[Bug]: Terraform does not import DataSync S3 location with a required argument #31678

Closed
markoeremija opened this issue May 31, 2023 · 5 comments · Fixed by #36072
Labels
bug Addresses a defect in current functionality. service/datasync Issues and PRs that pertain to the datasync service.

Comments

@markoeremija
Contributor

Terraform Core Version

1.4.2

AWS Provider Version

4.67.0

Affected Resource(s)

aws_datasync_location_s3

Expected Behavior

When importing an existing AWS DataSync S3 location to the terraform state, it would be expected to import also the argument marked as required in the documentation, i.e., s3_bucket_arn.

Actual Behavior

The terraform import command completes successfully (based on the example from the documentation):

> terraform import module.datasync.aws_datasync_location_s3.source arn:aws:datasync:<region>:<account-id>:location/<loc-id> 

Acquiring state lock. This may take a few moments...
module.datasync.aws_datasync_location_s3.source: Importing from ID "arn:aws:datasync:<region>:<account-id>:location/<loc-id>"...
module.datasync.aws_datasync_location_s3.source: Import prepared!
  Prepared aws_datasync_location_s3 for import
module.datasync.aws_datasync_location_s3.source: Refreshing state... [id=arn:aws:datasync:<region>:<account-id>:location/<loc-id>]

Import successful!

The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.

The subsequent terraform plan shows that terraform wants to recreate everything (including the DataSync task using this source, omitted for brevity) because the s3_bucket_arn argument was added:

  # module.datasync.aws_datasync_location_s3.source must be replaced
-/+ resource "aws_datasync_location_s3" "source" {
      - agent_arns       = [] -> null
      ~ arn              = "arn:aws:datasync:<region>:<account>:location/<loc-id>" -> (known after apply)
      ~ id               = "arn:aws:datasync:<region>:<account>:location/<loc-id>" -> (known after apply)
      + s3_bucket_arn    = "arn:aws:s3:::<bucket-name>" # forces replacement
      ~ s3_storage_class = "STANDARD" -> (known after apply)
      ~ uri              = "s3://<bucket-name>/path/to/copy/from/" -> (known after apply)
        # (2 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

The resource definition in the module is as follows:

resource "aws_datasync_location_s3" "source" {
  s3_bucket_arn = var.source_s3_bucket_arn
  subdirectory  = var.source_subdirectory

  s3_config {
    bucket_access_role_arn = var.bucket_access_role_arn
  }
}

Using terraform state show module.datasync.aws_datasync_location_s3.source gives the following output:

# module.datasync.aws_datasync_location_s3.source:
resource "aws_datasync_location_s3" "source" {
    agent_arns       = []
    arn              = "arn:aws:datasync:<region>:<account>:location/<loc-id>"
    id               = "arn:aws:datasync:<region>:<account>:location/<loc-id>"
    s3_storage_class = "STANDARD"
    subdirectory     = "/path/to/copy/from/"
    uri              = "s3://<bucket-name>/path/to/copy/from/"

    s3_config {
        bucket_access_role_arn = "arn:aws:iam::<account>:role/<datasync-role-name>"
    }
}

As can be seen from the terraform state show output, there is no s3_bucket_arn argument. Currently, the workaround is to use a lifecycle block to ignore changes to the s3_bucket_arn argument:

resource "aws_datasync_location_s3" "source" {
  s3_bucket_arn = var.source_s3_bucket_arn
  subdirectory  = var.source_subdirectory

  s3_config {
    bucket_access_role_arn = var.bucket_access_role_arn
  }

  lifecycle {
    ignore_changes = [
      s3_bucket_arn
    ]
  }
}

This approach solves the issue with terraform wanting to recreate everything.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "aws_datasync_location_s3" "source" {
  s3_bucket_arn = var.source_s3_bucket_arn
  subdirectory  = var.source_subdirectory

  s3_config {
    bucket_access_role_arn = var.bucket_access_role_arn
  }

  lifecycle {
    ignore_changes = [
      s3_bucket_arn
    ]
  }
}

resource "aws_datasync_location_s3" "destination" {
  s3_bucket_arn = var.destination_s3_bucket_arn
  subdirectory  = var.destination_subdirectory

  s3_config {
    bucket_access_role_arn = var.bucket_access_role_arn
  }

  lifecycle {
    ignore_changes = [
      s3_bucket_arn
    ]
  }
}

resource "aws_datasync_task" "this" {
  name                     = var.datasync_task_name
  source_location_arn      = aws_datasync_location_s3.source.arn
  destination_location_arn = aws_datasync_location_s3.destination.arn
  cloudwatch_log_group_arn = var.cloudwatch_log_group_arn

  dynamic "options" {
    for_each = var.use_options ? [1] : []
    content {
      gid               = lookup(var.options, "gid", null)
      log_level         = lookup(var.options, "log_level", null)
      posix_permissions = lookup(var.options, "posix_permissions", null)
      uid               = lookup(var.options, "uid", null)
    }
  }

  dynamic "schedule" {
    for_each = var.use_schedule ? [1] : []
    content {
      schedule_expression = var.schedule_expression
    }
  }
}

Steps to Reproduce

  • Create AWS DataSync source and destination S3 locations along with a task in AWS console.
  • Import those resources into terraform state, following the official documentation for each of the resources.
  • Run terraform plan.
  • Verify that the resources will be recreated due to the fact that s3_bucket_arn is missing after the import.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

No

@markoeremija markoeremija added bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. labels May 31, 2023
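
A pre-apply check for the situation reported above, as an added example that is not part of the original issue or the provider's code: it reads the JSON form of a plan (`terraform show -json <planfile>`) and lists resources that would be replaced because an attribute such as s3_bucket_arn is null in the imported state but set in configuration. The sample plan is constructed from the plan output on the page, and the function name is hypothetical.

```python
import json

# Constructed sample, shaped like `terraform show -json <planfile>` output for the
# plan shown in this issue; placeholders are kept as they appear on the page.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "module.datasync.aws_datasync_location_s3.source",
   "change": {"actions": ["delete", "create"],
     "before": {"subdirectory": "/path/to/copy/from/", "s3_bucket_arn": null},
     "after": {"subdirectory": "/path/to/copy/from/",
               "s3_bucket_arn": "arn:aws:s3:::<bucket-name>"},
     "replace_paths": [["s3_bucket_arn"]]}},
  {"address": "module.datasync.aws_datasync_task.this",
   "change": {"actions": ["delete", "create"],
     "before": {"source_location_arn": "arn:aws:datasync:<region>:<account>:location/<loc-id>"},
     "after": {},
     "replace_paths": [["source_location_arn"]]}}
]}
""")


def replacements_from_missing_state(plan):
    """Return {address: [attribute, ...]} for resources the plan would replace
    because a top-level attribute is null in state but set in configuration."""
    findings = {}
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        actions = change.get("actions", [])
        # A replacement is reported as both "delete" and "create" (either order).
        if "delete" not in actions or "create" not in actions:
            continue
        before = change.get("before") or {}
        after = change.get("after") or {}
        missing = []
        for path in change.get("replace_paths", []):
            key = path[0] if path else None
            if not isinstance(key, str):
                continue
            # Null before, concrete after: the import never populated this attribute.
            if before.get(key) is None and after.get(key) is not None:
                missing.append(key)
        if missing:
            findings[rc["address"]] = missing
    return findings


if __name__ == "__main__":
    for address, attrs in replacements_from_missing_state(SAMPLE_PLAN).items():
        print(f"{address}: replacement forced by attributes missing from state: {attrs}")
```

The task in the sample is also replaced, but only as a consequence of its source location changing, so the check reports the location alone as the root cause.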
@github-actions

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added the service/datasync Issues and PRs that pertain to the datasync service. label May 31, 2023
@justinretzolk justinretzolk removed the needs-triage Waiting for first response or review from a maintainer. label May 31, 2023
@acwwat
Contributor

acwwat commented Mar 30, 2024

@markoeremija This should be fixed by #36072 which went into v5.42.0 of the provider. Please give it a try and close this ticket once verified. Thanks.

@markoeremija
Contributor Author

@acwwat Thanks for letting me know it's fixed, I no longer have access to the codebase where I found the bug, but I'll close it anyway.


Warning

This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 30, 2024