If the S3 bucket specification explicitly sets the versioning of a bucket to false, the bucket gets wrongly created with versioning enabled.
The following snippet creates a bucket with versioning enabled when it is explicitly set to false.
resource "aws_s3_bucket" "snapshots" {
  bucket = "${lower(var.prefix)}${var.name}-snap"

  versioning {
    enabled = false
  }

  tags {
    Name        = "${lower(var.prefix)}${var.name}-snap"
    Environment = "${var.env}"
  }
}
The default (without specifying the versioning) creates a bucket with versioning disabled:
resource "aws_s3_bucket" "snapshots" {
  bucket = "${lower(var.prefix)}${var.name}-snap"

  tags {
    Name        = "${lower(var.prefix)}${var.name}-snap"
    Environment = "${var.env}"
  }
}
terraform --version
Terraform v0.11.7
This is still happening in the terraform version and aws provider:
Terraform v0.11.10
+ provider.aws v1.43.2
resource "aws_s3_bucket" "bucket" {
  bucket = "my_bucket"

  versioning {
    enabled = false
  }
}
Output:
versioning.#: "1"
versioning.0.enabled: "false"
versioning.0.mfa_delete: "false"
I am still seeing this with Terraform 0.11.11 and aws provider 1.57
I've noticed something strange in connection with the versioning argument in TFE Sentinel. If I don't include the versioning {enabled = true}, printing the resource seen by Sentinel shows "versioning": "74D93920-ED26-11E3-AC10-0800200C9A66". But if I do include it, I see "versioning": [{"enabled": true, "mfa_delete": false}]. This causes problems in Sentinel because versioning is a string in the first case and a list in the second case.
I wonder if this is related to the problem reported here? It seems that versioning is being treated inconsistently based on whether it is included or not. Note that when I do not include it, my plan shows versioning.#: <computed>. I wonder if that should actually be 0?
If I do explicitly set versioning { enabled = false }, then I do see "versioning": [{"enabled": false, "mfa_delete": false}] in the Sentinel output which looks correct. The plan shows:
versioning.#: "1"
versioning.0.enabled: "false"
versioning.0.mfa_delete: "false"
which also looks correct.
More germane to this issue is that versioning actually was disabled as desired for my S3 bucket, contrary to what the other posters have reported.
Here is my Terraform code:
terraform {
  required_version = ">= 0.11.7"
}

variable "aws_region" {
  description = "AWS region"
  default     = "us-east-1"
}

variable "bucket_name" {
  description = "Name of the bucket to create"
}

variable "bucket_acl" {
  description = "ACL for S3 bucket: private, public-read, public-read-write, etc"
  default     = "private"
}

provider "aws" {
  region = "${var.aws_region}"
}

resource "aws_s3_bucket" "bucket" {
  bucket = "${var.bucket_name}"
  acl    = "${var.bucket_acl}"

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = "REDACTED"
        sse_algorithm     = "aws:kms"
      }
    }
  }

  versioning {
    enabled = false
  }

  tags {
    Name    = "Roger Test Bucket"
    Owner   = "[email protected]"
    website = "true"
  }
}
Hi,
We're encountering this also.
We're setting
versioning {
  enabled = false
}
The bucket gets created "unversioned".
Looking at the code, it will always update the bucket to be "suspended".
The IF statement here is naive. It should evaluate whether versioning { enabled=false} AND vc.Status != 'unversioned' (exact wording unknown) then not call the API at all...
Upon checking the wording/enum/const of 'unversioned' this might be a limitation/bug of the aws-sdk-go...
According to https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketVersioning.html the response, if a bucket has never been versioned, will contain no Status element.
However the aws-sdk-go seems to only set two values in the GetBucketVersioningOutput from the enum func BucketVersioningStatus_Values()
https://raw.githubusercontent.com/aws/aws-sdk-go/master/service/s3/api.go
We need to check the SDK to verify whether an "unversioned" bucket comes through as suspended or in fact contains no status at all.
I'll try to test it when I can.
Further to my last above - The SDK is working as I expected. The bug lies within this provider.
Here's the code I used to test: https://gist.github.com/JoshiiSinfield/6007d9784b496b3b2f35ea411181d8db
The output looks something like:
unversioned bucket: GetBucketVersioning output: {
}
versioned bucket: GetBucketVersioning output: {
Status: "Enabled"
}
I'll try and push a PR up when I can...
terraform-aws-provider creates bucket with Versioning Suspended even if I set
versioning {
  enabled = false
}
debug output.
2020-11-10T23:37:56.227+0300 [DEBUG] plugin.terraform-provider-aws_v3.14.1_x5:
2020-11-10T23:37:56.227+0300 [DEBUG] plugin.terraform-provider-aws_v3.14.1_x5: -----------------------------------------------------
2020-11-10T23:37:56.227+0300 [DEBUG] plugin.terraform-provider-aws_v3.14.1_x5: 2020/11/10 23:37:56 [DEBUG] [aws-sdk-go]
2020-11-10T23:37:56.227+0300 [DEBUG] plugin.terraform-provider-aws_v3.14.1_x5: 2020/11/10 23:37:56 [DEBUG] S3 put bucket versioning: {
2020-11-10T23:37:56.227+0300 [DEBUG] plugin.terraform-provider-aws_v3.14.1_x5: Bucket: "my-s3-bucket",
2020-11-10T23:37:56.227+0300 [DEBUG] plugin.terraform-provider-aws_v3.14.1_x5: VersioningConfiguration: {
2020-11-10T23:37:56.227+0300 [DEBUG] plugin.terraform-provider-aws_v3.14.1_x5: MFADelete: "Disabled",
2020-11-10T23:37:56.227+0300 [DEBUG] plugin.terraform-provider-aws_v3.14.1_x5: Status: "Suspended"
2020-11-10T23:37:56.227+0300 [DEBUG] plugin.terraform-provider-aws_v3.14.1_x5: }
2020-11-10T23:37:56.228+0300 [DEBUG] plugin.terraform-provider-aws_v3.14.1_x5: }
If I remove the following blocks from my main.tf, the bucket is created with versioning disabled.
versioning {
  enabled = false
}
It seems it is a bug in terraform-provider-aws. It calls the update function after creating the bucket:
https://github.com/hashicorp/terraform-provider-aws/blob/42657e66db95bc18466cb22002e27b6c1278724e/aws/resource_aws_s3_bucket.go#L717
Then update checks if versioning is enabled and sets it to enabled or suspended:
https://github.com/hashicorp/terraform-provider-aws/blob/42657e66db95bc18466cb22002e27b6c1278724e/aws/resource_aws_s3_bucket.go#L754
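A minimal model of the decision discussed in this thread, added here as an illustration (it is not the provider's code and not from any commenter): `naivePlan` mirrors the reported behaviour, where `enabled = false` always produces a `PutBucketVersioning` call with `Status: "Suspended"`, and `guardedPlan` skips the call when the bucket has never been versioned. The function and constant names are hypothetical, and skipping the call whenever the current status already matches goes beyond the single case raised in the thread.

```go
package main

import "fmt"

// S3 reports "Enabled" or "Suspended"; a bucket that has never been
// versioned returns no Status element at all (modelled as "").
const (
	statusEnabled   = "Enabled"
	statusSuspended = "Suspended"
	statusNone      = ""
)

// naivePlan (hypothetical name) models the reported behaviour: any
// versioning block leads to a PutBucketVersioning call, whatever the
// bucket's current state is.
func naivePlan(wantEnabled bool, current string) (call bool, status string) {
	if wantEnabled {
		return true, statusEnabled
	}
	return true, statusSuspended
}

// guardedPlan (hypothetical name) consults the current status first and
// only calls the API when the bucket is not already in the wanted state.
func guardedPlan(wantEnabled bool, current string) (call bool, status string) {
	want := statusSuspended
	if wantEnabled {
		want = statusEnabled
	}
	// enabled = false on a never-versioned bucket: leave it unversioned
	// instead of moving it to "Suspended".
	if !wantEnabled && current == statusNone {
		return false, ""
	}
	if current == want {
		return false, "" // nothing to change
	}
	return true, want
}

func main() {
	// Constructed inputs: the three states a bucket can be in.
	for _, cur := range []string{statusNone, statusEnabled, statusSuspended} {
		nc, ns := naivePlan(false, cur)
		gc, gs := guardedPlan(false, cur)
		fmt.Printf("current=%q naive=(%v,%q) guarded=(%v,%q)\n", cur, nc, ns, gc, gs)
	}
}
```

For drift detection and policy checks, the distinction matters because a never-versioned bucket and a suspended one report different states from `GetBucketVersioning` even though both were declared with `enabled = false`.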