Terraform bucket creation error

Hi Team,

I’m currently running into an error saying:

"Error: creating S3 Bucket (tfstate-s3-bucket): operation error S3: CreateBucket, https response error StatusCode: 400, RequestID: MYS4NC0MT7NB7QD2, HostID: sOLAwcHjaoIIgaOUlTO6l1060PrL262Y2wTMR359sMm6WkP8xK1W6tG4wNG4uG6YS3sSfeWRfMg=, api error AuthorizationHeaderMalformed: The authorization header is malformed; the region ‘us-east-1’ is wrong; expecting ‘eu-central-1’ "

Here is my TF S3 bucket creation code:

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
  required_version = ">= 1.5"
}

provider "aws" {
  region = var.region
}

resource "aws_s3_bucket" "tfstate_bucket" {
  bucket = var.bucket_name

  # Inline versioning is deprecated in AWS provider v4+ (the
  # aws_s3_bucket_versioning resource is the replacement); it still
  # applies here but only raises a warning, so it is unrelated to the error.
  versioning {
    enabled = true
  }

  lifecycle {
    prevent_destroy = true
  }

  tags = {
    Name        = var.bucket_name
    Environment = "dev"
  }
}

variable "bucket_name" {
  description = "The name of the S3 bucket"
  type        = string
  default     = "tfstate-s3-bucket"
}

variable "region" {
  description = "The AWS region to create the S3 bucket in"
  type        = string
  default     = "us-east-1"
}
```

Can someone please help me with this?

Thanks.

Hi @kbunny

Firstly, you should post code in code blocks like I have below so it is legible.

According to AWS, there are three situations in which this can happen.

  1. When you are creating a bucket with a name that is already being used as a bucket name in your AWS account or in any other AWS account (please note that S3 bucket names are globally unique).
  2. When you are doing an operation on your S3 bucket and you have set the Region variable (either when configuring the SDK or while using environment variables etc) to a region other than the one in which the bucket is actually present.
  3. You have recently deleted an S3 bucket in a particular region (say us-east-1) and you are trying to create a bucket (with the same name as the bucket that was deleted) in another region right after deleting the bucket.

My guess is that you hit #1, due to

```hcl
variable "bucket_name" {
  description = "The name of the S3 bucket"
  type        = string
  default     = "tfstate-s3-bucket"
}
```

and that some other AWS account has a bucket called tfstate-s3-bucket in the eu-central-1 region.

One way to pretty much ensure that your bucket name is unique is to suffix it with your AWS account number.

```hcl
data "aws_caller_identity" "current" {}

locals {
  # Join with a hyphen: S3 bucket names may only contain lowercase letters,
  # digits, dots and hyphens, so an underscore separator would be rejected
  # by CreateBucket with an InvalidBucketName error.
  bucket_name = "${var.bucket_name}-${data.aws_caller_identity.current.account_id}"
}

resource "aws_s3_bucket" "tfstate_bucket" {
  bucket = local.bucket_name

  # Deprecated in AWS provider v4+; aws_s3_bucket_versioning is the
  # replacement, but the inline block still works with a warning on ~> 5.0.
  versioning {
    enabled = true
  }

  lifecycle {
    prevent_destroy = true
  }

  tags = {
    Name        = local.bucket_name
    Environment = "dev"
  }
}
```

I see also that you want to enable versioning. While this can be a good thing, it can make buckets very hard to delete as they won’t delete unless all the versions are also deleted. It is a good option to add lifecycle rules to ensure old versions of files don’t hang around for too long.
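As an added example (not part of the answer above), this is how the versioning and the lifecycle rule for old versions look as the separate provider-5 resources, attached to the `aws_s3_bucket.tfstate_bucket` resource from the thread. The 30-day and 5-version limits and the 7-day multipart cleanup are assumed values; pick ones that match how far back you need to roll state.

```hcl
# Replaces the deprecated inline `versioning { enabled = true }` block.
resource "aws_s3_bucket_versioning" "tfstate" {
  bucket = aws_s3_bucket.tfstate_bucket.id

  versioning_configuration {
    status = "Enabled"
  }
}

# Expire noncurrent state versions so the bucket stays small and can be
# emptied later, while keeping the 5 most recent old versions for rollback.
resource "aws_s3_bucket_lifecycle_configuration" "tfstate" {
  bucket = aws_s3_bucket.tfstate_bucket.id

  rule {
    id     = "expire-old-state-versions"
    status = "Enabled"

    # Empty filter: apply the rule to every object in the bucket.
    filter {}

    noncurrent_version_expiration {
      noncurrent_days           = 30 # assumed retention window
      newer_noncurrent_versions = 5  # assumed: always keep the 5 newest old versions
    }

    # Abandoned multipart uploads also count against storage; clean them up.
    abort_incomplete_multipart_upload {
      days_after_initiation = 7 # assumed
    }
  }

  # Noncurrent-version rules only make sense once versioning is enabled,
  # so the provider docs recommend this explicit dependency.
  depends_on = [aws_s3_bucket_versioning.tfstate]
}
```

Note that expiring noncurrent versions permanently deletes those state snapshots; a delete marker on the current object does not remove it, so `prevent_destroy` on the bucket still protects the live state.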

Hi @Alistair_KodeKloud,

thanks for your swift response. I do understand S3 buckets should be unique, but I didn’t see that error in the terminal and got confused.

Will update the TF code and let you know.

Thank you so much.

Hi @Alistair_KodeKloud,

I was able to create TF state bucket and created another bucket to store TF state bucket. Tried to create and delete at the same time to test S3 native lock testing. Works like a charm.

Thanks.