Apply with more than 10 default_tags fails due to aws_s3_bucket_objects limit

[oscr]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v1.0.0
provider 3.46.0

Affected Resource(s)

• aws_s3_bucket_object
• default_tags

Terraform Configuration Files

provider "aws" {
  region  = "eu-west-1"
  profile = "users_playground"

  default_tags {
    tags = {
      a = 1
      b = 2
      c = 3
      d = 4
      e = 5
      f = 6
      g = 7
      h = 8
      i = 9
      j = 10
      k = 11
    }
  }
}

resource "aws_s3_bucket" "bucket" {
  bucket_prefix = "foo"
  acl    = "private"
}

resource "aws_s3_bucket_object" "object" {
  bucket = aws_s3_bucket.bucket.id
  key    = "main.tf"
  source = "main.tf"
}

Expected Behavior

The error below is acceptable.

Actual Behavior

╷
│ Error: Error putting object in S3 bucket (foo20210619094644425600000001): BadRequest: Object tags cannot be greater than 10
│ 	status code: 400, request id: YMFZG5HM11CEP1NY, host id: wBrbyiU4dNHCJestnlQu4wFNZYlLK7oIfxh9bDaaQDx8EFuZ3kK7wLTnWoULB0/EtoJyBXMz7ro=
│ 
│   with aws_s3_bucket_object.object,
│   on main.tf line 27, in resource "aws_s3_bucket_object" "object":
│   27: resource "aws_s3_bucket_object" "object" {
│ 

Steps to Reproduce

1. terraform apply

Important Factoids

The problem is that s3 objects have a hard limit on tags:
"You can associate up to 10 tags with an object. Tags that are associated with an object must have unique tag keys. "
https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-tagging.html

At the same time there doesn't seem to be a way of opting out of default tags:
"Provider tags can be overridden with new values, but not excluded from specific resources."
https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags

This means that in practice you can max have 10 default tags if you use s3 object resources. I understand this might sound like a silly use case, but when your company requires a large amount of mandatory tags this becauses a problem.

It would be great if we could for example opt of default tags for bucket objects AND/OR catch this on terraform plan.

Thanks for all your great work with Terraform!

[ChristophShyper]

• More than 10 tags can simply be ignored with some warning message. Just take default order.
• Or provider could have option to ignore default_tags for specific resources, or disable specific tags in affected resource's configuration.

Also, documentation only specifies differences for Auto Scaling Groups, while the one for S3 objects is also very important and should be at least mentioned.

I ended up using separate provider just for aws_s3_bucket_object...

[wschult23]

It would also be helpful, if you could override the default_tags with null values to solve this issue:

resource "aws_s3_bucket_object" "object" {
  bucket = aws_s3_bucket.bucket.id
  key    = "main.tf"
  source = "main.tf"

  tags = {
    c = null
    f = null
  }
}

[jpascoe]

Create separate provider for s3objects

provider "aws" { region = local.region default_tags { tags = local.tags } }
provider "aws" { alias = "no_tags" region = local.region }
resource "aws_s3_object" "s3_tf_code_zip" { provider = aws.no_tags }

[VadimJetstar]

It would also be helpful, if you could override the default_tags with null values to solve this issue:

resource "aws_s3_bucket_object" "object" {
  bucket = aws_s3_bucket.bucket.id
  key    = "main.tf"
  source = "main.tf"

  tags = {
    c = null
    f = null
  }
}

That would be great as https://www.hashicorp.com/blog/default-tags-in-the-terraform-aws-provider documentation clearly states: Setting default tags at the provider level will not supersede tags set on individual resources as resource tags take precedence.

[maunzCache]

Still present in provider version 5.x.
I noticed that using this module here https://github.com/terraform-aws-modules/terraform-aws-lambda

It has specific options to disable all sorts of tagging on an object, however, if you use default_tags (or tags_all) the apply will fail with this module.

[rfarro82]

Any update on this? It has been a real PITA with our Terrafrom

[nishadmehendale]

Please upvote the fix provided on #33262

[oscr]

Thank you @walteh and @ewbankkit for your work resolving this issue 🙏

[github-actions]

This functionality has been released in v5.24.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[shellwhale]

I have registry.terraform.io/hashicorp/aws v5.25 and An argument named "ignore_default_tags" is not expected here. is that normal?

[cawwot]

I have registry.terraform.io/hashicorp/aws v5.25 and An argument named "ignore_default_tags" is not expected here. is that normal?

This is what the implementation ended up looking like:

resource "aws_s3_object" "example_bucket_object" {
  bucket  = aws_s3_bucket.example.id
  key     = example_file
  content = "foo"
  tags = {
    "foo" = "bar"
  }
  override_provider {
    default_tags {
      tags = {}
    }
  }
}

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.