hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: Provider assume_role duration not being enforced #33404

Open kjenney opened 1 year ago

kjenney commented 1 year ago

Terraform Core Version

1.5.0

AWS Provider Version

5.16.1

Affected Resource(s)

I have Terraform that provisions an RDS database synchronously and takes about 18 minutes. I have set an assume_role duration, and it is not being enforced as the apply lasts longer than 15 minutes. The provider documentation mentions nothing about getting new credentials during the apply process, so I need clarification on how/why this is occurring.

module.db.module.db_instance.aws_db_instance.this[0]: Creation complete after 19m42s [id=db-CFU52RWE774IJZXP55SZ4P3ZCM]

Expected Behavior

I expect Terraform to begin erroring if the apply takes longer than 15 minutes and then failing with an error.

Actual Behavior

The apply completes after 20 minutes with no errors.

Relevant Error/Panic Output Snippet

No errors

Terraform Configuration Files

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  assume_role {
    duration = "15m"
    role_arn = "arn:aws:iam::REDACTED:role/REDACTED"
  }
}

data "aws_availability_zones" "available" {}
data "aws_caller_identity" "current" {}

locals {
  name   = "ex-${replace(basename(path.cwd), "_", "-")}"
  region = "eu-west-1"

  vpc_cidr = "10.0.0.0/16"
  azs      = slice(data.aws_availability_zones.available.names, 0, 3)

  tags = {
    Example    = local.name
    GithubRepo = "terraform-aws-vpc"
    GithubOrg  = "terraform-aws-modules"
  }
}

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 4.0"

  name = local.name
  cidr = local.vpc_cidr

  azs              = local.azs
  private_subnets  = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)]
  public_subnets   = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 48)]
  database_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 52)]

  manage_default_security_group = true
  create_database_subnet_group  = true

  enable_nat_gateway = true
  single_nat_gateway = true

  public_subnet_tags = {
    "kubernetes.io/role/elb" = 1
  }

  private_subnet_tags = {
    "kubernetes.io/role/internal-elb" = 1
  }

  tags = local.tags
}

resource "aws_iam_policy" "additional" {
  name = "${local.name}-additional"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "ec2:Describe*",
        ]
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}

module "db" {
  source = "terraform-aws-modules/rds/aws"

  identifier = local.name

  # All available versions: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MySQL.html#MySQL.Concepts.VersionMgmt
  engine               = "mysql"
  engine_version       = "8.0"
  family               = "mysql8.0" # DB parameter group
  major_engine_version = "8.0"      # DB option group
  instance_class       = "db.t4g.medium"

  allocated_storage     = 20
  max_allocated_storage = 100

  db_name  = "completeMysql"
  username = "complete_mysql"
  port     = 3306

  multi_az               = true
  db_subnet_group_name   = module.vpc.database_subnet_group
  vpc_security_group_ids = [module.vpc.default_security_group_id]

  maintenance_window              = "Mon:00:00-Mon:03:00"
  backup_window                   = "03:00-06:00"
  enabled_cloudwatch_logs_exports = ["general"]
  create_cloudwatch_log_group     = true
  blue_green_update = {
    enabled = true
  }

  skip_final_snapshot = true
  deletion_protection = false

  performance_insights_enabled          = true
  performance_insights_retention_period = 7
  create_monitoring_role                = false

  parameters = [
    {
      name  = "character_set_client"
      value = "utf8mb4"
    },
    {
      name  = "character_set_server"
      value = "utf8mb4"
    }
  ]

  tags = local.tags
  db_instance_tags = {
    "Sensitive" = "high"
  }
  db_option_group_tags = {
    "Sensitive" = "low"
  }
  db_parameter_group_tags = {
    "Sensitive" = "low"
  }
  db_subnet_group_tags = {
    "Sensitive" = "high"
  }
}

Steps to Reproduce

terraform init
terraform apply

Debug Output


Panic Output

No response

Important Factoids

I'm trying to understand what the expectations are for Terraform in handling AWS credentials when assuming roles.

References

No response

Would you like to implement a fix?

None

justinretzolk commented 1 year ago

Hey @jkerry 👋 Thanks for taking the time to raise this! I'm fairly certain that the assume_role.duration argument adjusts the time that the token retrieved during role assumption is valid for, and that the underlying SDK will attempt to refresh the token at the end of the duration (this is backed up by a Reddit comment made by one of the Terraform Core team engineers when discussing the S3 backend -- I typically wouldn't link to Reddit, but his response was quite thorough!). If your end goal is to have the Terraform run fail after the credential has expired, I believe you would need to configure the role policy to set a maximum session duration, as the token will not be automatically renewed in the case of session expiry.
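One way to check from the provider's own TF_LOG=DEBUG output whether the SDK actually refreshed the session, as an added example that is not code from the issue or the provider: it parses the SigV4 Authorization header the provider logs on every request (the key ID is masked to ASIA****JT4P, but the visible prefix and suffix still tell sessions apart) and flags any key that signed requests across a window longer than the configured assume_role duration. The log lines below are constructed and trimmed to the fields the parser reads.

```python
"""Check a Terraform AWS provider debug log for credential refreshes.

Added example; not code from the issue or the provider. It reads lines of the
shape the provider writes under TF_LOG=DEBUG ("HTTP Request Sent: ...
http.request.header.authorization="AWS4-HMAC-SHA256 Credential=<key id>/<date>/
<region>/<service>/aws4_request, ..." ... timestamp=<rfc3339>").
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# The provider masks the middle of the key ID (ASIA************JT4P); the visible
# prefix and suffix are still enough to tell two sessions apart.
CRED_RE = re.compile(r'Credential=(?P<akid>[A-Z0-9*]+)/\d{8}/[^/]+/[^/]+/aws4_request')
TS_RE = re.compile(r'timestamp=(?P<ts>\S+)')
TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"  # e.g. 2023-09-11T12:00:41.373-0400
DURATION_RE = re.compile(r'(\d+(?:\.\d+)?)([hms])')
UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}

@dataclass
class KeyUsage:
    access_key_id: str
    first_seen: datetime
    last_seen: datetime
    requests: int = 0

    @property
    def span(self) -> timedelta:
        return self.last_seen - self.first_seen

def parse_duration(text: str) -> timedelta:
    """Parse a Terraform/Go style duration such as "15m", "1h30m" or "900s"."""
    parts = DURATION_RE.findall(text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"bad duration: {text!r}")
    return timedelta(seconds=sum(float(n) * UNIT_SECONDS[u] for n, u in parts))

def credential_kind(access_key_id: str) -> str:
    """AWS key-ID prefixes: ASIA = temporary (STS) credentials, AKIA = long-term IAM user key."""
    return {"ASIA": "temporary", "AKIA": "long-term"}.get(access_key_id[:4], "unknown")

def parse_signing_events(lines):
    """Return [(timestamp, access_key_id)] for every signed request in the log."""
    events = []
    for line in lines:
        if "HTTP Request Sent" not in line:
            continue  # responses carry no Authorization header
        cred, ts = CRED_RE.search(line), TS_RE.search(line)
        if cred and ts:
            events.append((datetime.strptime(ts.group("ts"), TS_FMT), cred.group("akid")))
    return events

def summarize(events):
    """Collapse signing events into one KeyUsage per access-key ID, in first-seen order."""
    usage = {}
    for ts, akid in events:
        u = usage.setdefault(akid, KeyUsage(akid, ts, ts))
        u.first_seen, u.last_seen = min(u.first_seen, ts), max(u.last_seen, ts)
        u.requests += 1
    return list(usage.values())

def refresh_count(events) -> int:
    """Number of times the signing key changed between consecutive requests."""
    return sum(1 for (_, a), (_, b) in zip(events, events[1:]) if a != b)

def keys_outliving(usage, duration: str):
    """Key IDs that signed requests across a window longer than the assume_role duration."""
    limit = parse_duration(duration)
    return [u.access_key_id for u in usage if u.span > limit]

def _line(ts: str, op: str, akid: str) -> str:
    """Constructed debug line carrying only the fields the parser needs."""
    return (f'{ts} [DEBUG] provider.terraform-provider-aws_v5.16.1_x5: HTTP Request Sent: '
            f'aws.operation={op} http.request.header.authorization="AWS4-HMAC-SHA256 '
            f'Credential={akid}/20230911/us-east-1/rds/aws4_request, SignedHeaders=host;x-amz-date, '
            f'Signature=*****" timestamp={ts}')

# Constructed sample: one key for ~12.5 min, then the SDK refreshes to a second key.
REFRESHED_LOG = [
    _line("2023-09-11T11:44:00.100-0400", "CreateDBInstance", "ASIA************JT4P"),
    "2023-09-11T11:44:00.350-0400 [DEBUG] ...: HTTP Response Received: http.status_code=200",
    _line("2023-09-11T11:56:30.000-0400", "DescribeDBInstances", "ASIA************JT4P"),
    _line("2023-09-11T11:57:00.000-0400", "DescribeDBInstances", "ASIA************QX9R"),
    _line("2023-09-11T12:00:51.635-0400", "DescribeDBInstances", "ASIA************QX9R"),
]
# Constructed sample: the same key signs for ~17 min, longer than a 15m session allows.
UNREFRESHED_LOG = [
    _line("2023-09-11T11:44:00.100-0400", "CreateDBInstance", "ASIA************JT4P"),
    _line("2023-09-11T12:00:51.635-0400", "DescribeDBInstances", "ASIA************JT4P"),
]
```

Run it over a real capture with `parse_signing_events(open("terraform.log"))`; the ASIA prefix also confirms the requests were signed with temporary STS credentials rather than a long-term AKIA key.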

kjenney commented 1 year ago

Can this be documented properly somewhere? I looked through the provider documentation as well as the source code in this repo, and this was not apparent to me at all.

kjenney commented 1 year ago

Still waiting for a response here. Somebody that understands exactly how this assume_role.duration works should update the documentation so that users can also understand exactly how it works.