
Terraform does not detect changes outside #43007

@EugenKon

Description


Terraform and AWS Provider Version

Terraform v1.11.4
on darwin_arm64

Affected Resource(s) or Data Source(s)

  • aws_s3_bucket_acl
  • aws_s3_bucket_public_access_block
  • aws_s3_bucket_ownership_controls

Expected Behavior

Terraform should detect outside changes and print them as:

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply" which
may have affected this plan:

Having the IDs of the objects inside the tfstate, the changes could be automatically synced.

Actual Behavior

It tried to create/destroy resources:

  # module.private-cloud.aws_s3_bucket_public_access_block.users-s3 will be created
  + resource "aws_s3_bucket_public_access_block" "users-s3" {
      + block_public_acls       = true
      + block_public_policy     = true
      + bucket                  = "XXXXX"
      + id                      = (known after apply)
      + ignore_public_acls      = true
      + restrict_public_buckets = true
    }

  # module.private-cloud.aws_s3_bucket_ownership_controls.iguides-s3 will be created
  + resource "aws_s3_bucket_ownership_controls" "users-s3" {
      + bucket = "XXXX"
      + id     = (known after apply)

      + rule {
          + object_ownership = "BucketOwnerEnforced"
        }
    }

  # module.private-cloud.aws_s3_bucket_acl.users[0] will be destroyed
  # (because aws_s3_bucket_acl.users is not in configuration)
  - resource "aws_s3_bucket_acl" "users" {
      - acl                   = "private" -> null
      - bucket                = "XXXXX" -> null
      - expected_bucket_owner = "XXXX" -> null
      - id                    = "uXXXXXX,XXXXX,private" -> null

      - access_control_policy {
          - grant {
              - permission = "FULL_CONTROL" -> null

              - grantee {
                  - display_name  = "aws" -> null
                  - id            = "XXXXX" -> null
                  - type          = "CanonicalUser" -> null
                    # (2 unchanged attributes hidden)
                }
            }
          - owner {
              - display_name = "aws" -> null
              - id           = "XXXXX" -> null
            }
        }
    }

Relevant Error/Panic Output

Sample Terraform Configuration

+resource "aws_s3_bucket_public_access_block" "users-s3" {
  bucket = aws_s3_bucket.users-s3.id

  block_public_acls       = true
  block_public_policy     = true
  restrict_public_buckets = true
  ignore_public_acls      = true
}

-resource "aws_s3_bucket_acl" "users" {
  count = var.project_name == "essentials" ? 1: 0

  bucket                = aws_s3_bucket.users-s3.id
  expected_bucket_owner = data.aws_caller_identity.current.account_id
  acl                   = "private"
}

+resource "aws_s3_bucket_ownership_controls" "users-s3" {
  bucket = aws_s3_bucket.users-s3.id

  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

- -- removed configuration
+ -- added configuration

Steps to Reproduce

  1. Change bucket configuration from here to here (before/after screenshots attached to the original issue, not reproduced here)
  2. Terraform plan/apply

Debug Logging


GenAI / LLM Assisted Development

n/a

Important Facts and References

No response

Would you like to implement a fix?

No
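One way to reconcile the plan shown in the issue, as an added example that is not from the issue or from the provider: adopt the public access block and ownership controls that already exist on the bucket into state with Terraform `import` blocks (Terraform 1.5+), drop the removed ACL resource from state without an API call with a `removed` block (Terraform 1.7+), and then confirm with `terraform plan -refresh-only` that only drift, not creations or destroys, remains. The module address follows the issue's plan output; the literal bucket name is a placeholder for the value redacted in the issue.

```hcl
# Root module only: import and removed blocks are not allowed inside child modules.

# The public access block already exists on the bucket (set outside Terraform),
# so adopt it instead of letting "terraform apply" try to create it.
# Import ID for aws_s3_bucket_public_access_block is the bucket name.
import {
  to = module.private-cloud.aws_s3_bucket_public_access_block.users-s3
  id = "XXXXX" # placeholder: bucket name, redacted in the issue
}

# Same for ownership controls; import ID is also the bucket name.
import {
  to = module.private-cloud.aws_s3_bucket_ownership_controls.users-s3
  id = "XXXXX" # placeholder: bucket name, redacted in the issue
}

# The ACL resource was removed from the configuration. With
# object_ownership = "BucketOwnerEnforced" bucket ACLs are disabled anyway,
# so forget the object from state rather than issuing a destroy against it.
# "from" takes the resource address without the [0] index.
removed {
  from = module.private-cloud.aws_s3_bucket_acl.users

  lifecycle {
    destroy = false
  }
}

# Verification sequence (run from the root module):
#   terraform plan -refresh-only   # reports "Objects have changed outside of Terraform" only
#   terraform plan                 # the two resources now show "will be imported", ACL "will no longer be managed"
#   terraform apply                # records the imports and the removal in state
```

After the apply, the `import` and `removed` blocks can be deleted from the configuration; they are one-shot migration statements, not ongoing resource definitions.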


Labels: bug (Addresses a defect in current functionality), needs-triage (Waiting for first response or review from a maintainer), service/s3 (Issues and PRs that pertain to the s3 service).
