Only set delete markers on removal for s3_bucket_objects in versioned buckets

[fahrradflucht]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Changes that result in the removal of an aws_s3_bucket_object should just create a delete marker if the bucket is versioned.

While updating an aws_s3_bucket_object results in a new version being created, changes that require a re-creating (and therefore removal) like updating the key result in the real removal of all versions of the previous item. I think this is quite unintuitive since it defeats the purpose of a versioned bucket.

Down Sides:

I don't think its a big issue but changing it to just creating delete markers removes the ability of actually removing the items with terraform. If necessary this could be solved with a force_delete option on the object similar to the one aws_s3_bucket has.

New or Affected Resource(s)

• aws_s3_bucket_object

[copumpkin]

Somewhere between a "+1" and a reaction emoji, but to add some motivation: a colleague and I just wasted some significant time trying to figure out why terraform wasn't failing despite not creating an object for us in a versioned bucket, because we assumed that it wasn't going to delete all versions and just leave a delete marker in place. Instead, it was actually creating the object and then scrubbing all traces of it afterwards. This seems like very counterintuitive behavior.

[gazoakley]

Just ran into this on an S3 bucket that has MFADelete enabled - Terraform can't destroy objects because the current behaviour is to delete all versions instead of just placing a delete marker.

Also, deleting all versions without some kind of user feedback seems a dangerous thing to do.

[github-actions[bot]]

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

[stekern]

I still think it would be nice to have a flag or similar that lets us toggle between retention and deletion of an aws_s3_bucket_object in versioned buckets. The current behavior initially caught me by surprise and I expected the default behavior upon deletion was to place a delete marker, not remove all traces of the object in question.

[wayneworkman]

I've just heard about the behavior for aws_s3_object requiring the permission s3:DeleteObjectVersion for a bucket with versioning enabled. And then I found this GitHub issue. This behavior is unexpected and not what is desired.

If an object created by aws_s3_bucket_object or aws_s3_object within a versioned bucket is to be "destroyed" by Terraform, it should set a delete marker only. The current behavior of this resource is counterintuitive.