I am trying to terraform and import an existing log bucket. The HCL code looks like the following and is a complete replica of what is up in production:
```hcl
# Referenced by the grant list below; the original post did not show this
# data source, so it is declared here.
data "aws_canonical_user_id" "current_user" {}

locals {
  bucket_name = "log-bucket-${var.environment}-${var.region}"
}

module "bucket" {
  source     = "[email protected]:mycompany/s3-bucket-module?ref=1.0.5"
  name       = local.bucket_name
  log_bucket = local.bucket_name

  bucket_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Sid" : "AllowSSLRequestsOnly",
        "Effect" : "Deny",
        "Principal" : "*",
        "Action" : "s3:*",
        # The original read `[*]`, which is not valid HCL. A bucket policy
        # must name the bucket and its objects explicitly.
        "Resource" : [
          "arn:aws:s3:::${local.bucket_name}",
          "arn:aws:s3:::${local.bucket_name}/*"
        ],
        "Condition" : {
          "Bool" : {
            "aws:SecureTransport" : "false"
          }
        }
      }
    ]
  })

  # Bucket ACL grants: the account owner plus the S3 Log Delivery group,
  # which needs WRITE (and READ_ACP) on a server-access-log target bucket.
  grant = [
    {
      id          = data.aws_canonical_user_id.current_user.id
      type        = "CanonicalUser"
      permissions = ["FULL_CONTROL"]
    },
    {
      type        = "Group"
      uri         = "http://acs.amazonaws.com/groups/s3/LogDelivery"
      permissions = ["READ_ACP", "WRITE"]
    },
  ]

  lifecycle_rules = [
    {
      id      = "log"
      enabled = true
      prefix  = "log/"
      tags = {
        "rule"      = "log"
        "autoclean" = "true"
      }
      transition = [
        {
          days          = 30
          storage_class = "STANDARD_IA"
        },
        {
          days          = 60
          storage_class = "GLACIER"
        }
      ]
      expiration = {
        days = 90
      }
    }
  ]
}
```
After importing the bucket with `terraform import ...` and running `terraform plan`, I get the following changes:
```
# module.s3-bucket-module.module.bucket.aws_s3_bucket.bucket will be updated in-place
~ resource "aws_s3_bucket" "bucket" {
    acl           = "private"
    force_destroy = false
    id            = "mycompany-log-bucket-myenvironment-myregion"
    tags          = {}
    # (8 unchanged attributes hidden)
    # (6 unchanged blocks hidden)
  }
```
Based on this plan, Terraform wants to perform two changes:
```
acl           = "private"
force_destroy = false
```
but these are the default values, which I have never explicitly changed. I guess what I am trying to say is that in reality it doesn't seem to change anything, but rather explicitly sets the default values.
This is confusing me, and since it is a production bucket I want your opinion before applying. Why are those two "changes" appearing there?
CodePudding user response:
This is related to the bug bembas mentioned in the comments.
I created a replica bucket and imported it.
Step 1
Before applying the plan
```
~ resource "aws_s3_bucket" "bucket" {
    acl           = "private"
    force_destroy = false
    id            = "mycompany-log-bucket-myenvironment-myregion"
    tags          = {}
    # (8 unchanged attributes hidden)
    # (6 unchanged blocks hidden)
  }
```
I ran `aws s3api get-bucket-acl --bucket mycompany-log-bucket-myenvironment-myregion` and got this response:
```json
{
    "Owner": {
        "ID": "hidden"
    },
    "Grants": [
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"
            },
            "Permission": "READ_ACP"
        },
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"
            },
            "Permission": "WRITE"
        },
        {
            "Grantee": {
                "ID": "hidden",
                "Type": "CanonicalUser"
            },
            "Permission": "FULL_CONTROL"
        }
    ]
}
```
Step 2
After applying the plan
```json
{
    "Owner": {
        "ID": "hidden"
    },
    "Grants": [
        {
            "Grantee": {
                "ID": "hidden",
                "Type": "CanonicalUser"
            },
            "Permission": "FULL_CONTROL"
        }
    ]
}
```
Step 3
Made a new plan, and Terraform wants to change the resource again!
```
~ resource "aws_s3_bucket" "bucket" {
    # (10 unchanged attributes hidden)

  + grant {
      + permissions = [
          + "READ_ACP",
          + "WRITE",
        ]
      + type        = "Group"
      + uri         = "http://acs.amazonaws.com/groups/s3/LogDelivery"
    }
  + grant {
      + id          = "hidden"
      + permissions = [
          + "FULL_CONTROL",
        ]
      + type        = "CanonicalUser"
    }
    # (4 unchanged blocks hidden)
  }
```
After applying this second plan, everything is back to normal and terraform doesn't request changes anymore.
```
No changes. Your infrastructure matches the configuration.
```
CodePudding user response:
16/11/2021
I guess there is an open bug, and Terraform sees the following attributes as an update:
```
acl           = "private"
force_destroy = false
```
For this specific TF resource, a workaround is to apply the update (the bug) and then re-apply so that the Terraform state is up to date.
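Both answers above amount to "apply twice and re-plan", and the first answer's ACL dumps show why that is worth verifying rather than trusting: after the first apply the bucket ACL carried only the owner's FULL_CONTROL, so the LogDelivery group had lost its WRITE grant until the second apply restored it. For a server-access-log target bucket that window is exactly when log delivery can silently fail. The script below is an added example written for this page, not code from the question, the answers, or the module; it compares an ACL in the shape `aws s3api get-bucket-acl` returns against the `grant` list from the question's HCL and reports missing or unexpected grants. The two sample ACLs are constructed to mirror the before/after outputs in the first answer, with the canonical user ID replaced by a placeholder (`OWNER` in the expected list stands in for `data.aws_canonical_user_id.current_user.id`); `check_live_bucket` and `plan_is_clean` shell out to the real `aws` and `terraform` CLIs and are only meant for use against a real bucket.

```python
"""Verify that an S3 bucket ACL still carries every grant Terraform declares.

Added example for this page (not from the question, answers, or module).
The sample ACLs below are constructed; canonical user IDs are placeholders.
"""
import json
import subprocess
from typing import Dict, List, Set, Tuple

LOG_DELIVERY_URI = "http://acs.amazonaws.com/groups/s3/LogDelivery"

# The `grant` list from the question's HCL. "OWNER" is a placeholder for
# data.aws_canonical_user_id.current_user.id and is resolved from the ACL's
# Owner.ID at check time.
EXPECTED_GRANTS: List[Dict] = [
    {"id": "OWNER", "type": "CanonicalUser", "permissions": ["FULL_CONTROL"]},
    {"type": "Group", "uri": LOG_DELIVERY_URI, "permissions": ["READ_ACP", "WRITE"]},
]

# (grantee: canonical user ID or group URI, permission)
GrantKey = Tuple[str, str]


def expected_grants(grants: List[Dict], owner_id: str) -> Set[GrantKey]:
    """Flatten Terraform-style grant blocks into (grantee, permission) pairs."""
    out: Set[GrantKey] = set()
    for g in grants:
        grantee = g["uri"] if g["type"] == "Group" else g["id"]
        if grantee == "OWNER":
            grantee = owner_id
        for perm in g["permissions"]:
            out.add((grantee, perm))
    return out


def actual_grants(acl: Dict) -> Set[GrantKey]:
    """Flatten a get-bucket-acl response into (grantee, permission) pairs."""
    out: Set[GrantKey] = set()
    for g in acl["Grants"]:
        who = g["Grantee"]
        grantee = who["URI"] if who["Type"] == "Group" else who["ID"]
        out.add((grantee, g["Permission"]))
    return out


def acl_diff(acl: Dict, expected: List[Dict] = EXPECTED_GRANTS
             ) -> Tuple[List[GrantKey], List[GrantKey]]:
    """Return (missing, unexpected) grants relative to the declared list."""
    want = expected_grants(expected, acl["Owner"]["ID"])
    have = actual_grants(acl)
    return sorted(want - have), sorted(have - want)


def log_delivery_can_write(acl: Dict) -> bool:
    """True if the S3 Log Delivery group holds WRITE on this bucket."""
    return (LOG_DELIVERY_URI, "WRITE") in actual_grants(acl)


def check_live_bucket(bucket: str) -> Tuple[List[GrantKey], List[GrantKey]]:
    """Fetch the real ACL with the AWS CLI and diff it (needs credentials)."""
    raw = subprocess.run(
        ["aws", "s3api", "get-bucket-acl", "--bucket", bucket],
        check=True, capture_output=True, text=True,
    ).stdout
    return acl_diff(json.loads(raw))


def plan_is_clean(workdir: str = ".") -> bool:
    """True when `terraform plan -detailed-exitcode` reports no pending changes.

    Exit codes: 0 = no changes, 1 = error, 2 = changes pending.
    """
    rc = subprocess.run(
        ["terraform", "plan", "-detailed-exitcode", "-input=false"], cwd=workdir
    ).returncode
    if rc == 1:
        raise RuntimeError("terraform plan failed")
    return rc == 0


# Constructed samples mirroring the first answer's Step 1 and Step 2 output.
OWNER_ID = "OWNER-CANONICAL-ID-PLACEHOLDER"
ACL_BEFORE: Dict = {
    "Owner": {"ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY_URI}, "Permission": "READ_ACP"},
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY_URI}, "Permission": "WRITE"},
        {"Grantee": {"ID": OWNER_ID, "Type": "CanonicalUser"}, "Permission": "FULL_CONTROL"},
    ],
}
ACL_AFTER_FIRST_APPLY: Dict = {
    "Owner": {"ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"ID": OWNER_ID, "Type": "CanonicalUser"}, "Permission": "FULL_CONTROL"},
    ],
}

if __name__ == "__main__":
    for label, acl in (("before apply", ACL_BEFORE),
                       ("after first apply", ACL_AFTER_FIRST_APPLY)):
        missing, extra = acl_diff(acl)
        print(f"{label}: missing={missing} unexpected={extra} "
              f"log_delivery_can_write={log_delivery_can_write(acl)}")
```

In practice the sequence is: `terraform apply`, then `check_live_bucket(<bucket>)` and stop if anything is missing, then `terraform apply` again and confirm both that the diff is empty and that `plan_is_clean()` returns true. Treating the LogDelivery WRITE grant as a gate, rather than just watching for "No changes", is what turns the answers' workaround into something you can safely run on a production log bucket.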