hashicorp · ewbankkit · Dec 21, 2022 · Dec 9, 2022 · Dec 15, 2022 · Dec 15, 2022
@@ -0,0 +1,3 @@
+```release-note:new-data-source
+aws_s3control_multi_region_access_point
+```
@@ -870,7 +870,8 @@ func New(ctx context.Context) (*schema.Provider, error) {
 			"aws_s3_bucket_objects": s3.DataSourceBucketObjects(), // DEPRECATED: use aws_s3_objects instead
 			"aws_s3_bucket_policy":  s3.DataSourceBucketPolicy(),
 
-			"aws_s3_account_public_access_block": s3control.DataSourceAccountPublicAccessBlock(),
+			"aws_s3_account_public_access_block":      s3control.DataSourceAccountPublicAccessBlock(),
+			"aws_s3control_multi_region_access_point": s3control.DataSourceMultiRegionAccessPoint(),
 
 			"aws_sagemaker_prebuilt_ecr_image": sagemaker.DataSourcePrebuiltECRImage(),
 

@@ -0,0 +1,135 @@
+package s3control
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/arn"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-provider-aws/internal/conns"
+	"github.com/hashicorp/terraform-provider-aws/internal/verify"
+)
+
+func DataSourceMultiRegionAccessPoint() *schema.Resource {
+	return &schema.Resource{
+		ReadWithoutTimeout: dataSourceMultiRegionAccessPointBlockRead,
+
+		Schema: map[string]*schema.Schema{
+			"account_id": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				Computed:     true,
+				ValidateFunc: verify.ValidAccountID,
+			},
+			"alias": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"arn": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"created_at": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"domain_name": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"name": {
+				Type:     schema.TypeString,
+				Required: true,
+			},
+			"public_access_block": {
+				Type:     schema.TypeList,
+				Computed: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"block_public_acls": {
+							Type:     schema.TypeBool,
+							Computed: true,
+						},
+						"block_public_policy": {
+							Type:     schema.TypeBool,
+							Computed: true,
+						},
+						"ignore_public_acls": {
+							Type:     schema.TypeBool,
+							Computed: true,
+						},
+						"restrict_public_buckets": {
+							Type:     schema.TypeBool,
+							Computed: true,
+						},
+					},
+				},
+			},
+			"regions": {
+				Type:     schema.TypeList,
+				Computed: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"bucket": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+						"region": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+					},
+				},
+			},
+			"status": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+		},
+	}
+}
+
+func dataSourceMultiRegionAccessPointBlockRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	conn, err := ConnForMRAP(meta.(*conns.AWSClient))
+
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	accountID := meta.(*conns.AWSClient).AccountID
+	if v, ok := d.GetOk("account_id"); ok {
+		accountID = v.(string)
+	}
+	name := d.Get("name").(string)
+
+	accessPoint, err := FindMultiRegionAccessPointByAccountIDAndName(conn, accountID, name)
+
+	if err != nil {
+		return diag.Errorf("reading S3 Multi Region Access Point (%s): %s", name, err)
+	}
+
+	d.SetId(MultiRegionAccessPointCreateResourceID(accountID, name))
+
+	alias := aws.StringValue(accessPoint.Alias)
+	arn := arn.ARN{
+		Partition: meta.(*conns.AWSClient).Partition,
+		Service:   "s3",
+		AccountID: accountID,
+		Resource:  fmt.Sprintf("accesspoint/%s", alias),
+	}.String()
+	d.Set("account_id", accountID)
+	d.Set("alias", alias)
+	d.Set("arn", arn)
+	d.Set("created_at", aws.TimeValue(accessPoint.CreatedAt).Format(time.RFC3339))
+	// https://docs.aws.amazon.com/AmazonS3/latest/userguide//MultiRegionAccessPointRequests.html#MultiRegionAccessPointHostnames.
