
Improve error message when hitting service limit on aws_ssoadmin_account_assignment

Open lorengordon opened this issue 3 years ago • 4 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v1.1.2
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v3.70.0

(I know this is slightly older, but I checked the release notes and found no updates for this resource)

Affected Resource(s)

  • aws_ssoadmin_account_assignment

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

resource "aws_ssoadmin_account_assignment" "this" {
  for_each = local.sso_account_assignments
  provider = aws.sso

  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.this[each.key].arn

  principal_id   = data.aws_identitystore_group.this[each.key].id
  principal_type = "GROUP"

  target_id   = local.parent_account_id
  target_type = "AWS_ACCOUNT"
}

Expected Behavior

Display the error that AWS returns, so I can take appropriate action. In this case, request a limit increase.

You have exceeded AWS SSO limits. Cannot create ApplicationProfile. The limit is 50 for id xxx. Please refer to https://docs.aws.amazon.com/singlesignon/latest/userguide/limits.html

Actual Behavior

aws_ssoadmin_account_assignment.this["..."]: Creating...
╷
│ Error: error waiting for SSO Account Assignment for GROUP (...) to be created: unexpected state 'FAILED', wanted target 'SUCCEEDED'. last error: %!s(<nil>)
│
│   with aws_ssoadmin_account_assignment.this["..."],
│   on main.tf line 1497, in resource "aws_ssoadmin_account_assignment" "this":
│ 1497: resource "aws_ssoadmin_account_assignment" "this" {

Steps to Reproduce

  1. terraform apply

lorengordon avatar Feb 04 '22 18:02 lorengordon

It is mostly an issue with the inline policy associated with the permission set. If you click on edit inline policy it will show you the error. It's kinda annoying that this message clearly does not specify the root cause.

bhatiaparas177 avatar Jun 24 '22 06:06 bhatiaparas177

Any plans to address this? It's still an issue as of v4.52.0

dmorina avatar Jan 27 '23 18:01 dmorina

I hit this when trying to associate an account with one that wasn't a member of the org OU, so a cleaner error message would've been helpful in debugging this.

khouse avatar Feb 20 '23 21:02 khouse

Hi all,

I solved this issue by doing some investigation with the aws-cli:

aws sso-admin list-account-assignment-creation-status --instance-arn arn-xxxxxxx-xxx

aws sso-admin describe-account-assignment-creation-status --instance-arn arn-xxxxx-xxxx --account-assignment-creation-request-id request-id-xxxxxxxx

In my case, the issue was caused by a lack of grants in the service account that I am using. It would be nice to add more description to the error to avoid extra effort in finding the root cause.

Have a nice day!! ;)

aasier avatar Feb 24 '23 10:02 aasier

I also found the root cause was similar for me: the customer managed IAM policy didn't already exist in the account I was trying to use it in (via account_assignment). I finally noticed it when I saw there were only 3 errors but I had 4 account ids assigned. Running TF in debug mode also shows this:

"FailureReason":"Received a 404 status error: Not supported policy arn:aws:iam::1234567890:policy/TestPolicy." This still isn't fully clear, but it is more helpful than the current error message. As mentioned earlier, the sso resources need to be updated with more descriptive error messages to improve the customer experience when troubleshooting.

novekm avatar Jun 20 '23 01:06 novekm
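The two aws-cli calls above and the FailureReason field quoted in this comment are what a practitioner had to chase manually before the provider surfaced the reason. The following is an added example, not code from the issue or the provider: it takes the JSON those two calls return (constructed sample output embedded below, with the account id and request ids as placeholders), keeps only the FAILED creation requests, and maps each to its FailureReason. The `run_cli` helper is a hypothetical wrapper around the real CLI and is not exercised by the sample data.

```python
"""Added example: extract FailureReason for FAILED SSO account assignment requests."""
import json
import subprocess
from typing import Callable, Dict, List, Optional

# Constructed sample output of `aws sso-admin list-account-assignment-creation-status`.
SAMPLE_LIST = json.dumps({"AccountAssignmentsCreationStatus": [
    {"Status": "SUCCEEDED", "RequestId": "req-placeholder-1", "CreatedDate": 0},
    {"Status": "FAILED", "RequestId": "req-placeholder-2", "CreatedDate": 0},
]})

# Constructed sample output of `describe-account-assignment-creation-status`,
# keyed by request id. The reason text mirrors the one quoted in the thread;
# the account id is a placeholder.
SAMPLE_DESCRIBE = {
    "req-placeholder-2": json.dumps({"AccountAssignmentCreationStatus": {
        "Status": "FAILED", "RequestId": "req-placeholder-2",
        "FailureReason": "Received a 404 status error: Not supported policy "
                         "arn:aws:iam::123456789012:policy/TestPolicy.",
        "TargetId": "123456789012", "PrincipalType": "GROUP", "PrincipalId": "g-1"}}),
}

def failed_request_ids(list_json: str) -> List[str]:
    """Return the RequestIds whose creation status is FAILED."""
    statuses = json.loads(list_json).get("AccountAssignmentsCreationStatus", [])
    return [s["RequestId"] for s in statuses if s.get("Status") == "FAILED"]

def failure_reason(describe_json: str) -> str:
    """Pull FailureReason (the text the fixed provider now prints) from a describe call."""
    status = json.loads(describe_json)["AccountAssignmentCreationStatus"]
    return status.get("FailureReason") or "<no FailureReason returned>"

def diagnose(list_json: str, describe: Callable[[str], str]) -> Dict[str, str]:
    """Map every FAILED request id to its FailureReason; `describe` fetches one request's JSON."""
    return {rid: failure_reason(describe(rid)) for rid in failed_request_ids(list_json)}

def run_cli(instance_arn: str, request_id: Optional[str] = None) -> str:
    """Hypothetical helper: run the real aws-cli call (needs credentials and the sso-admin permissions)."""
    cmd = ["aws", "sso-admin"]
    if request_id is None:
        cmd += ["list-account-assignment-creation-status", "--instance-arn", instance_arn]
    else:
        cmd += ["describe-account-assignment-creation-status", "--instance-arn", instance_arn,
                "--account-assignment-creation-request-id", request_id]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in run_cli against a real instance ARN.
    for rid, reason in diagnose(SAMPLE_LIST, SAMPLE_DESCRIBE.__getitem__).items():
        print(f"{rid}: {reason}")
```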

This got fixed in https://github.com/hashicorp/terraform-provider-aws/pull/33121 so should be resolved in the next release 🤞 The error message being printed is now the FailureReason returned from AWS, rather than nil.

dancorne avatar Aug 23 '23 10:08 dancorne

This functionality has been released in v5.14.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

github-actions[bot] avatar Aug 24 '23 21:08 github-actions[bot]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

github-actions[bot] avatar Sep 24 '23 02:09 github-actions[bot]