
aws_s3files_synchronization_configuration fails to delete when a prefix is configured #47753

@tkampsplunk

Description

Terraform and AWS Provider Version

terraform --version
Terraform v1.9.8

Affected Resource(s) or Data Source(s)

  • aws_s3files_synchronization_configuration

Expected Behavior

The resource is deleted successfully.

Actual Behavior

I receive an error:

╷
│ Error: deleting S3 Files Synchronization Configuration
│ 
│ ID: fs-07ac12e59c75a745c
│ Cause: operation error S3Files: PutSynchronizationConfiguration, , ValidationException: Invalid importDataRules. Prefix must start with the file system prefix 'easygoing-eagle-r25/' for each
│ rule."
│ 

Relevant Error/Panic Output

╷
│ Error: deleting S3 Files Synchronization Configuration
│ 
│ ID: fs-07ac12e59c75a745c
│ Cause: operation error S3Files: PutSynchronizationConfiguration, , ValidationException: Invalid importDataRules. Prefix must start with the file system prefix 'easygoing-eagle-r25/' for each
│ rule."
│ 

Sample Terraform Configuration

# Variables
variable "prefix" {
  description = "The prefix to use for the S3Files file system."
  type        = string
}

variable "bucket" {
  description = "The S3 bucket to use for the S3Files file system."
  type        = string
}

# Provider
provider "aws" {
  region = "us-east-1"
}

# Data sources
data "aws_partition" "current" {}
data "aws_caller_identity" "current" {}

locals {
  partition  = data.aws_partition.current.partition
  account_id = data.aws_caller_identity.current.account_id
}

# Resources
resource "aws_s3files_file_system" "filesystem" {
  bucket   = var.bucket
  role_arn = aws_iam_role.s3_files_role.arn
  prefix   = var.prefix
}

resource "aws_s3files_synchronization_configuration" "sync_config" {
  file_system_id = aws_s3files_file_system.filesystem.id

  import_data_rule {
    prefix         = var.prefix
    size_less_than = 1073741824 # 1 GB
    trigger        = "ON_DIRECTORY_FIRST_ACCESS"
  }

  expiration_data_rule {
    days_after_last_access = 5
  }
}
data "aws_iam_policy_document" "s3_files_assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      identifiers = ["elasticfilesystem.amazonaws.com"]
      type        = "Service"
    }

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [local.account_id]
    }

    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = [format("arn:%s:s3files:*:%s:file-system/*", local.partition, local.account_id)]
    }
  }
}

data "aws_iam_policy_document" "s3files_policy" {
  statement {
    actions = [
      "s3:ListBucket",
      "s3:ListBucketVersions",
    ]

    resources = [var.bucket]

    condition {
      test     = "StringEquals"
      variable = "aws:ResourceAccount"
      values   = [local.account_id]
    }
  }

  statement {
    actions = [
      "s3:PutObject*",
      "s3:GetObject*",
      "s3:DeleteObject*",
      "s3:GetObjectVersion",
      "s3:AbortMultipartUpload",
    ]

    resources = ["${var.bucket}/${var.prefix}*"]

    condition {
      test     = "StringEquals"
      variable = "aws:ResourceAccount"
      values   = [local.account_id]
    }
  }

  statement {
    actions = [
      "events:DeleteRule",
      "events:DisableRule",
      "events:EnableRule",
      "events:PutRule",
      "events:PutTargets",
      "events:RemoveTargets",
    ]

    condition {
      test     = "StringEquals"
      variable = "events:ManagedBy"
      values   = ["elasticfilesystem.amazonaws.com"]
    }

    resources = [
      "arn:${local.partition}:events:*:${local.account_id}:rule/DO-NOT-DELETE-S3FILES*",
    ]
  }

  statement {
    actions = [
      "events:DescribeRule",
      "events:ListRuleNamesByTarget",
      "events:ListRules",
      "events:ListTargetsByRule",
    ]

    resources = ["*"]
  }
}

resource "aws_iam_role" "s3_files_role" {
  name               = "s3-files-role"
  assume_role_policy = data.aws_iam_policy_document.s3_files_assume_role_policy.json
}

resource "aws_iam_role_policy" "s3_files_role_policy" {
  name   = "s3-files-role-policy"
  role   = aws_iam_role.s3_files_role.id
  policy = data.aws_iam_policy_document.s3files_policy.json
}

Steps to Reproduce

  1. Apply the configuration: terraform apply
  2. Destroy the configuration: terraform destroy

Debug Logging

None.

GenAI / LLM Assisted Development

n/a

Important Facts and References

This appears to be the offending line https://github.com/hashicorp/terraform-provider-aws/blob/main/internal/service/s3files/synchronization_configuration.go#L225 which sets the prefix to "" instead of using the configured prefix.
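To make the failure mode concrete, the following Go model (added here; it is not the provider's code nor the AWS SDK) reproduces the service-side check implied by the ValidationException in the error output and contrasts the rule the issue says the provider sends on destroy (prefix "") with one that reuses the configured file system prefix. The type, function names and the validation logic are assumptions built from the error text alone.

```go
package main

import (
	"fmt"
	"strings"
)

// ImportDataRule models only the field of an S3 Files import rule that the
// ValidationException on the page is about. Constructed for this example.
type ImportDataRule struct {
	Prefix string
}

// validateImportDataRules is a local model of the check the error message
// describes: every rule prefix must start with the file system prefix.
// It is not the AWS API; it exists to show when the call is rejected.
func validateImportDataRules(fsPrefix string, rules []ImportDataRule) error {
	for _, r := range rules {
		if !strings.HasPrefix(r.Prefix, fsPrefix) {
			return fmt.Errorf("ValidationException: Invalid importDataRules. "+
				"Prefix must start with the file system prefix '%s' for each rule", fsPrefix)
		}
	}
	return nil
}

// emptyRuleForDelete mirrors what the issue reports the provider doing on
// destroy: a rule whose prefix is "" regardless of configuration.
func emptyRuleForDelete() []ImportDataRule {
	return []ImportDataRule{{Prefix: ""}}
}

// scopedRuleForDelete is the hypothetical corrected behaviour: the rule sent
// during deletion carries the configured file system prefix.
func scopedRuleForDelete(fsPrefix string) []ImportDataRule {
	return []ImportDataRule{{Prefix: fsPrefix}}
}

func main() {
	const fsPrefix = "easygoing-eagle-r25/" // value taken from the issue's error output
	fmt.Println("empty prefix on delete:", validateImportDataRules(fsPrefix, emptyRuleForDelete()))
	fmt.Println("scoped prefix on delete:", validateImportDataRules(fsPrefix, scopedRuleForDelete(fsPrefix)))
	// With no file system prefix configured, "" satisfies the check, which is
	// why the issue title scopes the bug to file systems that have a prefix.
	fmt.Println("no fs prefix configured:", validateImportDataRules("", emptyRuleForDelete()))
}
```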

Would you like to implement a fix?

Yes

Labels: bug (Addresses a defect in current functionality), service/s3files (Issues and PRs that pertain to the s3files service)