[Bug]: Bucket Lifecycle Rules Get Dangerously Mangled When Earlier Entries Are Deleted

Bug: Bucket Lifecycle Rules Get Dangerously Mangled When Earlier Entries Are Deleted

Introduction

In this article, we will discuss a critical issue with the AWS provider in Terraform, specifically with the aws_s3_bucket_lifecycle_configuration resource. When deleting earlier entries in the lifecycle configuration, the rules get mangled, leading to unexpected behavior and potential data loss. We will explore the problem, provide a detailed explanation of the issue, and discuss the steps to reproduce it.

Background

The issue was first encountered with Terraform Core version 1.11.1 and AWS provider version 5.90.0. The problem does not exist in version 5.80.0, but it is believed to be related to the recent default value changes.

The Problem

Let's consider a simple Terraform configuration that creates an S3 bucket and a lifecycle configuration with two rules:

resource "aws_s3_bucket" "this" {
  bucket = "test-<name>-lifecycle-policy-20250312"
}

resource "aws_s3_bucket_lifecycle_configuration" "this" {
  bucket = aws_s3_bucket.this.id
  rule {
    id     = "del asdf1"
    status = "Enabled"

    filter {  # the issue happens even without prefix, keeping it to show how disastrous the result is
      prefix = "asdf1"
    }
    expiration {
      days = 1
    }
  }
  
  rule {
    id     = "expire delete markers"
    status = "Enabled"

    expiration {
      expired_object_delete_marker = true
    }
  }
}

If we remove the first rule, the lifecycle configuration should resemble the following:

resource "aws_s3_bucket_lifecycle_configuration" "this" {
  bucket = aws_s3_bucket.this.id
  rule {
    id     = "expire delete markers"
    status = "Enabled"

    expiration {
      expired_object_delete_marker = true
    }
  }
}

However, when we apply the changes, the output shows that the first rule has been cleared out, and the second rule has been modified to include the expiration block from the first rule:

  # aws_s3_bucket_lifecycle_configuration.this will be updated in-place
  ~ resource "aws_s3_bucket_lifecycle_configuration" "this" {
        id                                     = "test-purj-lifecycle-policy-20250312"
        # (3 unchanged attributes hidden)

      ~ rule {
          ~ id     = "del asdf1" -> "expire delete markers"
          + prefix = (known after apply)
            # (1 unchanged attribute hidden)

          ~ expiration {
              ~ expired_object_delete_marker = false -> true
                # (1 unchanged attribute hidden)
            }

          - filter {
              - prefix = "asdf1" -> null
            }
        }
      - rule {
          - id     = "expire delete markers" -> null
          - status = "Enabled" -> null
            # (1 unchanged attribute hidden)

          - expiration {
              - days                         = 0 -> null
              - expired_object_delete_marker = true -> null
            }
        }
    }

This is a bad change, as the expiration block from the first rule has been applied to the second rule, leading to unexpected behavior.

Expected Behavior

The expected behavior is that the rules should resemble the final state we ask for. In this case, the first rule should be removed, and the second rule should remain unchanged.

Actual Behavior

The actual behavior is that the rules get mangled, leading to unexpected behavior and potential data loss.

Steps to Reproduce

To reproduce the issue, follow these steps:

1. Create a Terraform configuration with an S3 bucket and a lifecycle configuration with two rules.
2. Remove the first rule from the lifecycle configuration.
3. Apply the changes using terraform apply.

Debug Output

The debug output will show the mangled rules, as described above.

Panic Output

There is no panic output.

Important Factoids

• The issue was first encountered with Terraform Core version 1.11.1 and AWS provider version 5.90.0.
• The problem does not exist in version 5.80.0.
• The issue is believed to be related to the recent default value changes.

References

• Terraform Core version 1.11.1
• AWS provider version 5.90.0

Would you like to implement a fix?

Yes, please implement a fix to prevent the mangled rules from occurring when earlier entries are deleted. This will ensure that the rules remain unchanged and that the expected behavior is achieved.
Q&A: Bucket Lifecycle Rules Get Dangerously Mangled When Earlier Entries Are Deleted

Q: What is the issue with the AWS provider in Terraform?

A: The issue is that when deleting earlier entries in the lifecycle configuration, the rules get mangled, leading to unexpected behavior and potential data loss.

Q: What is the expected behavior?

A: The expected behavior is that the rules should resemble the final state we ask for. In this case, the first rule should be removed, and the second rule should remain unchanged.

Q: What is the actual behavior?

A: The actual behavior is that the rules get mangled, leading to unexpected behavior and potential data loss.

Q: How can I reproduce the issue?

A: To reproduce the issue, follow these steps:

1. Create a Terraform configuration with an S3 bucket and a lifecycle configuration with two rules.
2. Remove the first rule from the lifecycle configuration.
3. Apply the changes using terraform apply.

Q: What is the debug output?

A: The debug output will show the mangled rules, as described above.

Q: Is there any panic output?

A: No, there is no panic output.

Q: What are the important factoids about the issue?

A: The important factoids are:

• The issue was first encountered with Terraform Core version 1.11.1 and AWS provider version 5.90.0.
• The problem does not exist in version 5.80.0.
• The issue is believed to be related to the recent default value changes.

Q: Can I fix the issue?

A: Yes, please implement a fix to prevent the mangled rules from occurring when earlier entries are deleted. This will ensure that the rules remain unchanged and that the expected behavior is achieved.

Q: What are the references for the issue?

A: The references are:

• Terraform Core version 1.11.1
• AWS provider version 5.90.0

Q: What is the solution to the issue?

A: The solution is to implement a fix to prevent the mangled rules from occurring when earlier entries are deleted. This will ensure that the rules remain unchanged and that the expected behavior is achieved.

Q: How can I prevent the issue from occurring?

A: To prevent the issue from occurring, you can:

• Use a different version of the AWS provider that does not have this issue.
• Implement a fix to prevent the mangled rules from occurring when earlier entries are deleted.
• Use a different approach to manage your S3 bucket lifecycle configuration.

Q: What are the best practices for managing S3 bucket lifecycle configuration?

A: The best practices for managing S3 bucket lifecycle configuration are:

• Use a consistent and predictable approach to managing your S3 bucket lifecycle configuration.
• Use a version control system to track changes to your S3 bucket lifecycle configuration.
• Test your S3 bucket lifecycle configuration thoroughly before applying it to your production environment.
• Monitor your S3 bucket lifecycle configuration regularly to ensure that it is working as expected.