diff --git a/terraform/modules/s3_bucket/encrypted_bucket/encrypted_bucket.tf b/terraform/modules/s3_bucket/encrypted_bucket/encrypted_bucket.tf
index 1668ec56f..4bcbd24e2 100644
--- a/terraform/modules/s3_bucket/encrypted_bucket/encrypted_bucket.tf
+++ b/terraform/modules/s3_bucket/encrypted_bucket/encrypted_bucket.tf
@@ -27,13 +27,16 @@ resource "aws_s3_bucket_acl" "encrypted_bucket_acl" {
 resource "aws_s3_bucket_lifecycle_configuration" "encrypted_bucket_lifecycle" {
 bucket = aws_s3_bucket.encrypted_bucket.id
+ # since the only rule is an expiration rule, we only create the lifecycle
+ # configuration if expiration days are set
+ count = var.expiration_days == 0 ? 0 : 1
 dynamic "rule" {
- # if expiration_days is 0 then the rule is not created
 for_each = var.expiration_days == 0 ? [] : [var.expiration_days]
 content {
- id = "expiration-rule"
+ id = "expiration-rule"
+ # if expiration_days is 0 then the rule is disabled
 status = "Enabled"
 expiration {
diff --git a/terraform/modules/s3_bucket/encrypted_bucket_v2/encrypted_bucket.tf b/terraform/modules/s3_bucket/encrypted_bucket_v2/encrypted_bucket.tf
index 13ab6d5e4..2b9136d53 100644
--- a/terraform/modules/s3_bucket/encrypted_bucket_v2/encrypted_bucket.tf
+++ b/terraform/modules/s3_bucket/encrypted_bucket_v2/encrypted_bucket.tf
@@ -30,7 +30,10 @@ resource "aws_s3_bucket_versioning" "encrypted_bucket_versioning" {
 resource "aws_s3_bucket_lifecycle_configuration" "encrypted_bucket_lifecycle" {
 bucket = aws_s3_bucket.encrypted_bucket.id
-
+ # since the only rule is an expiration rule, we only create the lifecycle
+ # configuration if expiration days are set
+ count = var.expiration_days == 0 ? 0 : 1
+
 dynamic "rule" {
 # if expiration_days is 0 then the rule is not created
 for_each = var.expiration_days == 0 ? [] : [var.expiration_days]
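Review bot: The added comment `# if expiration_days is 0 then the rule is disabled` above `status = "Enabled"` does not match the code: the status is hard-coded, and with the new `count` guard the whole lifecycle configuration is absent when `expiration_days` is 0, so no disabled rule ever exists. Someone auditing retention could read it as a rule that is present but switched off; I would replace it with `# always enabled; count above skips the whole resource when expiration_days is 0`. The `for_each` guard on `dynamic "rule"` now repeats the `count` condition, here and in the encrypted_bucket_v2 hunk (where the old `# ... the rule is not created` comment also survives as context), so a plain `rule` block would say the same thing more directly. The resource body continues past the end of this hunk.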
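Review bot: On this bucket an expiration-only rule may not actually remove data, and the new comment describing the lifecycle as "the only rule is an expiration rule" should say so. The hunk header shows the module also manages `aws_s3_bucket_versioning`; if versioning is enabled and the rule body, which lies outside this hunk, contains only `expiration`, expired objects receive a delete marker while their noncurrent versions stay stored and retrievable. With `count` evaluating to 0 there is no lifecycle configuration at all, so nothing trims old versions either. If `expiration_days` is meant as a retention limit, consider adding `noncurrent_version_expiration { noncurrent_days = var.expiration_days }` inside the rule, and extend the comment to state that 0 means objects and their versions are kept indefinitely.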