Reputation: 361
I am running into an issue where Terraform is deleting the tag and version info of an S3 bucket. What could be the reason for this? How do I stop this from happening?

    resource "aws_s3_bucket" "bucket" {
      bucket = "bucket-${var.accountName}"
      acl    = "private"

      versioning {
        enabled = true
      }

      lifecycle {
        prevent_destroy = true
      }
    }

    module.s3.aws_s3_bucket.bucket
        tags.%: "1" => "0"
        tags.Versioning: "Yes" =>

Upvotes: 1
Views: 1163
Reputation: 56877
The plan is telling you that it wants to remove the Versioning tag from the S3 bucket, but note that it isn't telling you that it's undoing the actual versioning of the S3 bucket, which would instead look something like:

    versioning.0.enabled: "true" => "false"

You haven't defined any tags on the S3 bucket in your Terraform code so Terraform is attempting to force the S3 bucket back to the configuration you have defined after detecting the drift during the refresh stage.
You can either add the tags to the aws_s3_bucket resource in your Terraform code, stop changing Terraform managed resources outside of Terraform, or you can use ignore_changes to tell Terraform that you expect there to be drift on the tags.
The first option is the best option in my opinion and you would achieve that by using something like:

    resource "aws_s3_bucket" "bucket" {
      bucket = "bucket-${var.accountName}"
      acl    = "private"

      versioning {
        enabled = true
      }

      lifecycle {
        prevent_destroy = true
      }

      tags = {
        Versioning = "Yes"
      }
    }

If you do want to add tags outside of Terraform for some reason but don't want Terraform to undo your changes then you can tell it to ignore the changes to tags by using the ignore_changes lifecycle:

    resource "aws_s3_bucket" "bucket" {
      bucket = "bucket-${var.accountName}"
      acl    = "private"

      versioning {
        enabled = true
      }

      lifecycle {
        prevent_destroy = true
        # The attribute on aws_s3_bucket is "tags", so that is the name to ignore.
        ignore_changes  = ["tags"]
      }
    }

Upvotes: 1
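
As an added example (not part of the answer above, and not Terraform's own tooling): a small Python check that reads plan output in the flat attribute format quoted in this thread and reports, per S3 bucket, whether the plan only touches tags or would turn versioning off. The sample plan text, the second bucket address and the function names are constructed for illustration, and address lines are assumed to carry nothing after the resource address.

```python
import re

# Constructed sample in the flat "attr: old => new" plan format quoted in the thread.
SAMPLE_PLAN = '''\
~ module.s3.aws_s3_bucket.bucket
    tags.%:          "1" => "0"
    tags.Versioning: "Yes" => ""

~ module.s3.aws_s3_bucket.logs
    versioning.0.enabled: "true" => "false"
'''

# Resource address line, with an optional change marker in front.
ADDR_RE = re.compile(r'^\s*(?:-/\+|[~+-])?\s*((?:module\.[\w-]+\.)*[a-z0-9_]+\.[\w-]+)\s*$')
# Attribute line; the new value may be missing when the output was cut short.
ATTR_RE = re.compile(r'^\s*(.+?):\s*"([^"]*)"\s*=>\s*(?:"([^"]*)")?\s*$')


def parse_plan(text):
    """Return {bucket_address: {attribute: (old, new)}} for aws_s3_bucket resources."""
    changes, current = {}, None
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            addr = m.group(1)
            # Only track S3 buckets; attributes of other resources are skipped.
            is_bucket = ".aws_s3_bucket." in "." + addr
            current = changes.setdefault(addr, {}) if is_bucket else None
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = (m.group(2), m.group(3) or "")
    return changes


def classify(attrs):
    """Separate harmless tag drift from a change that disables versioning."""
    old, new = attrs.get("versioning.0.enabled", ("", ""))
    if old == "true" and new != "true":
        return "VERSIONING_DISABLED"
    if attrs and all(key.startswith("tags.") for key in attrs):
        return "TAGS_ONLY"
    return "OTHER"


def report(text):
    return {addr: classify(attrs) for addr, attrs in parse_plan(text).items()}


if __name__ == "__main__":
    for addr, verdict in report(SAMPLE_PLAN).items():
        print(f"{verdict:20} {addr}")
```
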