aws_s3_bucket lifecycle encryption versus new aws_s3_bucket_... resources

[CyrilDevOps]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

╰$ terraform -v
Terraform v0.14.11

• provider registry.terraform.io/hashicorp/aws v3.75.0

Affected Resource(s)

• aws_s3_bucket
• aws_s3_bucket_lifecycle_configuration
• aws_s3_bucket_server_side_encryption_configuration

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp

When I configured a the encryption and the lifecycle for my bucket s3 with the new aws_s3_bucket_... resources,
the plan will try to remove it from aws_s3_bucket.
When I applied the plan it removed the configuration in AWS too.
The next plan want to create the aws_s3_bucket_lifecycle_configuration and aws_s3_bucket_server_side_encryption_configuration to setup again lifecycle and encryption in AWS.

Both aws_s3_bucket and aws_s3_bucket_lifecycle_configuration/aws_s3_bucket_server_side_encryption_configuration fight again each other all the time.

Debug Output

Panic Output

Expected Behavior

The configuration made by aws_s3_bucket_lifecycle_configuration/aws_s3_bucket_server_side_encryption_configuration fight must stay and not try to be overwritten by aws_s3_bucket.

Actual Behavior

Can't have a stable setup with encryption and lifecycle with the resource aws_s3_bucket_lifecycle_configuration/aws_s3_bucket_server_side_encryption_configuration fight .

Steps to Reproduce

1. terraform apply

Important Factoids

References

• #0000

[anGie44]

Hi @CyrilDevOps , thank you for raising this issue. Do you mind providing the configuration you are working with? Does this behavior persist if the source bucket ( aws_s3_bucket configuration) has a lifecycle configuration block to ignore changes to both lifecycle_rule and server_side_encryption_configuration?

[anGie44]

I'm seeing that the documentation shows Usage Notes in the lifecycle configuration resource but not the server side encryption configuration so that needs to be corrected.

[CyrilDevOps]

This is my s3 module terraform, I have a s3 bucket with a lifecycle rules and encryption with KMS.

resource "aws_s3_bucket" "bucket" {
  bucket = var.s3.name

  tags = var.s3.tags
}

resource "aws_s3_bucket_lifecycle_configuration" "lifecycle" {
  bucket = aws_s3_bucket.bucket.id

  rule {
    id                                     = "cleanup"
    status                                 = "Enabled"
    abort_incomplete_multipart_upload {
      days_after_initiation = 1
    }
    expiration {
      days = 30
    }
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "encryption" {
  bucket = aws_s3_bucket.bucket.id

  rule {
    apply_server_side_encryption_by_default {
      kms_master_key_id = var.s3.kms_key_id
      sse_algorithm     = "aws:kms"
    }
    bucket_key_enabled = false
  }
}

resource "aws_s3_bucket_policy" "policy" {
  bucket = aws_s3_bucket.bucket.id
  policy = data.aws_iam_policy_document.prevent_unencrypted_uploads.json
}

When I do a plan with terraform (aws provider 3.75.0), it try to remove the encyrption and lifecycle rules and policy from the bucket :

  # module.s3.aws_s3_bucket.bucket will be updated in-place
  ~ resource "aws_s3_bucket" "bucket" {
        id                          = "xxx
      - policy                      = jsonencode(
            {
              - Statement = [
                  - { ... }]})
      - lifecycle_rule {
          - abort_incomplete_multipart_upload_days = 1 -> null
          - enabled                                = true -> null
          - id                                     = "cleanup" -> null           
          ....
      - server_side_encryption_configuration {
          - rule {
              - bucket_key_enabled = false -> null

              - apply_server_side_encryption_by_default {....

If I apply that, the next plan will try to try to set back those config based on the corresponding resources, and then the third plan will try to remove them based on the bucket resource.

If I use aws provider 4.6.0, my terraform plan is empty and everything is good and stable.

[dsech]

Same issue with cors_rule block vs aws_s3_bucket_cors_configuration.
The issue disappears if cors_rule is added in lifecycle ignore_changes for the aws_s3_bucket resource

[anGie44]

Hi all, this is expected behavior (in v3.75.0) as we could not additionally make all the S3 bucket arguments Computed because Terraform will not behave appropriately when those arguments are removed from their aws_s3_bucket configurations e.g. an S3 bucket CORS rule won't be removed if it is done so in terraform or Server Side Encryption configuration won't be disabled from the bucket if removed in terraform. To prevent regressions for users that are solely working with aws_s3_bucket resources, we've maintained the aws_s3_bucket as-is (only adding deprecation notes) and we've documented the lifecycle configuration block usage in these new resources (with the exception of SSE which is now added in #23781 and any resource whose corresponding argument was already Computed in the aws_s3_bucket resource e.g. versioning)

[anGie44]

Hi all noting here that in a upcoming 4.x release, the above mentioned PRs will remove the need to add a lifecycle block to ignore competing diffs in the aws_s3_bucket resource and the corresponding aws_s3_bucket_* resources. More info on this will be available in the docs and updated upgrade guide.

[github-actions]

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.