hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: UnknownOperationException for data.aws_identitystore_group.alternate_identifier.unique_attribute with aws v5.0.0 #31624

Closed luandrea closed 11 months ago

luandrea commented 1 year ago

Terraform Core Version

Terraform v1.0.0

AWS Provider Version

hashicorp/aws v5.0.0

Affected Resource(s)

When Terraform plan runs this snippet of code:

data "aws_identitystore_group" "groups" {
  for_each          = local.groups
  identity_store_id = tolist(data.aws_ssoadmin_instances.selected.identity_store_ids)[0]

  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = each.value.name
    }
  }
}

We get the error:

Error: reading AWS SSO Identity Store Group Data Source (d-99672224a9): operation error identitystore: GetGroupId, https response error StatusCode: 400, RequestID: ddf32597-f001-468e-98d7-56153002980b, api error UnknownOperationException: UnknownError

Expected Behavior

An identity group should be retrieved

Actual Behavior

Error: reading AWS SSO Identity Store Group Data Source (d-99672224a9): operation error identitystore: GetGroupId, https response error StatusCode: 400, RequestID: ddf32597-f001-468e-98d7-56153002980b, api error UnknownOperationException: UnknownError

Relevant Error/Panic Output Snippet

Error: reading AWS SSO Identity Store Group Data Source (d-99672224a9): operation error identitystore: GetGroupId, https response error StatusCode: 400, RequestID: ddf32597-f001-468e-98d7-56153002980b, api error UnknownOperationException: UnknownError
  with data.aws_identitystore_group.groups["756cd5d0b663f862cc02e6b2100be8ae"],
  on data.tf line 17, in data "aws_identitystore_group" "groups":
  17: data "aws_identitystore_group" "groups" {

Terraform Configuration Files

data "aws_identitystore_group" "groups" {
  for_each          = local.groups
  identity_store_id = tolist(data.aws_ssoadmin_instances.selected.identity_store_ids)[0]

  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = each.value.name
    }
  }
}

Steps to Reproduce

Terraform plan the snippet above.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

28139

28937

Would you like to implement a fix?

None

aliahmedmytoys commented 1 year ago

Any updates regarding this, because filter is also not working?

ExBleaK commented 1 year ago

In the new provider, filter is also not working.

popsicleslayer commented 1 year ago

Hi! In version 5.8 the same error persists. Funnily enough, this error has been a problem for me since this issue, so I had to use the filter functionality. Since version 5.0, filter is no longer usable.

karlbennett commented 1 year ago

I am also getting the original permission error that was present in the "Closed" issue mentioned in the comment above. This means that version 5 of the AWS Provider is completely unusable for me with AWS SSO.

The role I was using had permission identitystore:GetGroup* on resources ["*"].

Terraform Version: 1.3.3

AWS Provider Version: 5.10.0

Error:

│ Error: reading AWS SSO Identity Store Group Data Source (*****): operation error identitystore: GetGroupId, https response error StatusCode: 400, RequestID: *****, AccessDeniedException: User: arn:aws:sts::*****:assumed-role/***** is not authorized to perform: identitystore:GetGroupId on resource: arn:aws:identitystore::*****:identitystore/***** because no identity-based policy allows the identitystore:GetGroupId action

bjf-rga commented 1 year ago

We're in the same boat. We have to pessimistically lock to 4.0 (~> 4.0) because only the deprecated filter works. The non-deprecated syntax (alternate_identifier { unique_attribute {} }) is not operational. At least the fix from #28937 let us unpin the provider from 4.37.

ewbankkit commented 1 year ago

Filters was deprecated in AWS SDK for Go v1.44.89. Announcement.

ewbankkit commented 1 year ago

@luandrea et al. The maintainers are unable to reproduce this problem in any of our test accounts. To help us make progress could you please attach debug logs? Thanks.

ExBleaK commented 1 year ago

@ewbankkit Terraform Core Version: Terraform v1.2.9

AWS Provider Version: hashicorp/aws v5.13.1

Affected Resource(s):

data "aws_identitystore_group" "example" {
  identity_store_id = tolist(data.aws_ssoadmin_instances.example.identity_store_ids)[0]

  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = "xxx@xxx"
    }
  }
}

When Terraform plan runs this snippet of code:

provider "aws" {
  region  = "us-east-1"
  profile = "root"
}

data "aws_ssoadmin_instances" "example" {}

data "aws_identitystore_group" "example" {
  identity_store_id = tolist(data.aws_ssoadmin_instances.example.identity_store_ids)[0]

  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = "xxx@xxx"
    }
  }
}

We get the error: Error: reading AWS SSO Identity Store Group Data Source (d-xxxxxxxxxx): operation error identitystore: GetGroupId, https

Expected Behavior: An identity group should be retrieved

Actual Behavior: Error: reading AWS SSO Identity Store Group Data Source (d-xxxxxxxxxx): operation error identitystore: GetGroupId, https

Relevant Error/Panic Output Snippet:

╷
│ Error: reading AWS SSO Identity Store Group Data Source (d-xxxxxxxxxx): operation error identitystore: GetGroupId, https response error StatusCode: 400, RequestID: 25fe6a2e-3e97-42bd-ac5f-ea25f641c02e, api error UnknownOperationException: UnknownError
│
│   with data.aws_identitystore_group.example,
│   on main.tf line 8, in data "aws_identitystore_group" "example":
│    8: data "aws_identitystore_group" "example" {
│
╵

Steps to Reproduce: Terraform plan the snippet above.

Debug Output:

~$ export TF_LOG=DEBUG; terraform apply
2023-08-23T10:26:54.494+0300 [INFO]  Terraform version: 1.2.9
2023-08-23T10:26:54.495+0300 [DEBUG] using github.com/hashicorp/go-tfe v1.0.0
2023-08-23T10:26:54.495+0300 [DEBUG] using github.com/hashicorp/hcl/v2 v2.12.0
2023-08-23T10:26:54.495+0300 [DEBUG] using github.com/hashicorp/terraform-config-inspect v0.0.0-20210209133302-4fd17a0faac2
2023-08-23T10:26:54.495+0300 [DEBUG] using github.com/hashicorp/terraform-svchost v0.0.0-20200729002733-f050f53b9734
2023-08-23T10:26:54.495+0300 [DEBUG] using github.com/zclconf/go-cty v1.11.0
2023-08-23T10:26:54.495+0300 [INFO]  Go runtime version: go1.18.1
2023-08-23T10:26:54.495+0300 [INFO]  CLI args: []string{"terraform", "apply"}
2023-08-23T10:26:54.495+0300 [DEBUG] Attempting to open CLI config file: /home/xxxx/.terraformrc
2023-08-23T10:26:54.495+0300 [INFO]  Loading CLI configuration from /home/xxxx/.terraformrc
2023-08-23T10:26:54.495+0300 [DEBUG] checking for credentials in "/home/xxxx/.terraform.d/plugins"
2023-08-23T10:26:54.495+0300 [DEBUG] Explicit provider installation configuration is set
2023-08-23T10:26:54.495+0300 [INFO]  CLI command args: []string{"apply"}
2023-08-23T10:26:54.495+0300 [INFO]  Checkpoint disabled. Not running.
2023-08-23T10:26:54.496+0300 [DEBUG] New state was assigned lineage "cb7cb64b-9047-b025-b42f-f3b20d3e0c3c"
2023-08-23T10:26:55.227+0300 [DEBUG] checking for provisioner in "."
2023-08-23T10:26:55.233+0300 [DEBUG] checking for provisioner in "/usr/bin"
2023-08-23T10:26:55.233+0300 [DEBUG] checking for provisioner in "/home/xxxx/.terraform.d/plugins"
2023-08-23T10:26:55.234+0300 [INFO]  backend/local: starting Apply operation
2023-08-23T10:26:55.235+0300 [DEBUG] created provider logger: level=debug
2023-08-23T10:26:55.235+0300 [INFO]  provider: configuring client automatic mTLS
2023-08-23T10:26:55.250+0300 [DEBUG] provider: starting plugin: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.13.1/linux_amd64/terraform-provider-aws_v5.13.1_x5 args=[.terraform/providers/registry.terraform.io/hashicorp/aws/5.13.1/linux_amd64/terraform-provider-aws_v5.13.1_x5]
2023-08-23T10:26:55.250+0300 [DEBUG] provider: plugin started: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.13.1/linux_amd64/terraform-provider-aws_v5.13.1_x5 pid=21814
2023-08-23T10:26:55.250+0300 [DEBUG] provider: waiting for RPC address: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.13.1/linux_amd64/terraform-provider-aws_v5.13.1_x5
2023-08-23T10:26:55.361+0300 [INFO]  provider.terraform-provider-aws_v5.13.1_x5: configuring server automatic mTLS: timestamp=2023-08-23T10:26:55.361+0300
2023-08-23T10:26:55.377+0300 [DEBUG] provider: using plugin: version=5
2023-08-23T10:26:55.377+0300 [DEBUG] provider.terraform-provider-aws_v5.13.1_x5: plugin address: address=/tmp/plugin1813267580 network=unix timestamp=2023-08-23T10:26:55.377+0300
2023-08-23T10:26:56.287+0300 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2023-08-23T10:26:56.297+0300 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.13.1/linux_amd64/terraform-provider-aws_v5.13.1_x5 pid=21814
2023-08-23T10:26:56.297+0300 [DEBUG] provider: plugin exited
2023-08-23T10:26:56.297+0300 [DEBUG] Building and walking validate graph
2023-08-23T10:26:56.298+0300 [DEBUG] ProviderTransformer: "data.aws_ssoadmin_instances.example" (*terraform.NodeValidatableResource) needs provider["registry.terraform.io/hashicorp/aws"]
2023-08-23T10:26:56.298+0300 [DEBUG] ProviderTransformer: "data.aws_identitystore_group.example" (*terraform.NodeValidatableResource) needs provider["registry.terraform.io/hashicorp/aws"]
2023-08-23T10:26:56.298+0300 [DEBUG] ReferenceTransformer: "data.aws_ssoadmin_instances.example" references: []
2023-08-23T10:26:56.298+0300 [DEBUG] ReferenceTransformer: "data.aws_identitystore_group.example" references: [data.aws_ssoadmin_instances.example]
2023-08-23T10:26:56.298+0300 [DEBUG] ReferenceTransformer: "provider[\"registry.terraform.io/hashicorp/aws\"]" references: []
2023-08-23T10:26:56.298+0300 [DEBUG] Starting graph walk: walkValidate
2023-08-23T10:26:56.299+0300 [DEBUG] created provider logger: level=debug
2023-08-23T10:26:56.299+0300 [INFO]  provider: configuring client automatic mTLS
2023-08-23T10:26:56.328+0300 [DEBUG] provider: starting plugin: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.13.1/linux_amd64/terraform-provider-aws_v5.13.1_x5 args=[.terraform/providers/registry.terraform.io/hashicorp/aws/5.13.1/linux_amd64/terraform-provider-aws_v5.13.1_x5]
2023-08-23T10:26:56.328+0300 [DEBUG] provider: plugin started: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.13.1/linux_amd64/terraform-provider-aws_v5.13.1_x5 pid=21837
2023-08-23T10:26:56.328+0300 [DEBUG] provider: waiting for RPC address: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.13.1/linux_amd64/terraform-provider-aws_v5.13.1_x5
2023-08-23T10:26:56.471+0300 [INFO]  provider.terraform-provider-aws_v5.13.1_x5: configuring server automatic mTLS: timestamp=2023-08-23T10:26:56.471+0300
2023-08-23T10:26:56.504+0300 [DEBUG] provider.terraform-provider-aws_v5.13.1_x5: plugin address: address=/tmp/plugin297086427 network=unix timestamp=2023-08-23T10:26:56.504+0300
2023-08-23T10:26:56.504+0300 [DEBUG] provider: using plugin: version=5
2023-08-23T10:26:57.397+0300 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2023-08-23T10:26:57.407+0300 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.13.1/linux_amd64/terraform-provider-aws_v5.13.1_x5 pid=21837
2023-08-23T10:26:57.407+0300 [DEBUG] provider: plugin exited
2023-08-23T10:26:57.407+0300 [INFO]  backend/local: apply calling Plan
2023-08-23T10:26:57.407+0300 [DEBUG] Building and walking plan graph for NormalMode
2023-08-23T10:26:57.407+0300 [DEBUG] ProviderTransformer: "data.aws_ssoadmin_instances.example (expand)" (*terraform.nodeExpandPlannableResource) needs provider["registry.terraform.io/hashicorp/aws"]
2023-08-23T10:26:57.407+0300 [DEBUG] ProviderTransformer: "data.aws_identitystore_group.example (expand)" (*terraform.nodeExpandPlannableResource) needs provider["registry.terraform.io/hashicorp/aws"]
2023-08-23T10:26:57.408+0300 [DEBUG] ReferenceTransformer: "data.aws_ssoadmin_instances.example (expand)" references: []
2023-08-23T10:26:57.408+0300 [DEBUG] ReferenceTransformer: "data.aws_identitystore_group.example (expand)" references: [data.aws_ssoadmin_instances.example (expand)]
2023-08-23T10:26:57.408+0300 [DEBUG] ReferenceTransformer: "provider[\"registry.terraform.io/hashicorp/aws\"]" references: []
2023-08-23T10:26:57.408+0300 [DEBUG] Starting graph walk: walkPlan
2023-08-23T10:26:57.409+0300 [DEBUG] created provider logger: level=debug
2023-08-23T10:26:57.409+0300 [INFO]  provider: configuring client automatic mTLS
2023-08-23T10:26:57.438+0300 [DEBUG] provider: starting plugin: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.13.1/linux_amd64/terraform-provider-aws_v5.13.1_x5 args=[.terraform/providers/registry.terraform.io/hashicorp/aws/5.13.1/linux_amd64/terraform-provider-aws_v5.13.1_x5]
2023-08-23T10:26:57.439+0300 [DEBUG] provider: plugin started: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.13.1/linux_amd64/terraform-provider-aws_v5.13.1_x5 pid=21858
2023-08-23T10:26:57.439+0300 [DEBUG] provider: waiting for RPC address: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.13.1/linux_amd64/terraform-provider-aws_v5.13.1_x5
2023-08-23T10:26:57.591+0300 [INFO]  provider.terraform-provider-aws_v5.13.1_x5: configuring server automatic mTLS: timestamp=2023-08-23T10:26:57.591+0300
2023-08-23T10:26:57.608+0300 [DEBUG] provider: using plugin: version=5
2023-08-23T10:26:57.608+0300 [DEBUG] provider.terraform-provider-aws_v5.13.1_x5: plugin address: address=/tmp/plugin3082747891 network=unix timestamp=2023-08-23T10:26:57.608+0300
2023-08-23T10:26:58.395+0300 [DEBUG] provider.terraform-provider-aws_v5.13.1_x5: Configuring Terraform AWS Provider: @caller=github.com/hashicorp/terraform-provider-aws/internal/conns/config.go:117 @module=aws tf_provider_addr=registry.terraform.io/hashicorp/aws tf_rpc=ConfigureProvider tf_mux_provider=*schema.GRPCProviderServer tf_req_id=95f13ab3-b1d2-06f4-5618-6be25e6b0043 timestamp=2023-08-23T10:26:58.395+0300
2023-08-23T10:26:58.395+0300 [DEBUG] provider.terraform-provider-aws_v5.13.1_x5: Resolving credentials provider: tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=95f13ab3-b1d2-06f4-5618-6be25e6b0043 tf_rpc=ConfigureProvider @module=aws.aws-base tf_mux_provider=*schema.GRPCProviderServer @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.34/logging/tf_logger.go:47 timestamp=2023-08-23T10:26:58.395+0300
2023-08-23T10:26:58.395+0300 [DEBUG] provider.terraform-provider-aws_v5.13.1_x5: Using profile: @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.34/logging/tf_logger.go:47 tf_aws.profile=root tf_req_id=95f13ab3-b1d2-06f4-5618-6be25e6b0043 tf_rpc=ConfigureProvider @module=aws.aws-base tf_aws.profile.source=provider tf_mux_provider=*schema.GRPCProviderServer tf_provider_addr=registry.terraform.io/hashicorp/aws timestamp=2023-08-23T10:26:58.395+0300
2023-08-23T10:26:58.395+0300 [DEBUG] provider.terraform-provider-aws_v5.13.1_x5: Loading profile: @module=aws.aws-base tf_aws.profile=root tf_rpc=ConfigureProvider tf_mux_provider=*schema.GRPCProviderServer tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=95f13ab3-b1d2-06f4-5618-6be25e6b0043 @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.34/logging/tf_logger.go:47 timestamp=2023-08-23T10:26:58.395+0300
2023-08-23T10:26:58.396+0300 [DEBUG] provider.terraform-provider-aws_v5.13.1_x5: Setting profile: @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.34/logging/tf_logger.go:47 @module=aws.aws-base tf_aws.profile=root tf_aws.profile.source=provider tf_mux_provider=*schema.GRPCProviderServer tf_req_id=95f13ab3-b1d2-06f4-5618-6be25e6b0043 tf_provider_addr=registry.terraform.io/hashicorp/aws tf_rpc=ConfigureProvider timestamp=2023-08-23T10:26:58.396+0300
2023-08-23T10:26:58.396+0300 [DEBUG] provider.terraform-provider-aws_v5.13.1_x5: Loading configuration: tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=95f13ab3-b1d2-06f4-5618-6be25e6b0043 @module=aws.aws-base tf_mux_provider=*schema.GRPCProviderServer tf_rpc=ConfigureProvider @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.34/logging/tf_logger.go:47 timestamp=2023-08-23T10:26:58.396+0300
2023-08-23T10:26:58.398+0300 [DEBUG] provider.terraform-provider-aws_v5.13.1_x5: Retrieving credentials: @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.34/logging/tf_logger.go:47 tf_mux_provider=*schema.GRPCProviderServer tf_rpc=ConfigureProvider @module=aws.aws-base tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=95f13ab3-b1d2-06f4-5618-6be25e6b0043 timestamp=2023-08-23T10:26:58.398+0300
2023-08-23T10:26:58.398+0300 [INFO]  provider.terraform-provider-aws_v5.13.1_x5: Retrieved credentials: @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.34/logging/tf_logger.go:39 tf_provider_addr=registry.terraform.io/hashicorp/aws tf_rpc=ConfigureProvider @module=aws.aws-base tf_aws.credentials_source="SharedConfigCredentials: /home/xxxxx/.aws/credentials" tf_mux_provider=*schema.GRPCProviderServer tf_req_id=95f13ab3-b1d2-06f4-5618-6be25e6b0043 timestamp=2023-08-23T10:26:58.398+0300
2023-08-23T10:26:58.398+0300 [DEBUG] provider.terraform-provider-aws_v5.13.1_x5: Loading configuration: tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=95f13ab3-b1d2-06f4-5618-6be25e6b0043 tf_rpc=ConfigureProvider @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.34/logging/tf_logger.go:47 @module=aws.aws-base tf_mux_provider=*schema.GRPCProviderServer timestamp=2023-08-23T10:26:58.398+0300
2023-08-23T10:26:58.399+0300 [DEBUG] provider.terraform-provider-aws_v5.13.1_x5: Retrieving caller identity from STS: @module=aws.aws-base tf_mux_provider=*schema.GRPCProviderServer tf_req_id=95f13ab3-b1d2-06f4-5618-6be25e6b0043 @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.34/logging/tf_logger.go:47 tf_provider_addr=registry.terraform.io/hashicorp/aws tf_rpc=ConfigureProvider timestamp=2023-08-23T10:26:58.399+0300
2023-08-23T10:26:58.400+0300 [DEBUG] provider.terraform-provider-aws_v5.13.1_x5: HTTP Request Sent: http.request.body="Action=GetCallerIdentity&Version=2011-06-15
" http.request.header.amz_sdk_request="attempt=1; max=25" http.request.header.x_amz_date=20230823T072658Z http.request_content_length=43 net.peer.name=sts.us-east-1.amazonaws.com tf_req_id=95f13ab3-b1d2-06f4-5618-6be25e6b0043 aws.sdk=aws-sdk-go-v2 http.request.header.authorization="AWS4-HMAC-SHA256 Credential=AKIA************MYHF/20230823/us-east-1/sts/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date, Signature=*****" http.request.header.content_type=application/x-www-form-urlencoded tf_rpc=ConfigureProvider aws.region=us-east-1 aws.service=STS http.user_agent="APN/1.0 HashiCorp/1.0 Terraform/1.2.9 (+https://www.terraform.io) terraform-provider-aws/5.13.1 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go-v2/1.20.2 os/linux lang/go#1.20.7 md/GOOS#linux md/GOARCH#amd64 api/sts#1.21.2" @module=aws.aws-base aws.operation=GetCallerIdentity http.request.header.amz_sdk_invocation_id=5ab458a2-c099-4b52-a6ce-42b68f5ea9e0 http.url=https://sts.us-east-1.amazonaws.com/ tf_mux_provider=*schema.GRPCProviderServer tf_provider_addr=registry.terraform.io/hashicorp/aws @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.34/logging/tf_logger.go:47 http.method=POST timestamp=2023-08-23T10:26:58.400+0300
2023-08-23T10:26:58.987+0300 [DEBUG] provider.terraform-provider-aws_v5.13.1_x5: HTTP Response Received: aws.service=STS tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=95f13ab3-b1d2-06f4-5618-6be25e6b0043 aws.operation=GetCallerIdentity @module=aws.aws-base http.duration=586 http.response.body="<GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <GetCallerIdentityResult>
    <Arn>arn:aws:iam::xxxxx:user/vault-ldap-xxxxxxxxxx</Arn>
    <UserId>AIDA*************JUK6</UserId>
    <Account>xxxxx</Account>
  </GetCallerIdentityResult>
  <ResponseMetadata>
    <RequestId>39ad93af-b87e-4b8f-823c-fd8935900acf</RequestId>
  </ResponseMetadata>
</GetCallerIdentityResponse>
" http.response.header.date="Wed, 23 Aug 2023 07:26:58 GMT" tf_rpc=ConfigureProvider @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.34/logging/tf_logger.go:47 http.response.header.x_amzn_requestid=39ad93af-b87e-4b8f-823c-fd8935900acf http.response_content_length=461 aws.sdk=aws-sdk-go-v2 http.response.header.content_type=text/xml http.status_code=200 tf_mux_provider=*schema.GRPCProviderServer aws.region=us-east-1 timestamp=2023-08-23T10:26:58.987+0300
2023-08-23T10:26:58.987+0300 [INFO]  provider.terraform-provider-aws_v5.13.1_x5: Retrieved caller identity from STS: @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.34/logging/tf_logger.go:39 tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=95f13ab3-b1d2-06f4-5618-6be25e6b0043 tf_rpc=ConfigureProvider @module=aws.aws-base tf_mux_provider=*schema.GRPCProviderServer timestamp=2023-08-23T10:26:58.987+0300
2023-08-23T10:26:58.987+0300 [DEBUG] provider.terraform-provider-aws_v5.13.1_x5: Creating AWS SDK v1 session: tf_mux_provider=*schema.GRPCProviderServer tf_provider_addr=registry.terraform.io/hashicorp/aws @caller=github.com/hashicorp/terraform-provider-aws/internal/conns/config.go:139 @module=aws tf_req_id=95f13ab3-b1d2-06f4-5618-6be25e6b0043 tf_rpc=ConfigureProvider timestamp=2023-08-23T10:26:58.987+0300
2023-08-23T10:26:58.990+0300 [DEBUG] provider.terraform-provider-aws_v5.13.1_x5: Retrieving AWS account details: @caller=github.com/hashicorp/terraform-provider-aws/internal/conns/config.go:154 tf_mux_provider=*schema.GRPCProviderServer tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=95f13ab3-b1d2-06f4-5618-6be25e6b0043 tf_rpc=ConfigureProvider @module=aws timestamp=2023-08-23T10:26:58.990+0300
2023-08-23T10:26:58.990+0300 [DEBUG] provider.terraform-provider-aws_v5.13.1_x5: Retrieving caller identity from STS: @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.34/logging/tf_logger.go:47 @module=aws.aws-base tf_mux_provider=*schema.GRPCProviderServer tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=95f13ab3-b1d2-06f4-5618-6be25e6b0043 tf_rpc=ConfigureProvider timestamp=2023-08-23T10:26:58.990+0300
2023-08-23T10:26:58.990+0300 [DEBUG] provider.terraform-provider-aws_v5.13.1_x5: HTTP Request Sent: aws.operation=GetCallerIdentity aws.service=STS http.request.header.amz_sdk_invocation_id=b0190847-9f21-4bd5-899f-0b812222fc5c http.request.header.amz_sdk_request="attempt=1; max=25" http.request.header.authorization="AWS4-HMAC-SHA256 Credential=AKIA************MYHF/20230823/us-east-1/sts/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date, Signature=*****" http.request.header.x_amz_date=20230823T072658Z aws.sdk=aws-sdk-go-v2 http.method=POST tf_provider_addr=registry.terraform.io/hashicorp/aws aws.region=us-east-1 @module=aws.aws-base http.request_content_length=43 http.url=https://sts.us-east-1.amazonaws.com/ http.user_agent="APN/1.0 HashiCorp/1.0 Terraform/1.2.9 (+https://www.terraform.io) terraform-provider-aws/5.13.1 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go-v2/1.20.2 os/linux lang/go#1.20.7 md/GOOS#linux md/GOARCH#amd64 api/sts#1.21.2" tf_req_id=95f13ab3-b1d2-06f4-5618-6be25e6b0043 @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.34/logging/tf_logger.go:47 http.request.header.content_type=application/x-www-form-urlencoded net.peer.name=sts.us-east-1.amazonaws.com tf_mux_provider=*schema.GRPCProviderServer tf_rpc=ConfigureProvider http.request.body="Action=GetCallerIdentity&Version=2011-06-15
" timestamp=2023-08-23T10:26:58.990+0300
2023-08-23T10:26:59.120+0300 [DEBUG] provider.terraform-provider-aws_v5.13.1_x5: HTTP Response Received: aws.service=STS http.response.header.x_amzn_requestid=aa2fa350-d9c9-4bbe-a63f-3a48f48418de tf_mux_provider=*schema.GRPCProviderServer tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=95f13ab3-b1d2-06f4-5618-6be25e6b0043 aws.sdk=aws-sdk-go-v2 http.response.header.content_type=text/xml aws.operation=GetCallerIdentity aws.region=us-east-1 http.duration=129 http.response.body="<GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <GetCallerIdentityResult>
    <Arn>arn:aws:iam::xxxxx:user/vault-ldap-xxxxxxxxxx</Arn>
    <UserId>AIDA*************JUK6</UserId>
    <Account>xxxxx</Account>
  </GetCallerIdentityResult>
  <ResponseMetadata>
    <RequestId>aa2fa350-d9c9-4bbe-a63f-3a48f48418de</RequestId>
  </ResponseMetadata>
</GetCallerIdentityResponse>
" http.response_content_length=461 http.status_code=200 @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.34/logging/tf_logger.go:47 http.response.header.date="Wed, 23 Aug 2023 07:26:58 GMT" tf_rpc=ConfigureProvider @module=aws.aws-base timestamp=2023-08-23T10:26:59.120+0300
2023-08-23T10:26:59.120+0300 [INFO]  provider.terraform-provider-aws_v5.13.1_x5: Retrieved caller identity from STS: tf_rpc=ConfigureProvider @module=aws.aws-base tf_req_id=95f13ab3-b1d2-06f4-5618-6be25e6b0043 @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.34/logging/tf_logger.go:39 tf_mux_provider=*schema.GRPCProviderServer tf_provider_addr=registry.terraform.io/hashicorp/aws timestamp=2023-08-23T10:26:59.120+0300
2023-08-23T10:26:59.121+0300 [DEBUG] Resource instance state not found for node "data.aws_ssoadmin_instances.example", instance data.aws_ssoadmin_instances.example
2023-08-23T10:26:59.121+0300 [DEBUG] ReferenceTransformer: "data.aws_ssoadmin_instances.example" references: []
data.aws_ssoadmin_instances.example: Reading...
2023-08-23T10:26:59.123+0300 [DEBUG] provider.terraform-provider-aws_v5.13.1_x5: HTTP Request Sent: http.request.header.authorization="AWS4-HMAC-SHA256 Credential=AKIA************MYHF/20230823/us-east-1/sso/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date;x-amz-target, Signature=*****" aws.operation=ListInstances http.method=POST http.request.header.content_type=application/x-amz-json-1.1 http.user_agent="APN/1.0 HashiCorp/1.0 Terraform/1.2.9 (+https://www.terraform.io) terraform-provider-aws/5.13.1 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.44.326 (go1.20.7; linux; amd64)" tf_provider_addr=registry.terraform.io/hashicorp/aws @module=aws aws.region=us-east-1 http.flavor=1.1 http.request.body="{}
" http.request.header.x_amz_target=SWBExternalService.ListInstances http.request_content_length=2 @caller=github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2@v2.0.0-beta.35/logger.go:96 net.peer.name=sso.us-east-1.amazonaws.com aws.service="SSO Admin" http.request.header.x_amz_date=20230823T072659Z http.url=https://sso.us-east-1.amazonaws.com/ tf_data_source_type=aws_ssoadmin_instances tf_mux_provider=*schema.GRPCProviderServer tf_req_id=577f96a1-0277-6c35-09d2-42bcd16f05f0 tf_rpc=ReadDataSource aws.sdk=aws-sdk-go timestamp=2023-08-23T10:26:59.123+0300
2023-08-23T10:26:59.771+0300 [DEBUG] provider.terraform-provider-aws_v5.13.1_x5: HTTP Response Received: http.status_code=200 tf_req_id=577f96a1-0277-6c35-09d2-42bcd16f05f0 aws.sdk=aws-sdk-go http.duration=647 http.response.body="{"Instances":[{"IdentityStoreId":"d-xxxxx","InstanceArn":"arn:aws:sso:::instance/ssoins-xxxxx"}]}
" http.response.header.x_amzn_requestid=81843788-19ee-40e9-9649-a4a38d21dec1 http.response_content_length=113 tf_rpc=ReadDataSource aws.operation=ListInstances aws.region=us-east-1 aws.service="SSO Admin" @caller=github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2@v2.0.0-beta.35/logger.go:144 tf_data_source_type=aws_ssoadmin_instances http.response.header.date="Wed, 23 Aug 2023 07:26:59 GMT" tf_mux_provider=*schema.GRPCProviderServer tf_provider_addr=registry.terraform.io/hashicorp/aws @module=aws http.response.header.content_type=application/x-amz-json-1.1 timestamp=2023-08-23T10:26:59.771+0300
data.aws_ssoadmin_instances.example: Read complete after 1s [id=us-east-1]
2023-08-23T10:26:59.771+0300 [DEBUG] Resource instance state not found for node "data.aws_identitystore_group.example", instance data.aws_identitystore_group.example
2023-08-23T10:26:59.772+0300 [DEBUG] ReferenceTransformer: "data.aws_identitystore_group.example" references: []
data.aws_identitystore_group.example: Reading...
2023-08-23T10:27:00.240+0300 [ERROR] provider.terraform-provider-aws_v5.13.1_x5: Response contains error diagnostic: @module=sdk.proto diagnostic_detail= diagnostic_summary="reading AWS SSO Identity Store Group Data Source (d-xxxxx): operation error identitystore: GetGroupId, https response error StatusCode: 400, RequestID: 5a3354ae-77b4-4292-97c1-20292450dfc5, api error UnknownOperationException: UnknownError" tf_proto_version=5.3 tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=479b2eef-54c7-c87c-b71b-dd479a4ab43b @caller=github.com/hashicorp/terraform-plugin-go@v0.18.0/tfprotov5/internal/diag/diagnostics.go:58 diagnostic_severity=ERROR tf_data_source_type=aws_identitystore_group tf_rpc=ReadDataSource timestamp=2023-08-23T10:27:00.240+0300
2023-08-23T10:27:00.241+0300 [ERROR] vertex "data.aws_identitystore_group.example" error: reading AWS SSO Identity Store Group Data Source (d-xxxxx): operation error identitystore: GetGroupId, https response error StatusCode: 400, RequestID: 5a3354ae-77b4-4292-97c1-20292450dfc5, api error UnknownOperationException: UnknownError
2023-08-23T10:27:00.241+0300 [ERROR] vertex "data.aws_identitystore_group.example" error: reading AWS SSO Identity Store Group Data Source (d-xxxxx): operation error identitystore: GetGroupId, https response error StatusCode: 400, RequestID: 5a3354ae-77b4-4292-97c1-20292450dfc5, api error UnknownOperationException: UnknownError
2023-08-23T10:27:00.241+0300 [ERROR] vertex "data.aws_identitystore_group.example (expand)" error: reading AWS SSO Identity Store Group Data Source (d-xxxxx): operation error identitystore: GetGroupId, https response error StatusCode: 400, RequestID: 5a3354ae-77b4-4292-97c1-20292450dfc5, api error UnknownOperationException: UnknownError
╷
│ Error: reading AWS SSO Identity Store Group Data Source (d-xxxxx): operation error identitystore: GetGroupId, https response error StatusCode: 400, RequestID: 5a3354ae-77b4-4292-97c1-20292450dfc5, api error UnknownOperationException: UnknownError
│
│   with data.aws_identitystore_group.example,
│   on main.tf line 8, in data "aws_identitystore_group" "example":
│    8: data "aws_identitystore_group" "example" {
│
╵
2023-08-23T10:27:00.241+0300 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2023-08-23T10:27:00.250+0300 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.13.1/linux_amd64/terraform-provider-aws_v5.13.1_x5 pid=21858
2023-08-23T10:27:00.250+0300 [DEBUG] provider: plugin exited
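
A debug log like the one above carries key IDs, account IDs and ARNs, and repeats each SDK failure several times under the same RequestID. The following is an added example, not part of the original thread or the provider's code: it scrubs such a log before it is attached to a public issue and lists each distinct failure once. The sample lines, IDs and role names are constructed, and the function names are hypothetical.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the shape of the log and error lines quoted in this
# thread. Key ID, account ID, request IDs, user and role names are made up.
SAMPLE_LOG = """\
2023-08-23T10:26:58.400+0300 [DEBUG] provider: HTTP Request Sent: http.request.header.authorization="AWS4-HMAC-SHA256 Credential=AKIAABCDEFGHIJKLMNOP/20230823/us-east-1/sts/aws4_request, SignedHeaders=host;x-amz-date, Signature=0123456789abcdef0123456789abcdef"
2023-08-23T10:26:58.987+0300 [DEBUG] provider: HTTP Response Received: http.response.body="<Arn>arn:aws:iam::111122223333:user/example-user</Arn>"
2023-08-23T10:27:00.241+0300 [ERROR] vertex "data.aws_identitystore_group.example" error: reading AWS SSO Identity Store Group Data Source (d-0000000000): operation error identitystore: GetGroupId, https response error StatusCode: 400, RequestID: 00000000-0000-0000-0000-000000000001, api error UnknownOperationException: UnknownError
2023-08-23T10:27:00.241+0300 [ERROR] vertex "data.aws_identitystore_group.example (expand)" error: reading AWS SSO Identity Store Group Data Source (d-0000000000): operation error identitystore: GetGroupId, https response error StatusCode: 400, RequestID: 00000000-0000-0000-0000-000000000001, api error UnknownOperationException: UnknownError
2023-08-23T10:27:01.000+0300 [ERROR] vertex "data.aws_identitystore_group.other" error: reading AWS SSO Identity Store Group Data Source (d-0000000000): operation error identitystore: GetGroupId, https response error StatusCode: 400, RequestID: 00000000-0000-0000-0000-000000000002, AccessDeniedException: User: arn:aws:sts::111122223333:assumed-role/example-role/session is not authorized to perform: identitystore:GetGroupId on resource: arn:aws:identitystore::111122223333:identitystore/d-0000000000 because no identity-based policy allows the identitystore:GetGroupId action
"""

# (pattern, replacement) pairs applied in order to every line.
_REDACTIONS = [
    # IAM access key IDs and unique IDs: keep the 4-letter prefix, mask the rest.
    (re.compile(r"\b(AKIA|ASIA|AIDA|AROA)[A-Z0-9]{16}\b"), r"\1" + "*" * 16),
    # SigV4 signature value in a logged Authorization header.
    (re.compile(r"Signature=[0-9a-f]+"), "Signature=*****"),
    # 12-digit account ID in the fifth field of an ARN.
    (re.compile(r"(arn:aws[\w-]*:[\w-]+:[\w-]*:)\d{12}(?=:)"), r"\1" + "*" * 12),
    # Identity store ID (d- followed by 10 hex characters).
    (re.compile(r"\bd-[0-9a-f]{10}\b"), "d-xxxxxxxxxx"),
]

# Error text as it appears in the thread. "api error " is optional because the
# AccessDeniedException line quoted above does not carry it.
_SDK_ERROR = re.compile(
    r"operation error (?P<service>[\w ]+?): (?P<operation>\w+), "
    r"https response error StatusCode: (?P<status>\d{3}), "
    r"RequestID: (?P<request_id>[^,]+), "
    r"(?:api error )?(?P<code>\w+): (?P<message>.*)"
)


def redact(text: str) -> str:
    """Mask key IDs, signatures, account IDs and identity store IDs."""
    for pattern, replacement in _REDACTIONS:
        text = pattern.sub(replacement, text)
    return text


def parse_sdk_error(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one SDK error line, or None if it has none."""
    match = _SDK_ERROR.search(line)
    if match is None:
        return None
    fields: Dict[str, object] = dict(match.groupdict())
    fields["status"] = int(match.group("status"))
    return fields


def unique_failures(log_text: str) -> List[Dict[str, object]]:
    """Redact the log, then list each failed call once, keyed by RequestID."""
    seen = set()
    failures = []
    for line in redact(log_text).splitlines():
        err = parse_sdk_error(line)
        if err is None or err["request_id"] in seen:
            continue
        seen.add(err["request_id"])
        failures.append(err)
    return failures


if __name__ == "__main__":
    for failure in unique_failures(SAMPLE_LOG):
        print("{service}:{operation} HTTP {status} {code} ({request_id})".format(**failure))
```

Run over the sample, this separates the two failure modes reported in the thread (UnknownOperationException and AccessDeniedException on the same GetGroupId call) instead of showing them as one repeated error.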

ExBleaK commented 11 months ago

@luandrea et al. The maintainers are unable to reproduce this problem in any of our test accounts. To help us make progress could you please attach debug logs? Thanks.

@ewbankkit Do you have any updates?

Phylu commented 11 months ago

@ewbankkit I also got some debug logs for you. I hope this helps, as this issue prevents a provider upgrade from 4.X to 5.X.

Terraform Code:

data "aws_ssoadmin_instances" "this" {}

data "aws_identitystore_group" "example" {
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]

  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = "aws-R-accounting@office.ottonova.de"
    }
  }
}

Debug Output:

2023-08-31T11:38:46.719+0200 [INFO]  Terraform version: 1.5.5
2023-08-31T11:38:46.720+0200 [DEBUG] using github.com/hashicorp/go-tfe v1.26.0
2023-08-31T11:38:46.720+0200 [DEBUG] using github.com/hashicorp/hcl/v2 v2.16.2
2023-08-31T11:38:46.720+0200 [DEBUG] using github.com/hashicorp/terraform-svchost v0.1.0
2023-08-31T11:38:46.720+0200 [DEBUG] using github.com/zclconf/go-cty v1.12.2
2023-08-31T11:38:46.720+0200 [INFO]  Go runtime version: go1.20.7
2023-08-31T11:38:46.720+0200 [INFO]  CLI args: []string{"terraform", "plan"}
2023-08-31T11:38:46.720+0200 [DEBUG] Attempting to open CLI config file: /Users/phylu/.terraformrc
2023-08-31T11:38:46.720+0200 [INFO]  Loading CLI configuration from /Users/phylu/.terraformrc
2023-08-31T11:38:46.721+0200 [DEBUG] ignoring non-existing provider search directory terraform.d/plugins
2023-08-31T11:38:46.721+0200 [DEBUG] ignoring non-existing provider search directory /Users/phylu/.terraform.d/plugins
2023-08-31T11:38:46.721+0200 [DEBUG] ignoring non-existing provider search directory /Users/phylu/Library/Application Support/io.terraform/plugins
2023-08-31T11:38:46.721+0200 [DEBUG] ignoring non-existing provider search directory /Library/Application Support/io.terraform/plugins
2023-08-31T11:38:46.722+0200 [INFO]  CLI command args: []string{"plan"}
2023-08-31T11:38:46.723+0200 [DEBUG] New state was assigned lineage "939783ab-3234-50bb-8cab-32203aacb651"
2023-08-31T11:38:47.825+0200 [DEBUG] checking for provisioner in "."
2023-08-31T11:38:47.831+0200 [DEBUG] checking for provisioner in "/usr/local/bin"
2023-08-31T11:38:47.846+0200 [INFO]  backend/local: starting Plan operation
2023-08-31T11:38:47.849+0200 [DEBUG] created provider logger: level=debug
2023-08-31T11:38:47.850+0200 [INFO]  provider: configuring client automatic mTLS
2023-08-31T11:38:47.869+0200 [DEBUG] provider: starting plugin: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.14.0/darwin_amd64/terraform-provider-aws_v5.14.0_x5 args=[.terraform/providers/registry.terraform.io/hashicorp/aws/5.14.0/darwin_amd64/terraform-provider-aws_v5.14.0_x5]
2023-08-31T11:38:47.903+0200 [DEBUG] provider: plugin started: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.14.0/darwin_amd64/terraform-provider-aws_v5.14.0_x5 pid=74368
2023-08-31T11:38:47.903+0200 [DEBUG] provider: waiting for RPC address: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.14.0/darwin_amd64/terraform-provider-aws_v5.14.0_x5
2023-08-31T11:38:48.625+0200 [INFO]  provider.terraform-provider-aws_v5.14.0_x5: configuring server automatic mTLS: timestamp=2023-08-31T11:38:48.624+0200
2023-08-31T11:38:48.643+0200 [DEBUG] provider.terraform-provider-aws_v5.14.0_x5: plugin address: address=/var/folders/mz/4ll1mb1d7yx10pk3h9sp401hlwkfc6/T/plugin2038767705 network=unix timestamp=2023-08-31T11:38:48.642+0200
2023-08-31T11:38:48.643+0200 [DEBUG] provider: using plugin: version=5
2023-08-31T11:38:49.654+0200 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2023-08-31T11:38:49.664+0200 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.14.0/darwin_amd64/terraform-provider-aws_v5.14.0_x5 pid=74368
2023-08-31T11:38:49.684+0200 [DEBUG] provider: plugin exited
2023-08-31T11:38:49.684+0200 [DEBUG] Building and walking validate graph
2023-08-31T11:38:49.685+0200 [DEBUG] ProviderTransformer: "data.aws_ssoadmin_instances.this" (*terraform.NodeValidatableResource) needs provider["registry.terraform.io/hashicorp/aws"]
2023-08-31T11:38:49.685+0200 [DEBUG] ProviderTransformer: "data.aws_identitystore_group.example" (*terraform.NodeValidatableResource) needs provider["registry.terraform.io/hashicorp/aws"]
2023-08-31T11:38:49.685+0200 [DEBUG] ReferenceTransformer: "data.aws_ssoadmin_instances.this" references: []
2023-08-31T11:38:49.685+0200 [DEBUG] ReferenceTransformer: "data.aws_identitystore_group.example" references: [data.aws_ssoadmin_instances.this]
2023-08-31T11:38:49.685+0200 [DEBUG] ReferenceTransformer: "provider[\"registry.terraform.io/hashicorp/aws\"]" references: []
2023-08-31T11:38:49.685+0200 [DEBUG] Starting graph walk: walkValidate
2023-08-31T11:38:49.686+0200 [DEBUG] created provider logger: level=debug
2023-08-31T11:38:49.686+0200 [INFO]  provider: configuring client automatic mTLS
2023-08-31T11:38:49.693+0200 [DEBUG] provider: starting plugin: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.14.0/darwin_amd64/terraform-provider-aws_v5.14.0_x5 args=[.terraform/providers/registry.terraform.io/hashicorp/aws/5.14.0/darwin_amd64/terraform-provider-aws_v5.14.0_x5]
2023-08-31T11:38:49.727+0200 [DEBUG] provider: plugin started: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.14.0/darwin_amd64/terraform-provider-aws_v5.14.0_x5 pid=74370
2023-08-31T11:38:49.728+0200 [DEBUG] provider: waiting for RPC address: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.14.0/darwin_amd64/terraform-provider-aws_v5.14.0_x5
2023-08-31T11:38:50.425+0200 [INFO]  provider.terraform-provider-aws_v5.14.0_x5: configuring server automatic mTLS: timestamp=2023-08-31T11:38:50.425+0200
2023-08-31T11:38:50.444+0200 [DEBUG] provider.terraform-provider-aws_v5.14.0_x5: plugin address: address=/var/folders/mz/4ll1mb1d7yx10pk3h9sp401hlwkfc6/T/plugin4009802623 network=unix timestamp=2023-08-31T11:38:50.443+0200
2023-08-31T11:38:50.444+0200 [DEBUG] provider: using plugin: version=5
2023-08-31T11:38:51.768+0200 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2023-08-31T11:38:51.775+0200 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.14.0/darwin_amd64/terraform-provider-aws_v5.14.0_x5 pid=74370
2023-08-31T11:38:51.795+0200 [DEBUG] provider: plugin exited
2023-08-31T11:38:51.796+0200 [INFO]  backend/local: plan calling Plan
2023-08-31T11:38:51.796+0200 [DEBUG] Building and walking plan graph for NormalMode
2023-08-31T11:38:51.797+0200 [DEBUG] ProviderTransformer: "data.aws_ssoadmin_instances.this (expand)" (*terraform.nodeExpandPlannableResource) needs provider["registry.terraform.io/hashicorp/aws"]
2023-08-31T11:38:51.797+0200 [DEBUG] ProviderTransformer: "data.aws_identitystore_group.example (expand)" (*terraform.nodeExpandPlannableResource) needs provider["registry.terraform.io/hashicorp/aws"]
2023-08-31T11:38:51.797+0200 [DEBUG] ReferenceTransformer: "data.aws_identitystore_group.example (expand)" references: [data.aws_ssoadmin_instances.this (expand)]
2023-08-31T11:38:51.797+0200 [DEBUG] ReferenceTransformer: "data.aws_ssoadmin_instances.this (expand)" references: []
2023-08-31T11:38:51.797+0200 [DEBUG] ReferenceTransformer: "provider[\"registry.terraform.io/hashicorp/aws\"]" references: []
2023-08-31T11:38:51.798+0200 [DEBUG] Starting graph walk: walkPlan
2023-08-31T11:38:51.798+0200 [DEBUG] created provider logger: level=debug
2023-08-31T11:38:51.798+0200 [INFO]  provider: configuring client automatic mTLS
2023-08-31T11:38:51.809+0200 [DEBUG] provider: starting plugin: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.14.0/darwin_amd64/terraform-provider-aws_v5.14.0_x5 args=[.terraform/providers/registry.terraform.io/hashicorp/aws/5.14.0/darwin_amd64/terraform-provider-aws_v5.14.0_x5]
2023-08-31T11:38:51.841+0200 [DEBUG] provider: plugin started: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.14.0/darwin_amd64/terraform-provider-aws_v5.14.0_x5 pid=74372
2023-08-31T11:38:51.842+0200 [DEBUG] provider: waiting for RPC address: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.14.0/darwin_amd64/terraform-provider-aws_v5.14.0_x5
2023-08-31T11:38:52.548+0200 [INFO]  provider.terraform-provider-aws_v5.14.0_x5: configuring server automatic mTLS: timestamp=2023-08-31T11:38:52.548+0200
2023-08-31T11:38:52.567+0200 [DEBUG] provider: using plugin: version=5
2023-08-31T11:38:52.567+0200 [DEBUG] provider.terraform-provider-aws_v5.14.0_x5: plugin address: address=/var/folders/mz/4ll1mb1d7yx10pk3h9sp401hlwkfc6/T/plugin785650795 network=unix timestamp=2023-08-31T11:38:52.567+0200
2023-08-31T11:38:53.900+0200 [DEBUG] provider.terraform-provider-aws_v5.14.0_x5: Configuring Terraform AWS Provider: @module=aws tf_mux_provider=*schema.GRPCProviderServer tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=2164f98a-7d23-1fd5-8974-6f6c3d6905f2 tf_rpc=ConfigureProvider @caller=github.com/hashicorp/terraform-provider-aws/internal/conns/config.go:117 timestamp=2023-08-31T11:38:53.900+0200
2023-08-31T11:38:53.900+0200 [DEBUG] provider.terraform-provider-aws_v5.14.0_x5: Resolving credentials provider: @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.34/logging/tf_logger.go:47 tf_mux_provider=*schema.GRPCProviderServer tf_rpc=ConfigureProvider @module=aws.aws-base tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=2164f98a-7d23-1fd5-8974-6f6c3d6905f2 timestamp=2023-08-31T11:38:53.900+0200
2023-08-31T11:38:53.900+0200 [DEBUG] provider.terraform-provider-aws_v5.14.0_x5: Loading configuration: @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.34/logging/tf_logger.go:47 @module=aws.aws-base tf_mux_provider=*schema.GRPCProviderServer tf_rpc=ConfigureProvider tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=2164f98a-7d23-1fd5-8974-6f6c3d6905f2 timestamp=2023-08-31T11:38:53.900+0200
2023-08-31T11:38:53.901+0200 [DEBUG] provider.terraform-provider-aws_v5.14.0_x5: Retrieving credentials: tf_provider_addr=registry.terraform.io/hashicorp/aws tf_rpc=ConfigureProvider @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.34/logging/tf_logger.go:47 tf_mux_provider=*schema.GRPCProviderServer tf_req_id=2164f98a-7d23-1fd5-8974-6f6c3d6905f2 @module=aws.aws-base timestamp=2023-08-31T11:38:53.901+0200
2023-08-31T11:38:53.901+0200 [INFO]  provider.terraform-provider-aws_v5.14.0_x5: Retrieved credentials: tf_rpc=ConfigureProvider @module=aws.aws-base tf_aws.credentials_source="SharedConfigCredentials: /Users/phylu/.aws/credentials" tf_mux_provider=*schema.GRPCProviderServer tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=2164f98a-7d23-1fd5-8974-6f6c3d6905f2 @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.34/logging/tf_logger.go:39 timestamp=2023-08-31T11:38:53.901+0200
2023-08-31T11:38:53.901+0200 [DEBUG] provider.terraform-provider-aws_v5.14.0_x5: Loading configuration: tf_provider_addr=registry.terraform.io/hashicorp/aws tf_rpc=ConfigureProvider tf_mux_provider=*schema.GRPCProviderServer tf_req_id=2164f98a-7d23-1fd5-8974-6f6c3d6905f2 @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.34/logging/tf_logger.go:47 @module=aws.aws-base timestamp=2023-08-31T11:38:53.901+0200
2023-08-31T11:38:53.902+0200 [DEBUG] provider.terraform-provider-aws_v5.14.0_x5: Retrieving caller identity from STS: tf_mux_provider=*schema.GRPCProviderServer tf_provider_addr=registry.terraform.io/hashicorp/aws @module=aws.aws-base tf_req_id=2164f98a-7d23-1fd5-8974-6f6c3d6905f2 tf_rpc=ConfigureProvider @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.34/logging/tf_logger.go:47 timestamp=2023-08-31T11:38:53.902+0200
2023-08-31T11:38:53.903+0200 [DEBUG] provider.terraform-provider-aws_v5.14.0_x5: HTTP Request Sent: http.request_content_length=43 http.url=https://sts.eu-central-1.amazonaws.com/ http.user_agent="APN/1.0 HashiCorp/1.0 Terraform/1.5.5 (+https://www.terraform.io) terraform-provider-aws/5.14.0 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go-v2/1.21.0 os/macos lang/go#1.20.7 md/GOOS#darwin md/GOARCH#amd64 api/sts#1.21.5" tf_mux_provider=*schema.GRPCProviderServer aws.region=eu-central-1 http.request.header.content_type=application/x-www-form-urlencoded tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=2164f98a-7d23-1fd5-8974-6f6c3d6905f2 aws.operation=GetCallerIdentity http.method=POST http.request.header.amz_sdk_request="attempt=1; max=25" http.request.header.authorization="AWS4-HMAC-SHA256 Credential=ASIA************4YPD/20230831/eu-central-1/sts/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date;x-amz-security-token, Signature=*****" @module=aws.aws-base aws.sdk=aws-sdk-go-v2 aws.service=STS http.request.body="Action=GetCallerIdentity&Version=2011-06-15
" http.request.header.amz_sdk_invocation_id=0a5588f6-869a-439a-9a49-a178b7e64e0a http.request.header.x_amz_date=20230831T093853Z http.request.header.x_amz_security_token=***** @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.34/logging/tf_logger.go:47 tf_rpc=ConfigureProvider net.peer.name=sts.eu-central-1.amazonaws.com timestamp=2023-08-31T11:38:53.903+0200
2023-08-31T11:38:53.981+0200 [DEBUG] provider.terraform-provider-aws_v5.14.0_x5: HTTP Response Received: http.response.body="<GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <GetCallerIdentityResult>
    <Arn>arn:aws:sts::558979714556:assumed-role/AWSReservedSSO_AdministratorAccess_e21c129003e8e0d6/phylu@example.de</Arn>
    <UserId>AROA*************O5KA:phylu@example.de</UserId>
    <Account>558979714556</Account>
  </GetCallerIdentityResult>
  <ResponseMetadata>
    <RequestId>4af0cac3-91b2-4cbc-80ac-5bde374ab454</RequestId>
  </ResponseMetadata>
</GetCallerIdentityResponse>
" http.response.header.date="Thu, 31 Aug 2023 09:38:53 GMT" tf_provider_addr=registry.terraform.io/hashicorp/aws tf_rpc=ConfigureProvider @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.34/logging/tf_logger.go:47 @module=aws.aws-base aws.sdk=aws-sdk-go-v2 http.response.header.x_amzn_requestid=4af0cac3-91b2-4cbc-80ac-5bde374ab454 http.status_code=200 tf_mux_provider=*schema.GRPCProviderServer aws.operation=GetCallerIdentity http.response.header.content_type=text/xml tf_req_id=2164f98a-7d23-1fd5-8974-6f6c3d6905f2 aws.region=eu-central-1 aws.service=STS http.duration=77 http.response_content_length=508 timestamp=2023-08-31T11:38:53.981+0200
2023-08-31T11:38:53.981+0200 [INFO]  provider.terraform-provider-aws_v5.14.0_x5: Retrieved caller identity from STS: @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.34/logging/tf_logger.go:39 @module=aws.aws-base tf_mux_provider=*schema.GRPCProviderServer tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=2164f98a-7d23-1fd5-8974-6f6c3d6905f2 tf_rpc=ConfigureProvider timestamp=2023-08-31T11:38:53.981+0200
2023-08-31T11:38:53.981+0200 [DEBUG] provider.terraform-provider-aws_v5.14.0_x5: Creating AWS SDK v1 session: tf_mux_provider=*schema.GRPCProviderServer tf_provider_addr=registry.terraform.io/hashicorp/aws tf_rpc=ConfigureProvider @caller=github.com/hashicorp/terraform-provider-aws/internal/conns/config.go:139 @module=aws tf_req_id=2164f98a-7d23-1fd5-8974-6f6c3d6905f2 timestamp=2023-08-31T11:38:53.981+0200
2023-08-31T11:38:53.984+0200 [DEBUG] provider.terraform-provider-aws_v5.14.0_x5: Retrieving AWS account details: @module=aws tf_mux_provider=*schema.GRPCProviderServer tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=2164f98a-7d23-1fd5-8974-6f6c3d6905f2 @caller=github.com/hashicorp/terraform-provider-aws/internal/conns/config.go:154 tf_rpc=ConfigureProvider timestamp=2023-08-31T11:38:53.983+0200
2023-08-31T11:38:53.984+0200 [DEBUG] provider.terraform-provider-aws_v5.14.0_x5: Retrieving caller identity from STS: @module=aws.aws-base tf_provider_addr=registry.terraform.io/hashicorp/aws tf_rpc=ConfigureProvider @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.34/logging/tf_logger.go:47 tf_mux_provider=*schema.GRPCProviderServer tf_req_id=2164f98a-7d23-1fd5-8974-6f6c3d6905f2 timestamp=2023-08-31T11:38:53.983+0200
2023-08-31T11:38:53.984+0200 [DEBUG] provider.terraform-provider-aws_v5.14.0_x5: HTTP Request Sent: http.request.header.authorization="AWS4-HMAC-SHA256 Credential=ASIA************4YPD/20230831/eu-central-1/sts/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date;x-amz-security-token, Signature=*****" http.request.header.x_amz_date=20230831T093853Z tf_mux_provider=*schema.GRPCProviderServer aws.operation=GetCallerIdentity http.method=POST http.request.header.amz_sdk_invocation_id=7fffdd1b-5820-460a-b19c-2450a6c52d44 http.request.body="Action=GetCallerIdentity&Version=2011-06-15
" http.request.header.content_type=application/x-www-form-urlencoded http.user_agent="APN/1.0 HashiCorp/1.0 Terraform/1.5.5 (+https://www.terraform.io) terraform-provider-aws/5.14.0 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go-v2/1.21.0 os/macos lang/go#1.20.7 md/GOOS#darwin md/GOARCH#amd64 api/sts#1.21.5" tf_provider_addr=registry.terraform.io/hashicorp/aws tf_rpc=ConfigureProvider @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.34/logging/tf_logger.go:47 @module=aws.aws-base aws.sdk=aws-sdk-go-v2 http.request.header.x_amz_security_token=***** http.url=https://sts.eu-central-1.amazonaws.com/ net.peer.name=sts.eu-central-1.amazonaws.com aws.service=STS http.request.header.amz_sdk_request="attempt=1; max=25" http.request_content_length=43 tf_req_id=2164f98a-7d23-1fd5-8974-6f6c3d6905f2 aws.region=eu-central-1 timestamp=2023-08-31T11:38:53.984+0200
2023-08-31T11:38:53.997+0200 [DEBUG] provider.terraform-provider-aws_v5.14.0_x5: HTTP Response Received: http.response.header.x_amzn_requestid=4a350b9b-3be5-493c-8a19-ac3ee4ff3c88 aws.region=eu-central-1 http.response.header.content_type=text/xml http.response.header.date="Thu, 31 Aug 2023 09:38:53 GMT" aws.sdk=aws-sdk-go-v2 http.duration=12 @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.34/logging/tf_logger.go:47 @module=aws.aws-base http.status_code=200 tf_provider_addr=registry.terraform.io/hashicorp/aws tf_rpc=ConfigureProvider aws.operation=GetCallerIdentity aws.service=STS http.response_content_length=508 tf_req_id=2164f98a-7d23-1fd5-8974-6f6c3d6905f2 http.response.body="<GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <GetCallerIdentityResult>
    <Arn>arn:aws:sts::558979714556:assumed-role/AWSReservedSSO_AdministratorAccess_e21c129003e8e0d6/phylu@example.de</Arn>
    <UserId>AROA*************O5KA:phylu@example.de</UserId>
    <Account>558979714556</Account>
  </GetCallerIdentityResult>
  <ResponseMetadata>
    <RequestId>4a350b9b-3be5-493c-8a19-ac3ee4ff3c88</RequestId>
  </ResponseMetadata>
</GetCallerIdentityResponse>
" tf_mux_provider=*schema.GRPCProviderServer timestamp=2023-08-31T11:38:53.997+0200
2023-08-31T11:38:53.997+0200 [INFO]  provider.terraform-provider-aws_v5.14.0_x5: Retrieved caller identity from STS: tf_req_id=2164f98a-7d23-1fd5-8974-6f6c3d6905f2 tf_rpc=ConfigureProvider @module=aws.aws-base tf_provider_addr=registry.terraform.io/hashicorp/aws tf_mux_provider=*schema.GRPCProviderServer @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.34/logging/tf_logger.go:39 timestamp=2023-08-31T11:38:53.997+0200
2023-08-31T11:38:53.998+0200 [DEBUG] Resource instance state not found for node "data.aws_ssoadmin_instances.this", instance data.aws_ssoadmin_instances.this
2023-08-31T11:38:53.998+0200 [DEBUG] ReferenceTransformer: "data.aws_ssoadmin_instances.this" references: []
2023-08-31T11:38:54.000+0200 [DEBUG] provider.terraform-provider-aws_v5.14.0_x5: HTTP Request Sent: tf_data_source_type=aws_ssoadmin_instances @caller=github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2@v2.0.0-beta.35/logger.go:96 @module=aws aws.operation=ListInstances http.request.header.content_type=application/x-amz-json-1.1 http.request_content_length=2 tf_provider_addr=registry.terraform.io/hashicorp/aws tf_rpc=ReadDataSource aws.region=eu-central-1 http.request.body="{}
" http.request.header.x_amz_security_token=***** net.peer.name=sso.eu-central-1.amazonaws.com tf_mux_provider=*schema.GRPCProviderServer tf_req_id=93a96660-e99d-8fc7-3f18-2d17b7ab4033 aws.sdk=aws-sdk-go http.flavor=1.1 http.request.header.authorization="AWS4-HMAC-SHA256 Credential=ASIA************4YPD/20230831/eu-central-1/sso/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date;x-amz-security-token;x-amz-target, Signature=*****" http.url=https://sso.eu-central-1.amazonaws.com/ aws.service="SSO Admin" http.method=POST http.request.header.x_amz_date=20230831T093854Z http.request.header.x_amz_target=SWBExternalService.ListInstances http.user_agent="APN/1.0 HashiCorp/1.0 Terraform/1.5.5 (+https://www.terraform.io) terraform-provider-aws/5.14.0 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.44.328 (go1.20.7; darwin; amd64)" timestamp=2023-08-31T11:38:54.000+0200
2023-08-31T11:38:54.101+0200 [DEBUG] provider.terraform-provider-aws_v5.14.0_x5: HTTP Response Received: aws.region=eu-central-1 aws.service="SSO Admin" http.duration=100 http.status_code=200 aws.operation=ListInstances aws.sdk=aws-sdk-go http.response.header.date="Thu, 31 Aug 2023 09:38:54 GMT" http.response_content_length=113 tf_data_source_type=aws_ssoadmin_instances @caller=github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2@v2.0.0-beta.35/logger.go:144 http.response.header.content_type=application/x-amz-json-1.1 http.response.header.x_amzn_requestid=b320692a-08e1-4de8-a26c-566b47652fff tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=93a96660-e99d-8fc7-3f18-2d17b7ab4033 tf_rpc=ReadDataSource @module=aws http.response.body="{"Instances":[{"IdentityStoreId":"d-9967361e99","InstanceArn":"arn:aws:sso:::instance/ssoins-69878ab6c4fa1ee6"}]}
" tf_mux_provider=*schema.GRPCProviderServer timestamp=2023-08-31T11:38:54.100+0200
2023-08-31T11:38:54.101+0200 [DEBUG] Resource instance state not found for node "data.aws_identitystore_group.example", instance data.aws_identitystore_group.example
2023-08-31T11:38:54.102+0200 [DEBUG] ReferenceTransformer: "data.aws_identitystore_group.example" references: []
2023-08-31T11:38:54.179+0200 [ERROR] provider.terraform-provider-aws_v5.14.0_x5: Response contains error diagnostic: tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=cd46d236-30d8-867e-c5d7-eaeefea216e6 @caller=github.com/hashicorp/terraform-plugin-go@v0.18.0/tfprotov5/internal/diag/diagnostics.go:58 @module=sdk.proto tf_proto_version=5.3 tf_rpc=ReadDataSource diagnostic_detail= diagnostic_severity=ERROR diagnostic_summary="reading AWS SSO Identity Store Group Data Source (d-9967361e99): operation error identitystore: GetGroupId, https response error StatusCode: 400, RequestID: eaba3e9e-d18d-4ad5-a824-545c7ce1e0dc, api error UnknownOperationException: UnknownError" tf_data_source_type=aws_identitystore_group timestamp=2023-08-31T11:38:54.179+0200
2023-08-31T11:38:54.179+0200 [ERROR] vertex "data.aws_identitystore_group.example" error: reading AWS SSO Identity Store Group Data Source (d-9967361e99): operation error identitystore: GetGroupId, https response error StatusCode: 400, RequestID: eaba3e9e-d18d-4ad5-a824-545c7ce1e0dc, api error UnknownOperationException: UnknownError
2023-08-31T11:38:54.179+0200 [ERROR] vertex "data.aws_identitystore_group.example (expand)" error: reading AWS SSO Identity Store Group Data Source (d-9967361e99): operation error identitystore: GetGroupId, https response error StatusCode: 400, RequestID: eaba3e9e-d18d-4ad5-a824-545c7ce1e0dc, api error UnknownOperationException: UnknownError
2023-08-31T11:38:54.179+0200 [INFO]  backend/local: plan operation completed
╷
│ Error: reading AWS SSO Identity Store Group Data Source (d-9967361e99): operation error identitystore: GetGroupId, https response error StatusCode: 400, RequestID: eaba3e9e-d18d-4ad5-a824-545c7ce1e0dc, api error UnknownOperationException: UnknownError
│ 
│   with data.aws_identitystore_group.example,
│   on test.tf line 3, in data "aws_identitystore_group" "example":
│    3: data "aws_identitystore_group" "example" {
│ 
╵
2023-08-31T11:38:54.213+0200 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2023-08-31T11:38:54.222+0200 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.14.0/darwin_amd64/terraform-provider-aws_v5.14.0_x5 pid=74372
2023-08-31T11:38:54.243+0200 [DEBUG] provider: plugin exited

Here is also the relevant trace part, as I am not sure whether there is much useful info in the debug logs:

2023-08-31T11:41:32.466+0200 [TRACE] vertex "data.aws_identitystore_group.example (expand)": starting visit (*terraform.nodeExpandPlannableResource)
2023-08-31T11:41:32.466+0200 [TRACE] vertex "data.aws_identitystore_group.example (expand)": expanding dynamic subgraph
2023-08-31T11:41:32.466+0200 [TRACE] Executing graph transform *terraform.ResourceCountTransformer
2023-08-31T11:41:32.466+0200 [TRACE] ResourceCountTransformer: adding data.aws_identitystore_group.example as *terraform.NodePlannableResourceInstance
2023-08-31T11:41:32.466+0200 [TRACE] Completed graph transform *terraform.ResourceCountTransformer with new graph:
  data.aws_identitystore_group.example - *terraform.NodePlannableResourceInstance
  ------
2023-08-31T11:41:32.466+0200 [TRACE] Executing graph transform *terraform.OrphanResourceInstanceCountTransformer
2023-08-31T11:41:32.466+0200 [TRACE] Completed graph transform *terraform.OrphanResourceInstanceCountTransformer (no changes)
2023-08-31T11:41:32.466+0200 [TRACE] Executing graph transform *terraform.AttachStateTransformer
2023-08-31T11:41:32.466+0200 [DEBUG] Resource instance state not found for node "data.aws_identitystore_group.example", instance data.aws_identitystore_group.example
2023-08-31T11:41:32.466+0200 [TRACE] Completed graph transform *terraform.AttachStateTransformer (no changes)
2023-08-31T11:41:32.466+0200 [TRACE] Executing graph transform *terraform.TargetsTransformer
2023-08-31T11:41:32.466+0200 [TRACE] Completed graph transform *terraform.TargetsTransformer (no changes)
2023-08-31T11:41:32.466+0200 [TRACE] Executing graph transform *terraform.ReferenceTransformer
2023-08-31T11:41:32.466+0200 [DEBUG] ReferenceTransformer: "data.aws_identitystore_group.example" references: []
2023-08-31T11:41:32.466+0200 [TRACE] Completed graph transform *terraform.ReferenceTransformer (no changes)
2023-08-31T11:41:32.466+0200 [TRACE] Executing graph transform *terraform.RootTransformer
2023-08-31T11:41:32.466+0200 [TRACE] Completed graph transform *terraform.RootTransformer with new graph:
  data.aws_identitystore_group.example - *terraform.NodePlannableResourceInstance
  root - terraform.graphNodeRoot
    data.aws_identitystore_group.example - *terraform.NodePlannableResourceInstance
  ------
2023-08-31T11:41:32.466+0200 [TRACE] vertex "data.aws_identitystore_group.example (expand)": entering dynamic subgraph
2023-08-31T11:41:32.466+0200 [TRACE] vertex "data.aws_identitystore_group.example": starting visit (*terraform.NodePlannableResourceInstance)
2023-08-31T11:41:32.466+0200 [TRACE] readDataSource: Re-validating config for data.aws_identitystore_group.example
2023-08-31T11:41:32.466+0200 [TRACE] GRPCProvider: ValidateDataResourceConfig
2023-08-31T11:41:32.467+0200 [TRACE] provider.terraform-provider-aws_v5.14.0_x5: Received request: tf_req_id=211feb74-4568-8f63-724c-8d8844029d9d tf_rpc=ValidateDataSourceConfig tf_provider_addr=registry.terraform.io/hashicorp/aws @module=sdk.proto tf_data_source_type=aws_identitystore_group tf_proto_version=5.3 @caller=github.com/hashicorp/terraform-plugin-go@v0.18.0/tfprotov5/tf5server/server.go:622 timestamp=2023-08-31T11:41:32.467+0200
2023-08-31T11:41:32.467+0200 [TRACE] provider.terraform-provider-aws_v5.14.0_x5: Sending request downstream: @module=sdk.proto tf_data_source_type=aws_identitystore_group tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=211feb74-4568-8f63-724c-8d8844029d9d @caller=github.com/hashicorp/terraform-plugin-go@v0.18.0/tfprotov5/internal/tf5serverlogging/downstream_request.go:20 tf_proto_version=5.3 tf_rpc=ValidateDataSourceConfig timestamp=2023-08-31T11:41:32.467+0200
2023-08-31T11:41:32.467+0200 [TRACE] provider.terraform-provider-aws_v5.14.0_x5: calling downstream server: @caller=github.com/hashicorp/terraform-plugin-mux@v0.11.2/internal/logging/mux.go:19 @module=sdk.mux tf_mux_provider=*schema.GRPCProviderServer tf_rpc=ValidateDataSourceConfig timestamp=2023-08-31T11:41:32.467+0200
2023-08-31T11:41:32.467+0200 [TRACE] provider.terraform-provider-aws_v5.14.0_x5: Calling downstream: @module=sdk.helper_schema tf_mux_provider=*schema.GRPCProviderServer tf_req_id=211feb74-4568-8f63-724c-8d8844029d9d tf_rpc=ValidateDataSourceConfig tf_provider_addr=registry.terraform.io/hashicorp/aws @caller=github.com/hashicorp/terraform-plugin-sdk/v2@v2.27.0/helper/schema/grpc_provider.go:275 tf_data_source_type=aws_identitystore_group timestamp=2023-08-31T11:41:32.467+0200
2023-08-31T11:41:32.467+0200 [TRACE] provider.terraform-provider-aws_v5.14.0_x5: Called downstream: tf_provider_addr=registry.terraform.io/hashicorp/aws @module=sdk.helper_schema tf_data_source_type=aws_identitystore_group tf_mux_provider=*schema.GRPCProviderServer tf_req_id=211feb74-4568-8f63-724c-8d8844029d9d tf_rpc=ValidateDataSourceConfig @caller=github.com/hashicorp/terraform-plugin-sdk/v2@v2.27.0/helper/schema/grpc_provider.go:277 timestamp=2023-08-31T11:41:32.467+0200
2023-08-31T11:41:32.467+0200 [TRACE] provider.terraform-provider-aws_v5.14.0_x5: Received downstream response: tf_rpc=ValidateDataSourceConfig @caller=github.com/hashicorp/terraform-plugin-go@v0.18.0/tfprotov5/internal/tf5serverlogging/downstream_request.go:40 diagnostic_error_count=0 diagnostic_warning_count=0 tf_data_source_type=aws_identitystore_group tf_req_duration_ms=0 tf_req_id=211feb74-4568-8f63-724c-8d8844029d9d @module=sdk.proto tf_proto_version=5.3 tf_provider_addr=registry.terraform.io/hashicorp/aws timestamp=2023-08-31T11:41:32.467+0200
2023-08-31T11:41:32.467+0200 [TRACE] provider.terraform-provider-aws_v5.14.0_x5: Served request: tf_req_id=211feb74-4568-8f63-724c-8d8844029d9d @caller=github.com/hashicorp/terraform-plugin-go@v0.18.0/tfprotov5/tf5server/server.go:642 @module=sdk.proto tf_data_source_type=aws_identitystore_group tf_proto_version=5.3 tf_provider_addr=registry.terraform.io/hashicorp/aws tf_rpc=ValidateDataSourceConfig timestamp=2023-08-31T11:41:32.467+0200
2023-08-31T11:41:32.467+0200 [TRACE] readDataSource: data.aws_identitystore_group.example configuration is complete, so reading from provider
2023-08-31T11:41:32.467+0200 [TRACE] GRPCProvider: ReadDataSource
2023-08-31T11:41:32.468+0200 [TRACE] provider.terraform-provider-aws_v5.14.0_x5: Received request: @caller=github.com/hashicorp/terraform-plugin-go@v0.18.0/tfprotov5/tf5server/server.go:651 @module=sdk.proto tf_req_id=f6fec1b1-9b02-2fe3-9b84-e2b1834fdd5a tf_rpc=ReadDataSource tf_data_source_type=aws_identitystore_group tf_proto_version=5.3 tf_provider_addr=registry.terraform.io/hashicorp/aws timestamp=2023-08-31T11:41:32.467+0200
2023-08-31T11:41:32.468+0200 [TRACE] provider.terraform-provider-aws_v5.14.0_x5: Sending request downstream: tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=f6fec1b1-9b02-2fe3-9b84-e2b1834fdd5a @caller=github.com/hashicorp/terraform-plugin-go@v0.18.0/tfprotov5/internal/tf5serverlogging/downstream_request.go:20 @module=sdk.proto tf_data_source_type=aws_identitystore_group tf_proto_version=5.3 tf_rpc=ReadDataSource timestamp=2023-08-31T11:41:32.468+0200
2023-08-31T11:41:32.468+0200 [TRACE] provider.terraform-provider-aws_v5.14.0_x5: calling downstream server: @module=sdk.mux tf_mux_provider=*schema.GRPCProviderServer tf_rpc=ReadDataSource @caller=github.com/hashicorp/terraform-plugin-mux@v0.11.2/internal/logging/mux.go:19 timestamp=2023-08-31T11:41:32.468+0200
2023-08-31T11:41:32.468+0200 [TRACE] provider.terraform-provider-aws_v5.14.0_x5: Calling downstream: @module=sdk.helper_schema tf_data_source_type=aws_identitystore_group tf_mux_provider=*schema.GRPCProviderServer tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=f6fec1b1-9b02-2fe3-9b84-e2b1834fdd5a @caller=github.com/hashicorp/terraform-plugin-sdk/v2@v2.27.0/helper/schema/resource.go:969 tf_rpc=ReadDataSource timestamp=2023-08-31T11:41:32.468+0200
2023-08-31T11:41:32.574+0200 [TRACE] provider.terraform-provider-aws_v5.14.0_x5: Called downstream: @module=sdk.helper_schema tf_mux_provider=*schema.GRPCProviderServer tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=f6fec1b1-9b02-2fe3-9b84-e2b1834fdd5a @caller=github.com/hashicorp/terraform-plugin-sdk/v2@v2.27.0/helper/schema/resource.go:971 tf_data_source_type=aws_identitystore_group tf_rpc=ReadDataSource timestamp=2023-08-31T11:41:32.574+0200
2023-08-31T11:41:32.575+0200 [TRACE] provider.terraform-provider-aws_v5.14.0_x5: Received downstream response: tf_proto_version=5.3 tf_req_id=f6fec1b1-9b02-2fe3-9b84-e2b1834fdd5a tf_rpc=ReadDataSource @caller=github.com/hashicorp/terraform-plugin-go@v0.18.0/tfprotov5/internal/tf5serverlogging/downstream_request.go:40 tf_data_source_type=aws_identitystore_group diagnostic_error_count=1 diagnostic_warning_count=0 tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_duration_ms=106 @module=sdk.proto timestamp=2023-08-31T11:41:32.574+0200
2023-08-31T11:41:32.575+0200 [ERROR] provider.terraform-provider-aws_v5.14.0_x5: Response contains error diagnostic: tf_req_id=f6fec1b1-9b02-2fe3-9b84-e2b1834fdd5a @module=sdk.proto diagnostic_detail= diagnostic_severity=ERROR diagnostic_summary="reading AWS SSO Identity Store Group Data Source (d-9967361e99): operation error identitystore: GetGroupId, https response error StatusCode: 400, RequestID: 13abf4f6-702a-4683-8008-ae6338758e35, api error UnknownOperationException: UnknownError" tf_data_source_type=aws_identitystore_group tf_provider_addr=registry.terraform.io/hashicorp/aws tf_rpc=ReadDataSource @caller=github.com/hashicorp/terraform-plugin-go@v0.18.0/tfprotov5/internal/diag/diagnostics.go:58 tf_proto_version=5.3 timestamp=2023-08-31T11:41:32.574+0200
2023-08-31T11:41:32.575+0200 [TRACE] provider.terraform-provider-aws_v5.14.0_x5: Served request: tf_data_source_type=aws_identitystore_group tf_proto_version=5.3 tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=f6fec1b1-9b02-2fe3-9b84-e2b1834fdd5a @module=sdk.proto tf_rpc=ReadDataSource @caller=github.com/hashicorp/terraform-plugin-go@v0.18.0/tfprotov5/tf5server/server.go:673 timestamp=2023-08-31T11:41:32.574+0200
2023-08-31T11:41:32.575+0200 [ERROR] vertex "data.aws_identitystore_group.example" error: reading AWS SSO Identity Store Group Data Source (d-9967361e99): operation error identitystore: GetGroupId, https response error StatusCode: 400, RequestID: 13abf4f6-702a-4683-8008-ae6338758e35, api error UnknownOperationException: UnknownError
2023-08-31T11:41:32.575+0200 [TRACE] vertex "data.aws_identitystore_group.example": visit complete, with errors
2023-08-31T11:41:32.575+0200 [TRACE] dag/walk: upstream of "root" errored, so skipping
2023-08-31T11:41:32.575+0200 [TRACE] vertex "data.aws_identitystore_group.example (expand)": dynamic subgraph encountered errors: reading AWS SSO Identity Store Group Data Source (d-9967361e99): operation error identitystore: GetGroupId, https response error StatusCode: 400, RequestID: 13abf4f6-702a-4683-8008-ae6338758e35, api error UnknownOperationException: UnknownError
2023-08-31T11:41:32.575+0200 [ERROR] vertex "data.aws_identitystore_group.example (expand)" error: reading AWS SSO Identity Store Group Data Source (d-9967361e99): operation error identitystore: GetGroupId, https response error StatusCode: 400, RequestID: 13abf4f6-702a-4683-8008-ae6338758e35, api error UnknownOperationException: UnknownError
2023-08-31T11:41:32.575+0200 [TRACE] vertex "data.aws_identitystore_group.example (expand)": visit complete, with errors
2023-08-31T11:41:32.575+0200 [TRACE] dag/walk: upstream of "provider[\"registry.terraform.io/hashicorp/aws\"] (close)" errored, so skipping
2023-08-31T11:41:32.575+0200 [TRACE] dag/walk: upstream of "root" errored, so skipping
2023-08-31T11:41:32.575+0200 [TRACE] LoadSchemas: retrieving schema for provider type "registry.terraform.io/hashicorp/aws"
2023-08-31T11:41:32.575+0200 [INFO]  backend/local: plan operation completed
2023-08-31T11:41:32.575+0200 [TRACE] LoadSchemas: retrieving schema for provider type "registry.terraform.io/hashicorp/aws"
╷
│ Error: reading AWS SSO Identity Store Group Data Source (d-9967361e99): operation error identitystore: GetGroupId, https response error StatusCode: 400, RequestID: 13abf4f6-702a-4683-8008-ae6338758e35, api error UnknownOperationException: UnknownError
│ 
│   with data.aws_identitystore_group.example,
│   on test.tf line 3, in data "aws_identitystore_group" "example":
│    3: data "aws_identitystore_group" "example" {
│ 
╵
2023-08-31T11:41:32.605+0200 [TRACE] statemgr.Filesystem: removing lock metadata file .terraform.tfstate.lock.info
2023-08-31T11:41:32.606+0200 [TRACE] statemgr.Filesystem: unlocking terraform.tfstate using fcntl flock
2023-08-31T11:41:32.607+0200 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2023-08-31T11:41:32.618+0200 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.14.0/darwin_amd64/terraform-provider-aws_v5.14.0_x5 pid=74576
2023-08-31T11:41:32.640+0200 [DEBUG] provider: plugin exited

ewbankkit commented 11 months ago

Although I can't reproduce this with the one IAM Identity Center instance I have in us-west-2, I am going to restore the filter argument for the aws_identitystore_group and aws_identitystore_user data sources. We will really remove the arguments in a future Terraform AWS provider major version (likely v6.0.0).

Phylu commented 11 months ago

Maybe the following additional information helps to reproduce the issue:

If you need some more special info on our setup, I am happy to provide it.

Phylu commented 11 months ago

I just checked our configuration of the IAM Identity Center now. The settings are:

Maybe this helps for reproducing the original issue.

github-actions[bot] commented 11 months ago

This functionality has been released in v5.16.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

github-actions[bot] commented 10 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.