Can't update used `awscc_location_api_key`

[moritzzimmer]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment
• The resources and data sources in this provider are generated from the CloudFormation schema, so they can only support the actions that the underlying schema supports. For this reason submitted bugs should be limited to defects in the generation and runtime code of the provider. Customizing behavior of the resource, or noting a gap in behavior are not valid bugs and should be submitted as enhancements to AWS via the CloudFormation Open Coverage Roadmap.

Terraform CLI and Terraform AWS Cloud Control Provider Version

Affected Resource(s)

• awscc_location_api_key

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

resource "aws_location_place_index" "test" {
  data_source = "Esri"
  index_name  = "test"

  data_source_configuration {
    intended_use = "SingleUse"
  }
}

resource "awscc_location_api_key" "test" {
  key_name     = "test"
  force_update = true
  no_expiry    = true
  
  restrictions = {
    allow_resources = [aws_location_place_index.test.index_arn]
    allow_actions   = ["geo:GetPlace", "geo:SearchPlaceIndexForPosition", "geo:SearchPlaceIndexForSuggestions"]
  }
}

Expected Behavior

API Key is updated.

Actual Behavior

API Key is not updated. Cloud Control responds with error message (see below) and apply fails after timeout.

 Waiting for Cloud Control API service UpdateResource operation completion returned: waiter state transitioned to FAILED. StatusMessage: Invalid request provided: This update may cause some users to
│ lose API access. Because this API Key has been used in the last 7 days, you must set 'ForceUpdate' to true to confirm this change.

Steps to Reproduce

1. terraform apply with the config above
2. use the api call, e.g. by calling aws location get-place --index-name test --place-id some-id --key <key>
3. change a restriction in hcl, e.g. remove "geo:GetPlace"
4. terraform apply again

References

• https://docs.aws.amazon.com/de_de/AWSCloudFormation/latest/UserGuide/aws-resource-location-apikey.html

[moritzzimmer]

Terraform v1.7.1
on darwin_amd64

awscc: 0.69.0

[wellsiau-aws]

From my own debug (redacted):

2024-02-16T21:09:19.270-0800 [DEBUG] provider.terraform-provider-awscc_v0.70.0_x5: HTTP Request Sent: http.request.body="{"ClientToken":"terraform-20240217050919270200000001","Identifier":"test","PatchDocument":"[{\"op\":\"remove\",\"path\":\"/Restrictions/AllowActions/0\"}]","TypeName":"AWS::Location::APIKey"}" 
...

AWSCC attempting a patch operation : {\"op\":\"remove\",\"path\":\"/Restrictions/AllowActions/0\"}

I am not sure if the patch operations can include force_update = true

[wellsiau-aws]

I have high confidence that terraform delete will also fail because it requires force delete attribute, I suspect that this attribute is not being implemented either on AWSCC nor CCAPI

[wellsiau-aws]

Confirmed my suspicion by looking at CloudTrail (redacted)

For delete

{
    "eventVersion": "1.09",
    "userIdentity": {
        ...
        "invokedBy": "cloudformation.amazonaws.com"
    },
    "eventTime": "2024-02-17T05:30:53Z",
    "eventSource": "geo.amazonaws.com",
    "eventName": "DeleteKey",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "cloudformation.amazonaws.com",
    "userAgent": "cloudformation.amazonaws.com",
    "errorCode": "ValidationException",
    "requestParameters": {
        "KeyName": "test",
        "forceDelete": "false"
    },
    "responseElements": {
        "reason": "Other",
        "Access-Control-Expose-Headers": "x-amzn-errortype,x-amzn-requestid,x-amzn-errormessage,x-amzn-trace-id,x-amz-apigw-id,date",
        "message": "'test' must be inactive for 90 days before it can be deleted.",
        "fieldList": []
    },
    ...
    "eventCategory": "Management"
}

For Update

{
    "eventVersion": "1.08",
    "userIdentity": {
        ...
        "invokedBy": "cloudformation.amazonaws.com"
    },
    "eventTime": "2024-02-17T05:09:20Z",
    "eventSource": "geo.amazonaws.com",
    "eventName": "UpdateKey",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "cloudformation.amazonaws.com",
    "userAgent": "cloudformation.amazonaws.com",
    "errorCode": "ValidationException",
    "requestParameters": {
        "KeyName": "test",
        "Description": "",
        "Restrictions": {
            "AllowActions": [
                "geo:SearchPlaceIndexForPosition",
                "geo:SearchPlaceIndexForSuggestions"
            ],
            "AllowReferers": [
                "*"
            ],
            "AllowResources": [
                "arn:aws:geo:us-east-1:204034886740:place-index/test"
            ]
        }
    },
    "responseElements": {
        "reason": "Other",
        "Access-Control-Expose-Headers": "x-amzn-errortype,x-amzn-requestid,x-amzn-errormessage,x-amzn-trace-id,x-amz-apigw-id,date",
        "message": "This update may cause some users to lose API access. Because this API Key has been used in the last 7 days, you must set 'ForceUpdate' to true to confirm this change."
    },
    ...
    "eventCategory": "Management"
}

This is upstream AWS issue with regards to handler implementation for Update and Delete

[wellsiau-aws]

behavior for the update handler is related to #1149