hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: Provider doesn't properly set/store S3 Storage Lens configuration #27943

Open geoL86 opened 1 year ago

geoL86 commented 1 year ago

Terraform Core Version

1.3.5

AWS Provider Version

4.39.0

Affected Resource(s)

aws_s3control_storage_lens_configuration

Expected Behavior

Terraform/the provider doesn't create the resource (Storage Lens configuration) with exactly the parameters presented in the code. This applies specifically to the parameter: activity_metrics

For example:

resource "aws_s3control_storage_lens_configuration" "organization_dashboard" {
  config_id = "organization-dashboard"
  storage_lens_configuration {
    enabled = true
    aws_org {
      arn = data.aws_organizations_organization.current.arn
    }
    account_level {
      activity_metrics {
        enabled = false
      }
      bucket_level {
        activity_metrics {
          enabled = false
        }
      }
    }
    data_export {
      cloud_watch_metrics {
        enabled = false
      }
    }
  }
}

Actual Behavior

Instead, it creates the resource with the options enabled, and on the next plan it indicates what needs to be changed in the code (shows a diff). And so on in a circle.

Relevant Error/Panic Output Snippet

Terraform will perform the following actions:

  # aws_s3control_storage_lens_configuration.organization_dashboard will be updated in-place
  ~ resource "aws_s3control_storage_lens_configuration" "organization_dashboard" {
        id         = "123456789012:organization-dashboard"
        tags       = {}
        # (4 unchanged attributes hidden)

      ~ storage_lens_configuration {
            # (1 unchanged attribute hidden)

          ~ account_level {
              ~ activity_metrics {
                  ~ enabled = true -> false
                }

              ~ bucket_level {
                  ~ activity_metrics {
                      ~ enabled = true -> false
                    }
                }
            }

            # (2 unchanged blocks hidden)
        }
    }

  # module.notify_slack.module.lambda.null_resource.archive[0] must be replaced
-/+ resource "null_resource" "archive" {
      ~ id       = "8627681441491886041" -> (known after apply)
      ~ triggers = { # forces replacement
          ~ "timestamp" = "1668775414118395000" -> "1669106538902097000"
            # (1 unchanged element hidden)
        }
    }

Plan: 1 to add, 1 to change, 1 to destroy.

Terraform Configuration Files

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3control_storage_lens_configuration

Steps to Reproduce

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3control_storage_lens_configuration

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

No response

ripa1993 commented 5 months ago

Still happening with Terraform 1.8.3 and AWS Provider 5.50.0

ssabo commented 3 months ago

This can be a really expensive bug. I enabled a storage lens for a set of buckets with a large number of objects and explicitly put enabled = false into the code with a comment for all paid metrics so that anyone who came along knew not to enable it.

What seems to be happening is that any value passed for enabled results in it being enabled, and only nulling it disables the metrics.

I took a look at the code for the provider, and it seems like it is properly setting false on the apiObject, which is a configuration instance from the AWS Go SDK v2: https://github.com/hashicorp/terraform-provider-aws/blob/v5.14.0/internal/service/s3control/storage_lens_configuration.go#L794-L806

I was wondering if this is a bug in the SDK where IsEnabled on the objects is not properly honored, but I cannot find any evidence that they are doing anything but bundling it up as a payload and handing it off to AWS.

Either way, until AWS fixes this, I think the correct behavior for the provider is to check if the enabled values are true and set the config to nil if enabled is false.
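
As an added illustration of the behaviour described in the comment above and of the change it proposes (example code written for this page, not the provider's or the AWS SDK's own code), the following Go program models the provider's expand/flatten step for an activity_metrics block. The types ActivityMetrics, BucketLevel and AccountLevel are local stand-ins for the aws-sdk-go-v2 s3control types of the same name, declared here so the program runs without the SDK; their shape (pointer-valued blocks, a plain bool IsEnabled) is assumed to match the SDK, and the XML tags are only for rendering the two request shapes side by side, not the SDK's own serializer. The names expandNaive, expandSafe, flatten, planStable and metricsBlock are this example's, not the provider's. The simulated service rule (any present block counts as enabled, absence counts as disabled) is taken from what the thread reports, not from AWS documentation.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// Local stand-ins for the aws-sdk-go-v2 s3control types named in the thread
// (types.AccountLevel, types.BucketLevel, types.ActivityMetrics). Assumed to
// mirror the SDK shape; the XML tags are for illustration only.
type ActivityMetrics struct {
	IsEnabled bool `xml:"IsEnabled"`
}

type BucketLevel struct {
	ActivityMetrics *ActivityMetrics `xml:"ActivityMetrics"`
}

type AccountLevel struct {
	XMLName         xml.Name         `xml:"AccountLevel"`
	ActivityMetrics *ActivityMetrics `xml:"ActivityMetrics"`
	BucketLevel     *BucketLevel     `xml:"BucketLevel"`
}

// metricsBlock models an activity_metrics block as read from the Terraform
// schema: whether the block was written at all, and its `enabled` value.
type metricsBlock struct {
	Present bool
	Enabled bool
}

// expandNaive is the behaviour the thread describes: a block with
// enabled = false still becomes a non-nil SDK object carrying false.
func expandNaive(b metricsBlock) *ActivityMetrics {
	if !b.Present {
		return nil
	}
	return &ActivityMetrics{IsEnabled: b.Enabled}
}

// expandSafe is the proposed behaviour: the object exists only when the
// metric is actually enabled, so enabled = false is sent as an absent block,
// the only form the thread reports the service treats as disabled.
func expandSafe(b metricsBlock) *ActivityMetrics {
	if !b.Present || !b.Enabled {
		return nil
	}
	return &ActivityMetrics{IsEnabled: true}
}

// flatten is the read side of the same rule: an absent block reads back as
// enabled = false, so a config that says enabled = false sees no diff.
func flatten(m *ActivityMetrics) bool {
	return m != nil && m.IsEnabled
}

// buildAccountLevel assembles the request object for the account-level and
// bucket-level activity_metrics blocks using the chosen expand function.
func buildAccountLevel(account, bucket metricsBlock, expand func(metricsBlock) *ActivityMetrics) *AccountLevel {
	return &AccountLevel{
		ActivityMetrics: expand(account),
		BucketLevel:     &BucketLevel{ActivityMetrics: expand(bucket)},
	}
}

// render shows what each strategy puts on the wire (illustrative XML only).
func render(a *AccountLevel) string {
	out, err := xml.Marshal(a)
	if err != nil {
		panic(err)
	}
	return string(out)
}

// planStable reports whether a configuration converges: after applying the
// request built by expand, reading the stored state back must yield the
// enabled values the user wrote, otherwise every plan shows a diff.
func planStable(account, bucket metricsBlock, expand func(metricsBlock) *ActivityMetrics) bool {
	a := buildAccountLevel(account, bucket, expand)
	// Simulated service behaviour as reported in the thread: any present
	// ActivityMetrics block is stored as enabled; absence is disabled.
	stored := func(m *ActivityMetrics) *ActivityMetrics {
		if m == nil {
			return nil
		}
		return &ActivityMetrics{IsEnabled: true}
	}
	gotAccount := flatten(stored(a.ActivityMetrics))
	gotBucket := flatten(stored(a.BucketLevel.ActivityMetrics))
	return gotAccount == account.Enabled && gotBucket == bucket.Enabled
}

func main() {
	off := metricsBlock{Present: true, Enabled: false} // the issue's configuration
	fmt.Println("naive:", render(buildAccountLevel(off, off, expandNaive)))
	fmt.Println("safe: ", render(buildAccountLevel(off, off, expandSafe)))
	fmt.Println("naive converges:", planStable(off, off, expandNaive))
	fmt.Println("safe converges: ", planStable(off, off, expandSafe))
}
```

With the issue's configuration (both blocks present, both enabled = false), expandNaive produces a body with two present blocks carrying false and never converges under the reported service rule, while expandSafe sends no ActivityMetrics block at all and converges. Until the provider changes, the same effect is available to users by leaving the activity_metrics blocks out of the configuration entirely, which the thread reports is what actually disables the paid metrics.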

RanVaknin commented 3 months ago

Hi there, AWS SDK for Go maintainer here 👋

If one of the participants on the thread can isolate the issue using the Go SDK directly, please open a corresponding issue on our repo and we will take a look.

Thanks, Ran~

ssabo commented 3 months ago

@RanVaknin I wrote up a proof of concept here https://github.com/ssabo/s3lens_bug_proof/blob/main/main.go

If you replace the temp string in there with the account ID you are running on, it will create a storage lens for the whole account. If you go check the configuration for that storage lens, you will see that the paid metrics are enabled for the cost optimization, which is specified as false in the code. Everything else that is nil is disabled.

RanVaknin commented 3 months ago

Hi @ssabo ,

Thanks for this. We have identified the issue with the S3Control API model and have submitted an internal ticket to the S3 team to fix it.

Thanks again. Ran~