[Bug]: EC2 root volume creation fails when TagPolicies are present

[ETisREAL]

Terraform Core Version

1.7.2

AWS Provider Version

5.34.0

Affected Resource(s)

aws_instance

Expected Behavior

I have this SCP Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceMandatoryTagsPresence",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/infrastructure": "true",
          "aws:RequestTag/stage": "true"
        }
      }
    },
    {
      "Sid": "DenyMandatoryTagsRemoval",
      "Effect": "Deny",
      "Action": [
        "ec2:DeleteTags"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/infrastructure": "false",
          "aws:RequestTag/stage": "false"
        }
      }
    }
  ]
}

This is how I am creating the EC2 instance:

resource "aws_instance" "ec2_instance" {
  ami           = data.aws_ami.al2023_ami.id
  instance_type = var.instance_type

  root_block_device {
    volume_size = 10
    tags        = merge({
      Name = "EC2_root_block_device"
    }, var.tags)
  }

  tags = merge({
    Name = "EC2_instance"
  }, var.tags)
}

and finally these are the tags I am setting:

module "backups" {
  source        = "./modules/ec2-backups"
  instance_type = "t2.micro"
  tags          = {
    infrastructure = "tf"
    stage          = "STG"
  }
}

The required tags are getting set on the resources, both the EC2 instance and the root EBS volume (even the plan shows it)

Actual Behavior

The request fails with an explicit deny.

This only happens if the policy applies to volumes as well. If I remove the volume restriction, it creates the resources as it should.

Apparently this issue should have gotten fixed with this PR #6396 Unfortunately the issue is alive and well, at least for the root volume

Relevant Error/Panic Output Snippet

╷
│ Error: creating EC2 Instance: UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::851725412353:assumed-role/AWSReservedSSO_Staging-AdministratorAccess_2760ed54e811856f/staging-user is not authorized to perform: ec2:RunInstances on resource: arn:aws:ec2:eu-central-1:851725412353:volume/* with an explicit deny in a service control policy. Encoded authorization failure message: 8P057QR9qwAzU6KiP-hTV9qfcnwr2oZ82zTkctGjDHwmxfxHeklP0xMbjLrWvgSaHdcy6cizTBN52bb7KTXevRa5IPZS3_QMcA7S7ULX2YI-f6pV6mvZ52cLjl0XQ-hZya7dgWE3fJzA4q-6im2Evpor09rFNlIhHd77c3FLZUBA31fmL501ButYEdgKCORGWjVjBgKCdgMx1ixVRPn1SVUcLv3TLAMXY623_H7r8-FpHzD3DYUEohi4-ghlxyIaQIc-F1gJf06qqKbT0zycUpU_1yW-_16wYvz-_dsGCuXr7Prmc2MrF__oLI6-ceEAmYX32f7XOR35l1Mj_NE0rUM8WCuGxpOPrQfVIltBVerQwB9PAVtdcV5jUx6Y_Du9S7pRlneKiXEeCN11FbGVlOEX0o3vmueuDVUNdHxpBEuyHWjDxsbBd5iiKDGoLN1h5vX4-XPFBe8iOuoHovgCQ6rz75bMuIy7xFUf_iiV6Gg2jrPyxFrMOU0jR5BSLoMJQD31kgNrBalDGeeS0JEa-6YiaT2KXyqDFxeOLtyeCaQdALK0jWa8BZLWJmMaZsnU_1zctBaRhovTWTUGAAxCLEnECZFKKYpcwVLK_GlVAEqUsoEB5QZvfn4v0kut78b7ukJhi-e0fwOieiscjiM3BeRF1SEzHmxOsFLFEnXkLlZCB2Y_EybBW0SH5L0aohsm2Hs6NV75ibXFcF7m0Z_V0PwWmFQseGiwsVFcrxbJN8pbw5ce5nHiBCSTgZ-cPaqf_37Gn1kfpSpXEYCoXa57T1XCV2UjKWdRN2gf-R68HzRrTitjgMWZaZ1NYC05p6Id9rExgeg8EVPIqayL2syOIfwLOuO-XN5Bpa323hGFhPj2yfRvv88
│       status code: 403, request id: 7c570852-fd34-497b-8d15-2a2b50d4d6c6

Terraform Configuration Files

terraform { backend "s3" { bucket = "janji-terraform-bucket" key = "tfstate" region = "eu-central-1" profile = "janji" } required_providers { aws = { source = "hashicorp/aws" version = "~> 5.30" } } }

provider "aws" { region = var.aws_region profile = "janji" default_tags { tags = { Environment = "Test" Owner = "TFProviders" Project = "Test" } } }

Steps to Reproduce

1. Create an SCP policy with the snippet I provided
2. Create an EC2 instance tagging both the instance itself and the root volume

