hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

aws_s3_bucket_replication_configuration is failing on provider version 4.14.0 #25317

Closed chandini193 closed 3 weeks ago

chandini193 commented 2 years ago

Terraform CLI and Terraform AWS Provider Version

Terraform v1.0.7 AWS Provider 4.14.0

Affected Resource(s)

Terraform Configuration Files

resource "aws_s3_bucket" "primary_bucket" {
  count  = var.s3_bucket_identifier == null ? 0 : 1
  bucket = local.s3_primary_bucket_name
  tags   = module.common_primary.base_tags  # test tags can be empty. 
}

resource "aws_s3_bucket_versioning" "primary_bucket_versioning" {
  count  = var.s3_bucket_identifier == null ? 0 : 1
  bucket = aws_s3_bucket.primary_bucket[0].id
  versioning_configuration {
    status = var.versioning_enabled ? "Enabled" : "Disabled"
  }
}

resource "aws_s3_bucket" "replication_destination" {
  count    = var.s3_replica_bucket_identifier == null ? 0 : 1
  provider = aws.replica
  bucket   = local.s3_replica_bucket_name
  tags     = module.common_replica[0].base_tags # test tags can be empty.
}

resource "aws_s3_bucket_versioning" "replica_bucket_versioning" {
  count    = var.s3_replica_bucket_identifier == null ? 0 : 1
  provider = aws.replica
  bucket   = aws_s3_bucket.replication_destination[0].id
  versioning_configuration {
    status = var.versioning_enabled ? "Enabled" : "Disabled"
  }
}

resource "aws_s3_bucket_replication_configuration" "srctodest" {
  count      = var.s3_replica_bucket_identifier == null ? 0 : 1
  depends_on = [aws_s3_bucket_versioning.primary_bucket_versioning[0], aws_s3_bucket_versioning.replica_bucket_versioning[0]]
  bucket     = aws_s3_bucket.primary_bucket[0].id
  role       = aws_iam_role.primary_replication[0].arn

  rule {
    id     = var.primary_replication_config_rule_id == null ? "${local.s3_primary_bucket_name}-primary-replication" : local.primary_replication_config_rule_id
    prefix = var.replication_configuration_prefix
    status = "Enabled"
    filter {
      prefix = var.replication_configuration_filter_prefix
    }
    delete_marker_replication {
      status = var.delete_marker_replication_status
    }
    source_selection_criteria {
      replica_modifications {
        status = var.replicate_modifications_on_replicas
      }
      dynamic "sse_kms_encrypted_objects" {
        for_each = var.kms_enabled == false ? [] : [1]
        content {
          status = "Enabled"
        }
      }
    }
    destination {
      bucket = length(aws_s3_bucket.replication_destination) >= 1 ? aws_s3_bucket.replication_destination[0].arn : null
      dynamic "encryption_configuration" {
        for_each = var.kms_enabled == false ? [] : [1]
        content {
          replica_kms_key_id = var.kms_key_arn_replica
        }
      }
      storage_class = var.primary_storage_class
      replication_time {
        status = var.primary_replication_time_status
        time {
          minutes = 15
        }
      }
      metrics {
        status = var.primary_metrics_status
        event_threshold {
          minutes = 15
        }
      }
    }
  }
}

Debug Output

https://github.com/chandini193/debug-outputs/blob/main/tf-debug.log

Panic Output

Expected Behavior

There should not be an issue on subsequent terraform refresh since none of the replication configs changed.

Actual Behavior

The first terraform apply was successful and the resources were created successfully. After that, updating tags on the bucket fails with the following error:

image

Steps to Reproduce

  1. terraform apply
  2. subsequent addition/modification of tags on the bucket, then terraform apply

Important Factoids

The same implementation works as expected on AWS Provider 4.3.0.

References

justinretzolk commented 2 years ago

Hey @chandini193 👋 Thank you for taking the time to raise this! So that we have all of the information in order to look into this, can you supply debug logs (redacted as necessary) as well?

chandini193 commented 2 years ago

Hello @justinretzolk, added debug logs. Please let me know if you need any further info.

chandini193 commented 2 years ago

Hello @justinretzolk, any updates on the issue?

chandini193 commented 2 years ago

Any solution or workarounds @justinretzolk ?

justinretzolk commented 2 years ago

Hey @chandini193 👋 Thank you for checking in on this. Unfortunately, I'm not able to provide an estimate on when this will be looked into due to the potential of shifting priorities (we prioritize work by count of ":+1:" reactions, as well as a few other things). For more information on how we prioritize, check out our prioritization guide.

Fuochi commented 2 years ago

> Any solution or workarounds @justinretzolk ?

Hi, we faced the same issue with a slightly different configuration and more rules. We managed to work around this by doing the following steps:

  1. comment the source_selection_criteria block in aws_s3_bucket_replication_configuration resource, and add ignore_changes = all on aws_s3_bucket resource, to avoid it failing on the next apply.
  2. terraform apply.
  3. remove ignore_changes = all from aws_s3_bucket resource to let it fetch the changes and save them in the state.
  4. terraform apply x2 (maybe it works also with just one run, haven't tried).
  5. uncomment the source_selection_criteria block in aws_s3_bucket_replication_configuration resource.
  6. terraform apply

I'm not sure if this will work in your situation as well but I hope it could help.
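
The intermediate state that step 1 of the workaround above produces, shown on a reduced form of the reporter's configuration. This is an added example, not Fuochi's own code; the resource, local and variable names are taken from the issue body as an assumption, since Fuochi's configuration differed.

```hcl
# Step 1 (temporary state): both changes are reverted again in steps 3 and 5.
resource "aws_s3_bucket" "primary_bucket" {
  count  = var.s3_bucket_identifier == null ? 0 : 1
  bucket = local.s3_primary_bucket_name
  tags   = module.common_primary.base_tags

  # Temporary: Terraform ignores every attribute change on this bucket,
  # tag updates included, until this block is removed again in step 3.
  lifecycle {
    ignore_changes = all
  }
}

resource "aws_s3_bucket_replication_configuration" "srctodest" {
  count      = var.s3_replica_bucket_identifier == null ? 0 : 1
  depends_on = [aws_s3_bucket_versioning.primary_bucket_versioning[0], aws_s3_bucket_versioning.replica_bucket_versioning[0]]
  bucket     = aws_s3_bucket.primary_bucket[0].id
  role       = aws_iam_role.primary_replication[0].arn

  rule {
    id     = "${local.s3_primary_bucket_name}-primary-replication"
    status = "Enabled"
    filter {
      prefix = var.replication_configuration_filter_prefix
    }
    delete_marker_replication {
      status = var.delete_marker_replication_status
    }

    # Temporarily commented out; restored in step 5. While it is absent the
    # rule has no sse_kms_encrypted_objects setting, and S3 does not replicate
    # SSE-KMS encrypted objects by default, so objects written in this window
    # may be missing from the replica bucket.
    # source_selection_criteria {
    #   replica_modifications {
    #     status = var.replicate_modifications_on_replicas
    #   }
    #   sse_kms_encrypted_objects {
    #     status = "Enabled"
    #   }
    # }

    destination {
      bucket        = aws_s3_bucket.replication_destination[0].arn
      storage_class = var.primary_storage_class
    }
  }
}
```

After step 6, running `terraform plan` once more and confirming it reports no changes shows that the `lifecycle` block is gone and `source_selection_criteria` is back in state.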

github-actions[bot] commented 1 month ago

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!