Expected Behavior
When creating the aws_appconfig_configuration_profile, the IAM role specified via the retrieval_role_arn can be assumed properly for creating the resource.
Actual Behavior
A permission error happens occasionally.
As a workaround, I added a time_sleep dependency of 10 seconds to the aws_appconfig_configuration_profile, which seems to improve things, but it still fails for the same reason from time to time.
Relevant Error/Panic Output Snippet
╷
│ Error: creating AppConfig Configuration Profile (s3) for Application (3atugpj): operation error AppConfig: CreateConfigurationProfile, https response error StatusCode: 400, RequestID: f77a17f6-b682-49f1-b93e-a59d26d3aca8, BadRequestException: Error trying to assume role arn:aws:iam::<account>:role/<resource>
│
│ with module.infrastructure.aws_appconfig_configuration_profile.default,
│ on ../common/integration/app_config.tf line 13, in resource "aws_appconfig_configuration_profile" "default":
│ 13: resource "aws_appconfig_configuration_profile" "default" {
│
╵
Error: Terraform exited with code 1.
Error: Process completed with exit code 1.
Steps to Reproduce
Use the given snippet to create an AppConfig having a configuration profile that is backed by an object inside an S3 bucket.
Debug Output
No response
Panic Output
No response
Important Factoids
This error doesn't happen all the time. There must be some sort of race condition that occasionally makes this fail. Expecting the IAM role to be not fully propagated and ready when AppConfig already tries to use it for creating the configuration profile.
Terraform Core Version
1.6.1
AWS Provider Version
5.52.0
Affected Resource(s)
Terraform Configuration Files
References
No response
Would you like to implement a fix?
None
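Added example, not part of the original issue and not the provider's own code: instead of a fixed sleep, a caller can retry the create call with backoff, but only while the error matches the "Error trying to assume role" BadRequestException quoted above, and only until a deadline. It assumes the reporter's hypothesis that the IAM role has not finished propagating; isRoleNotReady, retryWhileRoleNotReady and fakeCreate are hypothetical names, and fakeCreate is a constructed stand-in for the CreateConfigurationProfile call.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// isRoleNotReady matches only the error text quoted in the issue, so real permission errors are not masked.
func isRoleNotReady(err error) bool {
	return err != nil && strings.Contains(err.Error(), "BadRequestException") &&
		strings.Contains(err.Error(), "Error trying to assume role")
}

// retryWhileRoleNotReady calls create until it succeeds, fails with an
// unrelated error (returned at once), or the next wait would pass the timeout.
// The delay doubles after every failed attempt. It returns the attempt count.
func retryWhileRoleNotReady(create func() error, timeout, firstDelay time.Duration) (int, error) {
	deadline := time.Now().Add(timeout)
	for attempt, delay := 1, firstDelay; ; attempt, delay = attempt+1, delay*2 {
		err := create()
		if err == nil || !isRoleNotReady(err) {
			return attempt, err
		}
		if time.Now().Add(delay).After(deadline) {
			return attempt, fmt.Errorf("role still not assumable after %d attempts: %w", attempt, err)
		}
		time.Sleep(delay)
	}
}

// fakeCreate is a constructed stand-in for the API call (assumption, not the
// AWS SDK): it fails with the issue's error text `failures` times, then succeeds.
func fakeCreate(failures int) func() error {
	calls := 0
	return func() error {
		if calls++; calls <= failures {
			return errors.New("BadRequestException: Error trying to assume role arn:aws:iam::<account>:role/<resource>")
		}
		return nil
	}
}

func main() {
	attempts, err := retryWhileRoleNotReady(fakeCreate(2), time.Second, 10*time.Millisecond)
	fmt.Println("attempts:", attempts, "err:", err)
}
```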