Debug Output

http.response.body= | | | arn:aws:sts::851725412353:assumed-role/AWSReservedSSO_Staging-AdministratorAccess_2760ed54e811856f/staging-user | AROA*****TW5G:staging-user | 851725412353 | | | ebc47c36-37e0-48e5-9393-b0bf87e68b7a | | rpc.service=STS tf_mux_provider="schema.GRPCProviderServer" http.duration=307 http.response.header.content_type=text/xml @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.46/logging/tf_logger.go:47 timestamp="2024-02-05T09:26:18.544+0100" 2024-02-05T09:26:18.544+0100 [INFO] provider.terraform-provider-aws_v5.34.0_x5: Retrieved caller identity from STS: @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.46/logging/tf_logger.go:39 @module=aws.aws-base tf_mux_provider="schema.GRPCProviderServer" tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=d4b1447d-6d7d-0b22-b84a-df76746761ef tf_rpc=ConfigureProvider timestamp="2024-02-05T09:26:18.544+0100" 2024-02-05T09:26:18.547+0100 [DEBUG] Resource instance state not found for node "module.backups.data.aws_ami.al2023_ami", instance module.backups.data.aws_ami.al2023_ami 2024-02-05T09:26:18.547+0100 [DEBUG] ReferenceTransformer: "module.backups.data.aws_ami.al2023_ami" references: [] 2024-02-05T09:26:18.552+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: HTTP Request Sent: http.request.header.x_amz_security_token="*" http.request_content_length=185 rpc.service=EC2 http.url=https://ec2.eu-central-1.amazonaws.com/ http.request.header.x_amz_date=20240205T082618Z @caller=github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2@v2.0.0-beta.47/logger.go:109 http.request.header.authorization="AWS4-HMAC-SHA256 Credential=ASIA****WLPY/20240205/eu-central-1/ec2/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date;x-amz-security-token, Signature=****" tf_mux_provider="schema.GRPCProviderServer" @module=aws http.method=POST http.request.body= | Action=DescribeImages&Filter.1.Name=architecture&Filter.1.Value.1=x86_64&Filter.2.Name=name&Filter.2.Value.1=al2023-ami-2023%2A&IncludeDeprecated=false&Owner.1=amazon&Version=2016-11-15 http.request.header.content_type="application/x-www-form-urlencoded; charset=utf-8" rpc.system=aws-api tf_aws.sdk=aws-sdk-go http.flavor=1.1 http.user_agent="APN/1.0 HashiCorp/1.0 Terraform/1.7.2 (+https://www.terraform.io) terraform-provider-aws/5.34.0 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.49.24 (go1.20.12; linux; amd64)" tf_req_id=a73ca108-6064-e174-5626-61238fe9e338 tf_rpc=ReadDataSource aws.region=eu-central-1 net.peer.name=ec2.eu-central-1.amazonaws.com rpc.method=DescribeImages tf_data_source_type=aws_ami tf_provider_addr=registry.terraform.io/hashicorp/aws timestamp="2024-02-05T09:26:18.552+0100" 2024-02-05T09:26:19.158+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: HTTP Response Received: http.status_code=200 tf_mux_provider="*schema.GRPCProviderServer" @caller=github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2@v2.0.0-beta.47/logger.go:157 http.response.header.cache_control="no-cache, no-store" tf_provider_addr=registry.terraform.io/hashicorp/aws http.response.header.content_type=text/xml;charset=UTF-8 http.response.header.strict_transport_security="max-age=31536000; includeSubDomains" rpc.system=aws-api tf_req_id=a73ca108-6064-e174-5626-61238fe9e338 http.response.header.server=AmazonEC2 http.response.header.x_amzn_requestid=78f976a7-57ea-4bd2-9d57-61fc27608bb9 tf_data_source_type=aws_ami @module=aws aws.region=eu-central-1 http.response.header.vary=accept-encoding rpc.method=DescribeImages rpc.service=EC2 http.response.body= | <?xml version="1.0" encoding="UTF-8"?> | | 78f976a7-57ea-4bd2-9d57-61fc27608bb9 | | | ami-024f768332f080c5e | amazon/al2023-ami-2023.3.20231218.0-kernel-6.1-x86_64 | available | 137112412989 | 2023-12-15T02:10:49.000Z | true | x86_64 | machine | simple | amazon | al2023-ami-2023.3.20231218.0-kernel-6.1-x86_64 | Amazon Linux 2023 AMI 2023.3.20231218.0 x86_64 HVM kernel-6.1 | ebs | /dev/xvda | | | /dev/xvda | | snap-00099e2296a49daa3 | 8 | true | gp3 | 3000 | false | 125 | | | | hvm | xen | true | Linux/UNIX | RunInstances | uefi-preferred | v2.0 | 2024-03-14T02:11:00.000Z | | | ami-09024b009ae9e7adf | amazon/al2023-ami-2023.3.20240122.0-kernel-6.1-x86_64 | available | 137112412989 | 2024-01-20T00:06:46.000Z | true | x86_64 | machine | simple | amazon | al2023-ami-2023.3.20240122.0-kernel-6.1-x86_64 | Amazon Linux 2023 AMI 2023.3.20240122.0 x86_64 HVM kernel-6.1 | ebs | /dev/xvda | | | /dev/xvda | | snap-0213b3d8f06c22f65 | 8 | true | gp3 | 3000 | false | 125 | | | | hvm | xen | true | Linux/UNIX | RunInstances | uefi-preferred | v2.0 | 2024-04-19T00:07:00.000Z | | | ami-0292a7daeeda6b851 | amazon/al2023-ami-2023.3.20240117.0-kernel-6.1-x86_64 | [truncated...] tf_rpc=ReadDataSource http.duration=605 http.response.header.date="Mon, 05 Feb 2024 08:26:18 GMT" tf_aws.sdk=aws-sdk-go timestamp="2024-02-05T09:26:19.158+0100" 2024-02-05T09:26:19.159+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: [DEBUG] aws_ami - adding block device mapping: map[device_name:/dev/xvda ebs:map[delete_on_termination:true encrypted:false iops:3000 snapshot_id:snap-0f2cb3b54923f557a throughput:125 volume_size:8 volume_type:gp3] virtual_name:] 2024-02-05T09:26:19.162+0100 [DEBUG] Resource instance state not found for node "module.backups.aws_instance.ec2_instance", instance module.backups.aws_instance.ec2_instance 2024-02-05T09:26:19.162+0100 [DEBUG] ReferenceTransformer: "module.backups.aws_instance.ec2_instance" references: [] 2024-02-05T09:26:19.162+0100 [DEBUG] refresh: module.backups.aws_instance.ec2_instance: no state, so not refreshing 2024-02-05T09:26:19.171+0100 [WARN] Provider "registry.terraform.io/hashicorp/aws" produced an invalid plan for module.backups.aws_instance.ec2_instance, but we are tolerating it because it is using the legacy plugin SDK. The following problems may be the cause of any confusing errors from downstream operations:

