awscc_s3_bucket with basic configuration re-created when apply is re-deployed #1216
I've run into this a few times and it appears to be centered around defaults CloudFormation populates. When you create a bucket using the following definition, the Terraform state contains default Users can work around this problem by populating the

Steps to reproduce.

```hcl
resource "awscc_s3_bucket" "example" {
  bucket_name = "example-bucket-958630"
}
```
```hcl
# awscc_s3_bucket.example:
resource "awscc_s3_bucket" "example" {
  arn = "arn:aws:s3:::example-bucket-958630"
  bucket_encryption = {
    server_side_encryption_configuration = [
      {
        bucket_key_enabled = false
        server_side_encryption_by_default = {
          sse_algorithm = "AES256"
        }
      },
    ]
  }
  bucket_name            = "example-bucket-958630"
  domain_name            = "example-bucket-958630.s3.amazonaws.com"
  dual_stack_domain_name = "example-bucket-958630.s3.dualstack.us-east-1.amazonaws.com"
  id                     = "example-bucket-958630"
  ownership_controls = {
    rules = [
      {
        object_ownership = "BucketOwnerEnforced"
      },
    ]
  }
  public_access_block_configuration = {
    block_public_acls       = true
    block_public_policy     = true
    ignore_public_acls      = true
    restrict_public_buckets = true
  }
  regional_domain_name = "example-bucket-958630.s3.us-east-1.amazonaws.com"
  website_url          = "http://example-bucket-958630.s3-website-us-east-1.amazonaws.com"
}
```
```json
{
  "PublicAccessBlockConfiguration": {
    "RestrictPublicBuckets": true,
    "BlockPublicPolicy": true,
    "BlockPublicAcls": true,
    "IgnorePublicAcls": true
  },
  "BucketName": "example-bucket-958630",
  "RegionalDomainName": "example-bucket-958630.s3.us-east-1.amazonaws.com",
  "OwnershipControls": {
    "Rules": [
      {
        "ObjectOwnership": "BucketOwnerEnforced"
      }
    ]
  },
  "DomainName": "example-bucket-958630.s3.amazonaws.com",
  "BucketEncryption": {
    "ServerSideEncryptionConfiguration": [
      {
        "BucketKeyEnabled": false,
        "ServerSideEncryptionByDefault": {
          "SSEAlgorithm": "AES256"
        }
      }
    ]
  },
  "WebsiteURL": "http://example-bucket-958630.s3-website-us-east-1.amazonaws.com",
  "DualStackDomainName": "example-bucket-958630.s3.dualstack.us-east-1.amazonaws.com",
  "Arn": "arn:aws:s3:::example-bucket-958630"
}
```
```hcl
resource "awscc_s3_bucket" "example" {
  bucket_name = "example-bucket-958630"
  ownership_controls = {
    rules = [{
      object_ownership = "BucketOwnerEnforced"
    }]
  }
  bucket_encryption = {
    server_side_encryption_configuration = [{
      server_side_encryption_by_default = {
        sse_algorithm = "AES256"
      }
    }]
  }
}
```

TLDR: I would expect the provider to handle the
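The workaround described in the comment above, as an added example that is not part of the issue or of the awscc provider's own documentation: the same bucket with every attribute that CloudFormation populates by default declared explicitly, including the public access block that the snippet above omits and the `bucket_key_enabled` flag, so the configuration matches the state the provider reads back after apply. It assumes that the defaults visible in the state dump above (SSE-S3 with AES256, BucketOwnerEnforced, all four public-access-block flags true) are the ones CloudFormation currently applies; if they differ in your account, copy the values from your own `terraform show` output instead.

```hcl
# Added example (not from the issue or the provider): pin every attribute that
# CloudFormation fills in by default, so a second `terraform apply` shows no diff.
# Assumption: the default values below are the ones observed in the state dump
# in this issue; verify them against `terraform show` in your own environment.
resource "awscc_s3_bucket" "example" {
  bucket_name = "example-bucket-958630"

  # Default server-side encryption: SSE-S3 (AES256) with bucket keys disabled.
  bucket_encryption = {
    server_side_encryption_configuration = [{
      bucket_key_enabled = false
      server_side_encryption_by_default = {
        sse_algorithm = "AES256"
      }
    }]
  }

  # Default object ownership: ACLs disabled, bucket owner owns every object.
  ownership_controls = {
    rules = [{
      object_ownership = "BucketOwnerEnforced"
    }]
  }

  # Default public access block: all four protections enabled.
  # Declaring them makes the hardened posture an explicit, reviewable guarantee
  # rather than something the configuration silently inherits.
  public_access_block_configuration = {
    block_public_acls       = true
    block_public_policy     = true
    ignore_public_acls      = true
    restrict_public_buckets = true
  }
}
```

Pinning these values has a security benefit beyond a clean plan: if CloudFormation ever changes what it populates, the plan surfaces that as a change instead of the bucket quietly ending up with a different posture. The other way to silence the diff, `lifecycle { ignore_changes = [...] }` on the affected attributes, hides drift on exactly the settings (public access, object ownership, encryption) that you most want Terraform to enforce, so it is the wrong tool here.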
Got bitten by this again today during my test, which reminded me to get back to this issue. In my case, the trigger was this particular attribute
In the Terraform state file, this attribute was set to null, since I did not declare it in the Terraform config.

This is a known issue, related to #1139
#1139 resolves the problem where a non-mandatory attribute triggers resource replacement because no default value for that attribute is provided in the schema. However, the lack of default values in the CFN schema can still trigger drift (without replacement), as shown in this issue.

Upon further debugging by setting the env var, PlanResourceChange_Request_PriorState matches what is on the state file:
The PlanResourceChange_Request_ProposedNewState sets both
Finally, the PlanResourceChange_Response_PlannedState resembles everything again:
According to this doc:
As such, I expect that PlanResourceChange_Request_ProposedNewState will not set

Digging through the framework's open issues, I found a similar problem reported here: hashicorp/terraform-plugin-framework#898

A local test confirmed this behavior, after removing the
Results:
Community Note
Terraform CLI and Terraform AWS Cloud Control Provider Version
Affected Resource(s)
Terraform Configuration Files
Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.
Debug Output
Panic Output
Expected Behavior
The resource should not be re-deployed every time; it seems like there are some changes done on AWS and the provider configuration is not keeping up. Ref. the encryption setting from the plan above.
Actual Behavior
Re-deployed the same configuration, but the bucket is then deleted and deployed again.
Steps to Reproduce
Apply the example in the following documentation twice: https://registry.terraform.io/providers/hashicorp/awscc/latest/docs/resources/s3_bucket

```shell
terraform apply
```
Important Factoids
References