S3: Move Tagging Functionality into Provider Methods (#13657)

aidehn · web-flow · commit bb27e3e098be · 2026-02-04T20:52:45.000+08:00
diff --git a/localstack-core/localstack/services/s3/provider.py b/localstack-core/localstack/services/s3/provider.py
@@ -212,6 +212,7 @@
     StartAfter,
     StorageClass,
     Tagging,
+    TagSet,
     Token,
     TransitionDefaultMinimumObjectSize,
     UploadIdMarker,
@@ -472,6 +473,19 @@ def _get_cross_account_bucket(
 
         return store, s3_bucket
 
+    def _create_bucket_tags(self, resource_arn: str, account_id: str, region: str, tags: TagSet):
+        store = self.get_store(account_id, region)
+        store.TAGS.tag_resource(arn=resource_arn, tags=tags)
+
+    def _remove_all_bucket_tags(self, resource_arn: str, account_id: str, region: str):
+        store = self.get_store(account_id, region)
+        store.TAGS.tags.pop(resource_arn, None)
+
+    def _list_bucket_tags(self, resource_arn: str, account_id: str, region: str) -> TagSet:
+        store = self.get_store(account_id, region)
+        tags = store.TAGS.list_tags_for_resource(resource_arn)["Tags"]
+        return tags
+
     @staticmethod
     def get_store(account_id: str, region_name: str) -> S3Store:
         # Use default account id for external access? would need an anonymous one
@@ -500,7 +514,7 @@ def create_bucket(
 
         create_bucket_configuration = request.get("CreateBucketConfiguration") or {}
 
-        bucket_tags = create_bucket_configuration.get("Tags")
+        bucket_tags = create_bucket_configuration.get("Tags", [])
         if bucket_tags:
             validate_tag_set(bucket_tags, type_set="create-bucket")
 
@@ -556,9 +570,8 @@ def create_bucket(
         store.buckets[bucket_name] = s3_bucket
         store.global_bucket_map[bucket_name] = s3_bucket.bucket_account_id
         if bucket_tags:
-            store.TAGS.tag_resource(
-                arn=s3_bucket.bucket_arn,
-                tags=bucket_tags,
+            self._create_bucket_tags(
+                s3_bucket.bucket_arn, context.account_id, bucket_region, bucket_tags
             )
         self._cors_handler.invalidate_cache()
         self._storage_backend.create_bucket(bucket_name)
@@ -598,6 +611,9 @@ def delete_bucket(
         self._preconditions_locks.pop(bucket, None)
         # clean up the storage backend
         self._storage_backend.delete_bucket(bucket)
+        self._remove_all_bucket_tags(
+            s3_bucket.bucket_arn, context.account_id, s3_bucket.bucket_region
+        )
 
     def list_buckets(
         self,
@@ -3251,8 +3267,12 @@ def put_bucket_tagging(
         validate_tag_set(tag_set, type_set="bucket")
 
         # remove the previous tags before setting the new ones, it overwrites the whole TagSet
-        store.TAGS.tags.pop(s3_bucket.bucket_arn, None)
-        store.TAGS.tag_resource(s3_bucket.bucket_arn, tags=tag_set)
+        self._remove_all_bucket_tags(
+            s3_bucket.bucket_arn, context.account_id, s3_bucket.bucket_region
+        )
+        self._create_bucket_tags(
+            s3_bucket.bucket_arn, context.account_id, s3_bucket.bucket_region, tag_set
+        )
 
     def get_bucket_tagging(
         self,
@@ -3262,7 +3282,9 @@ def get_bucket_tagging(
         **kwargs,
     ) -> GetBucketTaggingOutput:
         store, s3_bucket = self._get_cross_account_bucket(context, bucket)
-        tag_set = store.TAGS.list_tags_for_resource(s3_bucket.bucket_arn, root_name="Tags")["Tags"]
+        tag_set = self._list_bucket_tags(
+            s3_bucket.bucket_arn, context.account_id, s3_bucket.bucket_region
+        )
         if not tag_set:
             raise NoSuchTagSet(
                 "The TagSet does not exist",
@@ -3280,7 +3302,13 @@ def delete_bucket_tagging(
     ) -> None:
         store, s3_bucket = self._get_cross_account_bucket(context, bucket)
 
