hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: A configuration deprecation warning is missed #39581

Open EugenKon opened 1 month ago

EugenKon commented 1 month ago

Terraform Core Version

v1.9.5

AWS Provider Version

v5.67.0

Affected Resource(s)

Expected Behavior

Our old cluster has the following configuration:

resource "aws_s3_bucket_acl" "planitar-public-releases" {
  bucket                = aws_s3_bucket.planitar-public-releases.id
  expected_bucket_owner = data.aws_caller_identity.current.account_id
}

This resource was created a long time ago and when we run terraform plan/apply we do not see any issues regarding that.

But according to this documentation: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl#argument-reference we should get a warning that our configuration is outdated and we need to fix it.

Actual Behavior

We copied this configuration above and tried to create a new cluster, but got errors:

Relevant Error/Panic Output Snippet

╷
│ Error: Invalid combination of arguments
│
│   with aws_s3_bucket_acl.planitar-public-releases,
│   on public-releases.tf line 46, in resource "aws_s3_bucket_acl" "planitar-public-releases":
│   46: resource "aws_s3_bucket_acl" "planitar-public-releases" {
│
│ "access_control_policy": one of `access_control_policy,acl` must be specified
╵
╷
│ Error: Invalid combination of arguments
│
│   with aws_s3_bucket_acl.planitar-public-releases,
│   on public-releases.tf line 46, in resource "aws_s3_bucket_acl" "planitar-public-releases":
│   46: resource "aws_s3_bucket_acl" "planitar-public-releases" {
│
│ "acl": one of `access_control_policy,acl` must be specified
╵

Terraform Configuration Files

resource "aws_s3_bucket_acl" "planitar-public-releases" {
  bucket                = aws_s3_bucket.planitar-public-releases.id
  expected_bucket_owner = data.aws_caller_identity.current.account_id
}

Steps to Reproduce

You need the old cluster with this resource already created. During plan/apply you will not see any warning that required options were missed.

UPD

When I added acl = "private" to my configuration I got this error message:

aws_s3_bucket_acl.planitar-public-releases: Creating...
╷
│ Error: creating S3 Bucket (planitar-public-releases) ACL: operation error S3: PutBucketAcl, https response error StatusCode: 400, RequestID: DJE2JABYE7WRYGSX, HostID: m6X+vmhFrdizTNnfGzB1MsI7RfI17AQ7LKMygjJoZWd5DRWF4Q6p/0+3ZEqUuzNVwsZA990fzd/Vi9IBNG7nwrKcdSnr3VvtyJKDQA7hsMo=, api error AccessControlListNotSupported: The bucket does not allow ACLs
│
│   with aws_s3_bucket_acl.planitar-public-releases,
│   on public-releases.tf line 46, in resource "aws_s3_bucket_acl" "planitar-public-releases":
│   46: resource "aws_s3_bucket_acl" "planitar-public-releases" {
│
╵

dimaman2001 commented 1 month ago

@EugenKon - Your latest issue applying the ACL is expected:

https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html#requiring-bucket-owner-enforced

By default, all new buckets are created with the Bucket owner enforced setting applied and ACLs are disabled.

If you need ACLs, you can use the s3_bucket_ownership_controls resource to enable ACLs and then modify accordingly.

From your configuration, you can simply remove the ACL block altogether as it is no longer needed to enforce ownership of objects (this is the default).
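
As an added example (not part of the comment above and not the provider's own code), both options described there can be written as one configuration: ACLs stay disabled by default, and the `aws_s3_bucket_acl` resource is created only after ownership controls allow ACLs. The variable `enable_acls` and the `aws_s3_bucket` block are assumptions; the resource names and bucket name come from the issue.

```hcl
# Added example. `enable_acls` is a hypothetical variable introduced here.
variable "enable_acls" {
  description = "Set to true only if the bucket really needs ACLs."
  type        = bool
  default     = false # keep the default for new buckets: ACLs disabled
}

data "aws_caller_identity" "current" {}

# Assumed bucket definition; the issue does not show this block.
resource "aws_s3_bucket" "planitar-public-releases" {
  bucket = "planitar-public-releases"
}

# State the ownership mode explicitly instead of relying on the
# account or API default.
resource "aws_s3_bucket_ownership_controls" "planitar-public-releases" {
  bucket = aws_s3_bucket.planitar-public-releases.id

  rule {
    # BucketOwnerEnforced  = ACLs disabled
    # BucketOwnerPreferred = ACLs accepted
    object_ownership = var.enable_acls ? "BucketOwnerPreferred" : "BucketOwnerEnforced"
  }
}

# Created only when ACLs are enabled. With ACLs disabled, PutBucketAcl
# fails with AccessControlListNotSupported, as in the output above.
resource "aws_s3_bucket_acl" "planitar-public-releases" {
  count = var.enable_acls ? 1 : 0

  # Ownership controls must be applied before the ACL is written.
  depends_on = [aws_s3_bucket_ownership_controls.planitar-public-releases]

  bucket                = aws_s3_bucket.planitar-public-releases.id
  expected_bucket_owner = data.aws_caller_identity.current.account_id
  acl                   = "private" # one of acl / access_control_policy is required
}
```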

EugenKon commented 1 month ago

Expected result

The old configuration works without any issues (warnings). Thus we expect it to work if we reuse that configuration to create a new cluster. But this scenario failed: copy/paste, terraform plan/apply.

If the current configuration will not work to deploy a new cluster, then a warning should be issued to let users know that they need to update their deprecated configuration, even though it works for this cluster created a long time ago.

Use case

In case of emergency you can see that users will not be able to reuse their working configuration. They need to google the info and fix it, but all of this will take time and could lead to money loss during this downtime, instead of just a simple terraform plan/apply.