search

hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0
9.81k stars 9.15k forks source link

resource/aws_synthetics_canary: Acceptance tests have a race condition in the IAM Role #21950

Open gdavison opened 2 years ago

gdavison commented 2 years ago

All acceptance tests for aws_synthetics_canary have a potential race condition when setting up the IAM Role. The aws_synthetics_canary must depend on the aws_iam_role_policy as well as the aws_iam_role to ensure the policy is attached to the role

rajaie-sg commented 2 years ago

Ran into this issue. I had a Terraform configuration that was creating the aws_synthetics_canary/aws_iam_role/aws_iam_policy and I was running into the error below:

Error: error waiting for Synthetics Canary (XXXX) create: unexpected state 'ERROR', wanted target 'READY'. last error: CREATE_FAILED: The role defined for the function cannot be assumed by Lambda. (Service: AWSLambda; Status Code: 400; Error Code: InvalidParameterValueException; Request ID: XXXXXXXX; Proxy: null)

I tried fixing it by adding this to the aws_synthetics_canary resource:

  depends_on = [aws_iam_policy.main, aws_iam_role.main, aws_iam_role_policy_attachment.main]

but it was still failing.

This solution ended up working for me https://github.com/hashicorp/terraform-provider-aws/issues/21394#issuecomment-977473431, but instead of depends_on = [resource.aws_iam_role.main] I used depends_on = [aws_iam_role_policy_attachment.main]

tomcart90 commented 1 year ago

Ran into this issue. I had a Terraform configuration that was creating the aws_synthetics_canary/aws_iam_role/aws_iam_policy and I was running into the error below:

Error: error waiting for Synthetics Canary (XXXX) create: unexpected state 'ERROR', wanted target 'READY'. last error: CREATE_FAILED: The role defined for the function cannot be assumed by Lambda. (Service: AWSLambda; Status Code: 400; Error Code: InvalidParameterValueException; Request ID: XXXXXXXX; Proxy: null)

I tried fixing it by adding this to the aws_synthetics_canary resource:

  depends_on = [aws_iam_policy.main, aws_iam_role.main, aws_iam_role_policy_attachment.main]

but it was still failing.

This solution ended up working for me #21394 (comment), but instead of depends_on = [resource.aws_iam_role.main] I used depends_on = [aws_iam_role_policy_attachment.main]

This workaround didn't work for me unfortunately, I was still occasionally seeing the error. In the end I added a 10 second sleep between creation of the role and policy and the aws_synthetics_canary resource. I haven't been able to reproduce it since.