terraform-provider-aws: import aws_s3_bucket does not store important attributes like acl

I am trying to import an existing S3 resource: generating HCL with terraforming, and importing the state file with Terraform. After import, running terraform plan cannot get zero changes.

Terraform Version

Terraform v0.11.8
+ provider.aws v1.38.0

Terraform Configuration Files

main.tf

terraform {
  backend "s3" {
    bucket         = "terraform-state-foodev-global"
    dynamodb_table = "terraform-lock-foodev-global"
    key            = "s3/terraform.tfstate"
    region         = "ap-southeast-1"
  }
}
 
provider "aws" {
  region = "ap-southeast-1"
}

resource.tf – generated by terraforming

resource "aws_s3_bucket" "freeman-test2" {
  bucket        = "freeman-test2"
  acl           = "private"
}

Output

$ terraform import aws_s3_bucket.freeman-test2 freeman-test2

Acquiring state lock. This may take a few moments...
aws_s3_bucket.freeman-test2: Importing from ID "freeman-test2"...
aws_s3_bucket.freeman-test2: Import complete!
  Imported aws_s3_bucket (ID: freeman-test2)
aws_s3_bucket.freeman-test2: Refreshing state... (ID: freeman-test2)
 
Import successful!
 
The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.
 
Releasing state lock. This may take a few moments...

$ terraform plan
aws_s3_bucket.freeman-test2: Refreshing state... (ID: freeman-test2)
------------------------------------------------------------------------
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place
Terraform will perform the following actions:

  ~ aws_s3_bucket.freeman-test2
      acl:           "" => "private"
      force_destroy: "" => "false"

Plan: 0 to add, 1 to change, 0 to destroy.

Checking the s3/terraform.tfstate file, the acl attribute is missing.

Expected Behavior

Running terraform plan gets zero changes.

About this issue

  • State: closed
  • Created 6 years ago
  • Reactions: 55
  • Comments: 18 (4 by maintainers)

Most upvoted comments

The issue persists in Terraform v0.12.18. The acl and force_destroy of S3 are still missing after import.

Still an issue.

Terraform v0.14.5
+ provider registry.terraform.io/hashicorp/aws v3.24.1

I’m seeing this with Terraform 0.12.26 and version 2.69.0 of the aws provider. It’s concerning when there are grants involved since trying to apply past this actually removed the grant. Here are the steps I observed:

  1. Defined my aws_s3_bucket resource which included no specification of the acl property but did have one grant block.
  2. Imported the bucket
  3. Ran a plan; acl and force_destroy showed as dirty.
  4. Attempted to set acl even though it’s conflicting, but this was disallowed. Setting force_destroy to false as the plan showed also did not seem to take any effect.
  5. I decided to try to apply anyway, as this was a low risk bucket. Applying the phantom acl = "private" change actually removed my grant!
  6. I ran another plan with the same source code which showed the grant as a new addition, since it had been removed.
  7. I applied this and now the plan is finally clean.

I am not sure how to account for this without hacking the state file to add the acl (and maybe force_destroy) attributes directly, but I have not been able to get an empty plan in this case, and applying it is dangerous on high-risk buckets since this would temporarily remove the policy as specified in code.

Just curious here, how do I know what the correct acl and force_destroy of my imported resource were? Is there a way to double-check them using aws-cli?

https://docs.aws.amazon.com/cli/latest/reference/s3api/get-bucket-acl.html
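As an added example (not code from the thread), the script below maps the JSON that `aws s3api get-bucket-acl` prints to the canned ACL name the state file expects, so the value you put into state matches what the bucket actually has; it assumes the documented Owner/Grants output shape, and the two sample outputs are constructed.

```python
import json

# Group URIs AWS uses in ACL grants (documented values).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"

# Non-owner grants that each common bucket-level canned ACL adds on top of owner FULL_CONTROL.
CANNED = {
    frozenset(): "private",
    frozenset({(ALL_USERS, "READ")}): "public-read",
    frozenset({(ALL_USERS, "READ"), (ALL_USERS, "WRITE")}): "public-read-write",
    frozenset({(AUTH_USERS, "READ")}): "authenticated-read",
    frozenset({(LOG_DELIVERY, "WRITE"), (LOG_DELIVERY, "READ_ACP")}): "log-delivery-write",
}

def canned_acl(get_bucket_acl_json):
    """Map `aws s3api get-bucket-acl` output to the canned ACL name to put in state.
    Returns None when the grants are not one of the canned sets (for example a
    cross-account grant), in which case the bucket needs a grant block, not an acl value."""
    doc = json.loads(get_bucket_acl_json)
    owner = doc["Owner"]["ID"]
    owner_perms, other = set(), set()
    for g in doc["Grants"]:
        who = g["Grantee"]
        if who["Type"] == "CanonicalUser" and who.get("ID") == owner:
            owner_perms.add(g["Permission"])
        elif who["Type"] == "Group":
            other.add((who["URI"], g["Permission"]))
        else:
            return None  # grant to another account or e-mail address: not canned
    if owner_perms != {"FULL_CONTROL"}:
        return None
    return CANNED.get(frozenset(other))

# Constructed sample outputs, shaped like `aws s3api get-bucket-acl --bucket freeman-test2`.
PRIVATE_ACL = json.dumps({"Owner": {"ID": "owner-canonical-id"},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
                "Permission": "FULL_CONTROL"}]})
PUBLIC_READ_ACL = json.dumps({"Owner": {"ID": "owner-canonical-id"},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
                "Permission": "FULL_CONTROL"},
               {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]})
```

A None result is the case the grant-removal comment above warns about: the real ACL is not canned, so writing acl = "private" into state or config would not describe the bucket.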

Hi all 👋 Just letting you know that this issue is featured on this quarter’s roadmap. If a PR exists to close the issue, a maintainer will review and either make changes directly, or work with the original author to get the contribution merged. If you have written a PR to resolve the issue, please ensure the “Allow edits from maintainers” box is checked. Thanks for your patience, and we are looking forward to getting this merged soon!

Here’s an OK workaround depending on your comfort level:

Step 1. Pull the state file down

Ensure you’re in the directory of your imported s3 bucket and run:

terraform state pull > state.json

Step 2. Edit the state.json file and set the correct state on force_destroy/acl

In the JSON file you’ll have to find your resource, and in the attributes object you’ll find that both acl and force_destroy are set to null; set these to the appropriate values:

You can map your S3 ACL to the set of canned ACLs here: https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#canned-acl As for force_destroy, I set mine to false, but I’m not actually sure what this relates to in AWS.

Step 3. Increment the serial number at the top of the state.json file

If it’s currently 5, set it to 6, etc.

Step 4. Push the state file back up, and make sure to erase the local copy*

terraform state push ./state.json
rm state.json

After that, all of it came out clean without having to ignore the state.
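Steps 2 and 3 of the workaround done by a script rather than by hand, as an added example that is not from the thread: it fills in acl and force_destroy on the named aws_s3_bucket, bumps the serial, and refuses to touch a value that is already set or an ACL name that is not canned. The sample state is a constructed, trimmed Terraform 0.12+ state document; the filename and usage in the main block are assumptions.

```python
import copy
import json

# Canned ACLs accepted by aws_s3_bucket's acl argument (documented AWS values).
CANNED_ACLS = {"private", "public-read", "public-read-write", "aws-exec-read",
               "authenticated-read", "log-delivery-write"}

# Constructed, trimmed sample of `terraform state pull` output (Terraform 0.12+ format):
# after import, acl and force_destroy are null, exactly as the comment describes.
SAMPLE_STATE = json.loads("""
{"version": 4, "terraform_version": "0.12.26", "serial": 5, "lineage": "example-lineage",
 "resources": [{"mode": "managed", "type": "aws_s3_bucket", "name": "freeman-test2",
   "provider": "provider.aws",
   "instances": [{"schema_version": 0, "attributes": {"id": "freeman-test2",
     "bucket": "freeman-test2", "acl": null, "force_destroy": null,
     "region": "ap-southeast-1"}}]}]}
""")

def patch_bucket_state(state, name, acl, force_destroy=False):
    """Return a copy of `state` with acl/force_destroy filled in on aws_s3_bucket.<name>
    and the serial incremented (steps 2 and 3 of the workaround). The input is not modified."""
    if acl not in CANNED_ACLS:
        raise ValueError(f"{acl!r} is not a canned ACL")
    new = copy.deepcopy(state)
    hits = [r for r in new["resources"]
            if r["mode"] == "managed" and r["type"] == "aws_s3_bucket" and r["name"] == name]
    if len(hits) != 1:
        raise KeyError(f"expected exactly one aws_s3_bucket.{name}, found {len(hits)}")
    for inst in hits[0]["instances"]:
        attrs = inst["attributes"]
        for key, value in (("acl", acl), ("force_destroy", force_destroy)):
            # Only fill values that import left empty; never overwrite a real one silently.
            if attrs.get(key) not in (None, ""):
                raise ValueError(f"{key} is already {attrs[key]!r}; refusing to overwrite")
            attrs[key] = value
    new["serial"] = state["serial"] + 1  # step 3: a higher serial marks the pushed state as newer
    return new

if __name__ == "__main__":
    import sys  # assumed usage: python patch_state.py state.json freeman-test2 private > patched.json
    with open(sys.argv[1]) as fh:
        print(json.dumps(patch_bucket_state(json.load(fh), sys.argv[2], sys.argv[3]), indent=2))
```

Run `terraform plan` after `terraform state push` to confirm the plan is empty before deleting the local copy.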