-        store.TAGS.tags.pop(s3_bucket.bucket_arn, None)
+        # This operation doesn't remove the tags from the store like deleting a resource does, it just sets them as empty.
+        self._remove_all_bucket_tags(
+            s3_bucket.bucket_arn, context.account_id, s3_bucket.bucket_region
+        )
+        self._create_bucket_tags(
+            s3_bucket.bucket_arn, context.account_id, s3_bucket.bucket_region, []
+        )
 
     def put_object_tagging(
         self,
diff --git a/localstack-core/localstack/services/s3control/exceptions.py b/localstack-core/localstack/services/s3control/exceptions.py
@@ -0,0 +1,6 @@
+from localstack.aws.api import CommonServiceException
+
+
+class NoSuchResource(CommonServiceException):
+    def __init__(self, message=None):
+        super().__init__("NoSuchResource", status_code=404, message=message)
diff --git a/localstack-core/localstack/services/s3control/provider.py b/localstack-core/localstack/services/s3control/provider.py
@@ -1,4 +1,4 @@
-from localstack.aws.api import CommonServiceException, RequestContext
+from localstack.aws.api import RequestContext
 from localstack.aws.api.s3control import (
     AccountId,
     ListTagsForResourceResult,
@@ -9,16 +9,9 @@
     TagResourceResult,
     UntagResourceResult,
 )
-from localstack.aws.forwarder import NotImplementedAvoidFallbackError
-from localstack.services.s3.models import s3_stores
-from localstack.services.s3control.validation import validate_tags
+from localstack.services.s3.models import S3Store, s3_stores
+from localstack.services.s3control.validation import validate_arn_for_tagging, validate_tags
 from localstack.state import StateVisitor
-from localstack.utils.tagging import TaggingService
-
-
-class NoSuchResource(CommonServiceException):
-    def __init__(self, message=None):
-        super().__init__("NoSuchResource", status_code=404, message=message)
 
 
 class S3ControlProvider(S3ControlApi):
@@ -33,26 +26,26 @@ def accept_state_visitor(self, visitor: StateVisitor):
     """
 
     @staticmethod
-    def _get_tagging_service_for_bucket(
-        resource_arn: S3ResourceArn,
-        partition: str,
-        region: str,
-        account_id: str,
-    ) -> TaggingService:
-        s3_prefix = f"arn:{partition}:s3:::"
-        if not resource_arn.startswith(s3_prefix):
-            # Moto does not support Tagging operations for S3 Control, so we should not forward those operations back
-            # to it
-            raise NotImplementedAvoidFallbackError(
-                "LocalStack only support Bucket tagging operations for S3Control"
-            )
+    def get_s3_store(account_id: str, region: str) -> S3Store:
+        return s3_stores[account_id][region]
 
-        store = s3_stores[account_id][region]
-        bucket_name = resource_arn.removeprefix(s3_prefix)
-        if bucket_name not in store.global_bucket_map:
-            raise NoSuchResource("The specified resource doesn't exist.")
+    def _tag_bucket_resource(
+        self, resource_arn: str, partition: str, region: str, account_id: str, tags: TagList
+    ) -> None:
+        tagging_service = self.get_s3_store(account_id, region).TAGS
+        tagging_service.tag_resource(resource_arn, tags)
 
-        return store.TAGS
+    def _untag_bucket_resource(
+        self, resource_arn: str, partition: str, region: str, account_id: str, tag_keys: TagKeyList
+    ) -> None:
+        tagging_service = self.get_s3_store(account_id, region).TAGS
+        tagging_service.untag_resource(resource_arn, tag_keys)
+
+    def _list_bucket_tags(
+        self, resource_arn: str, partition: str, region: str, account_id: str
+    ) -> TagList:
+        tagging_service = self.get_s3_store(account_id, region).TAGS
+        return tagging_service.list_tags_for_resource(resource_arn)["Tags"]
 
