persistent diff with grants and aws_s3_bucket_acl

[mheiges]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v0.15.1
on darwin_amd64
+ provider registry.terraform.io/hashicorp/aws v3.75.0

Affected Resource(s)

• aws_s3_bucket_acl

Terraform Configuration Files

An S3 bucket is created using the legacy configuration with grant as attribute of `aws_s3_bucket,

data "aws_canonical_user_id" "current_user" {}

resource "aws_s3_bucket" "this" {
  bucket = "tf-test-20220317"

  grant {
    id          = data.aws_canonical_user_id.current_user.id
    type        = "CanonicalUser"
    permissions = ["FULL_CONTROL"]
  }

  grant {
    type        = "Group"
    permissions = ["READ_ACP", "WRITE"]
    uri         = "http://acs.amazonaws.com/groups/s3/LogDelivery"
  }
}

The grants are then migrated to the new aws_s3_bucket_acl

data "aws_canonical_user_id" "current_user" {}

resource "aws_s3_bucket" "this" {
  bucket = "tf-test-20220317"
}

resource "aws_s3_bucket_acl" "this" {
  bucket = aws_s3_bucket.this.id

  access_control_policy {
    grant {
      grantee {
        id   = data.aws_canonical_user_id.current_user.id
        type = "CanonicalUser"
      }
      permission = "FULL_CONTROL"
    }

    grant {
      grantee {
        type = "Group"
        uri  = "http://acs.amazonaws.com/groups/s3/LogDelivery"
      }
      permission = "READ_ACP"
    }

    grant {
      grantee {
        type = "Group"
        uri  = "http://acs.amazonaws.com/groups/s3/LogDelivery"
      }
      permission = "WRITE"
    }

    owner {
      id = data.aws_canonical_user_id.current_user.id
    }
  }
}

Expected Behavior

Applying new configuration should create the new aws_s3_bucket_acl resource and remove grants from aws_s3_bucket and there should be no further changes after that.

Actual Behavior

The aws_s3_bucket_acl resource is created and grant removed from the aws_s3_bucket resource, but subsequent apply continue to show changes to aws_s3_bucket_acl and aws_s3_bucket resources.

Steps to Reproduce

1. Create an S3 bucket with the legacy configuration.
2. Migrate the configuration to use aws_s3_bucket_acl and terraform apply

First apply

  # aws_s3_bucket.this will be updated in-place
  ~ resource "aws_s3_bucket" "this" {
        id                          = "tf-test-20220317"
        tags                        = {}
        # (11 unchanged attributes hidden)

      - grant {
          - permissions = [
              - "READ_ACP",
              - "WRITE",
            ] -> null
          - type        = "Group" -> null
          - uri         = "http://acs.amazonaws.com/groups/s3/LogDelivery" -> null
        }
      - grant {
          - id          = "2a13f427094f1b017422c3e94d44b6b5af88ac2ea4fd4648a5676aab22ffb094" -> null
          - permissions = [
              - "FULL_CONTROL",
            ] -> null
          - type        = "CanonicalUser" -> null
        }

        # (1 unchanged block hidden)
    }

  # aws_s3_bucket_acl.this will be created
  + resource "aws_s3_bucket_acl" "this" {
      + bucket = "tf-test-20220317"
      + id     = (known after apply)

      + access_control_policy {
          + grant {
              + permission = "READ_ACP"

              + grantee {
                  + display_name = (known after apply)
                  + type         = "Group"
                  + uri          = "http://acs.amazonaws.com/groups/s3/LogDelivery"
                }
            }
          + grant {
              + permission = "WRITE"

              + grantee {
                  + display_name = (known after apply)
                  + type         = "Group"
                  + uri          = "http://acs.amazonaws.com/groups/s3/LogDelivery"
                }
            }
          + grant {
              + permission = "FULL_CONTROL"

              + grantee {
                  + display_name = (known after apply)
                  + id           = "2a13f427094f1b017422c3e94d44b6b5af88ac2ea4fd4648a5676aab22ffb094"
                  + type         = "CanonicalUser"
                }
            }

          + owner {
              + display_name = (known after apply)
              + id           = "2a13f427094f1b017422c3e94d44b6b5af88ac2ea4fd4648a5676aab22ffb094"
            }
        }
    }

Plan: 1 to add, 1 to change, 0 to destroy.