• .get_password_data: planned value cty.False for a non-computed attribute
• .user_data_replace_on_change: planned value cty.False for a non-computed attribute
• .source_dest_check: planned value cty.True for a non-computed attribute
• .cpu_options: attribute representing nested block must not be unknown itself; set nested attribute values to unknown instead
• .maintenance_options: attribute representing nested block must not be unknown itself; set nested attribute values to unknown instead
• .ephemeral_block_device: attribute representing nested block must not be unknown itself; set nested attribute values to unknown instead
• .metadata_options: attribute representing nested block must not be unknown itself; set nested attribute values to unknown instead
• .private_dns_name_options: attribute representing nested block must not be unknown itself; set nested attribute values to unknown instead
• .capacity_reservation_specification: attribute representing nested block must not be unknown itself; set nested attribute values to unknown instead
• .ebs_block_device: attribute representing nested block must not be unknown itself; set nested attribute values to unknown instead
• .instance_market_options: attribute representing nested block must not be unknown itself; set nested attribute values to unknown instead
• .network_interface: attribute representing nested block must not be unknown itself; set nested attribute values to unknown instead
• .enclave_options: attribute representing nested block must not be unknown itself; set nested attribute values to unknown instead
• .root_block_device[0].delete_on_termination: planned value cty.True for a non-computed attribute 2024-02-05T09:26:19.171+0100 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF" 2024-02-05T09:26:19.176+0100 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.34.0/linux_amd64/terraform-provider-aws_v5.34.0_x5 pid=7383 2024-02-05T09:26:19.176+0100 [DEBUG] provider: plugin exited 2024-02-05T09:26:19.176+0100 [DEBUG] building apply graph to check for errors 2024-02-05T09:26:19.176+0100 [DEBUG] Resource state not found for node "module.backups.aws_instance.ec2_instance", instance module.backups.aws_instance.ec2_instance 2024-02-05T09:26:19.176+0100 [DEBUG] ProviderTransformer: "module.backups.aws_instance.ec2_instance" (terraform.NodeApplyableResourceInstance) needs provider["registry.terraform.io/hashicorp/aws"] 2024-02-05T09:26:19.176+0100 [DEBUG] ProviderTransformer: "module.backups.aws_instance.ec2_instance (expand)" (terraform.nodeExpandApplyableResource) needs provider["registry.terraform.io/hashicorp/aws"] 2024-02-05T09:26:19.176+0100 [DEBUG] ProviderTransformer: "module.backups.data.aws_ami.al2023_ami (expand)" (terraform.nodeExpandApplyableResource) needs provider["registry.terraform.io/hashicorp/aws"] 2024-02-05T09:26:19.177+0100 [DEBUG] ReferenceTransformer: "var.aws_account" references: [] 2024-02-05T09:26:19.177+0100 [DEBUG] ReferenceTransformer: "var.certificate_arn" references: [] 2024-02-05T09:26:19.177+0100 [DEBUG] ReferenceTransformer: "var.ansible_ipv4_cidr_block" references: [] 2024-02-05T09:26:20.130+0100 [INFO] provider.terraform-provider-aws_v5.34.0_x5: Retrieved credentials: @module=aws.aws-base tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=c17d1f10-1eec-7710-4d83-7a835083a2b9 tf_rpc=ConfigureProvider @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.46/logging/tf_logger.go:39 tf_aws.credentials_source=SSOProvider tf_mux_provider="schema.GRPCProviderServer" timestamp="2024-02-05T09:26:20.130+0100" 2024-02-05T09:26:20.130+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: Loading configuration: @module=aws.aws-base tf_req_id=c17d1f10-1eec-7710-4d83-7a835083a2b9 tf_rpc=ConfigureProvider @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.46/logging/tf_logger.go:47 tf_mux_provider="schema.GRPCProviderServer" tf_provider_addr=registry.terraform.io/hashicorp/aws timestamp="2024-02-05T09:26:20.130+0100" 2024-02-05T09:26:20.131+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: Creating AWS SDK v1 session: tf_req_id=c17d1f10-1eec-7710-4d83-7a835083a2b9 tf_rpc=ConfigureProvider @caller=github.com/hashicorp/terraform-provider-aws/internal/conns/config.go:156 @module=aws tf_mux_provider="schema.GRPCProviderServer" tf_provider_addr=registry.terraform.io/hashicorp/aws timestamp="2024-02-05T09:26:20.131+0100" 2024-02-05T09:26:20.132+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: Retrieving AWS account details: tf_mux_provider="schema.GRPCProviderServer" tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=c17d1f10-1eec-7710-4d83-7a835083a2b9 tf_rpc=ConfigureProvider @caller=github.com/hashicorp/terraform-provider-aws/internal/conns/config.go:171 @module=aws timestamp="2024-02-05T09:26:20.132+0100" 2024-02-05T09:26:20.132+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: Retrieving caller identity from STS: @module=aws.aws-base tf_provider_addr=registry.terraform.io/hashicorp/aws tf_rpc=ConfigureProvider tf_mux_provider="schema.GRPCProviderServer" tf_req_id=c17d1f10-1eec-7710-4d83-7a835083a2b9 @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.46/logging/tf_logger.go:47 timestamp="2024-02-05T09:26:20.132+0100" 2024-02-05T09:26:20.133+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: HTTP Request Sent: http.request.body= | Action=GetCallerIdentity&Version=2011-06-15 tf_aws.sdk=aws-sdk-go-v2 @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.46/logging/tf_logger.go:47 net.peer.name=sts.eu-central-1.amazonaws.com http.request.header.amz_sdk_invocation_id=be7163a4-92b2-4fad-9c1c-3ad788a5d3ee http.request.header.amz_sdk_request="attempt=1; max=25" http.request_content_length=43 rpc.system=aws-api tf_req_id=c17d1f10-1eec-7710-4d83-7a835083a2b9 rpc.service=STS rpc.method=GetCallerIdentity http.request.header.content_type=application/x-www-form-urlencoded @module=aws.aws-base tf_aws.signing_region="" http.request.header.authorization="AWS4-HMAC-SHA256 Credential=ASIA****IORQ/20240205/eu-central-1/sts/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date;x-amz-security-token, Signature=*" http.url=https://sts.eu-central-1.amazonaws.com/ tf_mux_provider="schema.GRPCProviderServer" tf_rpc=ConfigureProvider aws.region=eu-central-1 http.request.header.x_amz_date=20240205T082620Z http.request.header.x_amz_security_token="" http.user_agent="APN/1.0 HashiCorp/1.0 Terraform/1.7.2 (+https://www.terraform.io) terraform-provider-aws/5.34.0 