From e6bd230291672a897ec86559d2156ce4d12ca0cd Mon Sep 17 00:00:00 2001
From: Anton Tayanovskyy <anton@pulumi.com>
Date: Thu, 3 Oct 2024 16:29:05 -0400
Subject: [PATCH] Update secrets-provider to BucketV2 (#1704)

Re: pulumi/home#3631
---
 secrets-provider/aws/README.md   | 10 ++--------
 secrets-provider/aws/index.ts    | 10 +++++++---
 secrets-provider/vault/README.md | 11 +++--------
 secrets-provider/vault/index.ts  | 10 +++++++---
 4 files changed, 19 insertions(+), 22 deletions(-)

diff --git a/secrets-provider/aws/README.md b/secrets-provider/aws/README.md
index 1878dde9b..dc0310e01 100644
--- a/secrets-provider/aws/README.md
+++ b/secrets-provider/aws/README.md
@@ -64,7 +64,7 @@ pulumi up --yes
 Previewing update (aws-kms):
      Type                    Name                    Plan
  +   pulumi:pulumi:Stack     pulumi-aws-kms-aws-kms  create
- +   ├─ aws:s3:Bucket        bucket                  create
+ +   ├─ aws:s3:BucketV2      bucket                  create
  +   └─ aws:s3:BucketObject  secret                  create
 
 Resources:
@@ -73,7 +73,7 @@ Resources:
 Updating (aws-kms):
      Type                    Name                    Status
  +   pulumi:pulumi:Stack     pulumi-aws-kms-aws-kms  created
- +   ├─ aws:s3:Bucket        bucket                  created
+ +   ├─ aws:s3:BucketV2      bucket                  created
  +   └─ aws:s3:BucketObject  secret                  created
 
 Outputs:
@@ -100,9 +100,3 @@ pulumi up --yes
 error: getting secrets manager: secrets (code=Unknown): InvalidSignatureException: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
 	status code: 400, request id: 35ff51c6-ef88-4c06-9146-361231b8fd4a
 ```
-
-
-
-
-
-
diff --git a/secrets-provider/aws/index.ts b/secrets-provider/aws/index.ts
index cd5132008..5594d204a 100644
--- a/secrets-provider/aws/index.ts
+++ b/secrets-provider/aws/index.ts
@@ -10,10 +10,14 @@ const config = new pulumi.Config();
 const bucketName = config.require('bucketName');
 const secretValue = config.requireSecret('secretValue');
 
-// Create a private bucket
-const bucket = new aws.s3.Bucket("bucket", {
+// Create a private bucket.
+//
+// The configuration is kept very simple as the goal of this example is to demonstrate KMS encryption, not storing
+// secrets in buckets securely. In a real-world scenario if you are certain you need to be storing sensitive data in
+// buckets and have eliminated other storage options, consider setting up a custom KMS key, enforcing TLS, and enabling
+// versioning for the bucket.
+const bucket = new aws.s3.BucketV2("bucket", {
     bucket: bucketName,
-    acl: "private",
 });
 
 // Create an object from the secret value
diff --git a/secrets-provider/vault/README.md b/secrets-provider/vault/README.md
index e6c5ee086..38c64af0c 100644
--- a/secrets-provider/vault/README.md
+++ b/secrets-provider/vault/README.md
@@ -68,7 +68,7 @@ pulumi up --yes
 Previewing update (vault-kms):
      Type                    Name                    Plan
  +   pulumi:pulumi:Stack     pulumi-vault-kms-vault-kms  create
- +   ├─ aws:s3:Bucket        bucket                  create
+ +   ├─ aws:s3:BucketV2      bucket                  create
  +   └─ aws:s3:BucketObject  secret                  create
 
 Resources:
@@ -77,7 +77,7 @@ Resources:
 Updating (aws-kms):
      Type                    Name                    Status
  +   pulumi:pulumi:Stack     pulumi-vault-kms-vault-kms  created
- +   ├─ aws:s3:Bucket        bucket                  created
+ +   ├─ aws:s3:BucketV2      bucket                  created
  +   └─ aws:s3:BucketObject  secret                  created
 
 Outputs:
@@ -99,7 +99,7 @@ You'll notice the secret value is also omitted from the output!
 A quick way to verify if the encryption is using the Vault key is to remove your `VAULT_SERVER_TOKEN` environment variable setting:
 
 ```bash
-unset 
+unset
 pulumi up --yes
 error: getting secrets manager: secrets (code=Unknown): Error making API request.
 
@@ -108,8 +108,3 @@ Code: 400. Errors:
 
 * missing client token
 ```
-
-
-
-
-
diff --git a/secrets-provider/vault/index.ts b/secrets-provider/vault/index.ts
index cd5132008..5594d204a 100644
--- a/secrets-provider/vault/index.ts
+++ b/secrets-provider/vault/index.ts
@@ -10,10 +10,14 @@ const config = new pulumi.Config();
 const bucketName = config.require('bucketName');
 const secretValue = config.requireSecret('secretValue');
 
-// Create a private bucket
-const bucket = new aws.s3.Bucket("bucket", {
+// Create a private bucket.
+//
+// The configuration is kept very simple as the goal of this example is to demonstrate KMS encryption, not storing
+// secrets in buckets securely. In a real-world scenario if you are certain you need to be storing sensitive data in
+// buckets and have eliminated other storage options, consider setting up a custom KMS key, enforcing TLS, and enabling
+// versioning for the bucket.
+const bucket = new aws.s3.BucketV2("bucket", {
     bucket: bucketName,
-    acl: "private",
 });
 
 // Create an object from the secret value