hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0
9.84k stars 9.19k forks

[Bug]: Error: creating AWS SSM Contacts Contact: operation error SSM Contacts: CreateContact #33135

Open yaroslav-nakonechnikov opened 1 year ago

yaroslav-nakonechnikov commented 1 year ago

Terraform Core Version

1.5.5

AWS Provider Version

5.13.1

Affected Resource(s)

Expected Behavior

aws_ssmcontacts_contact created with defined alias, display_name and type.

Actual Behavior

resource can't be created, and in logs:

aws_ssmcontacts_contact.spde: Creating...
╷
│ Error: creating AWS SSM Contacts Contact (spde): operation error SSM Contacts: CreateContact, https response error StatusCode: 400, RequestID: afb71cff-312a-4d51-9a08-3d8385673af2, ValidationException: 
│ 
│   with aws_ssmcontacts_contact.spde,
│   on main.tf line 194, in resource "aws_ssmcontacts_contact" "spde":
│  194: resource "aws_ssmcontacts_contact" "spde" {
│ 
╵
Error: Process completed with exit code 1.

Relevant Error/Panic Output Snippet

resource "aws_ssmincidents_replication_set" "replicationSetName" {
  region {
    name        = var.aws_region
    kms_key_arn = data.aws_kms_alias.kms.target_key_arn
  }
}

resource "aws_ssmcontacts_contact" "spde" {
  alias        = "spde"
  display_name = "spde"
  type         = "PERSONAL"
  depends_on   = [aws_ssmincidents_replication_set.replicationSetName]
}

resource "aws_ssmcontacts_plan" "plan" {
  contact_id = aws_ssmcontacts_contact.spde.arn
  stage {
    duration_in_minutes = 1
  }
}

resource "aws_ssmcontacts_contact_channel" "spde" {
  contact_id = aws_ssmcontacts_contact.spde.arn

  delivery_address {
    simple_address = "+12345566"
  }

  name = "External call number"
  type = "VOICE"
}

Terraform Configuration Files

tfbackend:

bucket = "${account_id}-github-runner-tf-state"
dynamodb_table = "github-runner-tf-state-locking"
key = "state/terraform.tfstate"
region = "eu-central-1"
workspace_key_prefix = "incident-manager-${environment}"

providers:

required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }

aws provider setup:

provider "aws" {
  region = var.aws_region

  default_tags {
    tags = {
      "security:environment" : var.environment
      "security:confidentiality" : 3
      "business:cost-center" : 23
      "business:team" : "team"
      "business:product-project" : local.repository_name
      "business:product-owner" : "team@team.com"
      "business:emergency-contact" : "team@team.com"
      "product" : "team"
      "entity" : "team"
      "ea:shared-service" : false
      "ea:application-name" : "team"
      "gdpr:data-governance" : false
      "gdpr:relevance" : false
      "gdpr:resolution" : false

      "team:terraform" : true
      "team:repository" : local.repository_name
      "team:environment" : var.environment
    }
  }
}

Steps to Reproduce

try to create resource aws_ssmincidents_replication_set

Debug Output

2023-08-22T15:11:17.109Z [INFO]  Starting apply for aws_ssmcontacts_contact.spde
aws_ssmcontacts_contact.spde: Creating...
2023-08-22T15:11:17.109Z [DEBUG] aws_ssmcontacts_contact.spde: applying the planned Create change
Error: -22T15:11:17.153Z [ERROR] provider.terraform-provider-aws_v5.13.1_x5: Response contains error diagnostic: tf_rpc=ApplyResourceChange @module=sdk.proto diagnostic_severity=ERROR tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=4b276dc4-f5d0-fb0c-38b8-3e8523a44036 @caller=github.com/hashicorp/terraform-plugin-go@v0.18.0/tfprotov5/internal/diag/diagnostics.go:58 diagnostic_detail= diagnostic_summary="creating AWS SSM Contacts Contact (spde): operation error SSM Contacts: CreateContact, https response error StatusCode: 400, RequestID: 7c2e474b-3c4f-49c8-9e0a-66e3ef985799, ValidationException: " tf_proto_version=5.3 tf_resource_type=aws_ssmcontacts_contact timestamp=2023-08-22T15:11:17.153Z
2023-08-22T15:11:17.154Z [DEBUG] State storage *remote.State declined to persist a state snapshot
Error: -22T15:11:17.154Z [ERROR] vertex "aws_ssmcontacts_contact.spde" error: creating AWS SSM Contacts Contact (spde): operation error SSM Contacts: CreateContact, https response error StatusCode: 400, RequestID: 7c2e474b-3c4f-49c8-9e0a-66e3ef985799, ValidationException:

Panic Output

No response

Important Factoids

No response

References

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssmcontacts_contact

Would you like to implement a fix?

No

debug.txt

justinretzolk commented 1 year ago

Hey @iaroslav-nakonechnikov 👋 Thank you for taking the time to raise this! Are you able to provide more complete debug logs (redacted as needed)? It looks like the error message has been truncated, and is missing some key details.

yaroslav-nakonechnikov commented 1 year ago

@justinretzolk thanks for the fast answer! Yes, I will try.

I'm trying to import the contact, and see the expected error:

Error: reading AWS SSM Contacts Contact (arn:aws:ssm-contacts:eu-central-1:id:contact/spde): operation error SSM Contacts: GetContact, https response error StatusCode: 400, RequestID: 04d666c5-265f-4cdb-b53a-e37643dc8fbd, AccessDeniedException: User: arn:aws:sts::id:assumed-role/github-runner/1135289d95e44203aee104ccfdc89fdb is not authorized to perform: ssm-contacts:GetContact on resource: arn:aws:ssm-contacts:eu-central-1:id:contact/spde because no identity-based policy allows the ssm-contacts:GetContact action

But when just creating, there is no definition. So maybe it will also help a bit.

yaroslav-nakonechnikov commented 1 year ago

Additional:

aws_ssmcontacts_contact.spde: Modifying... [id=arn:aws:ssm-contacts:eu-central-1:id:contact/spde]
╷
│ Error: updating tags for SSM Contacts Context (arn:aws:ssm-contacts:eu-central-1:id:contact/spde): tagging resource (arn:aws:ssm-contacts:eu-central-1:id:contact/spde): operation error SSM Contacts: TagResource, https response error StatusCode: 400, RequestID: 1e083bb6-fb4a-43e4-9dfc-34e48fae984e, ValidationException: 
│ 
│   with aws_ssmcontacts_contact.spde,
│   on main.tf line 199, in resource "aws_ssmcontacts_contact" "spde":
│  199: resource "aws_ssmcontacts_contact" "spde" {
│ 
╵
Error: Process completed with exit code 1.

No validation after import, so possibly something with tags...

Updated the main message.

yaroslav-nakonechnikov commented 1 year ago

@justinretzolk full debug log provided, with critical info masked

yaroslav-nakonechnikov commented 1 year ago

Today I double-checked: if I add default tags to the provider config, it fails. Without tags, everything is created correctly.
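
Added example, not part of the thread and not the provider project's own code: one way to act on the observation in the last comment is to keep `default_tags` on the default provider and create only the contact through a second, aliased provider with no `default_tags`. The alias name `untagged`, the shortened tag map and the variable declarations are assumptions for illustration, and this is not a fix confirmed by the maintainers.

```hcl
variable "aws_region" {
  type = string
}

variable "environment" {
  type = string
}

# Default provider: every other resource keeps the organization-wide default tags.
# (Tag map shortened here; values are illustrative.)
provider "aws" {
  region = var.aws_region

  default_tags {
    tags = {
      "security:environment" = var.environment
      "team:terraform"       = "true"
    }
  }
}

# Hypothetical alias "untagged": same region and credentials, but no default_tags,
# so CreateContact is sent without the inherited tag set.
provider "aws" {
  alias  = "untagged"
  region = var.aws_region
}

# Replication set reduced to the required region name (the issue also sets kms_key_arn).
resource "aws_ssmincidents_replication_set" "replicationSetName" {
  region {
    name = var.aws_region
  }
}

# Only the contact is routed through the untagged provider.
resource "aws_ssmcontacts_contact" "spde" {
  provider     = aws.untagged
  alias        = "spde"
  display_name = "spde"
  type         = "PERSONAL"
  depends_on   = [aws_ssmincidents_replication_set.replicationSetName]
}
```

A contact created this way carries none of the organization tags, so tag-based IAM conditions and cost-allocation reports will not cover it.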