aws_s3_bucket_lifecycle_configuration filter: tag(s)

[grimm26]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v1.1.6
on darwin_amd64
+ provider registry.terraform.io/hashicorp/aws v4.1.0

Affected Resource(s)

• aws_s3_bucket_lifecycle_configuration

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

Config A

resource "aws_s3_bucket" "b" {
  bucket = "mkfoo1234"
}

resource "aws_s3_bucket_lifecycle_configuration" "bucket-config" {
  bucket = aws_s3_bucket.b.id
  rule {
    status = "Enabled"
    id     = "rule1"
    expiration {
      days = 3
    }
    filter {
      and {
        prefix = "log/"
        tags =  {
          foo   = "bar"
          baz = "bam"
        }
      }
    }
  }
}

Config B

resource "aws_s3_bucket" "b" {
  bucket = "mkfoo1234"
}

resource "aws_s3_bucket_lifecycle_configuration" "bucket-config" {
  bucket = aws_s3_bucket.b.id
  rule {
    status = "Enabled"
    id     = "rule1"
    expiration {
      days = 3
    }
    filter {
        tag  {
          key   = "foo"
          value = "bar"
        }
      }
    }
  }
}

Expected and Actual Behavior

Config A mirrors the example of using a lifecycle rule filter in the documentation and it works. However, the tags parameter in the filter block is not documented.

Config B uses the documented tag block and does NOT work as expected. It creates a filter for a single tag with a key of key and a value of foo. If you try to change the tag block to:

 filter {
      tag {
        foo = "bar"
      }
    }

it says An argument named "foo" is not expected here.

Also, trying to use the documented tag block inside of an and filter block fails (Blocks of type "tag" are not expected here.) and trying to use a tags parameter inside of a filter block without an and block fails (An argument named "tags" is not expected here.).

This appears to be more than just a case of poor documentation. There doesn't seem to be a way to make a filter on just a tag and the tags parameter to filter { and { } } is undocumented. It seems like there should just be a tags parameter either alone or inside an and block.

Steps to Reproduce

Use the configs above.

[anGie44]

Hi @grimm26 , thank you for reporting this issue. The documentation is certainly lacking and #23252 aims at addressing the documentation for the and block. The and block has a tags map and prefix argument but as suggested that was missing in the resource docs.

With regard to the aws_s3_bucket_lifecycle_configuration, the singular tag should technically still work within the filter block so I'll investigate that as a potential bug.

[derekheld]

Hi @grimm26 , thank you for reporting this issue. The documentation is certainly lacking and #23252 aims at addressing the documentation for the and block. The and block has a tags map and prefix argument but as suggested that was missing in the resource docs.

With regard to the aws_s3_bucket_lifecycle_configuration, the singular tag should technically still work within the filter block so I'll investigate that as a potential bug.

Does this mean that tags is not meant to be a supported attribute unless located within the and block? I would expect tags to act like prefix, where it can be located within or outside the and block.

[anGie44]

Correct @derekheld 👍 Per the AWS specs, tags is only available within the and condition and tag is only available directly in filter.

Filter API spec: https://docs.aws.amazon.com/AmazonS3/latest/API/API_LifecycleRuleFilter.html
Filter.And API spec: https://docs.aws.amazon.com/AmazonS3/latest/API/API_LifecycleRuleAndOperator.html

[grimm26]

@anGie44 so if I want to filter on multiple tags I use an and block with just a tags parameter? I have to admit that I am pretty bummed that the provider is making the user deal with when to use an and block instead of just handling for us. If we provide multiple parameter in a filter block the provider should just know to put them in an and block. Now I have to write that logic in terraform rather than the provider doing it in Golang where it is easier.

[derekheld]

@anGie44 so if I want to filter on multiple tags I use an and block with just a tags parameter? I have to admit that I am pretty bummed that the provider is making the user deal with when to use an and block instead of just handling for us. If we provide multiple parameter in a filter block the provider should just know to put them in an and block. Now I have to write that logic in terraform rather than the provider doing it in Golang where it is easier.

The provider isn't making you deal with it, it's Amazon's API that is forcing the change in the provider. As you can see in the links provided by @anGie44, the API only supports tags inside the and block. The provider should always match the API to avoid potential confusion.

If you want to see something different, get Amazon to change the API.

[anGie44]

@grimm26 that's correct, the and block should be used as:

filter {
  and {
    tags = {
      key = "Value"
      key2 = Value2"
    }
  }
}

Now I have to write that logic in terraform rather than the provider doing it in Golang where it is easier.

Yep, unfortunately that was a bit of a hack in the aws_s3_bucket (pre-v4.0) that didn't technically align with the AWS API as filter wasn't an argument available with the resource. I agree it's a an extra bit of terraform logic but to @derekheld 's point, aligning with API prevents potential confusion and enables us to properly add more features to the resource if upstream enhancements are made as well.

[grimm26]

@anGie44 so if I want to filter on multiple tags I use an and block with just a tags parameter? I have to admit that I am pretty bummed that the provider is making the user deal with when to use an and block instead of just handling for us. If we provide multiple parameter in a filter block the provider should just know to put them in an and block. Now I have to write that logic in terraform rather than the provider doing it in Golang where it is easier.

The provider isn't making you deal with it, it's Amazon's API that is forcing the change in the provider. As you can see in the links provided by @anGie44, the API only supports tags inside the and block. The provider should always match the API to avoid potential confusion.

If you want to see something different, get Amazon to change the API.

@derekheld I thnk you missed my point. The provider could have a little_toes parameter for this resource and have taht actually means tags when it makes the API call to AWS. The provider can make the interface easier for the terraform user.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.