hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: Unable to sns:CreateTopic when using proper ABAC permissions in providers newer than 4.0 #29973

Closed curator closed 1 year ago

curator commented 1 year ago

Terraform Core Version

v1.4.0

AWS Provider Version

v4.1.0,v4.57.0,v4.58.0

Affected Resource(s)

aws_sns_topic

Expected Behavior

When creating a basic SNS topic with the following code, a topic should be successfully created if using ABAC (and using the default_tags provider attribute properly):

  resource "aws_sns_topic" "bmtest" {
    name = "bmtest"
  }

The role performing the creation has an IAM policy with the following statement:

  statement {
    actions = [
      "sns:SetTopicAttributes"
    ]
    effect    = "Allow"
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "aws:ResourceTag/project"
      values   = ["something"]
    }
  }

Actual Behavior

From 4.1.0 and newer (we have tried a half dozen versions between 4.1.0 and 4.58.0), this results in a permissions error, but with an SNS topic in a partially created state.

Relevant Error/Panic Output Snippet

Error: setting SNS Topic (arn:aws:sns:us-west-2:099911042375:bmtest) attribute (ApplicationSuccessFeedbackSampleRate): AuthorizationError: User: arn:aws:sts::099911042375:assumed-role/pntest/preston.norvell@gettyimages.com is not authorized to perform: SNS:SetTopicAttributes on resource: arn:aws:sns:us-west-2:099911042375:bmtest because no identity-based policy allows the SNS:SetTopicAttributes action

Terraform Configuration Files

The tag we're using with ABAC here is application-group with a value that matches in default_tags, or as static tags on the resource.

The SNS topic:

resource "aws_sns_topic" "bmtest" {
  name = "bmtest"
  tags = {
    application-group = "test"
  }
}

The following IAM policy on a role:

data "aws_iam_policy_document" "integration" {

  #########
  ## sns ##
  #########

  # Creates constrained by appgroup tag
  statement {
    actions = [
      "sns:CreateTopic"
    ]
    effect    = "Allow"
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "aws:RequestTag/application-group"
      values   = ["test"]
    }
  }

  statement {
    actions = [
      "sns:AddPermission",
      "sns:ConfirmSubscription",
      "sns:DeleteEndpoint",
      "sns:DeleteTopic",
      "sns:Publish",
      "sns:PutDataProtectionPolicy",
      "sns:RemovePermission",
      "sns:SetSubscriptionAttributes",
      "sns:SetTopicAttributes",
      "sns:Subscribe",
      "sns:Unsubscribe",
      "sns:UntagResource",
    ]
    effect    = "Allow"
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "aws:ResourceTag/application-group"
      values   = ["test"]
    }
  }

  statement {
    actions = [
      "sns:TagResource"
    ]
    effect    = "Allow"
    resources = ["*"]
    condition {
      test     = "StringEqualsIfExists"
      variable = "aws:RequestTag/application-group"
      values = [
        "test"
      ]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:ResourceTag/application-group"
      values = [
        "test"
      ]
    }
  }
}

Steps to Reproduce

  1. Execute terraform apply with an IAM role/user with the above policy attached for managing SNS resources.
  2. Observe error. Observe SNS topic is still created.

Debug Output

2023-03-09T14:14:15.630-0800 [DEBUG] provider.terraform-provider-aws_v4.57.1_x5: Called provider defined Provider Configure: @module=sdk.framework tf_req_id=a98c482c-950c-6121-c5a5-33cc38664c8d tf_rpc=ConfigureProvider @caller=github.com/hashicorp/terraform-plugin-framework@v1.1.1/internal/fwserver/server_configureprovider.go:20 tf_mux_provider=*proto5server.Server tf_provider_addr=registry.terraform.io/hashicorp/aws timestamp=2023-03-09T14:14:15.630-0800
2023-03-09T14:14:15.634-0800 [WARN]  Provider "registry.terraform.io/hashicorp/aws" produced an invalid plan for aws_sns_topic.bmtest, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .content_based_deduplication: planned value cty.False for a non-computed attribute
      - .fifo_topic: planned value cty.False for a non-computed attribute
aws_sns_topic.bmtest: Creating...
2023-03-09T14:14:15.635-0800 [INFO]  Starting apply for aws_sns_topic.bmtest
2023-03-09T14:14:15.635-0800 [DEBUG] aws_sns_topic.bmtest: applying the planned Create change
2023-03-09T14:14:15.636-0800 [DEBUG] provider.terraform-provider-aws_v4.57.1_x5: HTTP Request Sent: http.request.header.x_amz_security_token=***** http.request_content_length=245 http.user_agent="APN/1.0 HashiCorp/1.0 Terraform/1.3.9 (+https://www.terraform.io) terraform-provider-aws/4.57.1 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.44.214 (go1.19.3; darwin; amd64)" aws.operation=CreateTopic aws.sdk=aws-sdk-go http.flavor=1.1 http.request.header.content_type="application/x-www-form-urlencoded; charset=utf-8" http.request.header.x_amz_date=20230309T221415Z net.peer.name=sns.us-west-2.amazonaws.com tf_mux_provider=*schema.GRPCProviderServer tf_resource_type=aws_sns_topic aws.service=SNS http.method=POST http.request.header.authorization="AWS4-HMAC-SHA256 Credential=ASIA************726G/20230309/us-west-2/sns/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date;x-amz-security-token, Signature=*****" tf_req_id=08db57df-a9cb-3b89-328f-19ad23381954 @module=aws http.url=https://sns.us-west-2.amazonaws.com/ tf_provider_addr=registry.terraform.io/hashicorp/aws tf_rpc=ApplyResourceChange @caller=github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2@v2.0.0-beta.25/logger.go:90 aws.region=us-west-2 http.request.body=Action=CreateTopic&Name=bmtest&Tags.member.1.Key=application&Tags.member.1.Value=poet-test&Tags.member.2.Key=application-component&Tags.member.2.Value=test&Tags.member.3.Key=application-group&Tags.member.3.Value=infrastructure&Version=2010-03-31 timestamp=2023-03-09T14:14:15.636-0800
2023-03-09T14:14:15.864-0800 [DEBUG] provider.terraform-provider-aws_v4.57.1_x5: HTTP Response Received: http.response.header.date="Thu, 09 Mar 2023 22:14:15 GMT" http.response_content_length=313 http.status_code=200 aws.operation=CreateTopic aws.region=us-west-2 aws.service=SNS http.response.header.content_type=text/xml tf_mux_provider=*schema.GRPCProviderServer tf_req_id=08db57df-a9cb-3b89-328f-19ad23381954 tf_rpc=ApplyResourceChange @caller=github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2@v2.0.0-beta.25/logger.go:138 @module=aws tf_provider_addr=registry.terraform.io/hashicorp/aws tf_resource_type=aws_sns_topic http.response.header.x_amzn_requestid=685d31b4-b5b5-53f9-aef3-6d30e9c29131 aws.sdk=aws-sdk-go http.duration=228 http.response.body="<CreateTopicResponse xmlns="http://sns.amazonaws.com/doc/2010-03-31/">
  <CreateTopicResult>
    <TopicArn>arn:aws:sns:us-west-2:1234567890:bmtest</TopicArn>
  </CreateTopicResult>
  <ResponseMetadata>
    <RequestId>685d31b4-b5b5-53f9-aef3-6d30e9c29131</RequestId>
  </ResponseMetadata>
</CreateTopicResponse>
" timestamp=2023-03-09T14:14:15.864-0800
2023-03-09T14:14:15.865-0800 [DEBUG] provider.terraform-provider-aws_v4.57.1_x5: [DEBUG] Waiting for state to become: [success]
2023-03-09T14:14:15.865-0800 [DEBUG] provider.terraform-provider-aws_v4.57.1_x5: HTTP Request Sent: http.request.header.content_type="application/x-www-form-urlencoded; charset=utf-8" http.request_content_length=170 net.peer.name=sns.us-west-2.amazonaws.com tf_resource_type=aws_sns_topic @caller=github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2@v2.0.0-beta.25/logger.go:90 @module=aws aws.operation=SetTopicAttributes http.flavor=1.1 http.method=POST tf_mux_provider=*schema.GRPCProviderServer tf_provider_addr=registry.terraform.io/hashicorp/aws http.request.body=Action=SetTopicAttributes&AttributeName=FirehoseSuccessFeedbackSampleRate&AttributeValue=0&TopicArn=arn%3Aaws%3Asns%3Aus-west-2%3A1234567890%3Abmtest&Version=2010-03-31 http.request.header.x_amz_date=20230309T221415Z tf_req_id=08db57df-a9cb-3b89-328f-19ad23381954 tf_rpc=ApplyResourceChange http.user_agent="APN/1.0 HashiCorp/1.0 Terraform/1.3.9 (+https://www.terraform.io) terraform-provider-aws/4.57.1 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.44.214 (go1.19.3; darwin; amd64)" aws.region=us-west-2 aws.sdk=aws-sdk-go aws.service=SNS http.request.header.authorization="AWS4-HMAC-SHA256 Credential=ASIA************726G/20230309/us-west-2/sns/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date;x-amz-security-token, Signature=*****" http.request.header.x_amz_security_token=***** http.url=https://sns.us-west-2.amazonaws.com/ timestamp=2023-03-09T14:14:15.865-0800
2023-03-09T14:14:15.903-0800 [DEBUG] provider.terraform-provider-aws_v4.57.1_x5: HTTP Response Received: aws.service=SNS http.response_content_length=494 tf_resource_type=aws_sns_topic tf_req_id=08db57df-a9cb-3b89-328f-19ad23381954 @caller=github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2@v2.0.0-beta.25/logger.go:138 http.response.header.date="Thu, 09 Mar 2023 22:14:15 GMT" http.response.header.x_amzn_requestid=7cc6127d-e823-5f1d-b5fe-4ef9b4543dd5 tf_provider_addr=registry.terraform.io/hashicorp/aws http.response.header.content_type=text/xml http.status_code=403 tf_mux_provider=*schema.GRPCProviderServer tf_rpc=ApplyResourceChange aws.operation=SetTopicAttributes http.response.body="<ErrorResponse xmlns="http://sns.amazonaws.com/doc/2010-03-31/">
  <Error>
    <Type>Sender</Type>
    <Code>AuthorizationError</Code>
    <Message>User: arn:aws:sts::1234567890:assumed-role/test/tmp-session is not authorized to perform: SNS:SetTopicAttributes on resource: arn:aws:sns:us-west-2:1234567890:bmtest because no identity-based policy allows the SNS:SetTopicAttributes action</Message>
  </Error>
  <RequestId>7cc6127d-e823-5f1d-b5fe-4ef9b4543dd5</RequestId>
</ErrorResponse>
" @module=aws aws.region=us-west-2 aws.sdk=aws-sdk-go http.duration=37 timestamp=2023-03-09T14:14:15.903-0800
2023-03-09T14:14:15.903-0800 [ERROR] provider.terraform-provider-aws_v4.57.1_x5: Response contains error diagnostic: @module=sdk.proto diagnostic_detail= tf_proto_version=5.3 tf_resource_type=aws_sns_topic tf_rpc=ApplyResourceChange tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=08db57df-a9cb-3b89-328f-19ad23381954 @caller=github.com/hashicorp/terraform-plugin-go@v0.14.3/tfprotov5/internal/diag/diagnostics.go:55 diagnostic_severity=ERROR diagnostic_summary="setting SNS Topic (arn:aws:sns:us-west-2:1234567890:bmtest) attribute (FirehoseSuccessFeedbackSampleRate): AuthorizationError: User: arn:aws:sts::1234567890:assumed-role/test/tmp-session is not authorized to perform: SNS:SetTopicAttributes on resource: arn:aws:sns:us-west-2:1234567890:bmtest because no identity-based policy allows the SNS:SetTopicAttributes action
        status code: 403, request id: 7cc6127d-e823-5f1d-b5fe-4ef9b4543dd5" timestamp=2023-03-09T14:14:15.903-0800
2023-03-09T14:14:15.904-0800 [ERROR] vertex "aws_sns_topic.bmtest" error: setting SNS Topic (arn:aws:sns:us-west-2:1234567890:bmtest) attribute (FirehoseSuccessFeedbackSampleRate): AuthorizationError: User: arn:aws:sts::1234567890:assumed-role/test/tmp-session is not authorized to perform: SNS:SetTopicAttributes on resource: arn:aws:sns:us-west-2:1234567890:bmtest because no identity-based policy allows the SNS:SetTopicAttributes action
        status code: 403, request id: 7cc6127d-e823-5f1d-b5fe-4ef9b4543dd5
2023-03-09T14:14:15.904-0800 [DEBUG] states/remote: state read serial is: 22; serial is: 22
2023-03-09T14:14:15.904-0800 [DEBUG] states/remote: state read lineage is: e2dedb4f-25ee-1b58-6a83-1d55801766db; lineage is: e2dedb4f-25ee-1b58-6a83-1d55801766db
2023-03-09T14:14:15.905-0800 [DEBUG] Uploading remote state to S3: {
  Body: buffer(0xc00503f9e0),
  Bucket: "getty-sbx-terraform-state",
  ContentLength: 23088,
  ContentType: "application/json",
  Key: "blastradius/sns-test"
}
2023-03-09T14:14:15.906-0800 [DEBUG] [aws-sdk-go] DEBUG: Request s3/PutObject Details:
---[ REQUEST POST-SIGN ]-----------------------------
PUT /blastradius/sns-test HTTP/1.1
Host: getty-sbx-terraform-state.s3.us-west-2.amazonaws.com
User-Agent: APN/1.0 HashiCorp/1.0 Terraform/1.3.9 aws-sdk-go/1.42.35 (go1.19.6; darwin; amd64)
Content-Length: 23088
Authorization: AWS4-HMAC-SHA256 Credential=ASIAROQZJQVD7Q5N726G/20230309/us-west-2/s3/aws4_request, SignedHeaders=content-length;content-md5;content-type;host;x-amz-content-sha256;x-amz-date;x-amz-security-token, Signature=69458f9ed40965b881b9874e70da91e31cace82e86c331c1ddfd6403e366a65b
Content-Md5: SfIDpT07zjAKiyJNPM32RA==
Content-Type: application/json
X-Amz-Content-Sha256: 584df94a4616f699f8fb6517c3c5ce4b304ad479347afee0ab55d3d20288698e
X-Amz-Date: 20230309T221415Z
X-Amz-Security-Token: IQoJb3JpZ2luX2VjEK7//////////wEaCXVzLXdlc3QtMiJGMEQCIH2fUxRUU1Ig+9NlnvjAcYcd8Dk1imEcjzUnQzqMBlEJAiAAuaTWTyY45frY1P6bjU7bgXrpFuFm0CQNnn2NDH4VvSqYAghnEAUaDDA5OTkxMTA0MjM3NSIMqAdi6ymqNZoh5iM9KvUBMrhweupFgztyp12UeiTqKNgzAo3u+U3b6RkgfVd0bDtmbTnc8dLQ2JQyBQtnuU4iecWTPVDiNXB3i8RXjIdvSXiLy7/X6HLPk/tm/b0rOCF/9UOT6eltxs9kcOz4Jf/V7NCXPRfRpWa/TOZ5+oolQY7ZjtLHOH2AKzHgwEWjYBF9s6pADvac7ROMWdib8rku0KLGJggz48Fcivy12yVbMz7mOdjVoZuHnon9jE18EU0oguoFQ1eTm4jJnjut5GqgQoCJua1OtMntEG8y4ISTGYRPsRD0zvQQ6F/3GUUrw4krUC//enSaBQEgXBsiYJEQNvml43EwjrCpoAY6ngFrHYxYR6LsdyDCzYfPm7FjTSu2y2dS8aG8k1E0l/JxwLyWK84GuNxpp3Ou0QTPZ2eM1O6RgsyJbSQXBjEpE5Y81GM27OpozB5JFVQwKIRNNvmEGu1LXAv6gfIkYaHd3Gv6ZZ0Yq/MKMr7sYb8lNJfZnMhhJQPhJTLtAKVyvPlhJJtIcXHTHS/dnj2Ps5bDLTB8IWZoCGWphnqJf5yOng==
Accept-Encoding: gzip

{
  "version": 4,
  "terraform_version": "1.3.9",
  "serial": 23,
  "lineage": "e2dedb4f-25ee-1b58-6a83-1d55801766db",
  "outputs": {},
  "resources": [
    {
      "mode": "managed",
      "type": "aws_sns_topic",
      "name": "bmtest",
      "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
      "instances": [
        {
          "status": "tainted",
          "schema_version": 0,
          "attributes": {
            "application_failure_feedback_role_arn": null,
            "application_success_feedback_role_arn": null,
            "application_success_feedback_sample_rate": null,
            "arn": null,
            "content_based_deduplication": false,
            "delivery_policy": null,
            "display_name": null,
            "fifo_topic": false,
            "firehose_failure_feedback_role_arn": null,
            "firehose_success_feedback_role_arn": null,
            "firehose_success_feedback_sample_rate": null,
            "http_failure_feedback_role_arn": null,
            "http_success_feedback_role_arn": null,
            "http_success_feedback_sample_rate": null,
            "id": "arn:aws:sns:us-west-2:1234567890:bmtest",
            "kms_master_key_id": null,
            "lambda_failure_feedback_role_arn": null,
            "lambda_success_feedback_role_arn": null,
            "lambda_success_feedback_sample_rate": null,
            "name": "bmtest",
            "name_prefix": null,
            "owner": null,
            "policy": null,
            "signature_version": null,
            "sqs_failure_feedback_role_arn": null,
            "sqs_success_feedback_role_arn": null,
            "sqs_success_feedback_sample_rate": null,
            "tags": null,
            "tags_all": {
              "application": "poet-test",
              "application-component": "test",
              "application-group": "infrastructure"
            },
            "tracing_config": null
          },
          "sensitive_attributes": [],
          "private": "bnVsbA=="
        }
      ]
    }
  ],
  "check_results": null
}

-----------------------------------------------------
2023-03-09T14:14:16.368-0800 [DEBUG] [aws-sdk-go] DEBUG: Response s3/PutObject Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 200 OK
Connection: close
Content-Length: 0
Date: Thu, 09 Mar 2023 22:14:17 GMT
Etag: "49f203a53d3bce300a8b224d3ccdf644"
Server: AmazonS3
X-Amz-Id-2: 4zGNiP/qidlfXeAQ9CZP0Pa7mzaslE3h6XOsbLguHpTT8VqSDgGf1aGbR+2yNcfDJDNJhPYAjFY=
X-Amz-Request-Id: E9SDHXJN871X5DAC
X-Amz-Server-Side-Encryption: AES256

-----------------------------------------------------
2023-03-09T14:14:16.368-0800 [DEBUG] [aws-sdk-go]
╷
│ Error: setting SNS Topic (arn:aws:sns:us-west-2:1234567890:bmtest) attribute (FirehoseSuccessFeedbackSampleRate): AuthorizationError: User: arn:aws:sts::1234567890:assumed-role/test/tmp-session is not authorized to perform: SNS:SetTopicAttributes on resource: arn:aws:sns:us-west-2:1234567890:bmtest because no identity-based policy allows the SNS:SetTopicAttributes action
│       status code: 403, request id: 7cc6127d-e823-5f1d-b5fe-4ef9b4543dd5
│ 
│   with aws_sns_topic.bmtest,
│   on sns.tf line 1, in resource "aws_sns_topic" "bmtest":
│    1: resource "aws_sns_topic" "bmtest" {
│ 
╵
2023-03-09T14:14:16.370-0800 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2023-03-09T14:14:16.380-0800 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/aws/4.57.1/darwin_amd64/terraform-provider-aws_v4.57.1_x5 pid=54826
2023-03-09T14:14:16.380-0800 [DEBUG] provider: plugin exited

Panic Output

No response

Important Factoids

4.0.0 works fine. The current aws-cli works fine performing the same actions. We've tested multiple different ways to ensure the permissions are sound (for CreateTopic and SetTopicAttributes at least). Everything newer than 4.0.0 errors out, for reasons we have yet to determine.

References

No response

Would you like to implement a fix?

None
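
Added example (not part of the original issue or the provider's code): a small Python triage script for debug logs like the one above. It folds multi-line response bodies back into their records, then reports per `tf_req_id` which tags were sent on the Create call and whether a later call was denied after the create succeeded, which is the partial-creation state this issue describes. The sample log is constructed, and `triage` and its helpers are hypothetical names.

```python
import re
from urllib.parse import parse_qs

# Constructed sample shaped like the TF_LOG=DEBUG output in this issue (fields
# trimmed; account ID and request IDs are placeholders).
SAMPLE_LOG = """\
2023-03-09T14:14:15.636-0800 [DEBUG] provider: HTTP Request Sent: aws.operation=CreateTopic tf_req_id=req-1 http.request.body=Action=CreateTopic&Name=bmtest&Tags.member.1.Key=application-group&Tags.member.1.Value=infrastructure&Version=2010-03-31 timestamp=t
2023-03-09T14:14:15.864-0800 [DEBUG] provider: HTTP Response Received: http.status_code=200 tf_req_id=req-1 http.response.body="<CreateTopicResponse>
  <TopicArn>arn:aws:sns:us-west-2:000000000000:bmtest</TopicArn>
</CreateTopicResponse>
" aws.operation=CreateTopic timestamp=t
2023-03-09T14:14:15.903-0800 [DEBUG] provider: HTTP Response Received: tf_req_id=req-1 http.status_code=403 http.response.body="<ErrorResponse>
  <Code>AuthorizationError</Code>
</ErrorResponse>
" aws.operation=SetTopicAttributes timestamp=t
"""

RECORD_START = re.compile(r"\d{4}-\d{2}-\d{2}T[\d:.]+[+-]\d{4} \[")

def records(text):
    """Fold continuation lines (multi-line XML bodies) into their log record."""
    out = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not out:
            out.append(line)
        else:
            out[-1] += "\n" + line
    return out

def field(rec, key):
    """Value of one key=value field; keys appear in no fixed order in these logs."""
    m = re.search(r"(?<![\w.])" + re.escape(key) + r"=(\S+)", rec)
    return m.group(1).strip('"') if m else None

def tags_from_body(body):
    """Tags.member.N.Key/Value pairs of a form-encoded Create* request body."""
    q = parse_qs(body)
    return {v[0]: q.get(k[:-3] + "Value", [""])[0]
            for k, v in q.items() if re.fullmatch(r"Tags\.member\.\d+\.Key", k)}

def triage(text, abac_tag_key):
    """Per tf_req_id: calls with status, tags sent on create, denials after create."""
    result = {}
    for rec in records(text):
        req_id, op = field(rec, "tf_req_id"), field(rec, "aws.operation")
        if not (req_id and op):
            continue
        e = result.setdefault(
            req_id, {"calls": [], "create_tags": {}, "denied_after_create": []})
        if "HTTP Request Sent" in rec and op.startswith("Create"):
            e["create_tags"] = tags_from_body(field(rec, "http.request.body") or "")
        elif "HTTP Response Received" in rec and field(rec, "http.status_code"):
            status = int(field(rec, "http.status_code"))
            created = any(o.startswith("Create") and s == 200 for o, s in e["calls"])
            if status == 403 and created:  # resource exists, follow-up call denied
                e["denied_after_create"].append(op)
            e["calls"].append((op, status))
        e["abac_tag_sent"] = abac_tag_key in e["create_tags"]
    return result
```

A non-empty `denied_after_create` together with `abac_tag_sent` being true matches the situation reported here: the tag was on the create request, the topic exists, and the resource ends up tainted in state.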

ewbankkit commented 1 year ago

@curator Thanks for raising this issue 👏. Off the top of my head I think that this is an IAM eventual consistency error.

curator commented 1 year ago

My question would be why it works in 4.0 and older. The resources are tagged on create, so it should be fine. I've also tested it as a composite command with the awscli (using the --attributes parameter) and also doing an aws sns create-topic ... && aws sns set-topic-attributes ... both of which work perfectly.

curator commented 1 year ago

Submitted above to fix the issue. 🤞 on swift review.

github-actions[bot] commented 1 year ago

This functionality has been released in v4.64.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

github-actions[bot] commented 1 year ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.