Open alexhaycock opened 2 years ago
@alexhaycock - Did you ever figure out any cause of this? We're running into this error with the ap-southeast-1 region. The project also has providers for Oregon, N. Virginia and Ireland but Singapore is the only provider where it errors.
I read on a blog post that this error will happen when STS is not enabled for a certain region, but I confirmed all the regions listed above have it enabled.
Unsure if related, but we only started seeing this after trying to migrate from provider v3 (v3.75.2) to v4 (v4.32.0). It seems to be fine with v3.
@rymancl - Nope, not got anywhere with it, but seeing the same as you; it always seems to happen with a couple of the ap regions. The other regions are hit and miss as to whether it happens or not.
And the same here: we can see everything is enabled. Wondered if it was a timing issue at one point, but it doesn't seem to matter how long the accounts have been up and running, it still happens.
Unfortunately I'm unsure when or with what version we started seeing this issue, as we didn't set specific versions, but I would say we started getting this error around 6 months ago. The second apply works all the time, but it's annoying that it throws these errors up.
@alexhaycock - We were able to work around this by adding sts_region to the ap-southeast-1 provider configuration.

    provider "aws" {
      alias      = "Singapore"
      region     = "ap-southeast-1"
      sts_region = "us-west-2"

      assume_role {
        role_arn = "<role-arn-here>"
      }
      # remaining config omitted
    }

I don't know if this actually fixed it, but we were able to plan and apply after adding this. I'd be curious if this helps your case.
@rymancl - Just tried your recommendation today and it looks like it has fixed it; we got an apply with no errors. Will try this again in the next week to double check it has fixed it.
Thanks a lot for the suggestion!
Hi, I tried using this but it is not working for the "ap-south-2" region. We are getting the assume role error only in this region. Any other workaround?
Terraform CLI and Terraform AWS Provider Version
Terraform v1.2.6 on darwin_arm64
This has been an issue for a few months now with older providers
Affected Resource(s)
Terraform Configuration Files
Debug Output
Panic Output
Expected Behavior
Deployed access analyzer resource into all regions
Actual Behavior
Steps to Reproduce
We get this error on the first apply within a new environment, on the second apply it will work as expected.
terraform apply
Important Factoids
We create this resource in all regions that are enabled by default. We don't always get the error; it can sometimes apply with no issues at all. Other times we get the error in a few regions; more often than not it is the ap-* regions where it can't assume the role.