Terraform-provider-aws: import aws_s3_bucket does not store important attributes like acl

Created on 18 Oct 2018 · 5 Comments · Source: hashicorp/terraform-provider-aws

I am trying to import an existing S3 resource, generating HCL with terraforming and importing the state file with terraform.
After the import, running terraform plan does not give zero changes.
Terraform version

Terraform v0.11.8
+ provider.aws v1.38.0

Terraform Configuration Files

_main.tf_

terraform {
  backend "s3" {
    bucket         = "terraform-state-foodev-global"
    dynamodb_table = "terraform-lock-foodev-global"
    key            = "s3/terraform.tfstate"
    region         = "ap-southeast-1"
  }
}

provider "aws" {
  region = "ap-southeast-1"
}

_resource.tf_ -- generated by terraforming

resource "aws_s3_bucket" "freeman-test2" {
  bucket        = "freeman-test2"
  acl           = "private"
}

Output

$ terraform import aws_s3_bucket.freeman-test2 freeman-test2

Acquiring state lock. This may take a few moments...
aws_s3_bucket.freeman-test2: Importing from ID "freeman-test2"...
aws_s3_bucket.freeman-test2: Import complete!
  Imported aws_s3_bucket (ID: freeman-test2)
aws_s3_bucket.freeman-test2: Refreshing state... (ID: freeman-test2)

Import successful!

The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.

Releasing state lock. This may take a few moments...

$ terraform plan
aws_s3_bucket.freeman-test2: Refreshing state... (ID: freeman-test2)
------------------------------------------------------------------------
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place
Terraform will perform the following actions:

  ~ aws_s3_bucket.freeman-test2
      acl:           "" => "private"
      force_destroy: "" => "false"

Plan: 0 to add, 1 to change, 0 to destroy.

Checking the s3/terraform.tfstate file shows it has no acl attribute.

Expected Behavior
Running terraform plan gives zero changes.

All 5 comments

The issue persists in Terraform v0.12.18. The acl and force_destroy of S3 are still missing after import.

I'm seeing this with Terraform 0.12.26 and version 2.69.0 of the aws provider. It's concerning when there are grants involved since trying to apply past this actually removed the grant. Here are the steps I observed:

  1. Defined my aws_s3_bucket resource which included no specification of the acl property but did have one grant block.
  2. Imported the bucket
  3. Ran a plan, acl and force_destroy showed as dirty.
  4. Attempted to set acl even though it's conflicting but this was disallowed. Setting force_destroy to false as the plan showed also did not seem to take any effect.
  5. I decided to try to apply anyway, as this was a low risk bucket. Applying the phantom acl = "private" change actually removed my grant!
  6. I ran another plan with the same source code which showed the grant as a new addition, since it had been removed.
  7. I applied this and now the plan is finally clean.

I am not sure how to account for this without hacking the state file to add the acl (and maybe force_destroy) attributes directly but I have not been able to get an empty plan in this case and applying it is dangerous on high risk buckets since this would temporarily remove the policy as specified in code.
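A pre-apply check for the phantom diff described in this thread, as an added example that is not part of the original issue or the provider's own code: it reads the JSON produced by `terraform show -json <planfile>` (Terraform 0.12+) and lists aws_s3_bucket updates whose only changes are acl/force_destroy going from unset to a value, marking the ones that carry grant blocks. The sample plan, the resource names and the function name `phantom_s3_diffs` are constructed for illustration.

```python
import json

# Constructed sample shaped like `terraform show -json <planfile>` output.
# Resource names and grant values are made up for illustration.
def _rc(name, before, after):
    return {"address": "aws_s3_bucket." + name, "type": "aws_s3_bucket",
            "change": {"actions": ["update"], "before": before, "after": after}}

GRANT = [{"type": "Group", "permissions": ["READ"]}]
SAMPLE_PLAN = json.dumps({"resource_changes": [
    # Freshly imported bucket with a grant: acl/force_destroy are unset in state.
    _rc("with_grant", {"acl": None, "force_destroy": None, "grant": GRANT},
        {"acl": "private", "force_destroy": False, "grant": GRANT}),
    # Freshly imported bucket without grants.
    _rc("plain", {"acl": None, "force_destroy": None, "grant": []},
        {"acl": "private", "force_destroy": False, "grant": []}),
    # Ordinary change that must not be reported.
    _rc("real_change", {"acl": "private", "force_destroy": False, "tags": {}},
        {"acl": "private", "force_destroy": False, "tags": {"env": "dev"}}),
]})

IMPORT_RESIDUE = ("acl", "force_destroy")

def phantom_s3_diffs(plan_json):
    """Return (address, changed_attrs, has_grants) for each aws_s3_bucket whose
    only planned changes are acl/force_destroy going from unset to a value."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != "aws_s3_bucket" or change.get("actions") != ["update"]:
            continue
        before, after = change.get("before") or {}, change.get("after") or {}
        changed = sorted(k for k in set(before) | set(after)
                         if before.get(k) != after.get(k))
        # After import these attributes are absent from state (null or "").
        residue = [k for k in changed
                   if k in IMPORT_RESIDUE and before.get(k) in (None, "")]
        if changed and changed == residue:
            findings.append((rc["address"], changed, bool(before.get("grant"))))
    return findings

if __name__ == "__main__":
    for address, attrs, has_grants in phantom_s3_diffs(SAMPLE_PLAN):
        note = "HAS GRANTS, do not apply blindly" if has_grants else "no grants"
        print(f"{address}: {', '.join(attrs)} unset -> default ({note})")
```
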

We are experiencing the same issue. Terraform v0.12.28, aws provider 2.58.0

This issue is still being seen with Terraform v0.12.24, aws-provider 3.3.0

Would be great to get some kind of update on this if possible. This still seems to be a problem and the issue has been around for about 2 years now.
