Open RubenMakandra opened 1 year ago
Voting for Prioritization
Volunteering to Work on This Issue
Can you use the depends_on meta argument?
Something like:
resource "aws_sesv2_configuration_set_event_destination" "bounce_log_kinesis_stream" {
configuration_set_name = aws_sesv2_configuration_set.bounce_log.configuration_set_name
event_destination_name = "kinesis_event_destination"
event_destination {
kinesis_firehose_destination {
delivery_stream_arn = local.kinesis_firehose_stream_arn
iam_role_arn = aws_iam_role.ses_access_to_kinesis.arn
}
enabled = true
matching_event_types = ["BOUNCE"]
}
depends_on = [aws_iam_role_policy_attachment. ses_access_to_kinesis]
}
Can you use the depends_on meta argument?
Something like:
resource "aws_sesv2_configuration_set_event_destination" "bounce_log_kinesis_stream" { configuration_set_name = aws_sesv2_configuration_set.bounce_log.configuration_set_name event_destination_name = "kinesis_event_destination" event_destination { kinesis_firehose_destination { delivery_stream_arn = local.kinesis_firehose_stream_arn iam_role_arn = aws_iam_role.ses_access_to_kinesis.arn } enabled = true matching_event_types = ["BOUNCE"] } depends_on = [aws_iam_role_policy_attachment. ses_access_to_kinesis] }
The other option would be to use an managed_policy_arns on the role directly rather than attaching them separately , as the dependency on the role ARN is already there this should also solve the issue.
Can you use the depends_on meta argument?
Something like:
resource "aws_sesv2_configuration_set_event_destination" "bounce_log_kinesis_stream" { configuration_set_name = aws_sesv2_configuration_set.bounce_log.configuration_set_name event_destination_name = "kinesis_event_destination" event_destination { kinesis_firehose_destination { delivery_stream_arn = local.kinesis_firehose_stream_arn iam_role_arn = aws_iam_role.ses_access_to_kinesis.arn } enabled = true matching_event_types = ["BOUNCE"] } depends_on = [aws_iam_role_policy_attachment. ses_access_to_kinesis] }
Thanks for the suggestion, I tried it out, and get a different IAM related error, in 3/3 tries:
│ Error: creating Amazon SESv2 (Simple Email V2) Configuration Set Event Destination (test_Set|kinesis_event_destination): operation error SESv2: CreateConfigurationSetEventDestination, https response error StatusCode: 400, RequestID: f230abda-d9ba-4b30-9121-d71639027a02, BadRequestException: Could not assume IAM role <arn:aws:iam::ARN:role/SES_access_to_Kinesis>.
│
│ with aws_sesv2_configuration_set_event_destination.bounce_log_kinesis_stream,
│ on test.tf line 54, in resource "aws_sesv2_configuration_set_event_destination" "bounce_log_kinesis_stream":
│ 54: resource "aws_sesv2_configuration_set_event_destination" "bounce_log_kinesis_stream" {
│
Applying a second time worked without issue.
I also tried @grahamhar suggestion and unsurprisingly received the same error message, that the role couldn't be assumed.
I can also post an updated terraform code sample that also creates a bucket and the firehose delivery stream, if it would be helpful. Issue there is that creating the bucket and stream makes the terraform apply a lot slower, that's why I just used a reference to an existing stream in the example and in my tests.
Running into the same exact issue/case. My first thought was also to add an explicate depends_on for the event destination resource . That didn't have any affect.
Looking over the high level resource log output, the ordering is indeed correct. It waits until the policy attachment completes before attempting to create the aws_sesv2_configuration_set_event_destination
. It fails just the same. Re-running and it works fine.
Looking through the cloudtrail logs, it seems like there's a similar condition with the Kinesis stream. The cloutrail logs show the create fails several times, being unable to assume its prescribed IAM role, and then it magically works. Looking over the AWS provider code for Kinesis, it seems like that resource has built-in retry logic to handles this delay in dependent resources being available: https://github.com/hashicorp/terraform-provider-aws/blob/9e149726e119b2c8cde94b2f3f5de225b1344b50/internal/service/firehose/delivery_stream.go#L1506
time_sleep
helped to solve the problem. Example of the configuration :resource "time_sleep" "wait_120_seconds" {
depends_on = [aws_iam_role_policy_attachment.ses_access_to_kinesis]
create_duration = "120s"
}
resource "aws_sesv2_configuration_set_event_destination" "bounce_log_kinesis_stream" {
configuration_set_name = aws_sesv2_configuration_set.bounce_log.configuration_set_name
event_destination_name = "kinesis_event_destination"
event_destination {
kinesis_firehose_destination {
delivery_stream_arn = local.kinesis_firehose_stream_arn
iam_role_arn = aws_iam_role.ses_access_to_kinesis.arn
}
enabled = true
matching_event_types = ["BOUNCE"]
}
depends_on = [time_sleep.wait_120_seconds]
}
Terraform Core Version
1.5.3
AWS Provider Version
4.55.0
Affected Resource(s)
Expected Behavior
Actual Behavior
Relevant Error/Panic Output Snippet
Terraform Configuration Files
Steps to Reproduce
Debug Output
No response
Panic Output
No response
Important Factoids
Running
terraform apply
a second time successfully creates theaws_sesv2_configuration_set_event_destination
. I assume the underlying reason for this behaviour is the same as in the referenced ticked #14008, and the solution would be to retry the resource creation, similar to the fix implemented for that issue.References
14008
Would you like to implement a fix?
No