Bucket tainted, so must be replaced

findH · February 1, 2023, 4:26pm

Creating a S3 bucket via Terraform. This is what main.tf looks like -

terraform {
required_providers {
aws = {
source = “hashicorp/aws”
version = “~> 4.16”
}
}

required_version = “>= 1.2.0”
}

provider “aws” {
region = “us-east-1”
}

resource “aws_s3_bucket” “s3_bucket” {
bucket = “tcb-app-qa-jr”
}

Upon ‘terraform plan’, this is the error I am getting:

  # aws_s3_bucket.s3_bucket is tainted, so must be replaced
-/+ resource "aws_s3_bucket" "s3_bucket" {
      + acceleration_status         = (known after apply)
      + acl                         = (known after apply)
      ~ arn                         = "arn:aws:s3:::tcb-app-qa-hp" -> (known after apply)
      ~ bucket_domain_name          = "tcb-app-qa-hp.s3.amazonaws.com" -> (known after apply)

I tried to destroy and redo it with same error.
I also tried to rm terraform.state with no luck.

What is causing this?

apparentlymart · February 3, 2023, 10:30pm

Hi @findH,

What you’ve shared here is not itself an error, but rather just Terraform giving some extra information about why it is proposing to destroy this object.

The idea of an object being “tainted” typically represents it being damaged in some way. The most common reason is if there was an error partway through its creation which left the object partially created in a way that the provider doesn’t know how to recover from.

Another way something can become “tainted” is explicitly through the deprecated terraform taint command, but I assume if that were the cause then you would already know you ran that command.

If this object is functioning correctly as far as you are concerned and you don’t want to recreate it then you can use terraform untaint to remove the tainted status without modifying the underlying object. If you do this then you might leave the object in a state that the AWS provider doesn’t understand, but hopefully if you run terraform apply again after untainting the provider will just propose some in-place updates sufficient to make the remote object match your configuration.

Unfortunately I can’t give you a definitive answer about why it is tainted in the first place, because that would have happened on a previous run of Terraform. You mentioned that if you destroy and recreate this object you get back into this same state, and so that means that Terraform ought to be returning an error during the creation of the bucket that explains the cause of the taint status.

findH · February 3, 2023, 10:34pm

Thanks. This makes sense. Yes this occurred when i ran the plan in previous tries. At this point I was able to move forward by cleaning up and re-doing things but its good to know I can untaint if I really need to.
Thx again