aws_s3_bucket: During terraform import - ACL is populated with "null" in tfstate, and terraform apply defaults to acl=private #17791

Open
itsjwala opened this issue Feb 24, 2021 · 6 comments
Labels
bug Addresses a defect in current functionality. service/s3 Issues and PRs that pertain to the s3 service. stale Old or inactive issues managed by automation, if no further action taken these will get closed.

itsjwala commented Feb 24, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v0.14.6
+ provider registry.terraform.io/hashicorp/aws v3.27.0

Your version of Terraform is out of date! The latest version
is 0.14.7. You can update by downloading from https://www.terraform.io/downloads.html

Affected Resource(s)

  • aws_s3_bucket

Terraform Configuration Files

Note - This only occurs while importing S3 bucket

  acl           = null
  grant {
    permissions = ["READ_ACP", "WRITE"]
    type        = "Group"
    uri         = "http://acs.amazonaws.com/groups/s3/LogDelivery"
  }
  grant {
    permissions = ["READ_ACP"]
    type        = "Group"
    uri         = "http://acs.amazonaws.com/groups/global/AllUsers"
  }
  grant {
    id          = "someid"
    permissions = ["FULL_CONTROL"]
    type        = "CanonicalUser"
  }

Debug Output

Panic Output

Expected Behavior

No changes. Infrastructure is up-to-date.

This means that Terraform did not detect any differences between your
configuration and real physical resources that exist. As a result, no
actions need to be performed.

Actual Behavior

      + acl                         = "private"

Steps to Reproduce

  1. Import an existing S3 bucket which has public access (so as to fill the grant block)

     terraform import aws_s3_bucket.bucket_name bucket_name

  2. Fill up the terraform file

bucket.tf

  acl           = null
  grant {
    permissions = ["READ_ACP", "WRITE"]
    type        = "Group"
    uri         = "http://acs.amazonaws.com/groups/s3/LogDelivery"
  }
  grant {
    permissions = ["READ_ACP"]
    type        = "Group"
    uri         = "http://acs.amazonaws.com/groups/global/AllUsers"
  }
  grant {
    id          = "someid"
    permissions = ["FULL_CONTROL"]
    type        = "CanonicalUser"
  }

# other details skipped for brevity

  3. terraform apply

      + acl                         = "private"
@ghost ghost added the service/s3 Issues and PRs that pertain to the s3 service. label Feb 24, 2021
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Feb 24, 2021

itsjwala commented Feb 24, 2021

Irrespective of whether the grant block is present or not, terraform import doesn't populate the acl argument.
I had to manually update acl to private in terraform.tfstate to make sure there is no diff.

bucket.tf

  # skipped .. 
  grant {
    permissions = ["READ_ACP", "WRITE"]
    type        = "Group"
    uri         = "http://acs.amazonaws.com/groups/s3/LogDelivery"
  }
  grant {
    permissions = ["READ_ACP"]
    type        = "Group"
    uri         = "http://acs.amazonaws.com/groups/global/AllUsers"
  }
  grant {
    id          = "someid"
    permissions = ["FULL_CONTROL"]
    type        = "CanonicalUser"
  }

# other details skipped for brevity

terraform.tfstate

// skipped..
        {
          "schema_version": 0,
          "attributes": {
            "acceleration_status": "",
            "acl": "private",

output

No changes. Infrastructure is up-to-date.

This means that Terraform did not detect any differences between your
configuration and real physical resources that exist. As a result, no
actions need to be performed.
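
An added example (not from the issue or the provider's code): a read-only check that lists `aws_s3_bucket` instances whose `acl` is null in a state file, the condition this thread reports after `terraform import`, together with any permissions granted to the public S3 groups. The sample state is constructed, and the version-4 state layout and the name `audit_state` are assumptions of the example.

```python
import json

# Constructed sample state (format version 4); names and values are made up.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "aws_s3_bucket", "name": "imported",
         "instances": [{"schema_version": 0, "attributes": {
             "bucket": "example-imported", "acl": None,
             "grant": [
                 {"id": "", "type": "Group", "permissions": ["READ_ACP"],
                  "uri": "http://acs.amazonaws.com/groups/global/AllUsers"},
                 {"id": "someid", "type": "CanonicalUser",
                  "permissions": ["FULL_CONTROL"], "uri": ""}]}}]},
        {"mode": "managed", "type": "aws_s3_bucket", "name": "created",
         "instances": [{"schema_version": 0, "attributes": {
             "bucket": "example-created", "acl": "private", "grant": []}}]},
    ],
})

PUBLIC_GROUPS = (
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
)

def audit_state(state_text):
    """Return one finding per aws_s3_bucket instance whose acl is null in state."""
    findings = []
    for res in json.loads(state_text).get("resources", []):
        if res.get("mode") != "managed" or res.get("type") != "aws_s3_bucket":
            continue
        address = ".".join(filter(None, [res.get("module"), res["type"], res["name"]]))
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            if attrs.get("acl") is not None:
                continue  # acl is recorded in state, so this is not the reported case
            # Permissions that existing grants give to the public S3 groups.
            public = sorted(p for g in attrs.get("grant") or []
                            if g.get("uri") in PUBLIC_GROUPS
                            for p in g.get("permissions", []))
            findings.append({
                "address": address,
                "bucket": attrs.get("bucket"),
                "public_permissions": public,
            })
    return findings

if __name__ == "__main__":
    for finding in audit_state(SAMPLE_STATE):
        print(finding)
```

Running it against a copy of the state before the first `terraform apply` shows which imported buckets to review, without editing the state file.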

@itsjwala itsjwala changed the title aws_s3_bucket: when acl = null and grant block is given, ACL defaults private aws_s3_bucket: During terraform import - ACL is populated with "null" in tfstate, and terraform apply defaults to acl=private Feb 25, 2021
@natalysheinin

I ran into this bug as well and had to manually edit the state file. This should definitely be addressed.

@pdecat
Contributor

pdecat commented Aug 20, 2021

This looks like a duplicate of #6193

@breathingdust breathingdust added bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. labels Sep 13, 2021
@m1mohamad

I have a similar issue, but it is always populated with

  • acl = "private"
  • force_destroy = false

When importing the bucket, doing -target plan
Terraform version 1.0.7

@SimonEdwardsMQA

To get around this, I've added the below so that Terraform ignores the missing acl & force_destroy; this saves having to mess around with the state file.

  lifecycle {
    ignore_changes = [
      acl,
      force_destroy,
    ]
  }

Interestingly a terraform state show doesn't list either of these.

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

@github-actions github-actions bot added the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label Sep 15, 2024