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go-v2/1.24.1 os/linux lang/go#1.20.12 md/GOOS#linux md/GOARCH#amd64 api/sts#1.26.7" tf_provider_addr=registry.terraform.io/hashicorp/aws http.method=POST timestamp="2024-02-05T09:26:20.133+0100" 2024-02-05T09:26:20.254+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: HTTP Response Received: tf_aws.signing_region="" tf_req_id=c17d1f10-1eec-7710-4d83-7a835083a2b9 @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.46/logging/tf_logger.go:47 http.response.header.x_amzn_requestid=9e7c0c44-8bd9-484d-a55c-c511d00958bb http.status_code=200 rpc.service=STS tf_mux_provider="*schema.GRPCProviderServer" http.duration=113 http.response.header.content_type=text/xml http.response.header.date="Mon, 05 Feb 2024 08:26:20 GMT" http.response_content_length=490 aws.region=eu-central-1 rpc.system=aws-api tf_aws.sdk=aws-sdk-go-v2 tf_provider_addr=registry.terraform.io/hashicorp/aws @module=aws.aws-base http.response.body= | | | arn:aws:sts::851725412353:assumed-role/AWSReservedSSO_Staging-AdministratorAccess_2760ed54e811856f/staging-user | AROA*****TW5G:staging-user | 851725412353 | | | 9e7c0c44-8bd9-484d-a55c-c511d00958bb | | rpc.method=GetCallerIdentity tf_rpc=ConfigureProvider timestamp="2024-02-05T09:26:20.254+0100" 2024-02-05T09:26:20.254+0100 [INFO] provider.terraform-provider-aws_v5.34.0_x5: Retrieved caller identity from STS: tf_req_id=c17d1f10-1eec-7710-4d83-7a835083a2b9 tf_rpc=ConfigureProvider @module=aws.aws-base tf_mux_provider="*schema.GRPCProviderServer" tf_provider_addr=registry.terraform.io/hashicorp/aws @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.46/logging/tf_logger.go:39 timestamp="2024-02-05T09:26:20.254+0100" 2024-02-05T09:26:20.267+0100 [WARN] Provider "registry.terraform.io/hashicorp/aws" produced an invalid plan for module.backups.aws_instance.ec2_instance, but we are tolerating it because it is using the legacy plugin SDK. The following problems may be the cause of any confusing errors from downstream operations:
• .get_password_data: planned value cty.False for a non-computed attribute
• .user_data_replace_on_change: planned value cty.False for a non-computed attribute
• .source_dest_check: planned value cty.True for a non-computed attribute
• .ephemeral_block_device: attribute representing nested block must not be unknown itself; set nested attribute values to unknown instead
• .metadata_options: attribute representing nested block must not be unknown itself; set nested attribute values to unknown instead
• .private_dns_name_options: attribute representing nested block must not be unknown itself; set nested attribute values to unknown instead
• .capacity_reservation_specification: attribute representing nested block must not be unknown itself; set nested attribute values to unknown instead
• .ebs_block_device: attribute representing nested block must not be unknown itself; set nested attribute values to unknown instead
• .instance_market_options: attribute representing nested block must not be unknown itself; set nested attribute values to unknown instead
• .network_interface: attribute representing nested block must not be unknown itself; set nested attribute values to unknown instead
• .enclave_options: attribute representing nested block must not be unknown itself; set nested attribute values to unknown instead
• .root_block_device[0].delete_on_termination: planned value cty.True for a non-computed attribute
• .cpu_options: attribute representing nested block must not be unknown itself; set nested attribute values to unknown instead
• .maintenance_options: attribute representing nested block must not be unknown itself; set nested attribute values to unknown instead 2024-02-05T09:26:20.268+0100 [INFO] Starting apply for module.backups.aws_instance.ec2_instance 2024-02-05T09:26:20.268+0100 [DEBUG] module.backups.aws_instance.ec2_instance: applying the planned Create change 2024-02-05T09:26:20.269+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: [DEBUG] setting computed for "maintenance_options" from ComputedKeys 2024-02-05T09:26:20.269+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: [DEBUG] setting computed for "metadata_options" from ComputedKeys 2024-02-05T09:26:20.269+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: [DEBUG] setting computed for "cpu_options" from ComputedKeys 2024-02-05T09:26:20.269+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: [DEBUG] setting computed for "network_interface" from ComputedKeys 2024-02-05T09:26:20.269+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: [DEBUG] setting computed for "enclave_options" from ComputedKeys 2024-02-05T09:26:20.269+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: [DEBUG] setting computed for "ipv6_addresses" from ComputedKeys 2024-02-05T09:26:20.269+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: [DEBUG] setting computed for "secondary_private_ips" from ComputedKeys 2024-02-05T09:26:20.269+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: [DEBUG] setting computed for "network_interface" from ComputedKeys 2024-02-05T09:26:20.269+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: [DEBUG] setting computed for "capacity_reservation_specification" from ComputedKeys 2024-02-05T09:26:20.269+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: [DEBUG] setting computed for "instance_market_options" from ComputedKeys 2024-02-05T09:26:20.269+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: [DEBUG] setting computed for "private_dns_name_options" from ComputedKeys 2024-02-05T09:26:20.270+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: [DEBUG] setting computed for "ebs_block_device" from ComputedKeys 2024-02-05T09:26:20.270+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: [DEBUG] setting computed for "ephemeral_block_device" from ComputedKeys 2024-02-05T09:26:20.270+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: [DEBUG] setting computed for "security_groups" from ComputedKeys 2024-02-05T09:26:20.270+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: [DEBUG] setting computed for "vpc_security_group_ids" from ComputedKeys 2024-02-05T09:26:20.270+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: HTTP Request Sent: tf_resource_type=aws_instance rpc.system=aws-api tf_rpc=ApplyResourceChange http.request_content_length=72 http.url=https://ec2.eu-central-1.amazonaws.com/ net.peer.name=ec2.eu-central-1.amazonaws.com