terraform-provider-aws: Error destroying aws_ssoadmin resources
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave “+1” or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform CLI and Terraform AWS Provider Version
Terraform v1.1.7
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v4.4.0
Affected Resource(s)
- aws_ssoadmin_permission_set
- aws_ssoadmin_account_assignment
- aws_ssoadmin_managed_policy_attachment
Terraform Configuration Files
Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.
locals {
  okta_awsinstance_arn   = "REDACTED"
  okta_identity_store_id = "REDACTED"
}

data "aws_organizations_organization" "this" {}

data "aws_identitystore_group" "operations_group" {
  identity_store_id = local.okta_identity_store_id
  filter {
    attribute_path  = "DisplayName"
    attribute_value = "Team"
  }
}

resource "aws_ssoadmin_permission_set" "operations" {
  name             = "operations"
  description      = "operations"
  instance_arn     = local.okta_awsinstance_arn
  session_duration = "PT2H"
}

resource "aws_ssoadmin_managed_policy_attachment" "operations" {
  for_each           = toset(["arn:aws:iam::aws:policy/AWSCloudShellFullAccess", "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"])
  instance_arn       = local.okta_awsinstance_arn
  managed_policy_arn = each.value
  permission_set_arn = aws_ssoadmin_permission_set.operations.arn
}

resource "aws_ssoadmin_account_assignment" "operations" {
  for_each           = toset(data.aws_organizations_organization.this.accounts[*].id)
  instance_arn       = local.okta_awsinstance_arn
  permission_set_arn = aws_ssoadmin_permission_set.operations.arn
  principal_id       = data.aws_identitystore_group.operations_group.group_id
  principal_type     = "GROUP"
  target_id          = sensitive(each.value)
  target_type        = "AWS_ACCOUNT"
}
Debug Output
Plan: 0 to add, 0 to change, 6 to destroy.
aws_ssoadmin_managed_policy_attachment.operations["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]: Destroying...
aws_ssoadmin_account_assignment.operations["AccountA"]: Destroying...
aws_ssoadmin_managed_policy_attachment.operations["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]: Destroying...
aws_ssoadmin_account_assignment.operations["AccountB"]: Destroying...
aws_ssoadmin_account_assignment.operations["AccountC"]: Destroying...
aws_ssoadmin_account_assignment.operations["AccountA"]: Destruction complete after 5s
aws_ssoadmin_account_assignment.operations["AccountB"]: Destruction complete after 5s
2022-03-08T06:25:31.253-0500 [ERROR] vertex "aws_ssoadmin_managed_policy_attachment.operations[\"arn:aws:iam::aws:policy/AWSCloudShellFullAccess\"] (destroy)" error: error waiting for SSO Permission Set (REDACTED) to provision: unexpected state 'FAILED', wanted target 'SUCCEEDED'. last error: %!s(<nil>)
aws_ssoadmin_account_assignment.operations["AccountC"]: Destruction complete after 5s
2022-03-08T06:25:33.075-0500 [ERROR] vertex "aws_ssoadmin_managed_policy_attachment.operations[\"arn:aws:iam::aws:policy/job-function/ViewOnlyAccess\"] (destroy)" error: error waiting for SSO Permission Set (REDACTED) to provision: unexpected state 'FAILED', wanted target 'SUCCEEDED'. last error: %!s(<nil>)
│ Error: error waiting for SSO Permission Set (arn:aws:sso:::REDACTED) to provision: unexpected state 'FAILED', wanted target 'SUCCEEDED'. last error: %!s(<nil>)
│
│ Error: error waiting for SSO Permission Set (arn:aws:sso:::REDACTED) to provision: unexpected state 'FAILED', wanted target 'SUCCEEDED'. last error: %!s(<nil>)
Panic Output
Expected Behavior
The AWS resources should be destroyed without Terraform errors.
Actual Behavior
Terraform generates errors on the first attempt to destroy. If I run destroy again immediately, it succeeds. It’s not a race condition as I’ve waited hours between running apply & destroy. It may be that the dependencies aren’t being tracked correctly since the second attempt to destroy always seems to succeed.
Steps to Reproduce
terraform apply
terraform destroy
Important Factoids
References
About this issue
- Original URL
- State: closed
- Created 2 years ago
- Reactions: 56
- Comments: 27 (6 by maintainers)
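Added example, not from the issue or from the provider: the reporter's configuration with an explicit depends_on so that Terraform creates the managed policy attachments before the account assignments and, on destroy, deletes the assignments before it detaches (and re-provisions) the policies. That this ordering avoids the FAILED provisioning wait is an assumption; the aws_ssoadmin_instances lookup replaces the redacted locals.

```hcl
# Added example: Terraform destroys in reverse dependency order, so the depends_on
# on the account assignment makes DeleteAccountAssignment finish before the
# DetachManagedPolicy + ProvisionPermissionSet triggered by the attachment (assumption).
data "aws_ssoadmin_instances" "this" {}
data "aws_organizations_organization" "this" {}

locals {
  # Look the instance up instead of hard-coding the redacted locals.
  sso_instance_arn  = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
  managed_policies = toset([
    "arn:aws:iam::aws:policy/AWSCloudShellFullAccess",
    "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess",
  ])
}

data "aws_identitystore_group" "operations_group" {
  identity_store_id = local.identity_store_id
  filter {
    attribute_path  = "DisplayName"
    attribute_value = "Team"
  }
}

resource "aws_ssoadmin_permission_set" "operations" {
  name             = "operations"
  description      = "operations"
  instance_arn     = local.sso_instance_arn
  session_duration = "PT2H"
}

resource "aws_ssoadmin_managed_policy_attachment" "operations" {
  for_each           = local.managed_policies
  instance_arn       = local.sso_instance_arn
  managed_policy_arn = each.value
  permission_set_arn = aws_ssoadmin_permission_set.operations.arn
}

resource "aws_ssoadmin_account_assignment" "operations" {
  for_each           = toset(data.aws_organizations_organization.this.accounts[*].id)
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.operations.arn
  principal_id       = data.aws_identitystore_group.operations_group.group_id
  principal_type     = "GROUP"
  target_id          = sensitive(each.value)
  target_type        = "AWS_ACCOUNT"
  # Create after the attachments; destroy before them.
  depends_on = [aws_ssoadmin_managed_policy_attachment.operations]
}
```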
Encountered the same issue while attaching Customer Managed policies to a Permission Set:
The customer managed policy gets attached to the permission set in the second attempt, but both times it failed with this error.
For those who are having trouble with this issue, try allowing the following actions for the resource arn:aws:iam::${Account}:role/aws-reserved/sso.amazonaws.com/${Region}/AWSReservedSSO_* to users running terraform. Apparently, the action ProvisionPermissionSet calls the AWS internal action UpdateApplicationProfileForAWSAccountInstance, which is not documented, requiring the above permissions.
This is a nice change, however I don’t believe it solves the issue raised here. The permission set still fails to be attached until the 2nd attempt.