Error destroying aws_ssoadmin resources #23585
Comments
Thanks for submitting this, @jsimoni. Can you send the debug output, as described at https://www.terraform.io/internals/debugging, please? |
@gdavison here is the debug output... https://github.com/jsimoni/23585/blob/main/debug-destroy.log |
@gdavison do you have any thoughts on this one? Do you need more info from me? |
I also encounter this issue when attempting account assignment.
```
resource "aws_ssoadmin_account_assignment" "example" {
  instance_arn       = "arn:aws:sso:::instance/ssoins-xxxxxxx"
  permission_set_arn = "arn:aws:sso:::permissionSet/ssoins-xxxxxxxx/ps-xxxxxxxxx"
  # instance_arn       = data.aws_ssoadmin_permission_set.example.instance_arn
  # permission_set_arn = data.aws_ssoadmin_permission_set.example.arn
  principal_id   = data.aws_identitystore_group.example.group_id
  principal_type = "GROUP"
  target_id      = "xxxxxxx"
  target_type    = "AWS_ACCOUNT"
}
```
Output:
```
╷
│ Error: error waiting for SSO Account Assignment for GROUP (xxxxx-30c1-7045-affe-1b2fc5de4e6a) to be created: unexpected state 'FAILED', wanted target 'SUCCEEDED'. last error: %!s(<nil>)
│
│ with aws_ssoadmin_account_assignment.example,
│ on main.tf line 46, in resource "aws_ssoadmin_account_assignment" "example":
│ 46: resource "aws_ssoadmin_account_assignment" "example" {
│
╵
```
Keen on any ideas to resolve; looks to me like the API call to AWS itself might be failing. |
For me destroying the account assignment worked but it failed removing Permission Sets:
|
Encountered the same issue while attaching Customer Managed policies to a Permission Set:
The customer managed policy gets attached to the permission set in the second attempt, but both times it failed with this error. |
I'm getting the same thing. In absence of a fix, is there a way to work around it? Is it just a matter of deleting the resources and terraform state objects manually and then trying again? |
We are also facing the same issue. Any workaround? |
Also seeing this issue but only for one of the permission sets customer managed policy attachments. The others were fine.
|
Facing the same error for the last 3 months, and it is not addressed in the new version of the AWS providers. Error: error waiting for SSO Permission Set (arn:aws:sso:::permissionSet/ss-xx) to provision: unexpected state 'FAILED', wanted target 'SUCCEEDED'. last error: %!s() |
Having the same issue while creating
Any updates on this issue? |
As a workaround, you can use |
We also ran into this error, when enabling terraform DEBUG logging it was shown that we actually ran into an AWS IAM limit. |
While attaching a customer managed policy
Although, the policy gets created and you can manually attach it. Also creating an inline policy works |
@ls-pieter-vanisacker Can you share which limits you have increased and how? Through https://console.aws.amazon.com/servicequotas/home? |
@ls-pieter-vanisacker in our case it was the amount of policies/roles that can be attached to a user/group. It defaults to 10, we had to increase it to 20. |
We get the same error on every destroy of our sso-admin resources.
Rerunning the Pretty annoying though... |
Any update on this? I'm getting the same issue. Re-executing the destroy command will work; however, for automation purposes, this is not a workaround.
|
For those who are having trouble with this issue, try allowing the following actions for the resource
Apparently, the action |
I am not sure if this adds to the conversation, but I was getting a very similar error and when I looked at CloudTrail logs for the My Terraform is not associating any permission set to an account, it only creates the permission sets.
|
Same issue here - wondering if it's something around how the state is handled for the resources during deletion? Running TF in debug mode gives me this information:
So it looks like it is unaware the resource is already deleted until you re-run |
This is a nice change however I don't believe it solves the issue raised here. The permission set still fails to be attached until the 2nd attempt. |
This functionality has been released in v5.14.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you! |
I am still receiving the same error upon running It appears as if it is still not aware that the resource has already been deleted until you re-run |
@samlangley1 and @novekm can you please create new issues. We typically do not check comments on closed issues, and I only came across this incidentally. @novekm, in your particular case, the provision message is output when updating the resource. Can you include the Terraform configuration used? |
Thanks @gdavison - here is the link to the new GitHub issue for this. Happy to try to implement the fix, I think I have an idea what it could be. Added that to the issue as well |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. |
Community Note
Terraform CLI and Terraform AWS Provider Version
Affected Resource(s)
Terraform Configuration Files
Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.
Debug Output
Panic Output
Expected Behavior
The AWS resources should be destroyed without Terraform errors.
Actual Behavior
Terraform generates errors on the first attempt to destroy. If I run destroy again immediately, it succeeds. It's not a race condition as I've waited hours between running apply & destroy. It may be that the dependencies aren't being tracked correctly since the second attempt to destroy always seems to succeed.
Steps to Reproduce
terraform apply
terraform destroy
Important Factoids
References