rpc.method=DescribeImages http.request.body= | Action=DescribeImages&ImageId.1=ami-02fe204d17e0189fb&Version=2016-11-15 http.request.header.x_amz_security_token="" tf_mux_provider="schema.GRPCProviderServer" tf_provider_addr=registry.terraform.io/hashicorp/aws @module=aws http.request.header.content_type="application/x-www-form-urlencoded; charset=utf-8" http.request.header.x_amz_date=20240205T082620Z tf_aws.sdk=aws-sdk-go tf_req_id=0391dd22-f88b-d034-e47c-669aac6caf38 http.flavor=1.1 http.request.header.authorization="AWS4-HMAC-SHA256 Credential=ASIA****IORQ/20240205/eu-central-1/ec2/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date;x-amz-security-token, Signature=" rpc.service=EC2 @caller=github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2@v2.0.0-beta.47/logger.go:109 aws.region=eu-central-1 http.method=POST http.user_agent="APN/1.0 HashiCorp/1.0 Terraform/1.7.2 (+https://www.terraform.io) terraform-provider-aws/5.34.0 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.49.24 (go1.20.12; linux; amd64)" timestamp="2024-02-05T09:26:20.270+0100" 2024-02-05T09:26:20.442+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: HTTP Response Received: @module=aws http.response.header.server=AmazonEC2 tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=0391dd22-f88b-d034-e47c-669aac6caf38 tf_resource_type=aws_instance http.response.header.vary=accept-encoding http.status_code=200 tf_rpc=ApplyResourceChange http.response.body= | <?xml version="1.0" encoding="UTF-8"?> | | 320c7913-ba3e-4d03-8f28-008426117a16 | | | ami-02fe204d17e0189fb | amazon/al2023-ami-2023.3.20240131.0-kernel-6.1-x86_64 | available | 137112412989 | 2024-01-26T01:00:56.000Z | true | x86_64 | machine | simple | amazon | al2023-ami-2023.3.20240131.0-kernel-6.1-x86_64 | Amazon Linux 2023 AMI 2023.3.20240131.0 x86_64 HVM kernel-6.1 | ebs | /dev/xvda | | | /dev/xvda | | snap-0f2cb3b54923f557a | 8 | true | gp3 | 3000 | false | 125 | | | | hvm | xen | true | Linux/UNIX | RunInstances | uefi-preferred | v2.0 | 2024-04-25T01:01:00.000Z | | | rpc.system=aws-api aws.region=eu-central-1 http.response.header.date="Mon, 05 Feb 2024 08:26:20 GMT" http.response.header.strict_transport_security="max-age=31536000; includeSubDomains" http.response.header.x_amzn_requestid=320c7913-ba3e-4d03-8f28-008426117a16 @caller=github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2@v2.0.0-beta.47/logger.go:157 http.response.header.content_type=text/xml;charset=UTF-8 tf_mux_provider="schema.GRPCProviderServer" http.duration=171 rpc.method=DescribeImages rpc.service=EC2 tf_aws.sdk=aws-sdk-go http.response.header.cache_control="no-cache, no-store" timestamp="2024-02-05T09:26:20.442+0100" 2024-02-05T09:26:20.442+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: [DEBUG] Creating EC2 Instance: { 2024-02-05T09:26:20.442+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: BlockDeviceMappings: [{ 2024-02-05T09:26:20.442+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: DeviceName: "/dev/xvda", 2024-02-05T09:26:20.442+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: Ebs: { 2024-02-05T09:26:20.442+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: DeleteOnTermination: true, 2024-02-05T09:26:20.442+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: VolumeSize: 10 2024-02-05T09:26:20.442+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: } 2024-02-05T09:26:20.442+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: }], 2024-02-05T09:26:20.442+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: ClientToken: "terraform-20240205082620442300000001", 2024-02-05T09:26:20.442+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: DisableApiTermination: false, 2024-02-05T09:26:20.442+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: EbsOptimized: false, 2024-02-05T09:26:20.442+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: HibernationOptions: { 2024-02-05T09:26:20.442+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: Configured: false 2024-02-05T09:26:20.442+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: }, 2024-02-05T09:26:20.442+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: ImageId: "ami-02fe204d17e0189fb", 2024-02-05T09:26:20.442+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: InstanceType: "t2.micro", 2024-02-05T09:26:20.442+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: MaxCount: 1, 2024-02-05T09:26:20.442+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: MinCount: 1, 2024-02-05T09:26:20.442+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: Monitoring: { 2024-02-05T09:26:20.442+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: Enabled: false 2024-02-05T09:26:20.442+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: }, 2024-02-05T09:26:20.442+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: Placement: { 2024-02-05T09:26:20.442+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: AvailabilityZone: "" 2024-02-05T09:26:20.442+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: }, 2024-02-05T09:26:20.442+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: TagSpecifications: [{ 2024-02-05T09:26:20.443+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: ResourceType: "instance", 2024-02-05T09:26:20.443+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: Tags: [ 2024-02-05T09:26:20.443+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: { 2024-02-05T09:26:20.443+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: Key: "Name", 2024-02-05T09:26:20.443+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: Value: "EC2_instance" 2024-02-05T09:26:20.443+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: }, 2024-02-05T09:26:20.443+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: { 2024-02-05T09:26:20.443+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: Key: "infrastructure", 2024-02-05T09:26:20.443+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: Value: "tf" 2024-02-05T09:26:20.443+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: }, 2024-02-05T09:26:20.443+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: { 2024-02-05T09:26:20.443+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: Key: "Environment", 2024-02-05T09:26:20.443+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: Value: "Test" 2024-02-05T09:26:20.443+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: }, 2024-02-05T09:26:20.443+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: { 2024-02-05T09:26:20.443+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: Key: "Owner", 2024-02-05T09:26:20.443+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: Value: "TFProviders" 2024-02-05T09:26:20.443+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: }, 2024-02-05T09:26:20.443+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: { 2024-02-05T09:26:20.443+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: Key: "Project", 2024-02-05T09:26:20.443+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: Value: "Test" 2024-02-05T09:26:20.443+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: }, 2024-02-05T09:26:20.443+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: { 2024-02-05T09:26:20.443+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: Key: "stage", 2024-02-05T09:26:20.443+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: Value: "STG" 2024-02-05T09:26:20.443+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: } 2024-02-05T09:26:20.443+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: ] 2024-02-05T09:26:20.443+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: }] 2024-02-05T09:26:20.443+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: } 2024-02-05T09:26:20.443+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: [DEBUG] Waiting for state to become: [success] 2024-02-05T09:26:20.444+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: HTTP Request Sent: http.user_agent="APN/1.0 HashiCorp/1.0 Terraform/1.7.2 (+https://www.terraform.io) terraform-provider-aws/5.34.0 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.49.24 (go1.20.12; linux; amd64)" tf_mux_provider="*schema.GRPCProviderServer" tf_req_id=0391dd22-f88b-d034-e47c-669aac6caf38 tf_resource_type=aws_instance http.method=POST http.request.body= | Action=RunInstances&BlockDeviceMapping.1.DeviceName=%2Fdev%2Fxvda&BlockDeviceMapping.1.Ebs.DeleteOnTermination=true&BlockDeviceMapping.1.Ebs.VolumeSize=10&ClientToken=terraform-20240205082620442300000001&DisableApiTermination=false&EbsOptimized=false&HibernationOptions.Configured=false&ImageId=ami-02fe204d17e0189fb&InstanceType=t2.micro&MaxCount=1&MinCount=1&Monitoring.Enabled=false&Placement.AvailabilityZone=&TagSpecification.1.ResourceType=instance&TagSpecification.1.Tag.1.Key=Name&TagSpecification.1.Tag.1.Value=EC2_instance&TagSpecification.1.Tag.2.Key=infrastructure&TagSpecification.1.Tag.2.Value=tf&TagSpecification.1.Tag.3.Key=Environment&TagSpecification.1.Tag.3.Value=Test&TagSpecification.1.Tag.4.Key=Owner&TagSpecification.1.Tag.4.Value=TFProviders&TagSpecification.1.Tag.5.Key=Project&TagSpecification.1.Tag.5.Value=Test&TagSpecification.1.Tag.6.Key=stage&TagSpecification.1.Tag.6.Value=STG&Version=2016-11-15 http.request.header.x_amz_date=20240205T082620Z tf_aws.sdk=aws-sdk-go aws.region=eu-central-1 http.request.header.authorization="AWS4-HMAC-SHA256 Credential=ASIA****IORQ/20240205/eu-central-1/ec2/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date;x-amz-security-token, Signature=*" net.peer.name=ec2.eu-central-1.amazonaws.com tf_provider_addr=registry.terraform.io/hashicorp/aws @module=aws http.request.header.content_type="application/x-www-form-urlencoded; charset=utf-8" http.request.header.x_amz_security_token="" tf_rpc=ApplyResourceChange http.flavor=1.1 http.url=https://ec2.eu-central-1.amazonaws.com/ rpc.system=aws-api rpc.service=EC2 rpc.method=RunInstances @caller=github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2@v2.0.0-beta.47/logger.go:109 http.request_content_length=927 timestamp="2024-02-05T09:26:20.443+0100" 2024-02-05T09:26:20.875+0100 [DEBUG] provider.terraform-provider-aws_v5.34.0_x5: HTTP Response Received: tf_mux_provider="schema.GRPCProviderServer" tf_rpc=ApplyResourceChange @module=aws http.response.header.content_type=text/xml;charset=UTF-8 http.response.header.vary=accept-encoding @caller=github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2@v2.0.0-beta.47/logger.go:157 tf_provider_addr=registry.terraform.io/hashicorp/aws tf_resource_type=aws_instance http.response.header.date="Mon, 05 Feb 2024 08:26:20 GMT" http.response.header.x_amzn_requestid=a0f62ebe-66a4-4f18-9e2b-3e32cc94ae9c rpc.method=RunInstances rpc.service=EC2 rpc.system=aws-api tf_aws.sdk=aws-sdk-go tf_req_id=0391dd22-f88b-d034-e47c-669aac6caf38 http.response.header.cache_control="no-cache, no-store" http.response.header.server=AmazonEC2 http.response.header.strict_transport_security="max-age=31536000; includeSubDomains" http.status_code=403 http.duration=431 http.response.body= | <?xml version="1.0" encoding="UTF-8"?> | UnauthorizedOperationYou are not authorized to perform this operation. User: arn:aws:sts::851725412353:assumed-role/AWSReservedSSO_Staging-AdministratorAccess_2760ed54e811856f/staging-user is not authorized to perform: ec2:RunInstances on resource: arn:aws:ec2:eu-central-1:851725412353:volume/* with an explicit deny in a service control policy. Encoded authorization failure message: H8F0jDN9KPpyINgZ_awdx-5x8V****2mlg-8s7BMT2XtQtq9K-dd6ksaMpx2kyi8V2ZJkCEl_fIbWRVrVbBXlfFyEtGp3vjlIhvg7oTdfLuyUlUpinVtMu7Zr-zbwPQMayIU4IPv9ZIo9cbt4rqmBhEIaVpKDgUUO_HcpcfEH4gYTOCwLsc820hDkt5q2Zk-iod6QHLbleXt1I-O4s0WiwKwG1yuhwmJPR_m5NiYesvy4sxeBDH8-y5CyGzMDb2zasa8BUEd1hReR9gwDlDgzip0hBXG6AAnJNzzuRigD3x3iBMHEqgu7TuO_kfELGBEOzWX3zy89agOIo8qb0ztXV6WIrAsEBcIERUDeo8qpF8qTKPtr0BdSCc9US488WzXUGC9UZrTE6e34xfswPdtyAmplyEidCAASK8TGJ7-PMz_qfP5TUA4obYD7ez21NBD0l8SC9x-1Jd5GCclwsaX7v8xNt_Qby3YeU81AqCHh4NgUW8tkNA-xzT5KqxJaBvvGegAlaoXjj0qT5Xg7ZcRxEKif2H98EGf-_3wHPbsCEodfcCMRubQ6mWjsHPmdgvaQ-PwKfcRI2VhUEHtMdZki98wwm0_lol5mFJS3ggYeF9VlWJ6CH0fRYn8gt7pMVtJYsMD8CIcHyl5z9C1Kspq0Ci6Imb2iNs7CRXqxM5s3A8G5FREc2Ujf2WUBH8WrFd9ZUC8TqgUwUtZEOdvDvVoUafI_MW0gnYWQ6wGXAvAhH6qV9zKy_e-yBIBqGKNDe9SJ7rf3PTQAwxuU-kVG6o_znkph5xB9b4gzCRs6PujUR1NkYbt6CR3WQSXk76gwKML9voglsz63BVZqRD4qXOX6QE0RQa0f62ebe-66a4-4f18-9e2b-3e32cc94ae9c aws.region=eu-central-1 timestamp="2024-02-05T09:26:20.875+0100" 2024-02-05T09:26:20.876+0100 [ERROR] provider.terraform-provider-aws_v5.34.0_x5: Response contains error diagnostic: tf_req_id=0391dd22-f88b-d034-e47c-669aac6caf38 tf_resource_type=aws_instance diagnostic_severity=ERROR diagnostic_summary= | creating EC2 Instance: UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::851725412353:assumed-role/AWSReservedSSO_Staging-AdministratorAccess_2760ed54e811856f/staging-user is not authorized to perform: ec2:RunInstances on resource: