fix: Eliminate perpetual Terraform drift in 4 AWS resources (#59)

sam-at-luther · claude · web-flow · commit a61f39a510f0 · 2026-02-26T15:22:38.000-08:00
Add luthername tags to admin IAM role and Route53 zone (previously untagged), add lifecycle ignore for managed_policy_arns on the admin role, add lifecycle ignore for deprecated inline S3 bucket attributes, and set bucket_key_enabled = false on S3 encryption config to match AWS defaults. Closes #58 Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/aws-platform-ui-bootstrap/admin.tf b/aws-platform-ui-bootstrap/admin.tf
@@ -1,7 +1,22 @@
+module "luthername_admin_role" {
+  source         = "../luthername"
+  luther_project = var.project
+  aws_region     = local.region
+  luther_env     = var.env
+  org_name       = var.org_name
+  component      = "admin"
+  resource       = "role"
+}
+
 resource "aws_iam_role" "admin" {
   name               = var.admin_role_name
   description        = "Provides administrator level access"
   assume_role_policy = data.aws_iam_policy_document.assume_role.json
+  tags               = module.luthername_admin_role.tags
+
+  lifecycle {
+    ignore_changes = [managed_policy_arns]
+  }
 }
 
 resource "aws_iam_role_policy_attachment" "admin" {
diff --git a/aws-platform-ui-bootstrap/dns.tf b/aws-platform-ui-bootstrap/dns.tf
@@ -1,6 +1,18 @@
+module "luthername_dns_zone" {
+  source         = "../luthername"
+  count          = var.create_dns ? 1 : 0
+  luther_project = var.project
+  aws_region     = local.region
+  luther_env     = var.env
+  org_name       = var.org_name
+  component      = "dns"
+  resource       = "zone"
+}
+
 resource "aws_route53_zone" "main" {
-  count = var.create_dns ? 1 : 0 # Only create the resource if var.create_dns is true
+  count = var.create_dns ? 1 : 0
   name  = var.domain
+  tags  = module.luthername_dns_zone[0].tags
 }
 
 output "domain" {
diff --git a/aws-s3-bucket/s3_buckets.tf b/aws-s3-bucket/s3_buckets.tf
@@ -30,6 +30,10 @@ resource "aws_s3_bucket" "bucket" {
   )
 
   force_destroy = var.force_destroy
+
+  lifecycle {
+    ignore_changes = [server_side_encryption_configuration, versioning]
+  }
 }
 
 resource "aws_s3_bucket_ownership_controls" "bucket" {
@@ -44,6 +48,8 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "bucket" {
   bucket = aws_s3_bucket.bucket.id
 
   rule {
+    bucket_key_enabled = false
+
     apply_server_side_encryption_by_default {
       kms_master_key_id = var.aws_kms_key_arn
       sse_algorithm     = "aws:kms"
