`bucket` values are `known after apply`
brittandeyoung opened this issue · comments
## Description

Please provide a clear and concise description of the issue you are encountering, and a reproduction of your configuration (see the `examples/*` directory for references that you can copy+paste and tailor to match your configs if you are unable to copy your exact configuration). The reproduction MUST be executable by running `terraform init && terraform apply` without any further changes.

If your request is for a new feature, please use the Feature request template.
- ✋ I have searched the open/closed issues and my issue is not listed.
The `aws_s3_bucket_acl`, `aws_s3_bucket_public_access_block`, and `aws_s3_bucket_server_side_encryption_configuration` resources have a `bucket` value that is `known after apply`. This causes problems when using IaC code scanning tools to scan your plan output, as these tools use this field in order to make sure that the bucket does indeed have an `acl` and `public_access_block` configured.
## Versions

- Module version [Required]: 3.15.1
- Terraform version: 1.6.3
- Provider version(s): 4.67.0 aws
## Reproduction Code [Required]

You can reproduce this issue using any of the example configurations.

Steps to reproduce the behavior:

Use any of the example configurations to:

```shell
terraform init
terraform plan
```

Look at the plan values for the `aws_s3_bucket_acl` and `aws_s3_bucket_public_access_block` resources. They will show a value of `known after apply`, for example:
```
  # module.da_s3_files_bucket.aws_s3_bucket_acl.this[0] will be created
  + resource "aws_s3_bucket_acl" "this" {
      + acl    = "private"
      + bucket = (known after apply)
      + id     = (known after apply)

      + access_control_policy {
          + grant {
              + permission = (known after apply)

              + grantee {
                  + display_name  = (known after apply)
                  + email_address = (known after apply)
                  + id            = (known after apply)
                  + type          = (known after apply)
                  + uri           = (known after apply)
                }
            }
          + owner {
              + display_name = (known after apply)
              + id           = (known after apply)
            }
        }
    }

  # module.da_s3_files_bucket.aws_s3_bucket_public_access_block.this[0] will be created
  + resource "aws_s3_bucket_public_access_block" "this" {
      + block_public_acls       = false
      + block_public_policy     = false
      + bucket                  = (known after apply)
      + id                      = (known after apply)
      + ignore_public_acls      = false
      + restrict_public_buckets = false
    }
```
## Expected behavior

The `bucket` value for the `aws_s3_bucket_acl`, `aws_s3_bucket_public_access_block`, and `aws_s3_bucket_server_side_encryption_configuration` resources should be known, as that is a required value when creating a bucket.

## Actual behavior

The `bucket` value for the `aws_s3_bucket_acl`, `aws_s3_bucket_public_access_block`, and `aws_s3_bucket_server_side_encryption_configuration` resources is `(known after apply)`.

## Terminal Output Screenshot(s)
## Additional context

This really matters when running IaC scans against your plan output. Without the `bucket` value having a known value, common security tests will fail.

```
/usr/bin/bash --noprofile --norc /home/vsts/work/_temp/30ec69f3-af5e-4507-872f-1c927fde15c8.sh
WARN - /home/vsts/work/_temp/tfplan.json - main - TFP004: S3 bucket has no access blocks ( https://dev.azure.com/hagerty/Hagerty/_wiki/wikis/hagerty.wiki/24087/TFP004-Buckets-Without-Access-Blocks ): module.da_s3_files_bucket.aws_s3_bucket.this[0]
FAIL - /home/vsts/work/_temp/tfplan.json - main - TFP003: S3 bucket is missing private acl ( https://dev.azure.com/hagerty/Hagerty/_wiki/wikis/hagerty.wiki/24083/TFP003-Buckets-Without-Private-ACL ): module.da_s3_files_bucket.aws_s3_bucket.this[0]
FAIL - /home/vsts/work/_temp/tfplan.json - main - TFP005: S3 bucket is not encrypted, see document ( https://dev.azure.com/hagerty/Hagerty/_wiki/wikis/hagerty.wiki/25179/TFP005-S3-Bucket-is-not-encrypted ): module.da_s3_files_bucket.aws_s3_bucket.this[0]
```
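The scanner failures above come from matching child resources to their bucket purely on the planned `bucket` value, which is absent from `planned_values`/`after` when it is unknown. The following is an added example (not code from the issue author, the module, or any scanner named here) of a plan-JSON check that falls back to the `configuration` section's expression references when `bucket` is `(known after apply)`. The plan document `SAMPLE_PLAN` is a constructed, trimmed imitation of `terraform show -json tfplan` output, and the helper names (`find_missing_controls`, `bucket_references`, `config_address`) are hypothetical; it handles root-module resources only and does not walk `module_calls`.

```python
import json
import re

# Sub-resources a hardened bucket is expected to have (Terraform resource types).
REQUIRED_CHILD_TYPES = (
    "aws_s3_bucket_acl",
    "aws_s3_bucket_public_access_block",
    "aws_s3_bucket_server_side_encryption_configuration",
)

# Constructed sample of `terraform show -json tfplan` output, trimmed to the
# fields used here. It mirrors the issue: `bucket` on the child resources is
# unknown at plan time, so it appears under after_unknown rather than after.
SAMPLE_PLAN = json.loads("""
{
  "format_version": "1.2",
  "resource_changes": [
    {"address": "aws_s3_bucket.this[0]", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {"bucket": "example-bucket"},
                "after_unknown": {"id": true, "arn": true}}},
    {"address": "aws_s3_bucket_acl.this[0]", "type": "aws_s3_bucket_acl",
     "change": {"actions": ["create"], "after": {"acl": "private"},
                "after_unknown": {"bucket": true, "id": true}}},
    {"address": "aws_s3_bucket_public_access_block.this[0]",
     "type": "aws_s3_bucket_public_access_block",
     "change": {"actions": ["create"],
                "after": {"block_public_acls": true, "block_public_policy": true,
                          "ignore_public_acls": true, "restrict_public_buckets": true},
                "after_unknown": {"bucket": true, "id": true}}}
  ],
  "configuration": {"root_module": {"resources": [
    {"address": "aws_s3_bucket.this", "type": "aws_s3_bucket",
     "expressions": {"bucket": {"constant_value": "example-bucket"}}},
    {"address": "aws_s3_bucket_acl.this", "type": "aws_s3_bucket_acl",
     "expressions": {"bucket": {"references": [
       "aws_s3_bucket.this[0].id", "aws_s3_bucket.this[0]", "aws_s3_bucket.this"]}}},
    {"address": "aws_s3_bucket_public_access_block.this",
     "type": "aws_s3_bucket_public_access_block",
     "expressions": {"bucket": {"references": [
       "aws_s3_bucket.this[0].id", "aws_s3_bucket.this[0]", "aws_s3_bucket.this"]}}}
  ]}}
}
""")

_INDEX_RE = re.compile(r"\[[^\]]*\]$")


def config_address(instance_address):
    """Strip a trailing count/for_each index: 'x.y[0]' -> 'x.y'."""
    return _INDEX_RE.sub("", instance_address)


def planned_resources(plan):
    """Resources that will exist after apply, keyed by instance address."""
    return {rc["address"]: rc for rc in plan.get("resource_changes", [])
            if rc["change"]["actions"] != ["delete"]}


def bucket_references(plan):
    """Map each root-module config address to the addresses its `bucket`
    argument references (empty list when the argument is a literal)."""
    refs = {}
    for res in plan["configuration"]["root_module"].get("resources", []):
        expr = res.get("expressions", {}).get("bucket", {})
        refs[res["address"]] = list(expr.get("references", []))
    return refs


def find_missing_controls(plan, use_references=True):
    """Return {bucket_address: [missing child resource types]}.

    With use_references=False the check behaves like a naive scanner that
    trusts only planned values: an unknown `bucket` never matches, so every
    control is reported missing (the false positive described in the issue).
    """
    resources = planned_resources(plan)
    refs = bucket_references(plan) if use_references else {}
    buckets = {a: rc for a, rc in resources.items() if rc["type"] == "aws_s3_bucket"}
    attached = {a: set() for a in buckets}

    for addr, rc in resources.items():
        if rc["type"] not in REQUIRED_CHILD_TYPES:
            continue
        known_name = (rc["change"].get("after") or {}).get("bucket")
        for b_addr, b_rc in buckets.items():
            if known_name is not None:
                # Normal path: the literal bucket name is known at plan time.
                matched = (b_rc["change"].get("after") or {}).get("bucket") == known_name
            else:
                # `bucket` is (known after apply): fall back to the references
                # recorded in the configuration section, which are always present.
                matched = any(r == b_addr or r.startswith(b_addr + ".")
                              for r in refs.get(config_address(addr), []))
            if matched:
                attached[b_addr].add(rc["type"])

    return {b_addr: [t for t in REQUIRED_CHILD_TYPES if t not in present]
            for b_addr, present in attached.items()}


if __name__ == "__main__":
    print("naive:          ", find_missing_controls(SAMPLE_PLAN, use_references=False))
    print("reference-aware:", find_missing_controls(SAMPLE_PLAN))
```

Run stand-alone, the naive mode reports all three controls missing for the sample bucket (the same false positives as TFP003/TFP004 above), while the reference-aware mode reports only the server-side encryption configuration as missing, because the sample plan genuinely lacks that resource. Whether a given scanner can be taught this fallback depends on the tool; the point is that the `configuration` block of the plan JSON carries the bucket linkage even when the planned value does not.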