arn:aws:ec2:eu-central-1:851725412353:volume/ with an explicit deny in a service control policy. Encoded authorization failure message: H8F0jDN9KPpyINgZ_awdx-5x8V34ntzRNtdI5Uqz5sS4Bj6mIUboysBgNK2mlg-8s7BMT2XtQtq9K-dd6ksaMpx2kyi8V2ZJkCEl_fIbWRVrVbBXlfFyEtGp3vjlIhvg7oTdfLuyUlUpinVtMu7Zr-zbwPQMayIU4IPv9ZIo9cbt4rqmBhEIaVpKDgUUO_HcpcfEH4gYTOCwLsc820hDkt5q2Zk-iod6QHLbleXt1I-O4s0WiwKwG1yuhwmJPR_m5NiYesvy4sxeBDH8-y5CyGzMDb2zasa8BUEd1hReR9gwDlDgzip0hBXG6AAnJNzzuRigD3x3iBMHEqgu7TuO_kfELGBEOzWX3zy89agOIo8qb0ztXV6WIrAsEBcIERUDeo8qpF8qTKPtr0BdSCc9US488WzXUGC9UZrTE6e34xfswPdtyAmplyEidCAASK8TGJ7-PMz_qfP5TUA4obYD7ez21NBD0l8SC9x-1Jd5GCclwsaX7v8xNt_Qby3YeU81AqCHh4NgUW8tkNA-xzT5KqxJaBvvGegAlaoXjj0qT5Xg7ZcRxEKif2H98EGf-_3wHPbsCEodfcCMRubQ6mWjsHPmdgvaQ-PwKfcRI2VhUEHtMdZki98wwm0_lol5mFJS3ggYeF9VlWJ6CH0fRYn8gt7pMVtJYsMD8CIcHyl5z9C1Kspq0Ci6Imb2iNs7CRXqxM5s3A8G5FREc2Ujf2WUBH8WrFd9ZUC8TqgUwUtZEOdvDvVoUafI_MW0gnYWQ6wGXAvAhH6qV9zKy_e-yBIBqGKNDe9SJ7rf3PTQAwxuU-kVG6o_znkph5xB9b4gzCRs6PujUR1NkYbt6CR3WQSXk76gwKML9voglsz63BVZqRD4qXOX6QE0RQ | \tstatus code: 403, request id: a0f62ebe-66a4-4f18-9e2b-3e32cc94ae9c tf_rpc=ApplyResourceChange @module=sdk.proto diagnostic_detail="" tf_provider_addr=registry.terraform.io/hashicorp/aws @caller=github.com/hashicorp/terraform-plugin-go@v0.20.0/tfprotov5/internal/diag/diagnostics.go:62 tf_proto_version=5.4 timestamp="2024-02-05T09:26:20.876+0100" 2024-02-05T09:26:20.877+0100 [DEBUG] State storage remote.State declined to persist a state snapshot 2024-02-05T09:26:20.877+0100 [ERROR] vertex "module.backups.aws_instance.ec2_instance" error: creating EC2 Instance: UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::851725412353:assumed-role/AWSReservedSSO_Staging-AdministratorAccess_2760ed54e811856f/staging-user is not authorized to perform: ec2:RunInstances on resource: arn:aws:ec2:eu-central-1:851725412353:volume/* with an explicit deny in a service control policy. Encoded authorization failure message: H8F0jDN9KPpyINgZ_awdx-5x8V34ntzRNtdI5Uqz5sS4Bj6mIUboysBgNK2mlg-8s7BMT2XtQtq9K-dd6ksaMpx2kyi8V2ZJkCEl_fIbWRVrVbBXlfFyEtGp3vjlIhvg7oTdfLuyUlUpinVtMu7Zr-zbwPQMayIU4IPv9ZIo9cbt4rqmBhEIaVpKDgUUO_HcpcfEH4gYTOCwLsc820hDkt5q2Zk-iod6QHLbleXt1I-O4s0WiwKwG1yuhwmJPR_m5NiYesvy4sxeBDH8-y5CyGzMDb2zasa8BUEd1hReR9gwDlDgzip0hBXG6AAnJNzzuRigD3x3iBMHEqgu7TuO_kfELGBEOzWX3zy89agOIo8qb0ztXV6WIrAsEBcIERUDeo8qpF8qTKPtr0BdSCc9US488WzXUGC9UZrTE6e34xfswPdtyAmplyEidCAASK8TGJ7-PMz_qfP5TUA4obYD7ez21NBD0l8SC9x-1Jd5GCclwsaX7v8xNt_Qby3YeU81AqCHh4NgUW8tkNA-xzT5KqxJaBvvGegAlaoXjj0qT5Xg7ZcRxEKif2H98EGf-_3wHPbsCEodfcCMRubQ6mWjsHPmdgvaQ-PwKfcRI2VhUEHtMdZki98wwm0_lol5mFJS3ggYeF9VlWJ6CH0fRYn8gt7pMVtJYsMD8CIcHyl5z9C1Kspq0Ci6Imb2iNs7CRXqxM5s3A8G5FREc2Ujf2WUBH8WrFd9ZUC8TqgUwUtZEOdvDvVoUafI_MW0gnYWQ6wGXAvAhH6qV9zKy_e-yBIBqGKNDe9SJ7rf3PTQAwxuU-kVG6o_znkph5xB9b4gzCRs6PujUR1NkYbt6CR3WQSXk76gwKML9voglsz63BVZqRD4qXOX6QE0RQ status code: 403, request id: a0f62ebe-66a4-4f18-9e2b-3e32cc94ae9c 2024-02-05T09:26:20.878+0100 [DEBUG] states/remote: state read serial is: 17; serial is: 17 2024-02-05T09:26:20.878+0100 [DEBUG] states/remote: state read lineage is: 0db25b36-e53e-548c-b9f9-3a9e62927628; lineage is: 0db25b36-e53e-548c-b9f9-3a9e62927628 2024-02-05T09:26:20.878+0100 [INFO] backend-s3: Uploading remote state: tf_backend.operation=Put tf_backend.req_id=6fbf7331-a208-88ac-b48e-569496298204 tf_backend.s3.bucket=janji-terraform-bucket tf_backend.s3.path=tfstate 2024-02-05T09:26:20.878+0100 [DEBUG] backend-s3: HTTP Request Sent: aws.region=eu-central-1 aws.s3.bucket=janji-terraform-bucket aws.s3.key=tfstate rpc.method=PutObject rpc.service=S3 rpc.system=aws-api tf_aws.sdk=aws-sdk-go-v2 tf_aws.signing_region="" tf_backend.operation=Put tf_backend.req_id=6fbf7331-a208-88ac-b48e-569496298204 tf_backend.s3.bucket=janji-terraform-bucket tf_backend.s3.path=tfstate http.request.header.x_amz_decoded_content_length=3144 http.request.header.x_amz_date=20240205T082620Z http.request.header.amz_sdk_invocation_id=ab709c2b-3d03-4b28-aa98-00e4d6e55b2a http.method=PUT http.url=https://janji-terraform-bucket.s3.eu-central-1.amazonaws.com/tfstate?x-id=PutObject http.request_content_length=3224 http.request.header.authorization="AWS4-HMAC-SHA256 Credential=ASIA****FYBV/20240205/eu-central-1/s3/aws4_request, SignedHeaders=accept-encoding;amz-sdk-invocation-id;content-encoding;content-length;content-type;host;x-amz-content-sha256;x-amz-date;x-amz-decoded-content-length;x-amz-sdk-checksum-algorithm;x-amz-security-token;x-amz-trailer, Signature=" net.peer.name=janji-terraform-bucket.s3.eu-central-1.amazonaws.com http.request.header.amz_sdk_request="attempt=1; max=5" http.request.header.x_amz_content_sha256=STREAMING-UNSIGNED-PAYLOAD-TRAILER http.request.header.content_encoding=aws-chunked http.request.body="[Redacted: 3.1 KB (3,224 bytes), Type: application/json]" http.user_agent="APN/1.0 HashiCorp/1.0 Terraform/1.7.2 (+https://www.terraform.io) aws-sdk-go-v2/1.24.0 os/linux lang/go#1.21.5 md/GOOS#linux md/GOARCH#amd64 api/s3#1.47.5 ft/s3-transfer" http.request.header.x_amz_security_token="" http.request.header.x_amz_trailer=x-amz-checksum-sha256 http.request.header.content_type=application/json http.request.header.accept_encoding=identity http.request.header.x_amz_sdk_checksum_algorithm=SHA256 2024-02-05T09:26:20.933+0100 [DEBUG] backend-s3: HTTP Response Received: aws.region=eu-central-1 aws.s3.bucket=janji-terraform-bucket aws.s3.key=tfstate rpc.method=PutObject rpc.service=S3 rpc.system=aws-api tf_aws.sdk=aws-sdk-go-v2 tf_aws.signing_region="" tf_backend.operation=Put tf_backend.req_id=6fbf7331-a208-88ac-b48e-569496298204 tf_backend.s3.bucket=janji-terraform-bucket tf_backend.s3.path=tfstate http.duration=54 http.status_code=200 http.response.header.date="Mon, 05 Feb 2024 08:26:21 GMT" http.response.header.x_amz_server_side_encryption=AES256 http.response.body="" http.response.header.x_amz_id_2="2YdTt+7bLlKJ2m493JtNLczRhjVzWN81QzkX9DfylgMLYj/bVpTNz/JLBkU9iWCDQA9xnOClMLQ=" http.response.header.x_amz_request_id=0Z7B4JP3XCJHZQGK http.response.header.etag="\"b98ce6367c26763c0e8ae848068bbd40\"" http.response.header.x_amz_checksum_sha256=G/CkrWHwJaZqyPgKbLvg/A2m6njmEb7jzzKKGnYLBVU= http.response.header.server=AmazonS3 2024-02-05T09:26:20.935+0100 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF" 2024-02-05T09:26:20.951+0100 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.34.0/linux_amd64/terraform-provider-aws_v5.34.0_x5 pid=7404 2024-02-05T09:26:20.951+0100 [DEBUG] provider: plugin exited

