[Bug]: aws_s3_directory_bucket — Missing Resource Identity After Read

[markelliot]

Terraform and AWS Provider Version

hashicorp/aws v6.34.0

Affected Resource(s) or Data Source(s)

• aws_s3_directory_bucket

Expected Behavior

terraform apply of a fresh aws_s3_directory_bucket resource should create the bucket and complete without error. Refresh of an existing one should populate state and identity cleanly.

Actual Behavior

Both Create-then-Read and refresh against an existing directory bucket fail with:

Error: Missing Resource Identity After Read

The Terraform Provider unexpectedly returned no resource identity data
after having no errors in the resource read. This is always an issue in
the Terraform Provider and should be reported to the provider developers.

The Read function returns no error and no identity, tripping the framework's identity assertion. This blocks all reconciliation — the resource never proceeds to Create or to a clean refresh.

Steps to Reproduce

1. Apply a minimal config:

   resource "aws_s3_directory_bucket" "example" {
     bucket = "example-bucket--use1-az4--x-s3"
     location {
       name = "use1-az4"
       type = "AvailabilityZone"
     }
     data_redundancy = "SingleAvailabilityZone"
     type            = "Directory"
   }

2. Run terraform apply (greenfield) — error fires before Create.

3. Or, pre-create the bucket out of band with aws s3api create-bucket --bucket example-bucket--use1-az4--x-s3 --create-bucket-configuration '{"Location":{"Type":"AvailabilityZone","Name":"use1-az4"},"Bucket":{"Type":"Directory","DataRedundancy":"SingleAvailabilityZone"}}' and then terraform import aws_s3_directory_bucket.example example-bucket--use1-az4--x-s3 → next refresh hits the same error.

The bucket itself can be created and managed normally via the AWS CLI / SDK; the failure is purely the TF resource's identity contract.

Relevant Error/Panic Output

read resource request failed: Missing Resource Identity After Read: The
Terraform Provider unexpectedly returned no resource identity data after
having no errors in the resource read. This is always an issue in the
Terraform Provider and should be reported to the provider developers.

Notes

internal/service/s3/directory_bucket.go declares framework.WithImportByIdentity and is annotated @Testing(preIdentityVersion=\"v6.31.0\"), but the Read function does not appear to populate identity on the response, which appears to be the proximate cause. Comparable issues for sibling resources have been resolved by explicitly setting identity in Read — e.g. #46674 (aws_s3_bucket_lifecycle_configuration) and #46116 (security group). #45303 tracks the same class of bug for VPC SG rules and is still open.

[github-actions]

Community Guidelines

This comment is added to every new Issue to provide quick reference to how the Terraform AWS Provider is maintained. Please review the information below, and thank you for contributing to the community that keeps the provider thriving! 🚀

Voting for Prioritization

• Please vote on this Issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize it.
• Please see our prioritization guide for additional information on how the maintainers handle prioritization.
• Please do not leave +1 or other comments that do not add relevant new information or questions; they generate extra noise for others following the Issue and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.
• For new resources and data sources, use skaff to generate scaffolding with comments detailing common expectations.

[dosubot]

Hey @markelliot 👋 Thank you for taking the time to raise this!

Your analysis is spot-on. The Read function in internal/service/s3/directory_bucket.go does not set the data.ID field [1], while the Create function explicitly sets it via data.ID = fwflex.StringValueToFramework(ctx, bucket) [2]. Since ID is a computed-only field, it must be explicitly populated by Read, but the flatten() helper only sets DataRedundancy, Location, and Type. This causes the identity contract to be violated on the post-Create read and on refresh/import.

The resource declares @IdentityAttribute("bucket", identityDuplicateAttributes="id") and @Testing(preIdentityVersion="v6.31.0") [3], so the framework expects identity data to be present after Read returns successfully.

A framework-level fix for this class of bug was merged in PR #46964 [4] and released in v6.37.0, but that fix specifically handles the case where a pre-identity resource is deleted outside Terraform (null response state fallback). It does not appear to cover the greenfield create-then-read case you're hitting, where Read actively returns a non-null state but with the ID field unset.

The fix pattern used in sibling resources (as you noted in #46674 and #46116) — explicitly setting the identity-relevant fields in Read — would be the appropriate resolution here.

Written by @dosu, approved by justinretzolk

To reply, just mention @dosu.

---

Docs are dead. Just use Dosu.