_This issue was originally opened by @alirabiee as hashicorp/terraform#18521. It was migrated here as a result of the provider split. The original body of the issue is below._
0.11.4
```hcl
resource "aws_s3_bucket_notification" "my-bucket-trigger-1" {
  bucket = "${aws_s3_bucket.my-bucket.id}"

  lambda_function {
    lambda_function_arn = "${aws_lambda_function.my-lambda-1.arn}"
    events              = ["s3:ObjectCreated:*"]
    filter_prefix       = "blahblah"
    filter_suffix       = "blahblah"
  }
}

resource "aws_s3_bucket_notification" "my-bucket-trigger-2" {
  bucket = "${aws_s3_bucket.my-bucket.id}"

  lambda_function {
    lambda_function_arn = "${aws_lambda_function.my-lambda-2.arn}"
    events              = ["s3:ObjectCreated:*"]
    filter_prefix       = "abcd"
    filter_suffix       = "wxyz"
  }
}
```

```
aws_s3_bucket_notification.my-bucket-trigger-2: Modifying... (ID: ####)
...
lambda_function.0.filter_prefix: "blahblah" => "abcd"
```
It is expected that Terraform creates the two separate resource definitions, merges them, or throws a validation error.
It considers the definition valid and tries to apply the changes. By applying, it overrides one resource definition with another, resulting in some lambdas not having the expected triggers.
Hi @alirabiee 👋 Sorry you're running into this unexpected behavior.
Have you seen the documentation available here that outlines triggering multiple Lambda functions?
https://www.terraform.io/docs/providers/aws/r/s3_bucket_notification.html#trigger-multiple-lambda-functions
It seems to suggest that all the notifications must be bundled together in a single resource configuration. This may be due to the S3 API implementation.
Does merging together all your configurations fix the perpetual difference in Terraform? Thanks.
Hi @bflad
Yes, merging them together will work as expected.
It is just that it would be much less confusing if the behavior could be defined more clearly in the case where the configuration is not defined as the provider expects.
Thank you,
Ali
hi @bflad not sure how this would work with modules? We have created modules to allow our developers to create triggered lambda jobs based on events from cloud watch. Our module currently will take the filters for the trigger
```hcl
s3_event_type  = "s3:ObjectCreated:*,s3:ObjectRemoved:*"
s3_file_suffix = "*"
s3_bucket_name = "${local.s3_bucket_name}"
s3_key_prefix  = "/inbound/dev/1/1/834"
```
So as you can see if they want to have 2 separate triggers on the same bucket it doesn't allow the creation of the notifications in one resource. Maybe I am not seeing the workaround. Please advise on how to approach this use case with current best practices from above.
We run into this in exactly the same situation as @fewknow. It is not possible to create multiple notifications if `aws_s3_bucket_notification` is encapsulated within a module.
With no `aws_s3_bucket_notification.queue.id` defined, Terraform just randomly overwrites the single notification with one of the notification configurations, without any failure. With `aws_s3_bucket_notification.queue.id` set to unique values, Terraform fails with `A conflicting conditional operation is currently in progress against this resource`.
@bflad pinging again as this is going to impact us greatly. Ideally it should work the way we have designed so the developer can add N number of notifications using our module. Is there a workaround still using a module? I don't think exposing terraform code to the developer and having them be responsible is possible, exactly why there are modules and we used that pattern. Any and all help is greatly appreciated.
Thanks
Hi folks 👋
This issue is specifically for tracking that the `aws_s3_bucket_notification` documentation doesn't make the multiple resources on the same S3 Bucket limitation clear, which I have just submitted a pull request for: #7967
The limitation of one `aws_s3_bucket_notification` resource per S3 Bucket is a function of the S3 API only having one notification configuration for the entire bucket:
Along with some other API level restrictions that may prevent an acceptable implementation. To follow the feature request for supporting multiple notification resources, I would vote and subscribe to https://github.com/terraform-providers/terraform-provider-aws/issues/501. This issue will be closed when the documentation update is merged.
Hi folks, this was closed with a documentation update to include a note at the top of the `aws_s3_bucket_notification` resource documentation that multiple declarations of this resource are not supported against the same S3 Bucket (which will get deployed when version 2.3.0 is released later this week). We will keep #501 open with the feature request to support multiple resources with the same S3 Bucket, however as noted there, S3 API limitations may prevent that implementation.
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
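
Because the provider accepts the duplicate declarations without a validation error, the overwrite described in this thread can be caught before apply with a plan check. The following is an added example, not code from the thread or from the provider: it assumes the JSON plan representation printed by `terraform show -json` (Terraform 0.12 and later, which postdates the 0.11.4 reported above), and the sample plan, module names and bucket name are constructed.

```python
import json
from collections import defaultdict

# Constructed sample: trimmed `terraform show -json <planfile>` output
# (Terraform 0.12+ plan representation). Module and bucket names are made up.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "module.job_a.aws_s3_bucket_notification.trigger",
   "type": "aws_s3_bucket_notification",
   "change": {"actions": ["create"],
              "after": {"bucket": "example-inbound"}, "after_unknown": {}}},
  {"address": "module.job_b.aws_s3_bucket_notification.trigger",
   "type": "aws_s3_bucket_notification",
   "change": {"actions": ["create"],
              "after": {"bucket": "example-inbound"}, "after_unknown": {}}},
  {"address": "aws_s3_bucket_notification.reports",
   "type": "aws_s3_bucket_notification",
   "change": {"actions": ["create"],
              "after": {}, "after_unknown": {"bucket": true}}},
  {"address": "aws_s3_bucket_notification.old",
   "type": "aws_s3_bucket_notification",
   "change": {"actions": ["delete"], "after": null, "after_unknown": {}}}
]}
""")


def find_notification_conflicts(plan):
    """Return (conflicts, unresolved) for aws_s3_bucket_notification resources.

    conflicts: bucket name -> addresses that would each write that bucket's
    single notification configuration. unresolved: addresses whose bucket is
    only known after apply and must be reviewed by hand.
    """
    by_bucket, unresolved = defaultdict(list), []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_s3_bucket_notification":
            continue
        after = rc["change"].get("after")
        if after is None:  # resource is being destroyed, nothing is written
            continue
        bucket = after.get("bucket")
        if bucket is None:  # value is computed during apply
            unresolved.append(rc["address"])
        else:
            by_bucket[bucket].append(rc["address"])
    conflicts = {b: sorted(a) for b, a in by_bucket.items() if len(a) > 1}
    return conflicts, sorted(unresolved)


if __name__ == "__main__":
    print(find_notification_conflicts(SAMPLE_PLAN))
```

Run as a CI gate, a non-empty `conflicts` result fails the pipeline, which covers the module case raised above where two module instances point at the same bucket.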