[Bug]: creating S3 backed aws_appconfig_configuration_profile hits IAM trying to assume role error #38206
Comments
Hey @reikje 👋 Thank you for taking the time to raise this! I often find that intermittent failures like this are caused by the order in which resources are created, so I traced the dependency graph a bit, starting at the failure point. The

If that doesn't help, are you able to supply debug logs (redacted as needed), in case whoever picks this up needs that information?
@justinretzolk that seems to do the trick, thanks a million. Curious how you traced the dependency graph? I'd like to learn how to find these missing dependencies. Could you also tell me how to get access to Terraform debug logs?
I was a bit quick here.
after adding:
I'll investigate :)
Debug logs: tf_log.txt
Thanks for the updated information here @reikje! I took a look over the logging that you sent over and wanted to call out two lines that were of particular interest to me:

# aws_iam_role_policy_attachment.config creation completion
2024-07-15T08:48:58.164+0200 [DEBUG] provider.terraform-provider-aws_v5.58.0_x5: HTTP Response Received: rpc.service=IAM rpc.system=aws-api tf_aws.sdk=aws-sdk-go-v2 tf_provider_addr=registry.terraform.io/hashicorp/aws http.response.header.date="Mon, 15 Jul 2024 06:48:58 GMT" rpc.method=ListAttachedRolePolicies aws.region=us-east-1 http.response.header.content_type=text/xml http.response.header.x_amzn_requestid=bf5444b5-e034-49ed-bf8a-520044640200 http.response_content_length=581 tf_aws.signing_region="" @module=aws tf_resource_type=aws_iam_role_policy_attachment tf_rpc=ApplyResourceChange http.status_code=200 tf_mux_provider="*schema.GRPCProviderServer" tf_req_id=0960eace-301f-4dad-3cd2-4420971fdcaf @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.54/logging/tf_logger.go:45 http.duration=153
# aws_appconfig_configuration_profile.default creation attempt
2024-07-15T08:49:00.524+0200 [DEBUG] provider.terraform-provider-aws_v5.58.0_x5: HTTP Request Sent: rpc.system=aws-api http.request.header.amz_sdk_invocation_id=64e01ef7-be26-4a5d-b839-d2ba4636a027

If you attempt a subsequent apply shortly after this one fails, does the apply succeed as you'd expect? Given that the IAM change completes ~2 seconds before it's attempted to be used, I suspect you may be running into eventual consistency issues. If that does seem to be the case, I don't suspect a code change (to the provider) will be the right path, so the best course of action is likely going to be to refactor the configuration a bit. You could do this via two separate applies (generally speaking, my recommendation) or by trying to introduce a bit more delay between those particular resources (e.g. separating the IAM resources into a different module, so that the entire module must complete before the

As far as tracing dependencies, the following resources offer, I think, a pretty comprehensive overview of understanding dependencies in Terraform.
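
The timing comparison made in the comment above, as an added example (not part of the original thread or of the provider's code): it parses `TF_LOG=DEBUG` provider lines and measures the gap between the last response logged for one resource type and the first request sent for another. The two sample lines are constructed, shortened from the ones quoted above; the `rpc.method` and `tf_resource_type` fields on the second line and the function names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: shortened from the two debug lines quoted in the thread.
# The rpc.method / tf_resource_type fields on the second line are assumed.
SAMPLE_LOG = """\
2024-07-15T08:48:58.164+0200 [DEBUG] provider.terraform-provider-aws_v5.58.0_x5: HTTP Response Received: rpc.service=IAM http.response.header.date="Mon, 15 Jul 2024 06:48:58 GMT" rpc.method=ListAttachedRolePolicies tf_resource_type=aws_iam_role_policy_attachment http.status_code=200
2024-07-15T08:49:00.524+0200 [DEBUG] provider.terraform-provider-aws_v5.58.0_x5: HTTP Request Sent: rpc.system=aws-api rpc.method=CreateConfigurationProfile tf_resource_type=aws_appconfig_configuration_profile
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \[DEBUG\] \S+ HTTP (?P<kind>Request Sent|Response Received):(?P<rest>.*)$"
)
# key=value pairs; values may be double-quoted and contain spaces
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S*)')


def parse_events(log_text):
    """Return (timestamp, kind, fields) for every provider HTTP log line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an HTTP request/response line
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f%z")
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m["rest"])}
        events.append((ts, m["kind"], fields))
    return events


def propagation_gap(events, producer, consumer):
    """Seconds between the last response for `producer` and the first
    request for `consumer`; None if either side is missing from the log."""
    used = [ts for ts, kind, f in events
            if kind == "Request Sent" and f.get("tf_resource_type") == consumer]
    if not used:
        return None
    first_use = min(used)
    done = [ts for ts, kind, f in events
            if kind == "Response Received"
            and f.get("tf_resource_type") == producer and ts <= first_use]
    return (first_use - max(done)).total_seconds() if done else None


if __name__ == "__main__":
    gap = propagation_gap(parse_events(SAMPLE_LOG),
                          "aws_iam_role_policy_attachment",
                          "aws_appconfig_configuration_profile")
    print(f"IAM attachment finished {gap:.3f}s before AppConfig first used the role")
```
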
Thanks @justinretzolk we worked around the eventual consistency issue by no longer basing our AppConfig on an S3 object. Instead we switched to the hosted configuration, which doesn't have the same problem.
Terraform Core Version
1.6.1
AWS Provider Version
5.52.0
Affected Resource(s)
Expected Behavior
When creating the aws_appconfig_configuration_profile, the IAM role specified via the retrieval_role_arn can be assumed properly for creating the resource.
Actual Behavior
A permission error happens occasionally.
As a workaround, I added a time_sleep dependency of 10 seconds to the aws_appconfig_configuration_profile which seems to improve things, but still fails for the same reason from time to time.
Relevant Error/Panic Output Snippet
Terraform Configuration Files
Steps to Reproduce
Use the given snippet to create an AppConfig having a configuration profile that is backed by an object inside an S3 bucket.
Debug Output
No response
Panic Output
No response
Important Factoids
This error doesn't happen all the time. There must be some sort of race condition that occasionally makes this fail. Expecting the IAM role to be not fully propagated and ready when AppConfig already tries to use it for creating the configuration profile.
References
No response
Would you like to implement a fix?
None