     def tag_resource(
         self,
@@ -62,17 +55,11 @@ def tag_resource(
         tags: TagList,
         **kwargs,
     ) -> TagResourceResult:
-        # currently S3Control only supports tagging buckets
-        tagging_service = self._get_tagging_service_for_bucket(
-            resource_arn=resource_arn,
-            partition=context.partition,
-            region=context.region,
-            account_id=account_id,
-        )
-
-        validate_tags(tags=tags)
-        tagging_service.tag_resource(resource_arn, tags)
+        # Currently S3Control only supports tagging buckets
+        validate_arn_for_tagging(resource_arn, context.partition, account_id, context.region)
+        validate_tags(tags)
 
+        self._tag_bucket_resource(resource_arn, context.partition, context.region, account_id, tags)
         return TagResourceResult()
 
     def untag_resource(
@@ -83,28 +70,19 @@ def untag_resource(
         tag_keys: TagKeyList,
         **kwargs,
     ) -> UntagResourceResult:
-        # currently S3Control only supports tagging buckets
-        tagging_service = self._get_tagging_service_for_bucket(
-            resource_arn=resource_arn,
-            partition=context.partition,
-            region=context.region,
-            account_id=account_id,
-        )
-
-        tagging_service.untag_resource(resource_arn, tag_keys)
+        # Currently S3Control only supports tagging buckets
+        validate_arn_for_tagging(resource_arn, context.partition, account_id, context.region)
 
+        self._untag_bucket_resource(
+            resource_arn, context.partition, context.region, account_id, tag_keys
+        )
         return TagResourceResult()
 
     def list_tags_for_resource(
         self, context: RequestContext, account_id: AccountId, resource_arn: S3ResourceArn, **kwargs
     ) -> ListTagsForResourceResult:
-        # currently S3Control only supports tagging buckets
-        tagging_service = self._get_tagging_service_for_bucket(
-            resource_arn=resource_arn,
-            partition=context.partition,
-            region=context.region,
-            account_id=account_id,
-        )
+        # Currently S3Control only supports tagging buckets
+        validate_arn_for_tagging(resource_arn, context.partition, account_id, context.region)
 
-        tags = tagging_service.list_tags_for_resource(resource_arn)
-        return ListTagsForResourceResult(Tags=tags["Tags"])
+        tags = self._list_bucket_tags(resource_arn, context.partition, context.region, account_id)
+        return ListTagsForResourceResult(Tags=tags)
diff --git a/localstack-core/localstack/services/s3control/validation.py b/localstack-core/localstack/services/s3control/validation.py
@@ -1,7 +1,37 @@
 from localstack.aws.api.s3 import InvalidTag
 from localstack.aws.api.s3control import Tag, TagList
+from localstack.aws.forwarder import NotImplementedAvoidFallbackError
 from localstack.services.s3.exceptions import MalformedXML
+from localstack.services.s3.models import s3_stores
 from localstack.services.s3.utils import TAG_REGEX
+from localstack.services.s3control.exceptions import NoSuchResource
+
+
+def validate_arn_for_tagging(
+    resource_arn: str, partition: str, account_id: str, region: str
+) -> None:
+    """
+    Validates the resource ARN for the resource being tagged.
+
+    :param resource_arn: The ARN of the resource being tagged.
+    :param partition: The partition the request is originating from.
+    :param account_id: The account ID of the target resource.
+    :param region: The region the request is originating from.
+    :return: None
+    """
+
+    s3_prefix = f"arn:{partition}:s3:::"
+    if not resource_arn.startswith(s3_prefix):
+        # Moto does not support Tagging operations for S3 Control, so we should not forward those operations back
+        # to it
+        raise NotImplementedAvoidFallbackError(
+            "LocalStack only support Bucket tagging operations for S3Control"
+        )
+
+    store = s3_stores[account_id][region]
+    bucket_name = resource_arn.removeprefix(s3_prefix)
+    if bucket_name not in store.global_bucket_map:
+        raise NoSuchResource("The specified resource doesn't exist.")
 
 
 def validate_tags(tags: TagList):
