replication_configuration variable does not handle null

[tcarreira]

Description

With the current setup it is not possible to conditionally configure an S3 Bucket with replication_configuration.
The true and false result expressions can't have consistent types, because the module code is not designed for that.

If the condition is true (replication_configuration should be defined), then an empty object ({}) as false result is not accepted and raises a Terraform error The true and false result expressions must have consistent types. The 'true' value includes object attribute "role", which is absent in the 'false' value., only null is possible.

If the condition is false (replication_configuration should not be defined), null is not accepted by the module code, resulting in the error Invalid value for "inputMap" parameter: argument must not be null..

Versions

• Module version [Required]: 4.2.2

• Terraform version: Terraform v1.9.8 on linux_amd64

• Provider version(s): + provider registry.terraform.io/hashicorp/aws v5.73.0

Reproduction Code [Required]

Steps to reproduce the behavior:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">=5.73.0"
    }
  }
}

variable "should_replicate" {
  default = false
}

locals {
  replication_configuration = var.should_replicate ? {
    role = "arn:aws:iam::1234567890:role/myreplicationrole"
    rules = [
      {
        id     = "everything-without-filters"
        status = "Enabled"

        delete_marker_replication = true

        destination = {
          bucket        = "arn:aws:s3:::destinationbucketname"
          storage_class = "STANDARD"
        }
      },
    ]
  } : null
}

module "s3_bucket" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "4.2.2"

  bucket                    = "mybucketname"
  force_destroy             = true
  replication_configuration = local.replication_configuration
}

Expected behavior

The module should not give an error and should not set replication if var.replication_configuration == null

Actual behavior

It is not possible to conditionally set replication_configuration

Terminal Output Screenshot(s)

╷
│ Error: Invalid function argument
│ 
│   on .terraform/modules/s3_bucket/main.tf line 373, in resource "aws_s3_bucket_replication_configuration" "this":
│  373:   count = local.create_bucket && length(keys(var.replication_configuration)) > 0 ? 1 : 0
│     ├────────────────
│     │ while calling keys(inputMap)
│     │ var.replication_configuration is null
│ 
│ Invalid value for "inputMap" parameter: argument must not be null.

note: initially reported at #285

[github-actions]

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

[github-actions]

This issue was automatically closed because of stale in 10 days

[booi]

I ran into this issue as well. @tcarreira did you end up finding a workaround that didn't involve replicating the entire definition?

[tcarreira]

There is a workaround, which is using a variable instead of a local.

If you define

variable "replication_configuration" {
  default = {} 
} 

Then you can pass the variable as a full object (eg: by yaml). Since terraform is not able to infer the type of the passed variable until runtime, it will cast it to a map, instead of an object

It's not ideal, but it is a workaround

[booi]

There is a workaround, which is using a variable instead of a local.

If you define

variable "replication_configuration" {
default = {}
}
Then you can pass the variable as a full object (eg: by yaml). Since terraform is not able to infer the type of the passed variable until runtime, it will cast it to a map, instead of an object

This is pretty clever. I'll keep it in mind.

The way we worked around it was to apply the s3 replication config as a separate resource using the native aws provider's aws_s3_bucket_replication_configuration. Not ideal as well. If I find some time I might submit a PR to fix this module.

[tcarreira]

I do prefer your solution though. I was not aware of that resource. Thanks for sharing

I was hoping to find some time to make a PR for fixing it, but it is not in the critical path...

[eminugurkenar]

experienced same thing for now solved with jsonencode in locals and set the variable with jsondecode , not sure if safe

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.