hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

Get S3 bucket fails to read when GetBucketACL not implemented #25660

Open Cyb3r-Jak3 opened 2 years ago

Cyb3r-Jak3 commented 2 years ago

When attempting to use S3 with a custom provider, Cloudflare R2, a NotImplemented error is raised when attempting to read the bucket. The GetBucketAcl command has not been implemented.

When working with a Cloudflare engineer, it seems that other commands are not handled gracefully.

The (potentially incomplete) set of commands that don't handle NotImplemented gracefully:

  • GetBucketAcl
  • GetBucketVersioning
  • GetBucketLifecycleConfiguration
  • GetBucketReplication
  • GetBucketEncryption (but R2 does implement it)
  • GetObjectLockConfiguration
  • GetBucketTagging

The rest seem to gracefully ignore NotImplemented.

Terraform CLI and Terraform AWS Provider Version

Terraform v1.2.4 on linux_amd64

Affected Resource(s)

Terraform Configuration Files

main.tf

terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
      version = "4.20.1"
    }
  }
}

provider "aws" {
  access_key = var.cloudflare_access_key
  secret_key = var.cloudflare_secret_key
  skip_credentials_validation = true
  skip_region_validation = true
  skip_requesting_account_id = true
  endpoints {
    s3 = "https://${var.cloudflare_account_id}.r2.cloudflarestorage.com"
  }
}

resource "aws_s3_bucket" "cloudflare-bucket" {
  bucket = "my-tf-test-bucket"
}

variables.tf

variable "cloudflare_account_id" {
  type = string
}

variable "cloudflare_access_key" {
  type = string
}

variable "cloudflare_secret_key" {
  type = string
}

Debug Output

Debug Link https://gist.github.com/Cyb3r-Jak3/9d552fe7409a0238d65626bba1510dcc

Expected Behavior

GetBucketACL NotImplemented should be handled gracefully.

Actual Behavior

An error is thrown, "ACL: NotImplemented: GetBucketAcl not implemented", when attempted.

Steps to Reproduce

  1. Create an R2 API key in Cloudflare R2
  2. Copy the main.tf file
  3. Create a vars file with cloudflare_account_id, cloudflare_access_key, and cloudflare_secret_key and fill them with the values
  4. Run terraform plan -var-file="<your variable file>" -out plan
  5. terraform apply plan

The bucket will be created and viewable in the Cloudflare dashboard, but you cannot run plan again because it attempts to read the ACL and throws a NotImplemented error.

Important Factoids

Using Cloudflare R2 which has some S3 API compatibility
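
An added example, not part of the issue and not the provider's code: one way a bucket read could tolerate the NotImplemented responses listed above while still failing on every other error. The `apiError` type, the `call` struct and `readBucket` are hypothetical stand-ins, and the sample errors are constructed; an operation recorded as unsupported leaves that setting (ACL, encryption) unknown rather than verified.

```go
package main

import (
	"errors"
	"fmt"
)

// apiError is a constructed stand-in for an S3 API error carrying an error code.
type apiError struct{ code, msg string }

func (e *apiError) Error() string { return e.code + ": " + e.msg }
func (e *apiError) Code() string  { return e.code }

// isNotImplemented reports whether err, or anything it wraps, has code NotImplemented.
func isNotImplemented(err error) bool {
	var coded interface{ Code() string }
	return errors.As(err, &coded) && coded.Code() == "NotImplemented"
}

// call is one sub-resource read performed while refreshing a bucket (hypothetical).
type call struct {
	name string
	do   func() error
}

// readBucket runs every call. NotImplemented is recorded in unsupported and
// the read continues; any other error (for example AccessDenied) aborts it.
func readBucket(calls []call) (unsupported []string, err error) {
	for _, c := range calls {
		if e := c.do(); e != nil {
			if isNotImplemented(e) {
				unsupported = append(unsupported, c.name)
				continue
			}
			return unsupported, fmt.Errorf("reading %s: %w", c.name, e)
		}
	}
	return unsupported, nil
}

func main() {
	calls := []call{
		{"GetBucketAcl", func() error {
			return fmt.Errorf("ACL: %w", &apiError{"NotImplemented", "GetBucketAcl not implemented"})
		}},
		{"GetBucketEncryption", func() error { return nil }},
	}
	skipped, err := readBucket(calls)
	fmt.Println(skipped, err)
}
```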

Cyb3r-Jak3 commented 2 years ago

R2 has been updated. It now returns dummy responses for

cron410 commented 1 year ago

I'm attempting the same thing with the same config and just get MissingRegion: could not find region configuration

Edit: The following configs in providers.tf show the same issue with any combination of Terraform 1.1.7 and 1.2.4

aws = {
    source  = "hashicorp/aws"
    version = "~> 4.36"
  }

and

aws = {
    source  = "hashicorp/aws"
    version = "4.20.1"
  }