Second Apply

  # aws_s3_bucket.this will be updated in-place
  ~ resource "aws_s3_bucket" "this" {
        id                          = "tf-test-20220317"
        tags                        = {}
        # (11 unchanged attributes hidden)

      - grant {
          - permissions = [
              - "READ_ACP",
              - "WRITE",
            ] -> null
          - type        = "Group" -> null
          - uri         = "http://acs.amazonaws.com/groups/s3/LogDelivery" -> null
        }
      - grant {
          - id          = "2a13f427094f1b017422c3e94d44b6b5af88ac2ea4fd4648a5676aab22ffb094" -> null
          - permissions = [
              - "FULL_CONTROL",
            ] -> null
          - type        = "CanonicalUser" -> null
        }

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Third apply

  # aws_s3_bucket.this will be updated in-place
  ~ resource "aws_s3_bucket" "this" {
        id                          = "tf-test-20220317"
        tags                        = {}
        # (11 unchanged attributes hidden)

      - server_side_encryption_configuration {
          - rule {
              - bucket_key_enabled = false -> null

              - apply_server_side_encryption_by_default {
                  - sse_algorithm = "AES256" -> null
                }
            }
        }

        # (1 unchanged block hidden)
    }

  # aws_s3_bucket_acl.this will be updated in-place
  ~ resource "aws_s3_bucket_acl" "this" {
        id     = "tf-test-20220317"
        # (1 unchanged attribute hidden)

      ~ access_control_policy {
          - grant {
              - permission = "FULL_CONTROL" -> null

              - grantee {
                  - display_name = "dl-hids-ado4" -> null
                  - id           = "2a13f427094f1b017422c3e94d44b6b5af88ac2ea4fd4648a5676aab22ffb094" -> null
                  - type         = "CanonicalUser" -> null
                }
            }
          + grant {
              + permission = "FULL_CONTROL"

              + grantee {
                  + display_name = "dl-hids-ado4"
                  + id           = "2a13f427094f1b017422c3e94d44b6b5af88ac2ea4fd4648a5676aab22ffb094"
                  + type         = "CanonicalUser"
                }
            }
          + grant {
              + permission = "READ_ACP"

              + grantee {
                  + display_name = (known after apply)
                  + type         = "Group"
                  + uri          = "http://acs.amazonaws.com/groups/s3/LogDelivery"
                }
            }
          + grant {
              + permission = "WRITE"

              + grantee {
                  + display_name = (known after apply)
                  + type         = "Group"
                  + uri          = "http://acs.amazonaws.com/groups/s3/LogDelivery"
                }
            }

            # (1 unchanged block hidden)
        }
    }

Plan: 0 to add, 2 to change, 0 to destroy.

and so on. The state never stabilizes.

[anGie44]

Hi @mheiges thank you for reporting an issue. This sounds similar to behavior reported in #23758. Similar comment here in that when using these new resources, practitioners should add a lifecycle block to ignore changes to the argument that was once configured in the source aws_s3_bucket resource. An additional example is available in the Usage Notes section in each new resource, in this case https://registry.terraform.io/providers/hashicorp/aws/3.75.0/docs/resources/s3_bucket_acl#usage-notes

Hope this helps! And if you're facing any additional issues, let us know.

[mheiges]

awesome. Thanks!

[lapkritinis]

I see same behavior with aws_s3_bucket_server_side_encryption_configuration and aws_s3_bucket_lifecycle_configuration.
It gets added/removed over and over.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.