fix: normalize bucket policy Principal values (#38)

Author: kangasta

CHANGELOG.md

@@ -5,6 +5,11 @@ See updating [Changelog example here](https://keepachangelog.com/en/1.0.0/)
 
 ## [Unreleased]
 
+### Fixed
+
+- objsto_bucket_policy: when comparing policy documents, treat wildcard `Principal` value (`"*"`) as equal to `{"AWS": ["*"]}`.
+- objsto_bucket_policy: when comparing policy documents, treat string value in `Principal` field as equal to list containing that string as its only item, e.g. `{"AWS": "*"}` vs. `{"AWS": ["*"]}`.
+
 ## [0.2.1]
 
 ### Fixed

internal/provider/bucket_policy_resource.go

@@ -191,7 +191,7 @@ func normalizePolicyDocument(document string) (string, diag.Diagnostics) {
 		return "", errToDiags(err)
 	}
 
-	// Change ID key into Id (Minio)
+	// Change ID key into Id
 	if id, ok := unmarshaled["ID"]; ok {
 		unmarshaled["Id"] = id
 		delete(unmarshaled, "ID")
@@ -200,12 +200,12 @@ func normalizePolicyDocument(document string) (string, diag.Diagnostics) {
 	if statements, ok := unmarshaled["Statement"].([]interface{}); ok {
 		for _, statement := range statements {
 			if statement, ok := statement.(map[string]interface{}); ok {
-				// Always use array type for Action (Minio)
+				// Always use array type for Action
 				if action, ok := statement["Action"].(string); ok {
 					statement["Action"] = []string{action}
 				}
 
-				// Sort statement actions (Minio)
+				// Sort statement actions
 				if actions, ok := statement["Action"].([]interface{}); ok {
 					sort.Slice(actions, func(i, j int) bool {
 						a, aOk := actions[i].(string)
@@ -216,11 +216,27 @@ func normalizePolicyDocument(document string) (string, diag.Diagnostics) {
 						return a < b
 					})
 				}
+
+				// Use {"AWS": ["*"]} instead of "*" for Principal
+				if _, ok := statement["Principal"].(string); ok {
+					statement["Principal"] = map[string]interface{}{
+						"AWS": []string{"*"},
+					}
+				}
+
+				// Always use array type for Principal values
+				if principal, ok := statement["Principal"].(map[string]interface{}); ok {
+					for key, value := range principal {
+						if s, ok := value.(string); ok {
+							principal[key] = []string{s}
+						}
+					}
+				}
 			}
 		}
 	}
 
-	// Remove "null" Id (UpCloud Managed Object Storage)
+	// Remove "null" Id
 	if id := unmarshaled["Id"]; id == "null" {
 		delete(unmarshaled, "Id")
 	}

internal/provider/bucket_policy_resource_test.go

@@ -53,6 +53,16 @@ func TestNormalizePolicyDocument(t *testing.T) {
 			input:    `{"Statement":[{"Action":["s3:ListBucket","s3:GetBucketLocation"]}]}`,
 			expected: `{"Statement":[{"Action":["s3:GetBucketLocation","s3:ListBucket"]}]}`,
 		},
+		{
+			name:     "Normalizes wildcard Principal",
+			input:    `{"Statement":[{"Principal":"*"}]}`,
+			expected: `{"Statement":[{"Principal":{"AWS":["*"]}}]}`,
+		},
+		{
+			name:     "Normalizes Principal values to arrays",
+			input:    `{"Statement":[{"Principal":{"AWS":"*"}}]}`,
+			expected: `{"Statement":[{"Principal":{"AWS":["*"]}}]}`,
+		},
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
@@ -104,23 +114,14 @@ func TestAccBucketPolicyResource(t *testing.T) {
 }
 
 func TestAccBucketPolicyResource_Normalization(t *testing.T) {
-	tests := []struct {
-		configName string
-		testImport bool
-	}{
-		{
-			configName: "bucket_policy_str_action",
-			testImport: false,
-		},
-		{
-			configName: "bucket_policy_no_id",
-			testImport: true,
-		},
+	configFiles := []string{
+		"bucket_policy_str_action",
+		"bucket_policy_no_id",
 	}
 
-	for _, test := range tests {
-		t.Run(test.configName, func(t *testing.T) {
-			configPath := fmt.Sprintf("testdata/%s.tf", test.configName)
+	for _, configFile := range configFiles {
+		t.Run(configFile, func(t *testing.T) {
+			configPath := fmt.Sprintf("testdata/%s.tf", configFile)
 
 			bucket_name := withSuffix("bucket-policy-no-id")
 			variables := func(allow_get_object bool) map[string]config.Variable {
@@ -143,18 +144,6 @@ func TestAccBucketPolicyResource_Normalization(t *testing.T) {
 				},
 			}
 
-			if test.testImport {
-				steps = append(steps, resource.TestStep{
-					ConfigFile:                           config.StaticFile(configPath),
-					ConfigVariables:                      variables(true),
-					ResourceName:                         "objsto_bucket_policy.this",
-					ImportState:                          true,
-					ImportStateId:                        bucket_name,
-					ImportStateVerifyIdentifierAttribute: "bucket",
-					ImportStateVerify:                    true,
-				})
-			}
-
 			resource.Test(t, resource.TestCase{
 				PreCheck:                 func() { testAccPreCheck(t) },
 				ProtoV6ProviderFactories: testAccProtoV6ProviderFactories,

internal/provider/testdata/bucket_policy_no_id.tf

@@ -18,9 +18,7 @@ resource "objsto_bucket_policy" "this" {
     Version = "2012-10-17",
     Statement = [
       {
-        Principal = {
-          "AWS" = ["*"]
-        }
+        Principal = "*"
         Effect = var.allow_get_object ? "Allow" : "Deny"
         Action = [
           "s3:GetObject",

internal/provider/testdata/bucket_policy_str_action.tf

@@ -19,7 +19,7 @@ resource "objsto_bucket_policy" "this" {
     Statement = [
       {
         Principal = {
-          "AWS" = ["*"]
+          "AWS" = "*"
         }
         Effect = var.allow_get_object ? "Allow" : "Deny"
         Action = "s3:GetObject"