
I naively tagged S3 objects with a common key, but arbitrary values (a UUID per batch), believing it would be "easy enough" to go back and delete every object with the specified tag.

So far, my testing suggests that if I specify a lifecycle rule which filters based on key-only (no value), then it matches only objects which also have the key and no value, rather than matching all objects with that key regardless of value.

I'm currently waiting for midnight UTC just to make sure that the issue isn't between Terraform and Amazon S3. But if there's a known way to apply a rule to all objects with tag-key K, that would be super helpful; the documentation I've found to date isn't quite that clear.

Bit of Terraform for completeness:

resource "aws_s3_bucket" "my_s3_bucket" {
  ...
  lifecycle_rule {
    id = "Tagged current version expiration"
    prefix = "my_prefix/"

    tags = {
      recyclable = ""
    }

    enabled = var.tagged_current_version_expiration_enabled

    noncurrent_version_expiration {
      days = var.tagged_noncurrent_version_expiration_days
    }
    
    expiration {
      days = var.tagged_current_version_expiration_days
    }
  }
  ...
}
Alex Reinking
Dave F

1 Answer

I'm afraid the lifecycle rules documentation is pretty clear on this point, and you'll have to write a rule for every UUID you created.

The Lifecycle rule applies to objects that have both of the tags specified. Amazon S3 performs a logical AND. Note the following:

Each tag must match both key and value exactly.

The rule applies to a subset of objects that has all the tags specified in the rule. If an object has additional tags specified, the rule will still apply.

"must match both key and value exactly" seems to indicate that you can't use any wildcard here.

aherve
  • I would generally agree, except that specifying a "value" for a key is optional, both when tagging an object and when specifying a lifecycle rule. If the only thing matched by a non-valued rule is a non-valued object-tag, then why support it at all? It's equivalent to "empty string is a unique value" and instead S3 could just have required a value with no loss of generality. Not saying you're incorrect, just that it's non-obvious how to interpret the idea of an optional tag-value. – Dave F Aug 17 '21 at 21:20
  • I'd like to see lifecycle rules and S3 batch jobs support wildcard tag matching. IMO that would greatly enhance the functionality of S3 tags. – MrSuaveh Aug 18 '21 at 17:31
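
The rule-per-value approach from the answer, as an added example that is not part of the original thread: it builds a lifecycle configuration in the shape boto3's `put_bucket_lifecycle_configuration` accepts and models the quoted exact-match semantics against constructed objects. The batch UUIDs, object keys, day counts and helper names are assumptions.

```python
import json

MAX_RULES = 1000  # S3 accepts at most 1,000 lifecycle rules per bucket


def filter_matches(rule_filter, key, tags):
    """Model of the documented semantics: prefix AND every tag, exact key and value."""
    cond = rule_filter["And"]
    if not key.startswith(cond["Prefix"]):
        return False
    # Extra tags on the object are ignored; each rule tag must match exactly.
    return all(tags.get(t["Key"]) == t["Value"] for t in cond["Tags"])


def expiry_rule(prefix, tag_key, tag_value, days, noncurrent_days):
    """One rule, with prefix and tag combined under 'And'."""
    return {
        "ID": f"expire-{tag_key}-{tag_value or 'empty'}",
        "Status": "Enabled",
        "Filter": {"And": {"Prefix": prefix,
                           "Tags": [{"Key": tag_key, "Value": tag_value}]}},
        "Expiration": {"Days": days},
        "NoncurrentVersionExpiration": {"NoncurrentDays": noncurrent_days},
    }


def rules_for_batches(prefix, tag_key, batch_ids, days, noncurrent_days):
    """One rule per distinct tag value, since a rule cannot wildcard the value."""
    values = sorted(set(batch_ids))
    if len(values) > MAX_RULES:
        raise ValueError(f"{len(values)} rules exceeds the {MAX_RULES}-rule limit")
    return {"Rules": [expiry_rule(prefix, tag_key, v, days, noncurrent_days)
                      for v in values]}


# Constructed sample data: two batch UUIDs and three tagged objects.
BATCHES = ["3f2b8c1e-0000-4000-8000-000000000001",
           "3f2b8c1e-0000-4000-8000-000000000002"]
OBJECTS = [("my_prefix/a.bin", {"recyclable": BATCHES[0]}),
           ("my_prefix/b.bin", {"recyclable": BATCHES[1], "owner": "etl"}),
           ("my_prefix/c.bin", {"recyclable": ""})]


def matched_keys(config):
    """Keys of the sample objects that at least one rule would select."""
    return sorted({k for k, tags in OBJECTS for r in config["Rules"]
                   if filter_matches(r["Filter"], k, tags)})


if __name__ == "__main__":
    cfg = rules_for_batches("my_prefix/", "recyclable", BATCHES, 30, 7)
    print(json.dumps(cfg, indent=2), matched_keys(cfg))
```

Rules already on the bucket count toward the same limit, so a long-lived stream of batch UUIDs needs old rules pruned once their objects have expired.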