hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0
9.83k stars 9.18k forks

[Bug]: unable to create cost and usage resource reports from a member account in an OU #36086

Open dhanakane opened 8 months ago

dhanakane commented 8 months ago

Terraform Core Version

1.5.0

AWS Provider Version

5.39.1

Affected Resource(s)

aws_cur_report_definition

Expected Behavior

Cost and usage report should be created

Actual Behavior

An error is thrown, stating the resource cannot be created

Relevant Error/Panic Output Snippet

aws_cur_report_definition.hourly_usage: Creating...
╷
│ Error: creating Cost And Usage Report Definition (foo-usage-report): ValidationException: 
│ 
│   with aws_cur_report_definition.hourly_usage,
│   on main.tf line 41, in resource "aws_cur_report_definition" "hourly_usage":
│   41: resource "aws_cur_report_definition" "hourly_usage" {
│ 
╵

Terraform Configuration Files

// Define report for AWS billing
resource "aws_cur_report_definition" "hourly_usage" {
  provider                   = aws.east
  report_name                = "${local.account_name}-usage-report"
  time_unit                  = "DAILY"
  format                     = "textORcsv"
  compression                = "GZIP"
  additional_schema_elements = ["RESOURCES"]
  s3_bucket                  = aws_s3_bucket.billing.id
  s3_region                  = local.region
  s3_prefix                  = local.s3_prefix
  additional_artifacts       = ["QUICKSIGHT"]
}

Steps to Reproduce

Run a terraform init, plan and apply

Debug Output

2024-03-05T10:40:42.941Z [ERROR] provider.terraform-provider-aws_v5.39.1_x5: Response contains error diagnostic: tf_req_id=f7082085-104b-b4b2-e9e4-f2e634e125e5 @caller=github.com/hashicorp/terraform-plugin-go@v0.22.0/tfprotov5/internal/diag/diagnostics.go:58 diagnostic_summary="creating Cost And Usage Report Definition (foo-usage-report): ValidationException: " tf_provider_addr=registry.terraform.io/hashicorp/aws diagnostic_severity=ERROR tf_proto_version=5.4 tf_resource_type=aws_cur_report_definition tf_rpc=ApplyResourceChange @module=sdk.proto diagnostic_detail= timestamp=2024-03-05T10:40:42.940Z
2024-03-05T10:40:42.942Z [DEBUG] State storage *remote.State declined to persist a state snapshot
2024-03-05T10:40:42.942Z [ERROR] vertex "aws_cur_report_definition.hourly_usage" error: creating Cost And Usage Report Definition (foo-usage-report): ValidationException:

│ Error: creating Cost And Usage Report Definition (foo-usage-report): ValidationException: 
│ 
│   with aws_cur_report_definition.hourly_usage,
│   on main.tf line 43, in resource "aws_cur_report_definition" "hourly_usage":
│   43: resource "aws_cur_report_definition" "hourly_usage" {
│ 
╵

Panic Output

No response

Important Factoids

I am not running this using the master account associated with the account that requires the report.

References

I've seen this issue, which looked similar, which led me to believe this was an account issue. However, in the latest version of the provider, there is no longer a statement saying this resource can only be used by the master account (looks like this was dropped from 5.0.1). Perhaps the documentation is not up to date?

For reference, creating a cost and usage report from the console using the same account running the Terraform works.

I am unable to test with the master account at present. I'm hoping this is a bug as it would be very useful to be able to run this report outside the master account.

Would you like to implement a fix?

None

justinretzolk commented 8 months ago

Hey @dhanakane 👋 Thank you for taking the time to raise this! It looks like your debug logging cuts off before some of the more relevant information. Are you able to supply a more complete output of the debug logs (redacted as needed)?

dhanakane commented 8 months ago

@justinretzolk thanks for taking a look. I'm happy to provide more output from the debug log if you can let me know how much you require. I've tried to supply logging from where the first error in the logs occurs. I can have a go at redacting and supplying more if you can give me some guidance on what could be useful.
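
An added example, not part of the original thread or of the provider's code: a small redactor for Terraform debug output of the kind requested above, masking SigV4 credentials, session tokens, account IDs, role names and local user names before a log is posted publicly. The rule set, function names and sample log lines are assumptions constructed for illustration; the second pass reports anything secret-shaped that survived, such as the tail of a signature that a terminal wrapped onto the next line.

```python
import re

# (pattern, replacement) pairs applied in order to every line. Field names are
# kept so the log stays useful to whoever triages the issue.
REDACTIONS = [
    # SigV4 Authorization header: the access key id leads the credential scope.
    (re.compile(r"(Credential=)[^/\s,]+(?=/\d{8}/)"), r"\1<redacted>"),
    (re.compile(r"(Signature=)[0-9a-fA-F]+"), r"\1<redacted>"),
    # Session token: raw header dump and the provider's key=value form.
    (re.compile(r"(x-amz-security-token:\s*)\S+", re.I), r"\1<redacted>"),
    (re.compile(r"(x_amz_security_token=)\S+", re.I), r"\1<redacted>"),
    # Account id inside any ARN, then the role and session names.
    (re.compile(r"(arn:aws[\w-]*:[\w-]*:[\w-]*:)\d{12}(?=:)"), r"\1<account-id>"),
    (re.compile(r"(:assumed-role/)[^/\s<\"]+/[^\s<\"]+"), r"\1<role>/<session>"),
    # STS GetCallerIdentity response body.
    (re.compile(r"(<Account>)\d{12}(</Account>)"), r"\1<account-id>\2"),
    (re.compile(r"(<UserId>)[^<]+(</UserId>)"), r"\1<redacted>\2"),
    # Local user name in home-directory paths.
    (re.compile(r"(/(?:Users|home)/)[^/\s\"]+"), r"\1<user>"),
]

# Shapes that should not remain after redaction. UUID request ids are not
# flagged because their hex segments are at most 12 characters long.
RESIDUAL_CHECKS = {
    "access-key-id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "account-id": re.compile(r"(?<!\d)\d{12}(?!\d)"),
    "hex-run": re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{16,}(?![0-9a-fA-F])"),
}


def redact_line(line):
    """Apply every redaction rule to one log line."""
    for pattern, replacement in REDACTIONS:
        line = pattern.sub(replacement, line)
    return line


def redact_log(text):
    """Redact a whole log, line by line, preserving line breaks."""
    return "\n".join(redact_line(line) for line in text.split("\n"))


def residual_findings(text):
    """Return (line_number, kind, fragment) for anything still secret-shaped."""
    findings = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        for kind, pattern in RESIDUAL_CHECKS.items():
            match = pattern.search(line)
            if match:
                findings.append((lineno, kind, match.group(0)))
    return findings


# Constructed sample input (no real credentials). The signature is split
# across two lines to mimic a terminal hard-wrapping a long log line.
SIG = "0123456789abcdef" * 4
SAMPLE_LOG = "\n".join([
    '2024-03-11T10:39:38.840Z [DEBUG] provider: HTTP Response Received: '
    'http.response.body="<GetCallerIdentityResponse>',
    "    <Arn>arn:aws:sts::123456789012:assumed-role/ExampleAdminRole/example.user</Arn>",
    "    <UserId>AROAEXAMPLEEXAMPLE000:example.user</UserId>",
    "    <Account>123456789012</Account>",
    "Authorization: AWS4-HMAC-SHA256 Credential=ASIAEXAMPLEEXAMPLE00/20240311/"
    "eu-west-2/dynamodb/aws4_request, SignedHeaders=host;x-amz-date, "
    "Signature=" + SIG[:40],
    SIG[40:],
    "X-Amz-Security-Token: ExampleSessionTokenValue//////////EXAMPLE=",
    "overriding region value, defined in /Users/example.user/.aws/config",
])

if __name__ == "__main__":
    cleaned = redact_log(SAMPLE_LOG)
    print(cleaned)
    # A non-empty list means the log needs a manual pass before it is shared.
    for lineno, kind, fragment in residual_findings(cleaned):
        print(f"line {lineno}: possible {kind} left behind: {fragment}")
```
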

dhanakane commented 8 months ago

@justinretzolk
Apologies if my terminal has messed up the formatting of the logs. I've tried as best I can to redact data and stitch the output back together:

Plan: 1 to add, 0 to change, 0 to destroy.
2024-03-11T10:39:33.176Z [DEBUG] command: asking for input: "\nDo you want to perform these actions?"

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

2024-03-11T10:39:38.293Z [INFO]  backend/local: apply calling Apply
2024-03-11T10:39:38.293Z [DEBUG] Building and walking apply graph for NormalMode plan
2024-03-11T10:39:38.294Z [DEBUG] Resource state not found for node "aws_cur_report_definition.hourly_usage", instance aws_cur_report_definition.hourly_usage
2024-03-11T10:39:38.294Z [DEBUG] ProviderTransformer: "aws_s3_bucket.billing (expand)" (*terraform.nodeExpandApplyableResource) needs provider["registry.terraform.io/hashicorp/aws"]
2024-03-11T10:39:38.294Z [DEBUG] ProviderTransformer: "data.aws_iam_policy_document.billing_bucket_access (expand)" (*terraform.nodeExpandApplyableResource) needs provider["registry.terraform.io/hashicorp/aws"]
2024-03-11T10:39:38.294Z [DEBUG] ProviderTransformer: "aws_cur_report_definition.hourly_usage" (*terraform.NodeApplyableResourceInstance) needs provider["registry.terraform.io/hashicorp/aws"].east
2024-03-11T10:39:38.294Z [DEBUG] ProviderTransformer: "aws_cur_report_definition.hourly_usage (expand)" (*terraform.nodeExpandApplyableResource) needs provider["registry.terraform.io/hashicorp/aws"].east
2024-03-11T10:39:38.294Z [DEBUG] ProviderTransformer: "aws_s3_bucket_policy.MyAWSResource (expand)" (*terraform.nodeExpandApplyableResource) needs provider["registry.terraform.io/hashicorp/aws"]
2024-03-11T10:39:38.294Z [DEBUG] ProviderTransformer: "aws_budgets_budget.ec2 (expand)" (*terraform.nodeExpandApplyableResource) needs provider["registry.terraform.io/hashicorp/aws"]
2024-03-11T10:39:38.294Z [DEBUG] ReferenceTransformer: "local.account_name (expand)" references: []
2024-03-11T10:39:38.295Z [DEBUG] ReferenceTransformer: "aws_cur_report_definition.hourly_usage" references: [local.region (expand) local.account_name (expand) aws_s3_bucket.billing (expand) local.s3_prefix (expand)]
2024-03-11T10:39:38.295Z [DEBUG] ReferenceTransformer: "provider[\"registry.terraform.io/hashicorp/aws\"].east" references: []
2024-03-11T10:39:38.295Z [DEBUG] ReferenceTransformer: "provider[\"registry.terraform.io/hashicorp/aws\"]" references: []
2024-03-11T10:39:38.295Z [DEBUG] ReferenceTransformer: "aws_budgets_budget.ec2 (expand)" references: []
2024-03-11T10:39:38.295Z [DEBUG] ReferenceTransformer: "aws_s3_bucket.billing (expand)" references: []
2024-03-11T10:39:38.295Z [DEBUG] ReferenceTransformer: "data.aws_iam_policy_document.billing_bucket_access (expand)" references: []
2024-03-11T10:39:38.295Z [DEBUG] ReferenceTransformer: "local.region (expand)" references: []
2024-03-11T10:39:38.295Z [DEBUG] ReferenceTransformer: "aws_cur_report_definition.hourly_usage (expand)" references: []
2024-03-11T10:39:38.295Z [DEBUG] ReferenceTransformer: "aws_s3_bucket_policy.MyAWSResource (expand)" references: []
2024-03-11T10:39:38.295Z [DEBUG] ReferenceTransformer: "local.s3_prefix (expand)" references: []
2024-03-11T10:39:38.295Z [DEBUG] pruneUnusedNodes: aws_s3_bucket_policy.MyAWSResource (expand) is no longer needed, removing
2024-03-11T10:39:38.295Z [DEBUG] pruneUnusedNodes: aws_budgets_budget.ec2 (expand) is no longer needed, removing
2024-03-11T10:39:38.295Z [DEBUG] pruneUnusedNodes: data.aws_iam_policy_document.billing_bucket_access (expand) is no longer needed, removing
2024-03-11T10:39:38.296Z [DEBUG] Starting graph walk: walkApply
2024-03-11T10:39:38.297Z [DEBUG] created provider logger: level=debug
2024-03-11T10:39:38.297Z [INFO]  provider: configuring client automatic mTLS
2024-03-11T10:39:38.303Z [DEBUG] provider: starting plugin: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.39.1/darwin_arm64/terraform-provider-aws_v5.39.1_x5 args=[.terraform/providers/registry.terraform.io/hashicorp/aws/5.39.1/darwin_arm64/terraform-provider-aws_v5.39.1_x5]
2024-03-11T10:39:38.327Z [DEBUG] provider: plugin started: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.39.1/darwin_arm64/terraform-provider-aws_v5.39.1_x5 pid=70561
2024-03-11T10:39:38.327Z [DEBUG] provider: waiting for RPC address: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.39.1/darwin_arm64/terraform-provider-aws_v5.39.1_x5
2024-03-11T10:39:38.405Z [INFO]  provider.terraform-provider-aws_v5.39.1_x5: configuring server automatic mTLS: timestamp=2024-03-11T10:39:38.404Z
2024-03-11T10:39:38.409Z [DEBUG] provider.terraform-provider-aws_v5.39.1_x5: plugin address: address=/var/folders/9g/sswnzkcj3pz2h7x5ygt6w_8m0000gn/T/plugin4123692624 network=unix timestamp=2024-03-11T10:39:38.409Z
2024-03-11T10:39:38.409Z [DEBUG] provider: using plugin: version=5
2024-03-11T10:39:38.413Z [DEBUG] created provider logger: level=debug
2024-03-11T10:39:38.413Z [INFO]  provider: configuring client automatic mTLS
2024-03-11T10:39:38.415Z [DEBUG] provider: starting plugin: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.39.1/darwin_arm64/terraform-provider-aws_v5.39.1_x5 args=[.terraform/providers/registry.terraform.io/hashicorp/aws/5.39.1/darwin_arm64/terraform-provider-aws_v5.39.1_x5]
2024-03-11T10:39:38.417Z [DEBUG] provider: plugin started: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.39.1/darwin_arm64/terraform-provider-aws_v5.39.1_x5 pid=70562
2024-03-11T10:39:38.417Z [DEBUG] provider: waiting for RPC address: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.39.1/darwin_arm64/terraform-provider-aws_v5.39.1_x5
2024-03-11T10:39:38.481Z [INFO]  provider.terraform-provider-aws_v5.39.1_x5: configuring server automatic mTLS: timestamp=2024-03-11T10:39:38.481Z
2024-03-11T10:39:38.486Z [DEBUG] provider: using plugin: version=5
2024-03-11T10:39:38.486Z [DEBUG] provider.terraform-provider-aws_v5.39.1_x5: plugin address: address=/var/folders/9g/sswnzkcj3pz2h7x5ygt6w_8m0000gn/T/plugin2651312650 network=unix timestamp=2024-03-11T10:39:38.486Z
2024-03-11T10:39:38.695Z [DEBUG] provider.terraform-provider-aws_v5.39.1_x5: Configuring Terraform AWS Provider: @caller=github.com/hashicorp/terraform-provider-aws/internal/conns/config.go:134 tf_mux_provider=*schema.GRPCProviderServer tf_provider_addr=registry.terraform.io/hashicorp/aws @module=aws tf_req_id=d73641c7-ca2c-b0ac-d31c-34328321326a tf_rpc=ConfigureProvider timestamp=2024-03-11T10:39:38.695Z
2024-03-11T10:39:38.695Z [DEBUG] provider.terraform-provider-aws_v5.39.1_x5: Resolving credentials provider: @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.48/logging/tf_logger.go:47 tf_mux_provider=*schema.GRPCProviderServer tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=d73641c7-ca2c-b0ac-d31c-34328321326a tf_rpc=ConfigureProvider @module=aws.aws-base timestamp=2024-03-11T10:39:38.695Z
2024-03-11T10:39:38.695Z [DEBUG] provider.terraform-provider-aws_v5.39.1_x5: Using profile: @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.48/logging/tf_logger.go:47 tf_aws.profile=foo-account tf_aws.profile.source=envvar tf_provider_addr=registry.terraform.io/hashicorp/aws @module=aws.aws-base tf_mux_provider=*schema.GRPCProviderServer tf_req_id=d73641c7-ca2c-b0ac-d31c-34328321326a tf_rpc=ConfigureProvider timestamp=2024-03-11T10:39:38.695Z
2024-03-11T10:39:38.695Z [DEBUG] provider.terraform-provider-aws_v5.39.1_x5: Loading configuration: @module=aws.aws-base tf_rpc=ConfigureProvider tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=d73641c7-ca2c-b0ac-d31c-34328321326a @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.48/logging/tf_logger.go:47 tf_mux_provider=*schema.GRPCProviderServer timestamp=2024-03-11T10:39:38.695Z
2024-03-11T10:39:38.696Z [DEBUG] provider.terraform-provider-aws_v5.39.1_x5: [DEBUG] missing_context: For profile: foo-account, overriding region value, defined in /Users/foo-user/.aws/config with a region value found in a duplicate profile defined at file /Users/foo-user/.aws/credentials. 
2024-03-11T10:39:38.696Z [DEBUG] provider.terraform-provider-aws_v5.39.1_x5:  tf_aws.sdk=aws-sdk-go-v2
2024-03-11T10:39:38.696Z [DEBUG] provider.terraform-provider-aws_v5.39.1_x5: Retrieving credentials: @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.48/logging/tf_logger.go:47 @module=aws.aws-base tf_provider_addr=registry.terraform.io/hashicorp/aws tf_mux_provider=*schema.GRPCProviderServer tf_req_id=d73641c7-ca2c-b0ac-d31c-34328321326a tf_rpc=ConfigureProvider timestamp=2024-03-11T10:39:38.696Z
2024-03-11T10:39:38.696Z [INFO]  provider.terraform-provider-aws_v5.39.1_x5: Retrieved credentials: tf_mux_provider=*schema.GRPCProviderServer tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=d73641c7-ca2c-b0ac-d31c-34328321326a @module=aws.aws-base tf_aws.credentials_source="SharedConfigCredentials: /Users/foo-user/.aws/credentials" tf_rpc=ConfigureProvider @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.48/logging/tf_logger.go:39 timestamp=2024-03-11T10:39:38.696Z
2024-03-11T10:39:38.696Z [DEBUG] provider.terraform-provider-aws_v5.39.1_x5: Loading configuration: tf_mux_provider=*schema.GRPCProviderServer tf_provider_addr=registry.terraform.io/hashicorp/aws @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.48/logging/tf_logger.go:47 @module=aws.aws-base tf_req_id=d73641c7-ca2c-b0ac-d31c-34328321326a tf_rpc=ConfigureProvider timestamp=2024-03-11T10:39:38.696Z
2024-03-11T10:39:38.697Z [DEBUG] provider.terraform-provider-aws_v5.39.1_x5: [DEBUG] missing_context: For profile: foo-account, overriding region value, defined in /Users/foo-user/.aws/config with a region value found in a duplicate profile defined at file /Users/foo-user/.aws/credentials. 
2024-03-11T10:39:38.697Z [DEBUG] provider.terraform-provider-aws_v5.39.1_x5:  tf_aws.sdk=aws-sdk-go-v2
2024-03-11T10:39:38.697Z [DEBUG] provider.terraform-provider-aws_v5.39.1_x5: Creating AWS SDK v1 session: @module=aws tf_mux_provider=*schema.GRPCProviderServer tf_req_id=d73641c7-ca2c-b0ac-d31c-34328321326a tf_rpc=ConfigureProvider @caller=github.com/hashicorp/terraform-provider-aws/internal/conns/config.go:158 tf_provider_addr=registry.terraform.io/hashicorp/aws timestamp=2024-03-11T10:39:38.697Z
2024-03-11T10:39:38.698Z [DEBUG] provider.terraform-provider-aws_v5.39.1_x5: Retrieving AWS account details: tf_mux_provider=*schema.GRPCProviderServer tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=d73641c7-ca2c-b0ac-d31c-34328321326a tf_rpc=ConfigureProvider @caller=github.com/hashicorp/terraform-provider-aws/internal/conns/config.go:173 @module=aws timestamp=2024-03-11T10:39:38.697Z
2024-03-11T10:39:38.698Z [DEBUG] provider.terraform-provider-aws_v5.39.1_x5: Retrieving caller identity from STS: @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.48/logging/tf_logger.go:47 @module=aws.aws-base tf_req_id=d73641c7-ca2c-b0ac-d31c-34328321326a tf_rpc=ConfigureProvider tf_mux_provider=*schema.GRPCProviderServer tf_provider_addr=registry.terraform.io/hashicorp/aws timestamp=2024-03-11T10:39:38.698Z
2024-03-11T10:39:38.698Z [DEBUG] provider.terraform-provider-aws_v5.39.1_x5: HTTP Request Sent: aws.region=us-east-1 http.request.header.authorization="AWS4-HMAC-SHA256 Credential=<redacted>/20240311/us-east-1/sts/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date;x-amz-security-token, Signature=*****" net.peer.name=sts.us-east-1.amazonaws.com http.request.header.x_amz_date=20240311T103938Z rpc.method=GetCallerIdentity rpc.system=aws-api @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.48/logging/tf_logger.go:47 http.request.body="Action=GetCallerIdentity&Version=2011-06-15 " http.url=https://sts.us-east-1.amazonaws.com/ tf_aws.sdk=aws-sdk-go-v2 http.request.header.amz_sdk_invocation_id=7fbcdd5b-19a9-4e52-933e-5dc492136b22 tf_provider_addr=registry.terraform.io/hashicorp/aws @module=aws.aws-base http.request.header.content_type=application/x-www-form-urlencoded http.user_agent="APN/1.0 HashiCorp/1.0 Terraform/1.5.0 (+https://www.terraform.io) terraform-provider-aws/5.39.1 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go-v2/1.25.2 os/macos lang/go#1.21.7 md/GOOS#darwin md/GOARCH#arm64 api/sts#1.28.1" tf_rpc=ConfigureProvider http.method=POST rpc.service=STS tf_aws.signing_region= http.request.header.amz_sdk_request="attempt=1; max=25" http.request_content_length=43 http.request.header.x_amz_security_token=***** tf_mux_provider=*schema.GRPCProviderServer tf_req_id=d73641c7-ca2c-b0ac-d31c-34328321326a timestamp=2024-03-11T10:39:38.698Z
2024-03-11T10:39:38.764Z [DEBUG] provider.terraform-provider-aws_v5.39.1_x5: Configuring Terraform AWS Provider: @caller=github.com/hashicorp/terraform-provider-aws/internal/conns/config.go:134 tf_mux_provider=*schema.GRPCProviderServer @module=aws tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=e3adf295-4880-a955-9d41-79745f437eb7 tf_rpc=ConfigureProvider timestamp=2024-03-11T10:39:38.764Z
2024-03-11T10:39:38.764Z [DEBUG] provider.terraform-provider-aws_v5.39.1_x5: Resolving credentials provider: tf_mux_provider=*schema.GRPCProviderServer tf_provider_addr=registry.terraform.io/hashicorp/aws tf_rpc=ConfigureProvider @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.48/logging/tf_logger.go:47 tf_req_id=e3adf295-4880-a955-9d41-79745f437eb7 @module=aws.aws-base timestamp=2024-03-11T10:39:38.764Z
2024-03-11T10:39:38.764Z [DEBUG] provider.terraform-provider-aws_v5.39.1_x5: Using profile: tf_aws.profile.source=envvar tf_mux_provider=*schema.GRPCProviderServer tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=e3adf295-4880-a955-9d41-79745f437eb7 tf_rpc=ConfigureProvider @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.48/logging/tf_logger.go:47 @module=aws.aws-base tf_aws.profile=foo-account timestamp=2024-03-11T10:39:38.764Z
2024-03-11T10:39:38.764Z [DEBUG] provider.terraform-provider-aws_v5.39.1_x5: Loading configuration: @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.48/logging/tf_logger.go:47 @module=aws.aws-base tf_req_id=e3adf295-4880-a955-9d41-79745f437eb7 tf_rpc=ConfigureProvider tf_mux_provider=*schema.GRPCProviderServer tf_provider_addr=registry.terraform.io/hashicorp/aws timestamp=2024-03-11T10:39:38.764Z
2024-03-11T10:39:38.765Z [DEBUG] provider.terraform-provider-aws_v5.39.1_x5: [DEBUG] missing_context: For profile: foo-account, overriding region value, defined in /Users/foo-user/.aws/config with a region value found in a duplicate profile defined at file /Users/foo-user/.aws/credentials. 
2024-03-11T10:39:38.765Z [DEBUG] provider.terraform-provider-aws_v5.39.1_x5:  tf_aws.sdk=aws-sdk-go-v2
2024-03-11T10:39:38.765Z [DEBUG] provider.terraform-provider-aws_v5.39.1_x5: Retrieving credentials: @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.48/logging/tf_logger.go:47 tf_mux_provider=*schema.GRPCProviderServer tf_req_id=e3adf295-4880-a955-9d41-79745f437eb7 @module=aws.aws-base tf_provider_addr=registry.terraform.io/hashicorp/aws tf_rpc=ConfigureProvider timestamp=2024-03-11T10:39:38.765Z
2024-03-11T10:39:38.765Z [INFO]  provider.terraform-provider-aws_v5.39.1_x5: Retrieved credentials: tf_rpc=ConfigureProvider @module=aws.aws-base tf_aws.credentials_source="SharedConfigCredentials: /Users/foo-user/.aws/credentials" tf_mux_provider=*schema.GRPCProviderServer tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=e3adf295-4880-a955-9d41-79745f437eb7 @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.48/logging/tf_logger.go:39 timestamp=2024-03-11T10:39:38.765Z
2024-03-11T10:39:38.765Z [DEBUG] provider.terraform-provider-aws_v5.39.1_x5: Loading configuration: tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=e3adf295-4880-a955-9d41-79745f437eb7 tf_rpc=ConfigureProvider @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.48/logging/tf_logger.go:47 @module=aws.aws-base tf_mux_provider=*schema.GRPCProviderServer timestamp=2024-03-11T10:39:38.765Z
2024-03-11T10:39:38.765Z [DEBUG] provider.terraform-provider-aws_v5.39.1_x5: [DEBUG] missing_context: For profile: foo-account, overriding region value, defined in /Users/foo-user/.aws/config with a region value found in a duplicate profile defined at file /Users/foo-user/.aws/credentials. 
2024-03-11T10:39:38.765Z [DEBUG] provider.terraform-provider-aws_v5.39.1_x5:  tf_aws.sdk=aws-sdk-go-v2
2024-03-11T10:39:38.765Z [DEBUG] provider.terraform-provider-aws_v5.39.1_x5: Creating AWS SDK v1 session: @module=aws tf_req_id=e3adf295-4880-a955-9d41-79745f437eb7 tf_rpc=ConfigureProvider @caller=github.com/hashicorp/terraform-provider-aws/internal/conns/config.go:158 tf_mux_provider=*schema.GRPCProviderServer tf_provider_addr=registry.terraform.io/hashicorp/aws timestamp=2024-03-11T10:39:38.765Z
2024-03-11T10:39:38.766Z [DEBUG] provider.terraform-provider-aws_v5.39.1_x5: Retrieving AWS account details: tf_rpc=ConfigureProvider tf_provider_addr=registry.terraform.io/hashicorp/aws tf_mux_provider=*schema.GRPCProviderServer tf_req_id=e3adf295-4880-a955-9d41-79745f437eb7 @caller=github.com/hashicorp/terraform-provider-aws/internal/conns/config.go:173 @module=aws timestamp=2024-03-11T10:39:38.766Z
2024-03-11T10:39:38.766Z [DEBUG] provider.terraform-provider-aws_v5.39.1_x5: Retrieving caller identity from STS: tf_provider_addr=registry.terraform.io/hashicorp/aws tf_rpc=ConfigureProvider @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.48/logging/tf_logger.go:47 @module=aws.aws-base tf_mux_provider=*schema.GRPCProviderServer tf_req_id=e3adf295-4880-a955-9d41-79745f437eb7 timestamp=2024-03-11T10:39:38.766Z
2024-03-11T10:39:38.766Z [DEBUG] provider.terraform-provider-aws_v5.39.1_x5: HTTP Request Sent: http.request.body="Action=GetCallerIdentity&Version=2011-06-15
" tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=e3adf295-4880-a955-9d41-79745f437eb7 http.request.header.authorization="AWS4-HMAC-SHA256 Credential=<redacted>/20240311/eu-west-2/sts/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date;x-amz-security-token, Signature=*****" http.request.header.x_amz_security_token=***** http.user_agent="APN/1.0 HashiCorp/1.0 Terraform/1.5.0 (+https://www.terraform.io) terraform-provider-aws/5.39.1 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go-v2/1.25.2 os/macos lang/go#1.21.7 md/GOOS#darwin md/GOARCH#arm64 api/sts#1.28.1" net.peer.name=sts.eu-west-2.amazonaws.com rpc.service=STS http.url=https://sts.eu-west-2.amazonaws.com/ rpc.method=GetCallerIdentity tf_aws.sdk=aws-sdk-go-v2 http.request.header.amz_sdk_request="attempt=1; max=25" http.request.header.x_amz_date=20240311T103938Z rpc.system=aws-api aws.region=eu-west-2 http.method=POST tf_rpc=ConfigureProvider @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.48/logging/tf_logger.go:47 tf_mux_provider=*schema.GRPCProviderServer http.request.header.content_type=application/x-www-form-urlencoded http.request_content_length=43 tf_aws.signing_region= @module=aws.aws-base http.request.header.amz_sdk_invocation_id=0cb58c93-1171-48b9-918e-9cb07d28114b timestamp=2024-03-11T10:39:38.766Z
2024-03-11T10:39:38.840Z [DEBUG] provider.terraform-provider-aws_v5.39.1_x5: HTTP Response Received: rpc.method=GetCallerIdentity tf_aws.signing_region= tf_mux_provider=*schema.GRPCProviderServer @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.48/logging/tf_logger.go:47 http.response.header.content_type=text/xml http.status_code=200 rpc.service=STS rpc.system=aws-api tf_aws.sdk=aws-sdk-go-v2 tf_provider_addr=registry.terraform.io/hashicorp/aws @module=aws.aws-base aws.region=eu-west-2 http.duration=74 http.response.header.date="Mon, 11 Mar 2024 10:39:38 GMT" tf_req_id=e3adf295-4880-a955-9d41-79745f437eb7 http.response_content_length=446 tf_rpc=ConfigureProvider http.response.body="<GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <GetCallerIdentityResult>
    <Arn>arn:aws:sts::<account-number-redacted>:assumed-role/<redacted-role-name>/<redacted></Arn>
    <UserId><redacted>:<redacted></UserId>
    <Account><account-number-redacted></Account>
  </GetCallerIdentityResult>
  <ResponseMetadata>
    <RequestId>2112d43c-8e1f-48eb-8356-e49cf15bb680</RequestId>
  </ResponseMetadata>
</GetCallerIdentityResponse>
" http.response.header.x_amzn_requestid=2112d43c-8e1f-48eb-8356-e49cf15bb680 timestamp=2024-03-11T10:39:38.840Z
2024-03-11T10:39:38.840Z [INFO]  provider.terraform-provider-aws_v5.39.1_x5: Retrieved caller identity from STS: tf_mux_provider=*schema.GRPCProviderServer tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=e3adf295-4880-a955-9d41-79745f437eb7 tf_rpc=ConfigureProvider @module=aws.aws-base @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.48/logging/tf_logger.go:39 timestamp=2024-03-11T10:39:38.840Z
2024-03-11T10:39:38.842Z [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2024-03-11T10:39:38.845Z [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.39.1/darwin_arm64/terraform-provider-aws_v5.39.1_x5 pid=70562
2024-03-11T10:39:38.845Z [DEBUG] provider: plugin exited
2024-03-11T10:39:39.246Z [DEBUG] provider.terraform-provider-aws_v5.39.1_x5: HTTP Response Received: http.response.header.content_type=text/xml http.response_content_length=446 rpc.method=GetCallerIdentity http.duration=547 http.response.body="<GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <GetCallerIdentityResult>
    <Arn>arn:aws:sts::<account-number-redacted>:assumed-role/<redacted-role-name>/<redacted></Arn>
    <UserId><redacted>:<redacted></UserId>
    <Account><account-number-redacted></Account>
  </GetCallerIdentityResult>
  <ResponseMetadata>
    <RequestId>977bc793-90ab-41be-a63b-9196fa6e7ff4</RequestId>
  </ResponseMetadata>
</GetCallerIdentityResponse>
" rpc.service=STS tf_aws.sdk=aws-sdk-go-v2 tf_rpc=ConfigureProvider @module=aws.aws-base aws.region=us-east-1 http.response.header.x_amzn_requestid=977bc793-90ab-41be-a63b-9196fa6e7ff4 http.status_code=200 tf_aws.signing_region= tf_mux_provider=*schema.GRPCProviderServer @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.48/logging/tf_logger.go:47 tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=d73641c7-ca2c-b0ac-d31c-34328321326a http.response.header.date="Mon, 11 Mar 2024 10:39:38 GMT" rpc.system=aws-api timestamp=2024-03-11T10:39:39.246Z
2024-03-11T10:39:39.246Z [INFO]  provider.terraform-provider-aws_v5.39.1_x5: Retrieved caller identity from STS: tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=d73641c7-ca2c-b0ac-d31c-34328321326a tf_rpc=ConfigureProvider @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.48/logging/tf_logger.go:39 @module=aws.aws-base tf_mux_provider=*schema.GRPCProviderServer timestamp=2024-03-11T10:39:39.246Z
2024-03-11T10:39:39.253Z [WARN]  Provider "registry.terraform.io/hashicorp/aws" produced an invalid plan for aws_cur_report_definition.hourly_usage, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .report_versioning: planned value cty.StringVal("CREATE_NEW_REPORT") for a non-computed attribute
      - .refresh_closed_reports: planned value cty.True for a non-computed attribute
aws_cur_report_definition.hourly_usage: Creating...
2024-03-11T10:39:39.253Z [INFO]  Starting apply for aws_cur_report_definition.hourly_usage
2024-03-11T10:39:39.253Z [DEBUG] aws_cur_report_definition.hourly_usage: applying the planned Create change
2024-03-11T10:39:39.256Z [DEBUG] provider.terraform-provider-aws_v5.39.1_x5: HTTP Request Sent: rpc.method=PutReportDefinition rpc.service="Cost and Usage Report Service" tf_resource_type=aws_cur_report_definition aws.region=us-east-1 http.request.body="{"ReportDefinition":{"AdditionalArtifacts":["QUICKSIGHT"],"AdditionalSchemaElements":["RESOURCES"],"Compression":"GZIP","Format":"textORcsv","RefreshClosedReports":true,"ReportName":"foo-usage-report","ReportVersioning":"CREATE_NEW_REPORT","S3Bucket":"<redacted-S3-bucket-name","S3Prefix":"billing/","S3Region":"eu-west-2","TimeUnit":"DAILY"}}
" http.request.header.x_amz_target=AWSOrigamiServiceGatewayService.PutReportDefinition http.request_content_length=348 net.peer.name=cur.us-east-1.amazonaws.com rpc.system=aws-api tf_mux_provider=*schema.GRPCProviderServer @caller=github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2@v2.0.0-beta.49/logger.go:109 tf_req_id=eaf8985f-19e6-0753-4412-8bbee0b7762f http.request.header.x_amz_security_token=***** http.user_agent="APN/1.0 HashiCorp/1.0 Terraform/1.5.0 (+https://www.terraform.io) terraform-provider-aws/5.39.1 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.50.29 (go1.21.7; darwin; arm64)" tf_provider_addr=registry.terraform.io/hashicorp/aws http.flavor=1.1 http.url=https://cur.us-east-1.amazonaws.com/ tf_rpc=ApplyResourceChange @module=aws http.request.header.x_amz_date=20240311T103939Z http.request.header.authorization="AWS4-HMAC-SHA256 Credential=<redacted>/20240311/us-east-1/cur/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date;x-amz-security-token;x-amz-target, Signature=*****" tf_aws.sdk=aws-sdk-go http.method=POST http.request.header.content_type=application/x-amz-json-1.1 timestamp=2024-03-11T10:39:39.256Z
2024-03-11T10:39:40.822Z [DEBUG] provider.terraform-provider-aws_v5.39.1_x5: HTTP Response Received: rpc.method=PutReportDefinition rpc.service="Cost and Usage Report Service" tf_req_id=eaf8985f-19e6-0753-4412-8bbee0b7762f tf_rpc=ApplyResourceChange aws.region=us-east-1 http.duration=1566 http.response.header.x_amzn_requestid=860f834b-9d61-42b0-adaa-b25226d48a1d http.status_code=400 tf_resource_type=aws_cur_report_definition @caller=github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2@v2.0.0-beta.49/logger.go:157 @module=aws http.response.body="{"__type":"ValidationException"}
" tf_provider_addr=registry.terraform.io/hashicorp/aws rpc.system=aws-api tf_aws.sdk=aws-sdk-go tf_mux_provider=*schema.GRPCProviderServer http.response.header.content_type=application/x-amz-json-1.1 http.response.header.date="Mon, 11 Mar 2024 10:39:40 GMT" http.response_content_length=32 timestamp=2024-03-11T10:39:40.822Z
2024-03-11T10:39:40.822Z [ERROR] provider.terraform-provider-aws_v5.39.1_x5: Response contains error diagnostic: tf_req_id=eaf8985f-19e6-0753-4412-8bbee0b7762f tf_resource_type=aws_cur_report_definition tf_rpc=ApplyResourceChange @module=sdk.proto diagnostic_summary="creating Cost And Usage Report Definition (foo-usage-report): ValidationException: " tf_proto_version=5.4 tf_provider_addr=registry.terraform.io/hashicorp/aws @caller=github.com/hashicorp/terraform-plugin-go@v0.22.0/tfprotov5/internal/diag/diagnostics.go:58 diagnostic_detail= diagnostic_severity=ERROR timestamp=2024-03-11T10:39:40.822Z
2024-03-11T10:39:40.822Z [DEBUG] State storage *remote.State declined to persist a state snapshot
2024-03-11T10:39:40.822Z [ERROR] vertex "aws_cur_report_definition.hourly_usage" error: creating Cost And Usage Report Definition (foo-usage-report): ValidationException:
2024-03-11T10:39:40.822Z [DEBUG] states/remote: state read serial is: 3; serial is: 3
2024-03-11T10:39:40.822Z [DEBUG] states/remote: state read lineage is: d913f43a-2aaf-3c77-4c8c-e286e2788cf8; lineage is: d913f43a-2aaf-3c77-4c8c-e286e2788cf8
╷
│ Error: creating Cost And Usage Report Definition (foo-usage-report): ValidationException: 
│ 
│   with aws_cur_report_definition.hourly_usage,
│   on main.tf line 43, in resource "aws_cur_report_definition" "hourly_usage":
│   43: resource "aws_cur_report_definition" "hourly_usage" {
│ 
╵
2024-03-11T10:39:40.824Z [DEBUG] [aws-sdk-go] DEBUG: Request dynamodb/GetItem Details:
---[ REQUEST POST-SIGN ]-----------------------------
POST / HTTP/1.1
Host: dynamodb.eu-west-2.amazonaws.com
User-Agent: APN/1.0 HashiCorp/1.0 Terraform/1.5.0 aws-sdk-go/1.44.122 (go1.20; darwin; arm64)
Content-Length: 160
Accept-Encoding: identity
Authorization: AWS4-HMAC-SHA256 Credential=<redacted>/20240311/eu-west-2/dynamodb/aws4_request, SignedHeaders=accept-encoding;content-length;content-type;host;x-amz-date;x-amz-security-token;x-amz-target, Signature=f2ffca33e9d4749a04e690685bf0722d8e6554
472e349b9e1d6dec07e17b53ca
Content-Type: application/x-amz-json-1.0
X-Amz-Date: 20240311T103940Z
X-Amz-Security-Token: <redacted>
X-Amz-Target: DynamoDB_20120810.GetItem

{"ConsistentRead":true,"Key":{"LockID":{"S":"<redacted-prefix>/terraform.tfstate"}},"ProjectionExpression":"LockID, Info","TableName":"<redacted-table-name>"}
-----------------------------------------------------
2024-03-11T10:39:40.919Z [DEBUG] [aws-sdk-go] DEBUG: Response dynamodb/GetItem Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 200 OK
Connection: close
Content-Length: 331
Content-Type: application/x-amz-json-1.0
Date: Mon, 11 Mar 2024 10:39:40 GMT
Server: Server
X-Amz-Crc32: 3371568331
X-Amzn-Requestid: 7VU4TVM9MF48G0R77VT5U2LOAFVV4KQNSO5AEMVJF66Q9ASUAAJG

-----------------------------------------------------
2024-03-11T10:39:40.919Z [DEBUG] [aws-sdk-go] {"Item":{"LockID":{"S":"<redacted-statefilename>.tfstate"},"Info":{"S":"{\"ID\":\"05d8a99e-7d83-2986-4878-4147b295c44d\",\"Operation\":\"OperationTypeApply\",\"Info\":\"\",\"Who\":\"foo-user@L67P416KMX\",\"Versio
n\":\"1.5.0\",\"Created\":\"2024-03-11T10:39:25.616175Z\",\"Path\":\"<redacted-statefilename>"}"}}}
2024-03-11T10:39:40.919Z [DEBUG] [aws-sdk-go] DEBUG: Request dynamodb/DeleteItem Details:
---[ REQUEST POST-SIGN ]-----------------------------
POST / HTTP/1.1
Host: dynamodb.eu-west-2.amazonaws.com
User-Agent: APN/1.0 HashiCorp/1.0 Terraform/1.5.0 aws-sdk-go/1.44.122 (go1.20; darwin; arm64)
Content-Length: 100
Accept-Encoding: identity
Authorization: AWS4-HMAC-SHA256 Credential=<redacted>/20240311/eu-west-2/dynamodb/aws4_request, SignedHeaders=accept-encoding;content-length;content-type;host;x-amz-date;x-amz-security-token;x-amz-target, Signature=3b2b2612653a6a88e203b5c062715f1a3707fc
1f36fe3ca6f917c8a9bdb0670b
Content-Type: application/x-amz-json-1.0
X-Amz-Date: 20240311T103940Z
X-Amz-Security-Token: <redacted>
X-Amz-Target: DynamoDB_20120810.DeleteItem

{"Key":{"LockID":{"S":"<redacted-statefilename>.tfstate"}},"TableName":"<redacted-table-name>"}
-----------------------------------------------------
2024-03-11T10:39:40.974Z [DEBUG] [aws-sdk-go] DEBUG: Response dynamodb/DeleteItem Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 200 OK
Connection: close
Content-Length: 2
Content-Type: application/x-amz-json-1.0
Date: Mon, 11 Mar 2024 10:39:40 GMT
Server: Server
X-Amz-Crc32: 2745614147
X-Amzn-Requestid: NN2D6MK7M9UCGQ9OG4NBUQI76JVV4KQNSO5AEMVJF66Q9ASUAAJG

-----------------------------------------------------
2024-03-11T10:39:40.974Z [DEBUG] [aws-sdk-go] {}
2024-03-11T10:39:40.975Z [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2024-03-11T10:39:40.983Z [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.39.1/darwin_arm64/terraform-provider-aws_v5.39.1_x5 pid=70561
2024-03-11T10:39:40.983Z [DEBUG] provider: plugin exited
justinretzolk commented 8 months ago

Thanks for the update @dhanakane. That looks like it'll be much more helpful for whoever picks this one up once it gets prioritized 🙂

itsmesuniljacob commented 6 months ago

Hi @justinretzolk, any update on this? I am also facing the same issue. Is this resolved?

SimenAsphaug commented 6 months ago

Facing the same issue here as well.

resource "aws_cur_report_definition" "report_definition" {
  report_name                = "CUR-Report"
  time_unit                  = "DAILY"
  format                     = "Parquet"
  compression                = "Parquet"
  additional_schema_elements = ["RESOURCES"]
  s3_prefix                  = "cur/${data.aws_caller_identity.current.account_id}"
  s3_bucket                  = aws_s3_bucket.test.arn
  report_versioning          = "OVERWRITE_REPORT"
  s3_region                  = var.aws_region
  additional_artifacts       = ["ATHENA"]
  provider                   = aws.us-east-1
}
Error: creating Cost And Usage Report Definition (CUR-Report): operation error Cost and Usage Report Service: PutReportDefinition, https response error StatusCode: 400, RequestID: XXXXXXXXXXXXX, ValidationException: 

   with module.metrics-and-alarms.aws_cur_report_definition.report_definition,
   on ../cur.tf line 1, in resource "aws_cur_report_definition" "report_definition":
    1: resource "aws_cur_report_definition" "report_definition" {
tammyisaninja commented 4 months ago

What is your s3 bucket policy for the bucket that was applied? Initially I was hitting this error but when I manually created from the console, they applied this bucket policy on my s3 bucket, then when I tried again it worked.

Try adding this s3 bucket policy and replacing the bucket name and account id accordingly.

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AWSBillingReportsGetBucket",
            "Effect": "Allow",
            "Principal": {
                "Service": "billingreports.amazonaws.com"
            },
            "Action": [
                "s3:GetBucketAcl",
                "s3:GetBucketPolicy"
            ],
            "Resource": "arn:aws:s3:::<bucket-name>",
            "Condition": {
                "StringEquals": {
                    "aws:SourceArn": "arn:aws:cur:us-east-1:<account-id>:definition/*",
                    "aws:SourceAccount": "<account-id>"
                }
            }
        },
        {
            "Sid": "AWSBillingReportsDeliveryWrite",
            "Effect": "Allow",
            "Principal": {
                "Service": "billingreports.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::<bucket-name>/*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceArn": "arn:aws:cur:us-east-1:<account-id>:definition/*",
                    "aws:SourceAccount": "<account-id>"
                }
            }
        }
    ]
}
atsushi-matsui commented 2 months ago

I encountered a similar error, but the error was resolved by setting a usage reporting policy for S3 as pointed out here.

Setting up an Amazon S3 bucket for Cost and Usage Reports

hans-zand commented 1 month ago

The bug is there; however, it comes from the region in the configuration. You should note that billing is a global service and needs to be defined under us-east-1, so you can simply change the region to a static value and the issue will be solved.
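
The bucket policy posted by tammyisaninja and the us-east-1 point raised by hans-zand, combined into one Terraform configuration. This is an added example, not code from the thread or from the provider. It assumes the `aws_s3_bucket.billing` bucket and the `aws.east` provider alias from the issue's configuration, with that alias set to us-east-1; the report name and prefix are placeholders.

```hcl
# Added example: report name and prefix are placeholders.
data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "cur_delivery" {
  dynamic "statement" {
    for_each = {
      AWSBillingReportsGetBucket     = { actions = ["s3:GetBucketAcl", "s3:GetBucketPolicy"], resources = [aws_s3_bucket.billing.arn] }
      AWSBillingReportsDeliveryWrite = { actions = ["s3:PutObject"], resources = ["${aws_s3_bucket.billing.arn}/*"] }
    }
    content {
      sid       = statement.key
      actions   = statement.value.actions
      resources = statement.value.resources
      principals {
        type        = "Service"
        identifiers = ["billingreports.amazonaws.com"]
      }
      # Both conditions limit the service principal to report definitions owned by this account.
      condition {
        test     = "StringEquals"
        variable = "aws:SourceArn"
        values   = ["arn:aws:cur:us-east-1:${data.aws_caller_identity.current.account_id}:definition/*"]
      }
      condition {
        test     = "StringEquals"
        variable = "aws:SourceAccount"
        values   = [data.aws_caller_identity.current.account_id]
      }
    }
  }
}

resource "aws_s3_bucket_policy" "billing" {
  bucket = aws_s3_bucket.billing.id
  policy = data.aws_iam_policy_document.cur_delivery.json
}

resource "aws_cur_report_definition" "hourly_usage" {
  provider                   = aws.east # assumed to be configured with region = "us-east-1"
  report_name                = "example-usage-report"
  time_unit                  = "DAILY"
  format                     = "textORcsv"
  compression                = "GZIP"
  additional_schema_elements = ["RESOURCES"]
  s3_bucket                  = aws_s3_bucket.billing.id     # bucket name, not the ARN
  s3_region                  = aws_s3_bucket.billing.region # the bucket's own region
  s3_prefix                  = "cur"
  depends_on                 = [aws_s3_bucket_policy.billing] # policy must exist before the report is defined
}
```

The `depends_on` is needed because the report definition references only the bucket, so Terraform would otherwise be free to create it before the policy is attached.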