versioning enabled = false leads to 'delete markers'

[ghost]

This issue was originally opened by @henrikb123 as hashicorp/terraform#24350. It was migrated here as a result of the provider split. The original body of the issue is below.

---

Terraform Version

v0.12.21

Terraform Configuration Files

resource "aws_s3_bucket" "bucket" {
  bucket = var.bucket_name
  acl    = "private"

  tags   = {
    Name        = var.bucket_name
  }

  cors_rule {
    allowed_headers = ["*"]
    allowed_methods = ["GET"]
    allowed_origins = ["*"]
    expose_headers  = ["ETag"]
  }

  versioning {
    enabled = var.use_versioning
  }

}

Debug Output

Crash Output

Expected Behavior

When use_versioning is set to false I expect the bucket to be created without versioning and with versioning never being enabled on the bucket.

Actual Behavior

From observation it seems like Terraform is first creating the bucket with versioning enabled, then afterwards disabling versioning. This leads to a different behavior compared to expected: all deleted objects are not fully deleted but leave behind 'delete markers', making it hard to e.g. programatically delete empty the bucket (e.g. only bucket owner can remove delete markers).

Steps to Reproduce

1. terraform init
2. terraform apply
3. aws s3 cp foo.txt s3://bucket_name/foo.txt
4. aws s3 rm s3://bucket_name/foo.txt
5. terraform destroy

Step 5 will fail complaining of bucket not being empty.

Additional Context

References

[minamijoyo]

I found enabled = false doesn't have the same meaning as undefined. It means Suspended . Unfortunately, it seems that there is no way to remove the existing bucket versioning configuration if set once.
https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketVersioning.html

The current implementation implicitly set the versioning configuration to Suspended if versioning block changes.
https://github.com/hashicorp/terraform-provider-aws/blob/v3.23.0/aws/resource_aws_s3_bucket.go#L1770-L1808

It causes a problem when writing a generic module for aws_s3_bucket. My workaround is as follows:

s3/aws_s3_bucket.tf

variable "bucket" {
  type = string
}

variable "versioning" {
  type = bool
}

resource "aws_s3_bucket" "test" {
  bucket = var.bucket
  acl    = "private"

  dynamic "versioning" {
    for_each = try([coalesce(var.versioning)], [])
    content {
      enabled = versioning.value
    }
  }
}

main.tf

module "test" {
  source = "./s3"
  bucket = "foo-versioning-test1"

  versioning = null
}

However, I think it doesn't make sense setting Suspended with a new bucket.
In more general, it would be great if we could ignore changing versioning.enabled from null to false.

[grimm26]

The provider should make a call of GetBucketVersioning if the config has versioning { enabled = false}. If the bucket does not have versioning enabled or suspended, do not make a PutBucketVersioning call at all.

[minamijoyo]

FYI: I found this issue had been already fixed in #22221 in v3.70.0

[anGie44]

Closing this as suggested the fix is available in provider versions as early as v3.70.0.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.