bug: default_tags in aws provider causes aws_s3_object_copy diff each apply

[tfolbrecht]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v1.2.3
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v4.19.0

Affected Resource(s)

"aws_s3_object_copy"

Terraform Configuration Files

aws_s3_object_copy resource example

terraform {
  backend "s3" { # uses s3 backend with kms if this is useful information
    bucket
    key
    region
    kms_key_id
   }
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "4.19.0"
    }
  }
}

provider "aws" {
  region     = var.aws_region
  access_key = var.aws_access_key
  secret_key = var.aws_secret
  default_tags {
    tags = {
      Environment = "environment"
    }
  }
}

resource "aws_s3_object_copy" "copy-object-to-bucket" {
  bucket = "${aws_s3_bucket.target-bucket.id}"
  key    = "targetobjectkey"
  source = "sourcebucket/sourceobjectkey"
}

Debug Output

Terraform will perform the following actions:

  # aws_s3_object_copy.copy-object-to-bucket will be updated in-place
  ~ resource "aws_s3_object_copy" "copy-object-to-bucket" {
      - copy_if_unmodified_since = "2022-07-01T00:00:00-08:00" -> null
        id                       = "targetobjectkey"
        tags                     = {}
      ~ tags_all                 = {
          + "Environment" = "environment"
        }
        # (16 unchanged attributes hidden)
    }

Expected Behavior

Not sure if s3 objects are tag-able
but
Apply tags to s3 object
or
Don't apply tags to s3 object

Actual Behavior

Provider attempts to apply tags to s3 object on each apply

Steps to Reproduce

1. terraform apply
2. terraform apply

Important Factoids

Target S3 bucket is KMS encrypted, Remote S3 bucket is public

[tfolbrecht]

Confirmed objects are taggable,
Mitigating for now with

resource "aws_s3_object_copy" "copy-object-to-bucket" {
  bucket = "${aws_s3_bucket.target-bucket.id}"
  key    = "targetobjectkey"
  source = "sourcebucket/sourceobjectkey"
  
  lifecycle { 
      ignore_changes = [tags_all]
  }
} 

[hameno]

Same with aws_db_proxy_endpoint for me

[hameno]

Any update here?

[rquadling]

@hameno Ditto. OOI, is your endpoint for the target_role = "READ_ONLY"?

[hameno]

@rquadling Yes

[rquadling]

I think

terraform-provider-aws/internal/service/rds/proxy_endpoint.go

Line 190 in 2d2308a

func resourceProxyEndpointUpdate(d *schema.ResourceData, meta interface{}) error {

is the issue in that it only looks at tags, and not tags_all.

	if d.HasChange("tags") {
		o, n := d.GetChange("tags")

		if err := UpdateTags(conn, d.Get("arn").(string), o, n); err != nil {
			return fmt.Errorf("Error updating RDS DB Proxy Endpoint (%s) tags: %w", d.Get("arn").(string), err)
		}
	}

vs

	if d.HasChange("tags_all") {
		o, n := d.GetChange("tags_all")

		if err := UpdateTags(conn, d.Get("arn").(string), o, n); err != nil {
			return fmt.Errorf("updating RDS Cluster (%s) tags: %w", d.Get("arn").(string), err)
		}
	}

and

	if d.HasChange("tags_all") {
		o, n := d.GetChange("tags_all")

		if err := UpdateTags(conn, d.Get("arn").(string), o, n); err != nil {
			return fmt.Errorf("updating RDS Cluster Instance (%s) tags: %w", d.Id(), err)
		}
	}

In looking at the other resources,

terraform-provider-aws/internal/service/rds/cluster.go

Line 1094 in 2d2308a

func resourceClusterUpdate(d *schema.ResourceData, meta interface{}) error {

,

terraform-provider-aws/internal/service/rds/cluster_instance.go

Line 441 in 2d2308a

func resourceClusterInstanceUpdate(d *schema.ResourceData, meta interface{}) error {

(picking 2 at random), they both use tags_all for their processing.

I'll see if I can get a PR made for aws_db_proxy_endpoint (not a GoLang expert).

[rquadling]

I've taken a look at the S3 copy object resource ... not at my ability to make a PR for that ... sorry.

[rquadling]

@hameno The fix for the RDS Proxy Endpoint tags / tags_all has been fixed and merged. So at least we've got that bit done!

[svix-aaron1011]

I believe that the aws_s3_copy_object issue is caused by the way that the "tagging directive" interacts with Terraform state. When the tagging_directive argument is unset, the x-amz-tagging-directive header will be unset (which will default to copying the tags. When the tagging directive is "COPY", AWS appear to ignore x-amz-tagging, and copies over the source tags as though x-amz-tagging was not passed at all.

This means that the tags from default_tags will not actually be applied to the target object, despite terraform-provider-aws passing them to AWS. When terraform-provider-aws reads the target object, it will notice that the tags are "now" unset (they were never set at all), and generates a diff.

Setting tagging_directive = "REPLACE" fixes the constant diff generation (assuming that it's the behavior that you want).

[ascopes]

Had the same issue. Only workaround I could find was declaring a second AWS provider that didn't use default tags and using it specifically as a provider alias for any usages of aws_s3_object_copy.