aws 3.75 aws_s3_bucket_server_side_encryption_configuration toggling bucket encryption #23888

Closed
ceastman-r7 opened this issue Mar 27, 2022 · 4 comments
Labels
service/s3 Issues and PRs that pertain to the s3 service.

@ceastman-r7

Terraform CLI and Terraform AWS Provider Version

Terraform v1.0.0
on darwin_amd64

  • provider local.terraform.com/rapid7/gotemplate v1.0.0
  • provider local.terraform.com/rapid7/spinnaker v1.0.0
  • provider registry.terraform.io/hashicorp/aws v3.75.0
  • provider registry.terraform.io/hashicorp/helm v2.4.1
  • provider registry.terraform.io/hashicorp/kubernetes v2.9.0
  • provider registry.terraform.io/hashicorp/local v2.2.2
  • provider registry.terraform.io/hashicorp/null v3.1.1
  • provider registry.terraform.io/hashicorp/random v3.1.2
  • provider registry.terraform.io/hashicorp/template v2.2.0

Affected Resource(s)

aws_s3_bucket_server_side_encryption_configuration

Terraform Configuration Files

resource "aws_s3_bucket_server_side_encryption_configuration" "test_configuration" {
  bucket = aws_s3_bucket.test_configuration.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

Expected Behavior

This should enable encryption of the s3 bucket and leave the encryption setting enabled after each terraform apply

Actual Behavior

Each time terraform apply is run the encryption of the bucket is turned off and on

Steps to Reproduce

terraform apply

module.name.aws_s3_bucket_server_side_encryption_configuration.test_configuration will be created

  + resource "aws_s3_bucket_server_side_encryption_configuration" "test_configuration" {
      + bucket = "s3bucketname"
      + id = (known after apply)

      + rule {
          + apply_server_side_encryption_by_default {
              + sse_algorithm = "AES256"
            }
        }
    }

terraform apply

module.name.aws_s3_bucket.test_configuration will be updated in-place

  ~ resource "aws_s3_bucket" "test_configuration" {
        id = "s3bucketname"
        tags = {}
        # (11 unchanged attributes hidden)

      - server_side_encryption_configuration {
          - rule {
              - bucket_key_enabled = false -> null

              - apply_server_side_encryption_by_default {
                  - sse_algorithm = "AES256" -> null
                }
            }
        }

        # (1 unchanged block hidden)
    }

anGie44 commented Mar 27, 2022

Hi @ceastman-r7, thank you for raising this issue. For the aws_s3_bucket_server_side_encryption_configuration to be used alongside the aws_s3_bucket resource, the source bucket must have a lifecycle config block to ignore changes to its internal server_side_encryption_configuration argument. This was not made apparent in the docs in v3.75.0 of the provider but the Usage Notes section in v3.75.1 of the AWS provider shows an example for reference https://registry.terraform.io/providers/hashicorp/aws/3.75.1/docs/resources/s3_bucket_server_side_encryption_configuration#usage-notes.

Hopefully this info helps @ceastman-r7 and if you have any follow-up questions, let us know.


anGie44 commented Mar 27, 2022

Relates #23781, #23758

@ceastman-r7
Author

@anGie44 Looks like that fixed me up. Thank you.

Add the following to aws_s3_bucket:

  lifecycle {
    ignore_changes = [
      server_side_encryption_configuration
    ]
  }
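
A CI-side check for the drift reported in this issue, as an added example that is not part of the original thread or the provider's code: it reads the JSON form of a plan (`terraform show -json <planfile>`) and reports any `aws_s3_bucket` update that would drop an existing encryption block. The sample plan is constructed and trimmed to the fields the check reads; `encryption_removals` and the second bucket address are hypothetical names.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output,
# trimmed to the fields this check reads. Addresses and values are illustrative.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "module.name.aws_s3_bucket.test_configuration", "type": "aws_s3_bucket",
   "change": {"actions": ["update"],
    "before": {"server_side_encryption_configuration": [{"rule": [
      {"bucket_key_enabled": false,
       "apply_server_side_encryption_by_default": [{"sse_algorithm": "AES256"}]}]}]},
    "after": {"server_side_encryption_configuration": []},
    "after_unknown": {}}},
  {"address": "module.name.aws_s3_bucket.other", "type": "aws_s3_bucket",
   "change": {"actions": ["update"],
    "before": {"server_side_encryption_configuration": [{"rule": [
      {"apply_server_side_encryption_by_default": [{"sse_algorithm": "AES256"}]}]}]},
    "after": {},
    "after_unknown": {"server_side_encryption_configuration": true}}}
]}
""")

ATTR = "server_side_encryption_configuration"


def encryption_removals(plan):
    """Return addresses of aws_s3_bucket resources whose planned in-place
    update drops an encryption block that exists in the prior state."""
    flagged = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_s3_bucket":
            continue
        change = rc.get("change") or {}
        if "update" not in change.get("actions", []):
            continue
        # A value that is only known after apply is not a removal.
        if (change.get("after_unknown") or {}).get(ATTR):
            continue
        before = (change.get("before") or {}).get(ATTR) or []
        after = (change.get("after") or {}).get(ATTR) or []
        if before and not after:
            flagged.append(rc["address"])
    return flagged


if __name__ == "__main__":
    for address in encryption_removals(SAMPLE_PLAN):
        print(f"encryption block would be removed: {address}")
```

Failing the pipeline when this list is non-empty catches the case where the `ignore_changes` entry is missing from a bucket that has a separate encryption configuration resource.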


github-actions bot commented May 5, 2022

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 5, 2022