terraform-provider-aws: Breaking change for several resources from 2.51.0 β†’ 2.52.0

Community Note

  • Please vote on this issue by adding a πŸ‘ reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave β€œ+1” or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Versions

terraform -v
Terraform v0.12.23
+ provider.aws v2.51.0
+ provider.kubernetes v1.11.1
+ provider.template v2.1.2

to

terraform -v
Terraform v0.12.23
+ provider.aws v2.52.0
+ provider.kubernetes v1.11.1
+ provider.template v2.1.2

Relevant bit: provider.aws v2.51.0 β†’ 2.52.0.

Affected Resource(s)

  • aws_iam_policy_document
  • aws_iam_policy
  • aws_s3_bucket

Terraform Configuration Files

data "aws_iam_policy_document" "XXX" {
  statement {
    actions = ...
    resources = [
      ...
    ]
  }
}

resource "aws_iam_policy" "XXX" {
  name   = "XXX"
  path   = "/"
  policy = data.aws_iam_policy_document.XXX.json
}

resource "aws_s3_bucket" "XXX" {
  bucket = ...
  acl    = "private"
  region = "us-east-1"

  tags = {
    Name = ...
  }
}

Expected Behavior

No changes. Infrastructure is up-to-date.

Actual Behavior

------------------------------------------------------------------------

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place
 <= read (data resources)

Terraform will perform the following actions:

  # module.XXX.data.aws_iam_policy_document.XXX will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "deployment"  {
      + id   = (known after apply)
      + json = (known after apply)

      + statement {
          + actions   = [
              + ...
            ]
          + resources = [
              + ...
            ]
        }
    }

  # module.services.aws_iam_policy.deployment will be updated in-place
  ~ resource "aws_iam_policy" "XXX" {
        ...
      ~ policy      = jsonencode(
            {
              ...
            }
        ) -> (known after apply)
    }

  # module.XXX.aws_s3_bucket.XXX will be updated in-place
  ~ resource "aws_s3_bucket" "XXX" {
        ...

      - grant {
          ...
        }

        ...
    }

Plan: 0 to add, 7 to change, 0 to destroy.

------------------------------------------------------------------------

Steps to Reproduce

  1. Bump AWS Provider from 2.51.0 to 2.52.0 and run a plan.

About this issue

  • Original URL
  • State: open
  • Created 4 years ago
  • Reactions: 37
  • Comments: 15 (3 by maintainers)

Most upvoted comments

Hi,

I’m also seeing an issue with how grant is calculated for the plan. Tested on 2.63.

  1. Create a bucket with grant:

    resource "aws_s3_bucket" "my-example-terraform-grant" {
    bucket = "my-example-terraform-grant"

    grant {
        id          = data.aws_canonical_user_id.current_user.id
        type        = "CanonicalUser"
        permissions = ["FULL_CONTROL"]
    }
}

  2. terraform apply.

  3. terraform plan yields an in-place update to add the grant.

    Output of terraform plan 
      # aws_s3_bucket.my-example-terraform-grant will be updated in-place
  ~ resource "aws_s3_bucket" "my-example-terraform-grant" {
        acl                         = "private"
        arn                         = "arn:aws:s3:::my-example-terraform-grant"
        bucket                      = "my-example-terraform-grant"
        bucket_domain_name          = "my-example-terraform-grant.s3.amazonaws.com"
        bucket_regional_domain_name = "my-example-terraform-grant.s3.eu-west-1.amazonaws.com"
        force_destroy               = false
        hosted_zone_id              = "XXXXXXXXXXXXXX"
        id                          = "my-example-terraform-grant"
        region                      = "eu-west-1"
        request_payer               = "BucketOwner"
        tags                        = {}

      + grant {
          + id          = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
          + permissions = [
              + "FULL_CONTROL",
            ]
          + type        = "CanonicalUser"
        }

        versioning {
            enabled    = false
            mfa_delete = false
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.

At this point I could terraform apply forever, it will always see a change.

This is the bucket in the backend state 
{
  "mode": "managed",
  "type": "aws_s3_bucket",
  "name": "my-example-terraform-grant",
  "provider": "provider.aws",
  "instances": [
    {
      "schema_version": 0,
      "attributes": {
        "acceleration_status": "",
        "acl": "private",
        "arn": "arn:aws:s3:::my-example-terraform-grant",
        "bucket": "my-example-terraform-grant",
        "bucket_domain_name": "my-example-terraform-grant.s3.amazonaws.com",
        "bucket_prefix": null,
        "bucket_regional_domain_name": "my-example-terraform-grant.s3.eu-west-1.amazonaws.com",
        "cors_rule": [],
        "force_destroy": false,
        "grant": [
          {
            "id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
            "permissions": [
              "FULL_CONTROL"
            ],
            "type": "CanonicalUser",
            "uri": ""
          }
        ],
        "hosted_zone_id": "XXXXXXXXXXXXXX",
        "id": "my-example-terraform-grant",
        "lifecycle_rule": [],
        "logging": [],
        "object_lock_configuration": [],
        "policy": null,
        "region": "eu-west-1",
        "replication_configuration": [],
        "request_payer": "BucketOwner",
        "server_side_encryption_configuration": [],
        "tags": {},
        "versioning": [
          {
            "enabled": false,
            "mfa_delete": false
          }
        ],
        "website": [],
        "website_domain": null,
        "website_endpoint": null
      },
      "private": "bnVsbA=="
    }
  ]
}
+7
mrliptontea on May 27, 2020

@ewbankkit I think I’ve seen in the past where terraform can manage something but hasn’t actually been managing it where the provider will silently ignore the diff but maybe that’s a false memory.

Still, this kind of change feels odd for a minor version bump since I would expect those to be non-breaking.

+2
timvisher on Mar 11, 2020

still having the same issue with provider.aws ~> 2.69 and terraform 0.12.25

[terragrunt] 2020/07/07 15:27:01 Running command: terraform providers
.
β”œβ”€β”€ provider.aws ~> 2.69
β”œβ”€β”€ module.bucket_access_policies
β”‚   └── provider.aws (inherited)
β”œβ”€β”€ module.bucket_policies
β”‚   └── provider.aws (inherited)
β”œβ”€β”€ module.s3_bucket
β”‚   └── provider.aws (inherited)
└── module.system_users
    └── provider.aws (inherited)
+1
so0k on Jul 7, 2020

It’s the fact that terraform wants to remove a grant which is created by default whenever a bucket is created that I find confusing - IMO if the grants block isn’t specified then it should leave the default grant alone.

When you create a bucket or an object, Amazon S3 creates a default ACL that grants the resource owner full control over the resource. https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html

Generated plan

      - grant {
          - id          = "<creatorid>" -> null
          - permissions = [
              - "FULL_CONTROL",
            ] -> null
          - type        = "CanonicalUser" -> null
        }
+1
aywrite on Mar 11, 2020
Read more comments on GitHub
← terraform-provider-aws: Better Lambda error
terraform-provider-aws: Breaking change on data source aws_lambda_function introduced in version 2.0.0 →