Terraform - import aws_s3_bucket does not store important attributes like acl
Recently, I had to import some AWS resources into terraform, and most things went smoothly, but some did not. More specifically, I encountered this problem. And here is my reply on how to deal with it for now. In this post, I am going to be more elaborate about this issue.
So, what exactly did I run into? Here is the code:
Such a bucket existed and I wanted to import this guy into terraform (the bucket was public). So, I typed terraform import 'aws_s3_bucket.my-bucket' 'my-bucket' and pressed enter:
Wait, what? I understand the force_destroy argument (it is false by default), because I had not specified it, but acl? I have two grant blocks... and according to the documentation, acl conflicts with grant. So, how is that even possible? 🤔
It was tempting to run terraform apply command... so let's do that!
And what happened? Terraform (or should I say the aws provider?) ignored these grant blocks and removed some ACL (Access Control List) records from my bucket (the bucket was converted to a private one after this action). Why were the grant blocks ignored? They were there the whole time, and they are still there.
Hmm, what if I run terraform apply again? 😅
ACL records (grant blocks) had been removed (from the terraform state (and from my bucket ☹️), not from my code) in the first apply, and now in the second one terraform wants to add them back. I cannot accept such behaviour on production; I don't want to make my bucket private for some minutes/seconds on the prod environment. It was funny on the dev environment, but not on production.
So, it is time for the lifecycle Meta-Argument! ⛑ And specifically the ignore_changes argument. This way we can define which arguments should be ignored during an update procedure. After the changes, my code looked like this:
I had to add both the acl and force_destroy arguments to the ignore_changes list. Adding only acl did not resolve the problem: Terraform showed that only this argument would be added, but the ACL records were removed as well 🤷.
Using this meta-argument I can import production buckets fearlessly. Terraform does not want to change (remove, if I want to be more specific) ACL records this way. It works, but it is quite hacky and should rather be resolved on the aws provider side, methinks. I have not fixed any issue in the terraform repo yet, so maybe it is time to learn something new, help others and fix this bug.
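To make the setup concrete, here is an added example of what a bucket resource with two grant blocks and the ignore_changes workaround described above can look like. It is written for this post and is not the author's own snippet (which is not reproduced on this page); it serves both the bucket definition shown earlier and the lifecycle change. The bucket and resource name my-bucket come from the post; the canonical user id is a labelled placeholder and the AllUsers group URI is the standard S3 one.

```hcl
# Added example, not the author's original code. Public-read bucket described
# with grant blocks, plus a lifecycle block so that importing the bucket and
# running apply does not strip its ACL records.
resource "aws_s3_bucket" "my-bucket" {
  bucket = "my-bucket"

  # Bucket owner keeps full control. The id is a placeholder, not a real value;
  # replace it with the owner's canonical user id.
  grant {
    id          = "PLACEHOLDER_CANONICAL_USER_ID"
    type        = "CanonicalUser"
    permissions = ["FULL_CONTROL"]
  }

  # Everyone gets read access: this is what made the bucket public.
  grant {
    type        = "Group"
    permissions = ["READ"]
    uri         = "http://acs.amazonaws.com/groups/global/AllUsers"
  }

  lifecycle {
    # Both entries are required. With only acl listed, the grants were still
    # removed on the first apply, as described in the post.
    ignore_changes = [acl, force_destroy]
  }
}
```

With this in place the procedure is: terraform import 'aws_s3_bucket.my-bucket' 'my-bucket', then terraform plan, which should no longer propose touching the ACL. A cheap safety check before and after the apply is to compare the output of aws s3api get-bucket-acl --bucket my-bucket, so that an unintended change to the bucket's access is visible immediately rather than discovered later. Note that in AWS provider 4.x and later the inline acl and grant arguments of aws_s3_bucket are deprecated in favour of the separate aws_s3_bucket_acl resource, so this workaround is specific to the provider generation the post was written against.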