+	d.Set("domain_name", meta.(*conns.AWSClient).PartitionHostname(fmt.Sprintf("%s.accesspoint.s3-global", alias)))
+	d.Set("name", accessPoint.Name)
+	d.Set("public_access_block", []interface{}{flattenPublicAccessBlockConfiguration(accessPoint.PublicAccessBlock)})
+	d.Set("regions", flattenRegionReports(accessPoint.Regions))
+	d.Set("status", accessPoint.Status)
+
+	return nil
+}
@@ -0,0 +1,108 @@
+package s3control_test
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/aws/aws-sdk-go/service/s3control"
+	sdkacctest "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-provider-aws/internal/acctest"
+)
+
+func TestAccS3ControlMultiRegionAccessPointDataSource_basic(t *testing.T) {
+	resourceName := "aws_s3control_multi_region_access_point.test"
+	dataSourceName := "data.aws_s3control_multi_region_access_point.test"
+
+	bucket1Name := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+	bucket2Name := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+
+	if acctest.Partition() == "aws-us-gov" {
+		t.Skip("S3 Multi-Region Access Point is not supported in GovCloud partition")
+	}
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(t); acctest.PreCheckMultipleRegion(t, 2) },
+		ErrorCheck:               acctest.ErrorCheck(t, s3control.EndpointsID),
+		ProtoV5ProviderFactories: acctest.ProtoV5FactoriesMultipleRegions(t, 2),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccMultiRegionAccessPointDataSourceConfig_basic(bucket1Name, bucket2Name, rName),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckResourceAttrPair(resourceName, "account_id", dataSourceName, "account_id"),
+					resource.TestCheckResourceAttrPair(resourceName, "alias", dataSourceName, "alias"),
+					resource.TestCheckResourceAttrPair(resourceName, "arn", dataSourceName, "arn"),
+					resource.TestCheckResourceAttrPair(resourceName, "domain_name", dataSourceName, "domain_name"),
+					resource.TestCheckResourceAttrPair(resourceName, "details.0.name", dataSourceName, "name"),
+					resource.TestCheckResourceAttrPair(resourceName, "details.0.public_access_block.0.block_public_acls", dataSourceName, "public_access_block.0.block_public_acls"),
+					resource.TestCheckResourceAttrPair(resourceName, "details.0.public_access_block.0.block_public_policy", dataSourceName, "public_access_block.0.block_public_policy"),
+					resource.TestCheckResourceAttrPair(resourceName, "details.0.public_access_block.0.ignore_public_acls", dataSourceName, "public_access_block.0.ignore_public_acls"),
+					resource.TestCheckResourceAttrPair(resourceName, "details.0.public_access_block.0.restrict_public_buckets", dataSourceName, "public_access_block.0.restrict_public_buckets"),
+					resource.TestCheckTypeSetElemNestedAttrs(resourceName, "details.0.region.*", map[string]string{
+						"bucket": bucket1Name,
+					}),
+					resource.TestCheckTypeSetElemNestedAttrs(resourceName, "details.0.region.*", map[string]string{
+						"bucket": bucket2Name,
+					}),
+					resource.TestCheckResourceAttrPair(resourceName, "status", dataSourceName, "status"),
+				),
+			},
+		},
+	})
+}
+
+func testAccMultiRegionAccessPointDataSource_base(bucket1Name string, bucket2Name string, rName string) string {
+	return acctest.ConfigCompose(
+		acctest.ConfigMultipleRegionProvider(2),
+		fmt.Sprintf(`
+resource "aws_s3_bucket" "test1" {
+  provider = aws
+
+  bucket        = %[1]q
+  force_destroy = true
+}
+
+resource "aws_s3_bucket" "test2" {
+  provider = awsalternate
+
+  bucket        = %[2]q
+  force_destroy = true
+}
+
+resource "aws_s3control_multi_region_access_point" "test" {
+  provider = aws
+
+  details {
+    name = %[3]q
+
+    region {
+      bucket = aws_s3_bucket.test1.id
+    }
+
+    region {
+      bucket = aws_s3_bucket.test2.id
+    }
+
+    public_access_block {
+      block_public_acls       = false
+      block_public_policy     = false
+      ignore_public_acls      = false
+      restrict_public_buckets = false
+    }
+  }
+}
+`, bucket1Name, bucket2Name, rName))
+}
+
+func testAccMultiRegionAccessPointDataSourceConfig_basic(bucket1Name string, bucket2Name string, rName string) string {
+	return acctest.ConfigCompose(testAccMultiRegionAccessPointDataSource_base(bucket1Name, bucket2Name, rName), fmt.Sprintf(`
+data "aws_s3control_multi_region_access_point" "test" {
+  provider = aws
+
+  name = %[1]q
+
+  depends_on = [aws_s3control_multi_region_access_point.test]
+}
+`, rName))
+}
@@ -0,0 +1,56 @@
+---
+subcategory: "S3 Control"
+layout: "aws"
+page_title: "AWS: aws_s3control_multi_region_access_point"
+description: |-
+  Provides details an S3 Multi-Region Access Point.
