 @@ resource "aws_s3_object" "this" {
 
   tags = var.tags
 
+  dynamic "override_provider" {
+    for_each = var.override_default_tags ? [true] : []
+
+    content {
+      default_tags {
+        tags = {}
+      }
+    }
+  }
+
   lifecycle {
     ignore_changes = [object_lock_retain_until_date]
   }

modules/object/variables.tf

@@ -147,3 +147,9 @@ variable "source_hash" {
   type        = string
   default     = null
 }
+
+variable "override_default_tags" {
+  description = "Ignore provider default_tags. S3 objects support a maximum of 10 tags."
+  type        = bool
+  default     = false
+}

modules/object/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.75"
+      version = ">= 5.24"
     }
   }
 }

wrappers/object/main.tf

@@ -23,6 +23,7 @@ module "wrapper" {
   object_lock_legal_hold_status = try(each.value.object_lock_legal_hold_status, var.defaults.object_lock_legal_hold_status, null)
   object_lock_mode              = try(each.value.object_lock_mode, var.defaults.object_lock_mode, null)
   object_lock_retain_until_date = try(each.value.object_lock_retain_until_date, var.defaults.object_lock_retain_until_date, null)
+  override_default_tags         = try(each.value.override_default_tags, var.defaults.override_default_tags, false)
   server_side_encryption        = try(each.value.server_side_encryption, var.defaults.server_side_encryption, null)
   source_hash                   = try(each.value.source_hash, var.defaults.source_hash, null)
   storage_class                 = try(each.value.storage_class, var.defaults.storage_class, null)