
Using mfa_delete on an S3 bucket #629

Closed
hashibot opened this issue Jun 13, 2017 · 8 comments
Labels
bug Addresses a defect in current functionality. service/s3 Issues and PRs that pertain to the s3 service. stale Old or inactive issues managed by automation, if no further action taken these will get closed.

Comments

@hashibot

This issue was originally opened by @Techbrunch as hashicorp/terraform#12973. It was migrated here as part of the provider split. The original body of the issue is below.

How to enable mfa_delete on an S3 bucket?

Terraform Version

Terraform v0.9.1

Affected Resource(s)

  • aws_s3_bucket

Terraform Configuration Files

```hcl
resource "aws_s3_bucket" "test-terraform-mfa-delete" {
  bucket = "test-terraform-mfa-delete"
  versioning {
    mfa_delete = true
  }
}
```

Debug Output

```text
provider.aws.region
  The region where AWS operations will take place. Examples
  are us-east-1, us-west-2, etc.

  Default: us-east-1
  Enter a value:

aws_s3_bucket.test-terraform-mfa-delete: Creating...
  acceleration_status:     "" => "<computed>"
  acl:                     "" => "private"
  arn:                     "" => "<computed>"
  bucket:                  "" => "test-terraform-mfa-delete"
  bucket_domain_name:      "" => "<computed>"
  force_destroy:           "" => "false"
  hosted_zone_id:          "" => "<computed>"
  region:                  "" => "<computed>"
  request_payer:           "" => "<computed>"
  versioning.#:            "" => "1"
  versioning.0.enabled:    "" => "false"
  versioning.0.mfa_delete: "" => "true"
  website_domain:          "" => "<computed>"
  website_endpoint:        "" => "<computed>"
Error applying plan:

1 error(s) occurred:

* aws_s3_bucket.test-terraform-mfa-delete: 1 error(s) occurred:

* aws_s3_bucket.test-terraform-mfa-delete: Error putting S3 versioning: AccessDenied: Mfa Authentication must be used for this request
	status code: 403, request id: 768ACF725BBD91DD

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.
```

hashibot added the bug label Jun 13, 2017
@austinbyers

austinbyers commented Jul 29, 2017

I think mfa_delete only applies if the bucket has a non-empty versioning configuration (i.e. a lifecycle rule); the example given does not

@aynsof

aynsof commented Aug 14, 2017

Is this simply because only the root account can enable MFA delete?
"The bucket owner, the AWS account that created the bucket (root account), and all authorized IAM users can enable versioning, but only the bucket owner (root account) can enable MFA delete."
See: https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html#MultiFactorAuthenticationDelete

@tjordan-vrts

The problem still exists with enabling MFA_Delete on an S3 bucket even if you execute terraform apply using root credentials and an STS token.

radeksimko added the service/s3 label Jan 27, 2018
@Dominik-K
Contributor

The underlying command s3conn.PutBucketVersioning needs the MFA serial and a valid token code. Didn't find any hints in the AWS forum that you could use STS temporary credentials (with MFA enabled) instead.

Therefore Terraform needs to ask for the token code while applying. It can't ask beforehand as the token code may be already invalid (TOTP is time-based).
@radeksimko Can a Terraform provider ask for input in the CRUD operations?

nozaq pushed a commit to nozaq/terraform-aws-secure-baseline that referenced this issue Apr 1, 2018
since mfa_delete can't be enabled via Terraform at this moment.
hashicorp/terraform-provider-aws#629
@tdmalone
Contributor

tdmalone commented Jul 30, 2018

According to @apparentlymart here:

Some users have reported success using a wrapper/helper script that calls sts:GetSessionToken to obtain temporary credentials in return for an MFA token, and then passes those temporary credentials to Terraform via environment variables.
...
At this time we do not have plans to support interactive authentication to providers since it would require some significant changes to the provider model.

aws-mfa looks like a promising, pretty-much-automated way of solving this, but I haven't been able to get it to work with this issue yet.

I tried both with and without root account keys, and both with a credentials profile and by passing the creds (including AWS_SESSION_TOKEN) in as environment variables - but the same error persists:

```text
aws_s3_bucket.main: Error putting S3 versioning: AccessDenied: Mfa Authentication must be used for this request
```

@apparentlymart
Contributor

The link above to the S3 Go SDK is pointing to a line that doesn't seem relevant, so I assume that file has just changed a bunch since that comment. I think the intent was to link to the MFA argument on PutBucketVersioning.

This argument becomes the special HTTP header X-Amz-MFA, directly sending the MFA value inside the header rather than the usual approach (from other AWS APIs) of doing the MFA during token generation and then using that token.

I don't know why this particular API is designed in this unusual way; I'd guess it's probably an API analog of the usual MFA setup UI, where you are requested to enter your token once during setup to prove that you've got your MFA device set up properly before you potentially lock yourself out, which is separate from then using the MFA process once it's activated.

Indeed it does seem like the Terraform AWS provider would need to do something special to make this work. As I noted in my other comment, we don't consider Terraform to be an interactive tool in general and so introducing extra interactive input in the apply phase is not ideal.

Probably the best we could do in the short term is to expose an additional argument on the resource that calls this endpoint that takes the TOTP code and then have the user pass it in as a variable, but as noted in an earlier comment that's problematic if you are doing a separate plan/apply since the token will probably have expired by the time you get to the apply stage.

Given that MFA setup is generally an interactive process anyway, it could potentially be argued that it's not a good fit for Terraform, but if we can find a way to support it without adding a lot of complexity then that'd definitely be nice. If not, perhaps we could just find and document a suitable workflow for doing that particular change interactively via the AWS console without Terraform trying to revert it back to off again on the next run.
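The two comments above (Dominik-K's, that `PutBucketVersioning` needs the device serial plus a live TOTP code, and apparentlymart's, that the value travels in the `X-Amz-MFA` header and will have rotated between a separate plan and apply) are easier to reason about with the pieces in code. The following is an added example, not code from the thread or from the Terraform AWS provider. It assumes a boto3-style client whose `put_bucket_versioning` takes `Bucket`, `MFA` and `VersioningConfiguration` keyword arguments (boto3's real signature); the serial ARN is a placeholder, the `RecordingClient` is a constructed stand-in so the call can be inspected offline, and the TOTP secret is the RFC 6238 Appendix B test-vector secret, not a real device seed.

```python
import hashlib
import hmac
import struct

# TOTP period used by AWS virtual MFA devices (RFC 6238 default).
STEP_SECONDS = 30


def totp(secret: bytes, for_time: int, step: int = STEP_SECONDS,
         digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the counter floor(for_time / step)."""
    counter = int(for_time) // step
    digest = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def seconds_until_rotation(for_time: int, step: int = STEP_SECONDS) -> int:
    """Seconds the code current at for_time remains the current code."""
    return step - (int(for_time) % step)


def code_still_current(minted_at: int, now: int, step: int = STEP_SECONDS) -> bool:
    """True only when plan time and apply time fall in the same TOTP window.

    This is the failure mode the thread describes: a code captured during
    `terraform plan` is stale by the time a separate `terraform apply` runs.
    """
    return int(minted_at) // step == int(now) // step


def mfa_header_value(serial: str, code: str) -> str:
    """Value S3 expects in X-Amz-MFA: device serial (or ARN), one space, the code."""
    return f"{serial} {code}"


def enable_mfa_delete(s3_client, bucket: str, serial: str, code: str):
    """Turn on MFA delete with a single PutBucketVersioning call.

    MFA delete is a property of the versioning configuration, so Status is
    sent as Enabled alongside MFADelete; the MFA value is sent per request,
    not baked into the session credentials, which is why STS session tokens
    obtained with MFA do not satisfy this API on their own.
    """
    return s3_client.put_bucket_versioning(
        Bucket=bucket,
        MFA=mfa_header_value(serial, code),
        VersioningConfiguration={"Status": "Enabled", "MFADelete": "Enabled"},
    )


class RecordingClient:
    """Constructed stand-in for a boto3 S3 client: records the call offline."""

    def __init__(self):
        self.calls = []

    def put_bucket_versioning(self, **kwargs):
        self.calls.append(kwargs)
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 6238 test-vector secret
    plan_time, apply_time = 1111111109, 1111111111  # two seconds apart, different windows
    code = totp(secret, plan_time)
    print("code at plan time:", code, "valid for", seconds_until_rotation(plan_time), "s")
    print("still current at apply time?", code_still_current(plan_time, apply_time))
    client = RecordingClient()
    enable_mfa_delete(client, "test-terraform-mfa-delete",
                      "arn:aws:iam::123456789012:mfa/placeholder-device", code)
    print("request kwargs:", client.calls[0])
```

With a real boto3 client in place of `RecordingClient`, the same `enable_mfa_delete` call is the one-off, interactive step the thread ends up recommending be done outside the normal plan/apply cycle; the `code_still_current` check makes concrete why a code read at plan time cannot be reused at apply time.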

@github-actions

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

github-actions bot added the stale label Jul 19, 2020
@ghost

ghost commented Sep 19, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

ghost locked and limited conversation to collaborators Sep 19, 2020