pulumi / pulumi-aws

An Amazon Web Services (AWS) Pulumi resource package, providing multi-language access to AWS
Apache License 2.0

switching mfa_delete Flag in aws.s3.Bucket completely blocked further updates to the S3 bucket #4092

Open pk-hugo opened 3 months ago

pk-hugo commented 3 months ago

What happened?

I have enabled the mfa_delete flag in the AWS S3 bucket versioning. After that, any further update always shows this flag in the differences and throws the error below.

` error: 1 error occurred:

If I change the mfa_delete flag to False, then the pulumi preview --diff command shows this:

~ versioning: { ~ mfaDelete: true => false }

Then if I change the mfa_delete flag to True, the pulumi preview --diff command shows this:

~ versioning: { ~ mfaDelete: false => true }

Example

Steps to reproduce:

  1. Create an S3 bucket using the Python AWS library.
  2. Change the mfa_delete flag to True.
  3. Then try to do a pulumi preview --diff again. The mfa_delete flag is always toggled and shown as a difference.

Output of pulumi about

CLI
Version      3.116.1
Go Version   go1.22.3
Go Compiler  gc

Plugins
KIND      NAME        VERSION
resource  aws         6.18.2
resource  aws-native  0.95.0
language  python      unknown

Host
OS       darwin
Version  14.5
Arch     arm64

This project is written in python: executable='/Users/pk-hugo/Documents/hugo/repos/venv/pk-venv/bin/python3' version='3.11.9'

Dependencies:
NAME               VERSION
allure-behave      2.13.2
autoflake          2.2.0
awscli             1.29.84
awscli-local       0.21
black              23.7.0
cfn-flip           1.3.0
dacite             1.8.1
Faker              19.3.0
flake8             6.1.0
hugo-lib           0.0.73
infra-lib          0.0.10
isort              5.12.0
jq                 1.7.0
localstack         2.2.0
phonenumbers       8.13.18
pip                24.0
pipdeptree         2.13.0
pydantic           2.7.3
pytest-dependency  0.5.1
pytest-mock        3.11.1
pytest-xdist       3.3.1
pytz               2023.3
reportlab          4.1.0
retry2             0.9.5
setuptools         69.5.1
sshtunnel          0.3.1
wheel              0.41.1
yq                 3.4.3


tgummerer commented 3 months ago

From the docs for mfa_delete: "This cannot be used to toggle this setting but is available to allow managed buckets to reflect the state in AWS"

So I believe this setting should be set in the AWS console, rather than through pulumi. I'm not sure why it would flip-flop without a pulumi up in between those pulumi preview --diffs. Are you running any commands in between running pulumi preview --diff?

Regarding the error, either you need to use 2fa credentials for running the pulumi command, or disable the setting in the AWS console.

justinvp commented 3 months ago

Moving this to the aws provider repo for further triage.

flostadler commented 3 months ago

Hey, @tgummerer is correct that the mfaDelete property cannot be used currently for toggling this setting, rather just for keeping the pulumi state in sync with AWS.

Enabling MFA delete itself requires using an MFA token, which the provider currently doesn't support. This comment here goes into more details explaining the background: https://github.com/hashicorp/terraform-provider-aws/issues/629#issuecomment-408937315
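
Added example, not code from this issue or from the provider: a Python pre-flight check that compares the mfa_delete value declared in a Pulumi program with what S3 reports, and builds the out-of-band PutBucketVersioning call that carries the MFA value. The function names and the sample responses are hypothetical and constructed here; boto3 is assumed to be installed only for `apply_out_of_band`.

```python
"""Added example: reconcile a declared mfa_delete value with what S3 reports."""

# Constructed sample GetBucketVersioning responses (not captured from a real account).
# S3 omits both keys on a bucket whose versioning was never configured.
SAMPLE_NEVER_CONFIGURED = {}
SAMPLE_VERSIONED = {"Status": "Enabled", "MFADelete": "Disabled"}
SAMPLE_MFA_PROTECTED = {"Status": "Enabled", "MFADelete": "Enabled"}


def mfa_delete_in_aws(versioning_response):
    """True only if S3 reports MFADelete=Enabled; a missing key means disabled."""
    return versioning_response.get("MFADelete") == "Enabled"


def reconcile(declared_mfa_delete, versioning_response):
    """Say what to do so the declared mfa_delete matches AWS and the diff is empty."""
    actual = mfa_delete_in_aws(versioning_response)
    if declared_mfa_delete == actual:
        return "in sync"
    if declared_mfa_delete:
        # The provider cannot send an MFA token, so the toggle happens outside Pulumi.
        return "enable MFA delete out of band, or declare mfa_delete=False"
    return "declare mfa_delete=True, or disable MFA delete out of band"


def put_versioning_kwargs(bucket, mfa_serial, mfa_code, enable=True):
    """Arguments for boto3 S3 put_bucket_versioning, including the MFA value."""
    if not mfa_code.isdigit():
        raise ValueError("MFA code must be the numeric value shown on the device")
    return {
        "Bucket": bucket,
        # Serial number (or ARN) of the device, a space, then the current code.
        "MFA": f"{mfa_serial} {mfa_code}",
        "VersioningConfiguration": {
            "Status": "Enabled",
            "MFADelete": "Enabled" if enable else "Disabled",
        },
    }


def apply_out_of_band(bucket, mfa_serial, mfa_code, enable=True):
    """Make the change with credentials that are allowed to toggle MFA delete."""
    import boto3  # imported lazily so the checks above run without AWS access
    s3 = boto3.client("s3")
    s3.put_bucket_versioning(**put_versioning_kwargs(bucket, mfa_serial, mfa_code, enable))
    return mfa_delete_in_aws(s3.get_bucket_versioning(Bucket=bucket))
```

Once AWS and the declared value agree, `reconcile` returns "in sync" and the mfaDelete entry should no longer appear in `pulumi preview --diff`.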