+---
+
+# Data Source: aws_s3control_multi_region_access_point
+
+Provides details on a specific S3 Multi-Region Access Point.
+
+## Example Usage
+
+```terraform
+data "aws_s3control_multi_region_access_point" "example" {
+  name = "example"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `account_id` - (Optional) The AWS account ID of the S3 Multi-Region Access Point. Defaults to automatically determined account ID of the Terraform AWS provider.
+* `name` - (Required) The name of the Multi-Region Access Point.
+
+## Attributes Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* `alias` - The alias for the Multi-Region Access Point.
+* `arn` - Amazon Resource Name (ARN) of the Multi-Region Access Point.
+* `created_at` - Timestamp when the resource has been created.
+* `domain_name` - The DNS domain name of the S3 Multi-Region Access Point in the format _`alias`_.accesspoint.s3-global.amazonaws.com. For more information, see the documentation on [Multi-Region Access Point Requests](https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiRegionAccessPointRequests.html).
+* `public_access_block` - Public Access Block of the Multi-Region Access Point. Detailed below.
+* `regions` - A collection of the regions and buckets associated with the Multi-Region Access Point.
+* `status` - The current status of the Multi-Region Access Point.
+
+### public_access_block
+
+* `block_public_acls` - Specifies whether Amazon S3 should block public access control lists (ACLs). When set to `true` causes the following behavior:
+    * PUT Bucket acl and PUT Object acl calls fail if the specified ACL is public.
+    * PUT Object calls fail if the request includes a public ACL.
+    * PUT Bucket calls fail if the request includes a public ACL.
+* `block_public_policy` - Specifies whether Amazon S3 should block public bucket policies for buckets in this account. When set to `true` causes Amazon S3 to:
+    * Reject calls to PUT Bucket policy if the specified bucket policy allows public access.
+* `ignore_public_acls` - Specifies whether Amazon S3 should ignore public ACLs for buckets in this account. When set to `true` causes Amazon S3 to:
+    * Ignore all public ACLs on buckets in this account and any objects that they contain.
+* `restrict_public_buckets` - Specifies whether Amazon S3 should restrict public bucket policies for buckets in this account. When set to `true`:
+    * Only the bucket owner and AWS Services can access buckets with public policies.
+
+### regions
+
+* `bucket` - The name of the bucket.
+* `region` - The name of the region.
@@ -103,7 +103,6 @@ In addition to all arguments above, the following attributes are exported:
 
 * `alias` - The alias for the Multi-Region Access Point.
 * `arn` - Amazon Resource Name (ARN) of the Multi-Region Access Point.
-* `alias` - The alias for the Multi-Region Access Point.
 * `domain_name` - The DNS domain name of the S3 Multi-Region Access Point in the format _`alias`_.accesspoint.s3-global.amazonaws.com. For more information, see the documentation on [Multi-Region Access Point Requests](https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiRegionAccessPointRequests.html).
 * `id` - The AWS account ID and access point name separated by a colon (`:`).
 * `status` - The current status of the Multi-Region Access Point. One of: `READY`, `INCONSISTENT_ACROSS_REGIONS`, `CREATING`, `PARTIALLY_CREATED`, `PARTIALLY_DELETED`, `DELETING`.