aws_s3_bucket_* backported to version 3.75.1 #23981

Closed
rngan opened this issue Mar 31, 2022 · 3 comments
Labels
service/s3 Issues and PRs that pertain to the s3 service.

rngan commented Mar 31, 2022

Running:

AWS Provider version 3.75.1
TF version 1.1.5

I tested migrating to the backported S3 resources for:

aws_s3_bucket_logging
aws_s3_bucket_server_side_encryption_configuration

It creates the resources the first time, no problem. However, on subsequent plans/applies using the exact same code (no changes - just a re-run), it removes the resources. 3rd time, it creates again.

FYI, I also tested the following:

aws_s3_bucket_acl
aws_s3_bucket_versioning

No issues, works as expected. Resources stay even after subsequent runs.

Terraform Configuration Files

resource "aws_s3_bucket" "bucket" {
  bucket = "${var.tenant}-${var.environment}-bucket"
  tags = {
    environment = var.environment
    tenant      = var.tenant
  }
}

resource "aws_s3_bucket_public_access_block" "s3-block" {
  bucket = aws_s3_bucket.bucket.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_acl" "acl-private" {
  bucket = aws_s3_bucket.bucket.id
  acl    = "private"
}

resource "aws_s3_bucket_server_side_encryption_configuration" "sse-enable" {
  bucket = aws_s3_bucket.bucket.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

resource "aws_s3_bucket_versioning" "versioning_enabled" {
  bucket = aws_s3_bucket.bucket.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_logging" "logging" {
  bucket = aws_s3_bucket.bucket.id

  target_bucket = var.s3_log_bucket
  target_prefix = "bucket-${var.tenant}-${var.environment}/s3-access-logs/"
}

Expected Behavior

It creates the resources during the 1st plan/apply.

Actual Behavior

It removes the resources during the 2nd plan/apply.
It adds the resources during the 3rd plan/apply.
Keeps going in circles during each subsequent plan/apply.

References

https://github.com/hashicorp/terraform-provider-aws/releases/tag/v3.75.0
#23106 (comment)

@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. service/s3 Issues and PRs that pertain to the s3 service. labels Mar 31, 2022
@anGie44 anGie44 removed the needs-triage Waiting for first response or review from a maintainer. label Apr 1, 2022

anGie44 commented Apr 1, 2022

Hi @rngan 👋, thank you for raising this issue. For reference, this has been noted in #23758. In cases where arguments are removed from the source S3 bucket resource, you'll want to include the following block in the source S3 bucket, where the ignore_changes array should include the s3 bucket's arguments that have migrated to the independent resources.

lifecycle { 
  ignore_changes = [ ... ] 
}

More example usage should be available in each independent resource's documentation page hosted at https://registry.terraform.io/providers/hashicorp/aws/3.75.1/docs.
With the upcoming changes related to #23106 (to be released in a 4.x version), the S3 bucket resource will no longer require this lifecycle block.
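
Applied to the configuration in this issue, the lifecycle block could look like the following. This is an added example, not part of the original comment or the provider's documentation; it assumes the 3.x aws_s3_bucket argument names logging and server_side_encryption_configuration for the two settings the reporter saw flip-flop, and it references the bucket by its declared name, aws_s3_bucket.bucket.

```hcl
# Added example for AWS provider 3.75.x; resource names follow the reporter's config.
resource "aws_s3_bucket" "bucket" {
  bucket = "${var.tenant}-${var.environment}-bucket"

  tags = {
    environment = var.environment
    tenant      = var.tenant
  }

  lifecycle {
    # Logging and default encryption are managed by the standalone resources
    # below, so the bucket resource must not try to reconcile (and remove) them.
    # Assumption: these are the matching argument names on the 3.x bucket resource.
    ignore_changes = [
      logging,
      server_side_encryption_configuration,
    ]
  }
}

# Default encryption, managed independently of the bucket resource.
resource "aws_s3_bucket_server_side_encryption_configuration" "sse-enable" {
  bucket = aws_s3_bucket.bucket.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# Server access logging, managed independently of the bucket resource.
resource "aws_s3_bucket_logging" "logging" {
  bucket = aws_s3_bucket.bucket.id

  target_bucket = var.s3_log_bucket
  target_prefix = "bucket-${var.tenant}-${var.environment}/s3-access-logs/"
}
```

With the block in place, two consecutive terraform plan runs should both report no changes. Until then, every second apply leaves the bucket without its default encryption and access logging settings, so confirm the live bucket configuration after migrating.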

anGie44 commented Apr 1, 2022

I'm going to close this issue as it's a duplicate of #23758, but if you have any follow-up questions please reach out there 👍

@anGie44 anGie44 closed this as completed Apr 1, 2022

github-actions bot commented May 5, 2022

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 5, 2022