hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

DynamoDB creation requires 'dynamodb:TagResource' permission with empty tags #10943

Open jackyjjc-canva opened 4 years ago

jackyjjc-canva commented 4 years ago

Terraform Version

Terraform: v0.12.9
AWS provider: 2.21.1

Affected Resource(s)

Terraform Configuration Files

resource "aws_dynamodb_table" "my_table" {
  name = "my-table"
  attribute {
    name = "userId"
    type = "S"
  }
  hash_key = "userId"
  read_capacity = 1
  write_capacity = 1

  point_in_time_recovery {
    enabled = true
  }

  server_side_encryption {
    enabled = true
  }

  lifecycle {
    # Capacity is managed outside Terraform (e.g. autoscaling), so drift in
    # these two attributes is ignored. Terraform 0.12 expects bare attribute
    # references here; the quoted form still works but is deprecated.
    ignore_changes = [read_capacity, write_capacity]
  }
}

Debug Output

Error: error creating DynamoDB Table: AccessDeniedException: User: arn:aws:sts::xxxxxxx:assumed-role/xxxxx/xxxxx is not authorized to perform: dynamodb:TagResource on resource: arn:aws:dynamodb:us-east-1:xxxxx:table/my-table

Panic Output

Expected Behavior

The table should have been created since I do not have any tags specified

Actual Behavior

Table was not created due to user not having TagResource permission

Steps to Reproduce

  1. terraform apply

Important Factoids

I work in a tightly controlled environment with restricted access to permissions. Terraform should not use permissions unnecessarily.

References

I think this bug was created by this change: https://github.com/terraform-providers/terraform-provider-aws/issues/8442
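
The AccessDeniedException line in the debug output above is the only signal a locked-down operator gets about which API action the provider actually calls. The following is an added example in Python, not code from the issue, the provider or HashiCorp: it parses denial lines of that shape into (principal, action, resource), then emits an IAM policy document that allows exactly those actions on exactly those ARNs, one statement per resource and no wildcards. The sample log is constructed for the example: the first line mirrors the issue's error with a placeholder account id (111122223333) and role name, and the second DescribeTable denial is invented to show grouping; the regex also tolerates the "because no identity-based policy allows ..." suffix that newer AWS error messages carry. Function and constant names are the example's own. What it demonstrates is the caveat the thread is about: with this provider, dynamodb:TagResource has to be granted on the table ARN even when the configuration declares no tags.

```python
"""Turn Terraform/AWS AccessDenied errors into a least-privilege IAM statement.

Added example, not part of the issue or the provider. Sample input below is
constructed; account id, role and ARNs are placeholders, not real identifiers.
"""
import json
import re
from collections import defaultdict

# Matches the AccessDeniedException text surfaced in the apply error. Newer
# AWS responses append "because no identity-based policy allows the X action";
# the optional trailing group keeps that suffix out of the captured ARN.
_DENIED = re.compile(
    r"User: (?P<principal>arn:aws[a-z-]*:(?:sts|iam)::\d{12}:\S+) "
    r"is not authorized to perform: (?P<action>[A-Za-z0-9-]+:[A-Za-z0-9*]+) "
    r"on resource: (?P<resource>arn:aws[a-z-]*:\S+?)(?: because .*)?$"
)

# Constructed sample log. Line 1 mirrors the issue's error with placeholder
# account/role; line 2 is an invented follow-on denial (with the newer suffix)
# to show that actions on the same ARN are merged into one statement.
SAMPLE_LOG = """\
Error: error creating DynamoDB Table: AccessDeniedException: User: arn:aws:sts::111122223333:assumed-role/tf-apply/session is not authorized to perform: dynamodb:TagResource on resource: arn:aws:dynamodb:us-east-1:111122223333:table/my-table
AccessDeniedException: User: arn:aws:sts::111122223333:assumed-role/tf-apply/session is not authorized to perform: dynamodb:DescribeTable on resource: arn:aws:dynamodb:us-east-1:111122223333:table/my-table because no identity-based policy allows the dynamodb:DescribeTable action
Warning: unrelated line that must be ignored
"""


def parse_denials(log_text):
    """Return (principal, action, resource) for every AccessDenied line.

    Lines that do not carry a denial in the expected form are skipped.
    """
    found = []
    for line in log_text.splitlines():
        m = _DENIED.search(line)
        if m:
            found.append((m["principal"], m["action"], m["resource"]))
    return found


def build_policy(denials):
    """Group denied actions by resource ARN and emit an IAM policy document
    that allows exactly those actions on exactly those ARNs."""
    by_resource = defaultdict(set)
    for _principal, action, resource in denials:
        by_resource[resource].add(action)
    statements = []
    for i, (resource, actions) in enumerate(sorted(by_resource.items())):
        statements.append({
            "Sid": f"TerraformDenied{i}",
            "Effect": "Allow",
            "Action": sorted(actions),
            "Resource": resource,
        })
    return {"Version": "2012-10-17", "Statement": statements}


def policy_from_log(log_text):
    """Convenience wrapper: parse the log, then build the scoped policy."""
    return build_policy(parse_denials(log_text))


if __name__ == "__main__":
    # Prints a policy with one statement allowing DescribeTable and
    # TagResource on arn:aws:dynamodb:us-east-1:111122223333:table/my-table.
    print(json.dumps(policy_from_log(SAMPLE_LOG), indent=2))
```

Usage is iterative: run the apply with the restricted role, feed the failing output to the script, attach the generated statement to the principal it names, and re-run; AWS reports only the first denied call per API request, so a tightly scoped role usually needs a few rounds before the provider's full create/read sequence is allowed. The principal is parsed but deliberately left out of the document, since it identifies the role the policy should be attached to rather than something to put in a Resource element.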

justinretzolk commented 2 years ago

Hey @jackyjjc-canva 👋 Thank you for taking the time to file this issue! Given that there's been a number of releases of the AWS provider since you initially filed it, can you confirm whether you're still experiencing this behavior?

cjrobson commented 2 years ago

I have also just run into this problem, using aws provider 4.13.0.

hnariman commented 1 week ago

The issue is still reproducible when creating a DynamoDB table with provider version 5.66 (the most recent one) as well as 3.7 (the stable one I used before reading this thread and the suggestion to bump up to a fixed version).


terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.66.0"
    }
  }
}

# Static credentials are passed in as input variables here. With a locked-down
# role you would normally let the provider assume a role or read the shared
# credentials file instead, so the keys never land in a .tfvars file or a saved
# plan; marking the secret as sensitive at least keeps it out of CLI output.
variable "AWS_REGION" {}
variable "AWS_ACCESS_KEY_ID" {}
variable "AWS_SECRET_ACCESS_KEY" {
  sensitive = true
}

provider "aws" {
  region     = var.AWS_REGION
  access_key = var.AWS_ACCESS_KEY_ID
  secret_key = var.AWS_SECRET_ACCESS_KEY
}

# No tags are declared, yet the create still fails without dynamodb:TagResource.
resource "aws_dynamodb_table" "s_table" {
  provider     = aws # explicit reference to the default provider; optional
  name         = "data"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "id"

  attribute {
    name = "id"
    type = "S"
  }
}