Terraform: Delete Non-Empty S3 Bucket (Easy Guide)

• Introduction
• Step-by-Step Guide
• Code Example
• Additional Notes
• Summary
• Conclusion
• References

This guide provides solutions to the common issue of Terraform being unable to delete a non-empty S3 bucket. We'll explore various methods, from manual deletion using the AWS CLI to leveraging Terraform's lifecycle rules and the force_destroy option. We'll also discuss handling versioned buckets, best practices to ensure data safety, and troubleshooting tips for common problems.

1. Understand the Problem: Terraform can't delete an S3 bucket if it's not empty. This includes actual files and "delete markers" (if versioning is enabled).

2. Manual Deletion (Easiest):

   • Use AWS CLI: The simplest way is to empty the bucket manually before running terraform destroy. Use the AWS CLI command: aws s3 rm s3://your-bucket-name --recursive. Replace your-bucket-name with the actual bucket name.

3. Terraform Lifecycle Rules (For Objects):

   • Add lifecycle_rule to your aws_s3_bucket resource: This allows you to define rules for automatically expiring or deleting objects in your bucket. You can set rules to expire objects after a certain time or on a specific date.

4. force_destroy Option (Use with Caution):

   • Add force_destroy = true to your aws_s3_bucket resource: This tells Terraform to delete the bucket even if it's not empty. Warning: This will permanently delete all data in the bucket.

5. Handling Versioned Buckets:

   • Emptying versioned buckets is more complex: You'll need to delete all versions of all objects, including delete markers. The AWS CLI command above will handle this.
   • force_destroy might not work reliably with versioned buckets: There have been reported issues with force_destroy not consistently deleting versioned buckets.

6. Best Practices:

   • Always back up important data before deleting buckets.
   • Consider using lifecycle rules to automatically manage object expiration.
   • Use force_destroy with extreme caution and only if you understand the implications.

7. Troubleshooting:

   • Check for hidden objects or delete markers: If you're sure the bucket is empty but still can't delete it, there might be hidden objects or delete markers. Use the AWS CLI or S3 console to investigate.
   • Review Terraform logs: The logs can provide more information about why the deletion is failing.
   • Check for dependencies: Ensure no other resources depend on the bucket before deleting it.

This document provides examples of how to delete AWS S3 buckets using Terraform, including methods for handling non-empty buckets. It covers manual deletion using the AWS CLI, automated deletion using Terraform lifecycle rules, and forced deletion using the force_destroy option (use with caution). It also explains how to empty versioned buckets using the AWS CLI. The document emphasizes best practices such as backing up data, using lifecycle rules, and using force_destroy cautiously. It concludes with troubleshooting tips, including checking for hidden objects, reviewing Terraform logs, and checking for dependencies.

This example demonstrates different approaches to deleting S3 buckets with Terraform, addressing the common issue of non-empty buckets.

1. Manual Deletion (AWS CLI):

This is the simplest approach, but it requires manual intervention outside of Terraform.

aws s3 rm s3://your-bucket-name --recursive

2. Terraform Lifecycle Rules:

This approach uses Terraform to define rules for automatically expiring or deleting objects in your bucket.

resource "aws_s3_bucket" "example" {
  bucket = "my-bucket"

  lifecycle_rule {
    enabled = true

    prefix = "logs/"

    expiration {
      days = 30
    }
  }
}

3. force_destroy Option (Use with Caution):

This approach forces Terraform to delete the bucket even if it's not empty. Use with extreme caution!

resource "aws_s3_bucket" "example" {
  bucket = "my-bucket"

  force_destroy = true  # Use with extreme caution!
}

4. Handling Versioned Buckets (AWS CLI):

Emptying versioned buckets requires deleting all versions of all objects, including delete markers.

aws s3api delete-objects --bucket your-bucket-name --delete '{"Objects": [{"Key": "object-key"}, {"Key": "another-object-key", "VersionId": "object-version-id"}]}'

5. Best Practices:

• Back up important data: Always back up important data before deleting buckets.
• Use lifecycle rules: Consider using lifecycle rules to automatically manage object expiration.
• Use force_destroy cautiously: Use force_destroy with extreme caution and only if you understand the implications.

6. Troubleshooting:

• Check for hidden objects: Use the AWS CLI or S3 console to check for hidden objects or delete markers.
• Review Terraform logs: The logs can provide more information about why the deletion is failing.
• Check for dependencies: Ensure no other resources depend on the bucket before deleting it.

Remember to replace placeholders like your-bucket-name, object-key, and object-version-id with your actual values.

