From 2cc5043068fd2821be7156534f7f3f92193532ae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20K=C3=A4ufl?=
Date: Tue, 15 Jun 2021 19:18:46 +0200
Subject: [PATCH] Do not remove account and region from non-bucket s3 ARNs
Fixes cloudtools/awacs#185
---
 awacs/aws.py | 7 +++++--
 awacs/s3.py | 8 ++++++--
 scrape/scrape.py | 8 ++++++--
 tests/test_s3.py | 11 +++++++++++
 4 files changed, 28 insertions(+), 6 deletions(-)
diff --git a/awacs/aws.py b/awacs/aws.py
index a71ac70c..eb89a6d5 100644
--- a/awacs/aws.py
+++ b/awacs/aws.py
@@ -73,8 +73,11 @@ def __init__(
 else:
 aws_partition = "aws"
- regionless = ["iam", "s3"]
- if service in regionless:
+ if service == "iam":
+ region = ""
+ elif service == "s3" and not resource.startswith(
+ ("accesspoint/", "job/", "storage-lens/")
+ ):
 region = ""
 self.data = "arn:%s:%s:%s:%s:%s" % (
diff --git a/awacs/s3.py b/awacs/s3.py
index 0e38dfba..28a5682d 100644
--- a/awacs/s3.py
+++ b/awacs/s3.py
@@ -17,8 +17,12 @@ def __init__(self, action: str = None) -> None:
 class ARN(BaseARN):
 def __init__(self, resource: str = "", region: str = "", account: str = "") -> None:
- # account is empty for S3
- super().__init__(service=prefix, resource=resource, region=region, account="")
+ # account is empty for S3 buckets
+ if not resource.startswith(("accesspoint/", "job/", "storage-lens/")):
+ account = ""
+ super().__init__(
+ service=prefix, resource=resource, region=region, account=account
+ )
 AbortMultipartUpload = Action("AbortMultipartUpload")
diff --git a/scrape/scrape.py b/scrape/scrape.py
index 7f841200..eab694d4 100755
--- a/scrape/scrape.py
+++ b/scrape/scrape.py
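Review bot: The prefix test in the new `elif` cannot tell a non-bucket resource from an object in a bucket that is literally named `job`, `accesspoint` or `storage-lens`, so `ARN("job/key", "us-gov-west-1", "account")` now keeps region and account and produces an ARN that matches no bucket object. tests/test_s3.py shows callers passing a region with bucket ARNs to select the partition, so this path is reachable; in a policy the mismatched ARN means an Allow, or more seriously a Deny, silently stops applying. The same check is repeated in the awacs/s3.py and scrape/scrape.py hunks. The string alone cannot disambiguate, so at minimum document the limit beside the check, e.g. `# NOTE: a bucket named "job", "accesspoint" or "storage-lens" is treated as a non-bucket resource here`. The enclosing `__init__` starts and ends outside the hunk.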
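Review bot: The tuple `("accesspoint/", "job/", "storage-lens/")` is now written out three times (awacs/aws.py, this `ARN.__init__`, and the template in scrape/scrape.py), with the region rule in `BaseARN` and the account rule here. If a later edit extends only one copy, region and account handling drift apart and the emitted ARN is half-qualified, which is hard to spot in a generated policy. Defining the tuple once and referencing it from both checks would keep them aligned, assuming s3.py can import it from awacs/aws.py (the import lines are outside the hunk). Failing that, a comment on each copy such as `# keep in sync with BaseARN.__init__ in awacs/aws.py` records the coupling.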
@@ -43,8 +43,12 @@ def __init__(self, action: str = None) -> None:
 class ARN(BaseARN):
 def __init__(self, resource: str = "", region: str = "", account: str = "") -> None:
- # account is empty for S3
- super().__init__(service=prefix, resource=resource, region=region, account="")
+ # account is empty for S3 buckets
+ if not resource.startswith(("accesspoint/", "job/", "storage-lens/")):
+ account = ""
+ super().__init__(
+ service=prefix, resource=resource, region=region, account=account
+ )
 """
 BASEDIR = "awacs"
diff --git a/tests/test_s3.py b/tests/test_s3.py
index 5b8ac436..5ad65437 100644
--- a/tests/test_s3.py
+++ b/tests/test_s3.py
@@ -15,3 +15,14 @@ def test_cn(self):
 def test_gov(self):
 arn = ARN("bucket/key", "us-gov-west-1", "account")
 self.assertEqual(arn.JSONrepr(), "arn:aws-us-gov:s3:::bucket/key")
+
+ def test_non_bucket_arns(self):
+ for resource in [
+ "accesspoint/my-access-point",
+ "job/job-id",
+ "storage-lens/config-id",
+ ]:
+ arn = ARN(resource, "us-east-1", "111122223333")
+ self.assertEqual(
+ arn.JSONrepr(), f"arn:aws:s3:us-east-1:111122223333:{resource}"
+ )
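Review bot: `test_non_bucket_arns` covers only the three prefixes on their happy path; nothing pins the boundary where a bucket name merely begins with one of them. An assertion such as `self.assertEqual(ARN("jobs/key", "us-east-1", "111122223333").JSONrepr(), "arn:aws:s3:::jobs/key")` would fail if the trailing slash were ever dropped from a prefix, which is the kind of regression that would quietly change which resources a policy statement matches. A case that passes an account with an empty region would also be worth adding, so the account-only form is covered.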