S3 bucket versioning enabled when explicitly set to false #4494

Closed
ltagliamonte opened this issue May 10, 2018 · 7 comments · Fixed by #22221
Labels
bug Addresses a defect in current functionality. service/s3 Issues and PRs that pertain to the s3 service.

Comments

@ltagliamonte

If the S3 bucket specification explicitly sets the versioning of a bucket to false, the bucket gets wrongly created with versioning enabled.

The following snippet creates a bucket with versioning enabled when it is explicitly set to false.

resource "aws_s3_bucket" "snapshots" {
  bucket = "${lower(var.prefix)}${var.name}-snap"

  versioning {
    enabled = false
  }

  tags {
    Name        = "${lower(var.prefix)}${var.name}-snap"
    Environment = "${var.env}"
  }
}

The default (without specifying the versioning) creates a bucket with versioning disabled:

resource "aws_s3_bucket" "snapshots" {
  bucket = "${lower(var.prefix)}${var.name}-snap"

  tags {
    Name        = "${lower(var.prefix)}${var.name}-snap"
    Environment = "${var.env}"
  }
}

Terraform version

terraform --version
Terraform v0.11.7

  • provider.aws v1.17.0
  • provider.template v1.0.0
@ltagliamonte ltagliamonte changed the title s3 bucket versioning enabled when enable = false s3 bucket versioning enabled when explicitly set to false May 10, 2018
@ltagliamonte ltagliamonte changed the title s3 bucket versioning enabled when explicitly set to false S3 bucket versioning enabled when explicitly set to false May 10, 2018
@bflad bflad added bug Addresses a defect in current functionality. service/s3 Issues and PRs that pertain to the s3 service. labels May 11, 2018
@kuba142

kuba142 commented Nov 13, 2018

This is still happening in the terraform version and aws provider:

Terraform v0.11.10
+ provider.aws v1.43.2


resource "aws_s3_bucket" "bucket" {
  bucket = "my_bucket"

  versioning {
    enabled = false
  }
}

Output:

      versioning.#:                                                        "1"
      versioning.0.enabled:                                                "false"
      versioning.0.mfa_delete:                                             "false"

@jpancoast-kenzan

I am still seeing this with Terraform 0.11.11 and aws provider 1.57

@rberlind

rberlind commented Mar 8, 2019

I've noticed something strange in connection with the versioning argument in TFE Sentinel. If I don't include the versioning {enabled = true}, printing the resource seen by Sentinel shows "versioning": "74D93920-ED26-11E3-AC10-0800200C9A66". But if I do include it, I see "versioning": [{"enabled": true, "mfa_delete": false}]. This causes problems in Sentinel because versioning is a string in the first case and a list in the second case.

I wonder if this is related to the problem reported here? It seems that versioning is being treated inconsistently based on whether it is included or not. Note that when I do not include it, my plan shows versioning.#: <computed>. I wonder if that should actually be 0?

If I do explicitly set versioning { enabled = false }, then I do see "versioning": [{"enabled": false, "mfa_delete": false}] in the Sentinel output which looks correct. The plan shows:
versioning.#: "1"
versioning.0.enabled: "false"
versioning.0.mfa_delete: "false"
which also looks correct.

More germane to this issue is that versioning actually was disabled as desired for my S3 bucket, contrary to what the other posters have reported.

Here is my Terraform code:

terraform {
  required_version = ">= 0.11.7"
}

variable "aws_region" {
  description = "AWS region"
  default = "us-east-1"
}

variable "bucket_name" {
   description = "Name of the bucket to create"
}

variable "bucket_acl" {
   description = "ACL for S3 bucket: private, public-read, public-read-write, etc"
   default = "private"
}

provider "aws" {
  region = "${var.aws_region}"
}

resource "aws_s3_bucket" "bucket" {
  bucket = "${var.bucket_name}"
  acl    = "${var.bucket_acl}" 
  
 server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = "REDACTED"
        sse_algorithm     = "aws:kms"
      }
    }
  }
  
  versioning {
    enabled = false
  }
  
  tags {
    Name        = "Roger Test Bucket"
    Owner = "[email protected]"
    website = "true"
  }
}

@JoshiiSinfield

Hi,

We're encountering this also.

We're setting

versioning {
  enabled = false
}

The bucket gets created "unversioned".
Looking at the code, it will always update the bucket to be "suspended".

The IF statement here is naive. It should evaluate whether versioning { enabled=false} AND vc.Status != 'unversioned' (exact wording unknown), then not call the API at all...

Upon checking the wording/enum/const of 'unversioned', this might be a limitation/bug of the aws-sdk-go...
According to https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketVersioning.html the response, if a bucket has never been versioned, will contain no Status element.

However the aws-sdk-go seems to only set two values in the GetBucketVersioningOutput from the enum func BucketVersioningStatus_Values()
https://raw.githubusercontent.com/aws/aws-sdk-go/master/service/s3/api.go
We need to check the SDK to verify whether an "unversioned" bucket comes through as suspended or in fact contains no status at all.

I'll try to test it when I can.

@JoshiiSinfield

Further to my last above - The SDK is working as I expected. The bug lies within this provider.

Here's the code I used to test: https://gist.github.com/JoshiiSinfield/6007d9784b496b3b2f35ea411181d8db

The output looks something like:


unversioned bucket: GetBucketVersioning output: {

}
versioned bucket: GetBucketVersioning output: {
  Status: "Enabled"
}

I'll try and push a PR up when I can...

@ismailyenigul

ismailyenigul commented Nov 10, 2020

terraform-aws-provider creates bucket with Versioning Suspended even if I set

versioning {
  enabled = false
}

debug output.

2020-11-10T23:37:56.227+0300 [DEBUG] plugin.terraform-provider-aws_v3.14.1_x5: 
2020-11-10T23:37:56.227+0300 [DEBUG] plugin.terraform-provider-aws_v3.14.1_x5: -----------------------------------------------------
2020-11-10T23:37:56.227+0300 [DEBUG] plugin.terraform-provider-aws_v3.14.1_x5: 2020/11/10 23:37:56 [DEBUG] [aws-sdk-go] 
2020-11-10T23:37:56.227+0300 [DEBUG] plugin.terraform-provider-aws_v3.14.1_x5: 2020/11/10 23:37:56 [DEBUG] S3 put bucket versioning: {
2020-11-10T23:37:56.227+0300 [DEBUG] plugin.terraform-provider-aws_v3.14.1_x5:   Bucket: "my-s3-bucket",
2020-11-10T23:37:56.227+0300 [DEBUG] plugin.terraform-provider-aws_v3.14.1_x5:   VersioningConfiguration: {
2020-11-10T23:37:56.227+0300 [DEBUG] plugin.terraform-provider-aws_v3.14.1_x5:     MFADelete: "Disabled",
2020-11-10T23:37:56.227+0300 [DEBUG] plugin.terraform-provider-aws_v3.14.1_x5:     Status: "Suspended"
2020-11-10T23:37:56.227+0300 [DEBUG] plugin.terraform-provider-aws_v3.14.1_x5:   }
2020-11-10T23:37:56.228+0300 [DEBUG] plugin.terraform-provider-aws_v3.14.1_x5: }

If I remove the following blocks from my main.tf, the bucket is created with versioning disabled.

versioning {
  enabled = false
}

It seems it is a bug in terraform-provider-aws. It calls the update function after creating the bucket:

return resourceAwsS3BucketUpdate(d, meta)

Then update checks if versioning is enabled and sets it to enabled or suspended:
if d.HasChange("versioning") {
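
The create-then-update behaviour discussed in the comments above, modelled as an added Go example (not the provider's code and not written by any commenter): `naivePlan` reproduces the reported outcome, and the hypothetical `guardedPlan` skips the API call when the bucket already satisfies `enabled = false`. The function names and the empty string standing in for a missing Status element are assumptions.

```go
package main

import "fmt"

// Status strings as returned by S3 GetBucketVersioning. A bucket that has
// never been versioned returns no Status element, modelled here as "".
const (
	statusUnversioned = ""
	statusEnabled     = "Enabled"
	statusSuspended   = "Suspended"
)

// naivePlan models the behaviour reported in this thread: a configured
// versioning block always leads to a PutBucketVersioning call, and
// enabled = false is sent as "Suspended" regardless of the current state.
func naivePlan(enabled bool, _ string) (call bool, status string) {
	if enabled {
		return true, statusEnabled
	}
	return true, statusSuspended
}

// guardedPlan (hypothetical) only calls the API when the state must change.
// A never-versioned bucket already satisfies enabled = false, so it is left
// untouched instead of being moved to "Suspended".
func guardedPlan(enabled bool, current string) (call bool, status string) {
	switch {
	case enabled && current != statusEnabled:
		return true, statusEnabled
	case !enabled && current == statusEnabled:
		return true, statusSuspended
	default:
		return false, current
	}
}

func main() {
	// Desired config in every row: versioning { enabled = false }.
	for _, cur := range []string{statusUnversioned, statusEnabled, statusSuspended} {
		nc, ns := naivePlan(false, cur)
		gc, gs := guardedPlan(false, cur)
		fmt.Printf("current=%q naive: call=%v status=%q | guarded: call=%v status=%q\n",
			cur, nc, ns, gc, gs)
	}
}
```

Audit or policy checks that read GetBucketVersioning should treat a missing Status and `Suspended` as two separate states, since only the second is what the debug log above shows being written.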

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 25, 2022