Panic Output

No response

Important Factoids

No response

References

PRs that supposedly fixed the behaviour #6396 #17412

Would you like to implement a fix?

None

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[Pavankumar66]

I'm also facing the similar issue with such an SCP policy. Do we have a timeline when the related fix will be implemented in Terraform ?

Note: In CloudFormation this is already being handled with the property PropagateTagsToVolumeOnCreation.

[nantiferov]

If you use provider version > v5.39 and tags are generic enough to put them to provider default_tags, it might fix issue with SCP tags enforcement.

However, keep in mind that if you change tags in default_tags, terraform will try to remove them 😞 , issue https://github.com/hashicorp/terraform-provider-aws/issues/38301

P.S. In general, I dig a little bit here and with tags defined in provider default_tags they're set for volume in RunInstances API call, but in generic case they're set properly, but after RunInstances succeeds, example:

# without tags in default_tags:
http.request.body=
  Action=RunInstances
  ...
  TagSpecification.1.ResourceType=instance
  TagSpecification.1.Tag.1.Key=foo
  TagSpecification.1.Tag.1.Value=bar

# with tags in provider default_tags
http.request.body=
  Action=RunInstances
  ...
  TagSpecification.1.ResourceType=instance
  TagSpecification.1.Tag.1.Key=foo
  TagSpecification.1.Tag.1.Value=bar
...
  TagSpecification.2.ResourceType=volume
  TagSpecification.2.Tag.1.Key=foo
  TagSpecification.2.Tag.1.Value=bar

[ETisREAL]

@nantiferov Thanks, will keep it in mind :) Much appreciate the feedback