[Bug]: aws_backup_selection selection_tag and resources do not interact as expected #41274

Open
DerekTBrown opened this issue Feb 7, 2025 · 2 comments
Labels
bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. service/backup Issues and PRs that pertain to the backup service.

Comments

@DerekTBrown
Contributor

DerekTBrown commented Feb 7, 2025

Terraform Core Version

1.7.5

AWS Provider Version

5.86.0

Affected Resource(s)

  • aws_backup_selection

Expected Behavior

Expected Behavior: Backup plan targets S3 buckets with the enable_backup = true tag. [1]

Actual Behavior

Actual Behavior: Backup plan targets all S3 buckets AND all AWS resources with the enable_backup = true tag.

Terraform Configuration Files

resource "aws_backup_selection" "backup_selection_usw2" {
  provider = aws.usw2

  name         = "my-backup-plan"
  plan_id      = aws_backup_plan.s3_bucket_backup.id
  iam_role_arn = data.aws_iam_role.backup_default_role.arn

  resources = [
    "arn:aws:s3:::*"
  ]

  selection_tag {
    key   = "enable_backup"
    value = "true"
    type  = "STRINGEQUALS"
  }
}

Steps to Reproduce

  1. Apply the given configuration.
  2. Observe the AWS resources added to the AWS Vault of choice.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

Footnotes

  1. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_selection#:~:text=selection_tag%20%2D%20(Optional)%20Tag%2Dbased%20conditions%20used%20to%20specify%20a%20set%20of%20resources%20to%20assign%20to%20a%20backup%20plan.

@DerekTBrown DerekTBrown added the bug Addresses a defect in current functionality. label Feb 7, 2025

github-actions bot commented Feb 7, 2025

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added service/backup Issues and PRs that pertain to the backup service. needs-triage Waiting for first response or review from a maintainer. labels Feb 7, 2025
@DerekTBrown
Contributor Author

The solution is to use the condition field instead of selection_tag:

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_selection#:~:text=condition%20%2D%20(Optional)%20A%20list%20of%20conditions%20that%20you%20define%20to%20assign%20resources%20to%20your%20backup%20plans%20using%20tags.

However, we should:

  • At a minimum, document this better.
  • Ideally, change the interface to make it hard to miss this.

This can quickly create significant costs.
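
The fix described in the comment above, written out as an added example (not code from the issue or from the provider project): the issue's selection with `selection_tag` replaced by a `condition` block. The `aws:ResourceTag/` key prefix is the form the provider documentation uses for `condition` keys; every other name is taken from the configuration in the issue.

```hcl
resource "aws_backup_selection" "backup_selection_usw2" {
  provider = aws.usw2

  name         = "my-backup-plan"
  plan_id      = aws_backup_plan.s3_bucket_backup.id
  iam_role_arn = data.aws_iam_role.backup_default_role.arn

  # Candidate set: every S3 bucket.
  resources = [
    "arn:aws:s3:::*"
  ]

  # Filter applied to the candidate set: only resources that also carry
  # enable_backup = "true" are assigned to the plan. With selection_tag,
  # the tag match was added alongside the ARN list instead of narrowing it,
  # which is the behaviour reported in this issue.
  condition {
    string_equals {
      key   = "aws:ResourceTag/enable_backup"
      value = "true"
    }
  }
}
```

After applying, `aws backup get-backup-selection` returns the stored `Resources`, `ListOfTags` and `Conditions` for the selection, which makes it easy to confirm that the tag now appears under `Conditions` rather than `ListOfTags`.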