• Alternatives to force_destroy: While force_destroy is an option, consider these alternatives for a cleaner approach:
  • Data source with for_each: Use a aws_s3_bucket_objects data source to fetch objects and delete them with a aws_s3_object resource within a for_each loop. This provides more control and visibility.
  • Modules: Create a separate Terraform module dedicated to emptying and deleting S3 buckets. This promotes reusability and a more organized codebase.
• Permissions: Ensure your IAM user or role has the necessary permissions (e.g., s3:DeleteBucket, s3:DeleteObject) to delete buckets and objects.
• State file: If you manually delete a bucket outside of Terraform, update your Terraform state file to reflect the change. Otherwise, Terraform might encounter errors in subsequent runs.
• Bucket policies and ACLs: Be aware that bucket policies and ACLs can restrict deletion. Review and modify them as needed before attempting to delete the bucket.
• Object locking: If object locking is enabled on the bucket, you'll need to disable it before deleting objects or the bucket itself.
• S3 Inventory: For large buckets, consider using S3 Inventory to get a complete list of objects for deletion. This can be particularly helpful for versioned buckets.
• CloudTrail: Enable CloudTrail to track S3 bucket operations, including deletions. This can be useful for auditing and troubleshooting purposes.
• Consider using tools: Several tools can help manage S3 buckets and objects, including:
  • AWS Console: Provides a user-friendly interface for managing S3 resources.
  • AWS SDKs: Offer programmatic access to AWS services, including S3.
  • Third-party tools: Various third-party tools specialize in S3 management, offering features like bulk deletion, version control, and lifecycle management.

Remember to adapt these notes and examples to your specific needs and environment. Always prioritize data safety and thoroughly understand the implications of your actions before deleting S3 buckets.

This document outlines methods for deleting AWS S3 buckets using Terraform, addressing the challenge of non-empty buckets.

Key Points:

• Problem: Terraform cannot delete non-empty S3 buckets, including those containing files or delete markers (from versioning).
• Manual Deletion (Recommended): The easiest solution is to empty the bucket using the AWS CLI command aws s3 rm s3://your-bucket-name --recursive before running terraform destroy.
• Terraform Lifecycle Rules: Configure automatic object expiration within your aws_s3_bucket resource using lifecycle_rule to prevent future accumulation.
• force_destroy Option (Use Cautiously): Adding force_destroy = true to your aws_s3_bucket resource forces deletion even if the bucket is not empty. Warning: This permanently deletes all data.
• Versioned Buckets: Emptying versioned buckets requires deleting all object versions and delete markers. While the AWS CLI command handles this, force_destroy may not work reliably.
• Best Practices:
  • Back up important data before deleting buckets.
  • Utilize lifecycle rules for automated object expiration.
  • Exercise extreme caution with force_destroy, understanding its implications.
• Troubleshooting:
  • Investigate hidden objects or delete markers using the AWS CLI or S3 console.
  • Review Terraform logs for deletion failure insights.
  • Ensure no resource dependencies exist before deleting the bucket.

Deleting S3 buckets with Terraform requires careful consideration due to the "bucket not empty" constraint. While manual deletion using the AWS CLI is the simplest approach, Terraform offers lifecycle rules for automated object expiration. The force_destroy option exists but should be used with extreme caution as it bypasses safety checks and permanently deletes all data. Versioned buckets present additional complexity, necessitating the deletion of all object versions and delete markers. Always prioritize data safety by backing up important information and understanding the implications of each deletion method. When encountering issues, investigate potential hidden objects, review Terraform logs, and ensure no resource dependencies exist. Remember to adapt these practices to your specific environment and prioritize a thorough understanding of your actions before deleting S3 buckets.

• Terraform: Handling the deletion of a non-empty AWS S3 Bucket ... | This article applies to Terraform v1.1.4 When using Terraform to manage your infrastructure you will...
• s3 is not empty and I can't destroy s3 bucket : r/Terraform | Posted by u/asquare412014 - 3 votes and 6 comments
• Error deleting S3 Bucket with Versioning Enabled: BucketNotEmpty ... | Terraform Version Terraform v0.6.16 Affected Resource(s) aws_s3_bucket Terraform Configuration Files resource "aws_s3_bucket" "storage" { bucket = "storage.${var.dns_zone}" acl = "private" force_de...
• Deleting S3 objects on Destroy : r/Terraform | Posted by u/Trick-Bumblebee-3555 - 3 votes and 7 comments
• Terraform HOWTO: delete a non-empty AWS S3 bucket | Alan D ... | The Amazon AWS S3 service provides a number of different ways to delete a non-empty S3 bucket; some of the approaches involve “emptying” the bucket prior to deleting it. The process can also vary a bit depending on whether or not the bucket has versioning enabled.
• [Bug]: r/aws_s3_bucket force destroy on non-empty versioned ... | Terraform Core Version 1.5.5 AWS Provider Version 5.29.0 Affected Resource(s) aws_s3_bucket Expected Behavior When a non-empty versioned bucket that contains at least one delete marker is destroyed...
• How to prevent an s3 bucket from being destroy on apply - AWS ... | Given a bucket like so: resource aws_s3_bucket nfcisbenchmark_config { bucket = "${var.name}-config" acl = "private" # ensure the CloudTrail S3 bucket has access logging is enabled. logging { target_bucket = aws_s3_bucket.log_bucket_config.id target_prefix = "log/" } server_side_encryption_configuration { rule { apply_server_side_encryption_by_default { kms_master_key_id = aws_kms_key.nfcisbenchmark.arn sse_algorithm = "aws:k...
• Destroy non-empty bucket · Issue #1977 · hashicorp/terraform · GitHub | Right now if you try to destroy an S3 bucket with any items in it, terraform will fail: Error applying plan: 1 error(s) occurred: * 1 error(s) occurred: * BucketNotEmpty: The bucket you tried to de...
• How to fix : « … operation error S3: DeleteBucket, https response ... | You might come across this error if you make a bucket with Terraform, add files, and then try to delete it using “terraform destroy”.