hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: Incomplete error description when not allowed to get data by "aws_ram_resource_share". #29400

Open GuiuMateu opened 1 year ago

GuiuMateu commented 1 year ago

Terraform Core Version

1.3.6

AWS Provider Version

4.53.0

Affected Resource(s)

aws_ram_resource_share (data resource)

Expected Behavior

When I do terraform apply for

data "aws_ram_resource_share" "example" {
  name = "Transit Gateway Shared"
  resource_owner = "OTHER-ACCOUNTS"
}

and the AWS resource share exists BUT the policy attached to the user used to perform the action doesn't have permission to do "ram:Get*" or "ram:*", the error message is

Error: retrieving resource share: empty response for: {
│   Name: "Transit Gateway Shared",
│   ResourceOwner: "OTHER-ACCOUNTS"
│ }
│ 
│   with data.aws_ram_resource_share.example,
│   on vpc.tf line 137, in data "aws_ram_resource_share" "example":
│  137: data "aws_ram_resource_share" "example" {
│ 

Actual Behavior

The error message when the user is not allowed to get RAM resources should be more explicit, like:

Error: retrieving resource share: **not allowed** for: {
│   Name: "Transit Gateway Shared",
│   ResourceOwner: "OTHER-ACCOUNTS"
│ }
│ 
│   with data.aws_ram_resource_share.example,
│   on vpc.tf line 137, in data "aws_ram_resource_share" "example":
│  137: data "aws_ram_resource_share" "example" {
│ 

Or the AWS API error message should propagate to the user console output.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

provider "aws" {
  region = "eu-west-1"
}

data "aws_ram_resource_share" "example" {
  name           = "Transit Gateway Shared"
  resource_owner = "OTHER-ACCOUNTS"
}

output "example_ram_resource_share_arn" {
  value = data.aws_ram_resource_share.example.arn
}

Steps to Reproduce

  1. Create an IAM user
  2. Attach to this IAM user a policy WITHOUT "ram:*" permissions
  3. Apply code
  4. The error message should be "Error: retrieving resource share: empty response [...]"

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

I was investigating and I think the problem is in this line https://github.com/hashicorp/terraform-provider-aws/blob/5857c145b31d41966bef256f669c12ae35cc2486/internal/service/ram/resource_share_data_source.go#L103

if err != nil {
    // err (for example an AccessDeniedException from the RAM API) is discarded;
    // only the hardcoded "empty response" text reaches the diagnostic
    return sdkdiag.AppendErrorf(diags, "retrieving resource share: empty response for: %s", params)
}

When there is an error in the response (err != nil), the output message is hardcoded to "retrieving resource share: empty response for: %s" and the err is not shown to the user.

Would you like to implement a fix?

None
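The pattern the report points at, side by side with a version that propagates the API error, as an added example that is not the provider's own code. The RAM client, its error type and the "not authorized" message are constructed stand-ins (the real AWS SDK surfaces API errors through its own types), and the scenario strings are assumptions used to drive the fake; the point is that wrapping the error with %w keeps the AccessDeniedException visible, so an operator can tell a missing ram:GetResourceShares permission apart from a share that genuinely does not exist:

```go
package main

import (
	"errors"
	"fmt"
)

// shareParams mirrors the fields the data source sends to the RAM API.
type shareParams struct {
	Name          string
	ResourceOwner string
}

// apiError is a constructed stand-in for an AWS SDK API error; real SDK
// errors also carry a code and a message, but through the SDK's own types.
type apiError struct {
	Code    string
	Message string
}

func (e *apiError) Error() string { return e.Code + ": " + e.Message }

// getResourceShares is a constructed fake of the RAM GetResourceShares call.
// "denied" simulates a caller without ram:GetResourceShares, "missing"
// simulates a successful call that matches no share, anything else succeeds.
func getResourceShares(scenario string, p shareParams) ([]string, error) {
	switch scenario {
	case "denied":
		return nil, &apiError{
			Code:    "AccessDeniedException",
			Message: "not authorized to perform: ram:GetResourceShares", // constructed text
		}
	case "missing":
		return []string{}, nil
	default:
		return []string{"arn:aws:ram:eu-west-1:111122223333:resource-share/example"}, nil
	}
}

// buggyLookup reproduces the pattern from the issue: every failure, including
// an access-denied response, collapses into the same "empty response" text.
func buggyLookup(scenario string, p shareParams) (string, error) {
	shares, err := getResourceShares(scenario, p)
	if err != nil {
		return "", fmt.Errorf("retrieving resource share: empty response for: %+v", p)
	}
	if len(shares) == 0 {
		return "", fmt.Errorf("retrieving resource share: empty response for: %+v", p)
	}
	return shares[0], nil
}

// fixedLookup wraps the API error with %w, so the AWS message reaches the
// user and callers can still inspect the cause; only a successful call that
// returns no shares produces the "empty response" message.
func fixedLookup(scenario string, p shareParams) (string, error) {
	shares, err := getResourceShares(scenario, p)
	if err != nil {
		return "", fmt.Errorf("retrieving resource share %q: %w", p.Name, err)
	}
	if len(shares) == 0 {
		return "", fmt.Errorf("retrieving resource share: empty response for: %+v", p)
	}
	return shares[0], nil
}

// isAccessDenied reports whether err is, or wraps, an AccessDeniedException.
func isAccessDenied(err error) bool {
	var ae *apiError
	return errors.As(err, &ae) && ae.Code == "AccessDeniedException"
}

func main() {
	p := shareParams{Name: "Transit Gateway Shared", ResourceOwner: "OTHER-ACCOUNTS"}
	for _, s := range []string{"denied", "missing", "ok"} {
		_, bugErr := buggyLookup(s, p)
		arn, fixErr := fixedLookup(s, p)
		fmt.Printf("%-8s buggy: %v\n", s, bugErr)
		fmt.Printf("%-8s fixed: %v (arn=%q, accessDenied=%t)\n", s, fixErr, arn, isAccessDenied(fixErr))
	}
}
```

With the wrapped error, a permission failure reads as an AccessDeniedException naming the missing action, which is what the reporter asks for; the "empty response" wording is reserved for the case where the API call succeeded and simply found nothing.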

github-actions[bot] commented 1 year ago

Community Note
