hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Enhancement]: better log apply failure messages for aws_verifiedpermissions_policy #38417

Open ryancausey opened 1 month ago

ryancausey commented 1 month ago

Description

I ran into a resource sequencing issue that was not immediately apparent because of the generic error message returned during an apply failure. The aws_verifiedpermissions_policy resource will fail to apply with a generic "invalid input" error if the aws_verifiedpermissions_policy_store it is created within has the validation_settings set to STRICT mode, and the schema is not present yet. The debug logs show that the Go SDK returns a more detailed error message within the "fieldList" attribute, and my request is that these more detailed error messages be surfaced in the apply error message shown by Terraform.

Affected Resource(s) and/or Data Source(s)

Potential Terraform Configuration

resource "aws_verifiedpermissions_policy_store" "test_policy_store" {
  description = "The policy store for an example."

  validation_settings {
    mode = "STRICT"
  }
}

resource "aws_verifiedpermissions_schema" "test_policy_schema" {
  policy_store_id = aws_verifiedpermissions_policy_store.test_policy_store.policy_store_id

  definition {
    value = file("verified_permissions_schema.json")
  }
}

resource "aws_verifiedpermissions_policy" "test_static_policy" {
  policy_store_id = aws_verifiedpermissions_policy_store.test_policy_store.policy_store_id

  definition {
    static {
      description = "A sample static policy."
      statement   = <<EOF
permit(
  principal,
  action,
  resource
);
EOF
    }
  }
}

References

Terraform error message:

╷
│ Error: creating AWS Verified Permissions Policy ("5pCYcR4vudCWGmeArdR2qy"): operation error VerifiedPermissions: CreatePolicy, https response error StatusCode: 400, RequestID: 50501d3e-a8cc-467e-92b0-f43c85b5029d, ValidationException: Invalid input
│ 
│   with aws_verifiedpermissions_policy.jurisdiction_view,
│   on verified_permissions.tf line 17, in resource "aws_verifiedpermissions_policy" "jurisdiction_view":
│   17: resource "aws_verifiedpermissions_policy" "jurisdiction_view" {
│ 
│ operation error VerifiedPermissions: CreatePolicy, https response error
│ StatusCode: 400, RequestID: 50501d3e-a8cc-467e-92b0-f43c85b5029d,
│ ValidationException: Invalid input
╵

Relevant log snippet showing the more detailed message being available within the "fieldList" attribute:

2024-07-18T07:14:23.665Z [DEBUG] provider.terraform-provider-aws_v5.58.0_x5: HTTP Response Received: http.response.header.date="Thu, 18 Jul 2024 07:14:23 GMT" rpc.method=CreatePolicy rpc.system=aws-api @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.54/logging/tf_logger.go:45 http.duration=86 http.response.header.access_control_allow_origin=* tf_req_id=263b1f44-91e0-c5ee-b1b7-62ccf72e223c tf_resource_type=aws_verifiedpermissions_policy aws.region=us-west-2 http.response.body="{"message":"Invalid input","fieldList":[{"path":"/definition","message":"No schema present - automatically failing all validation."}],"__type":"smithy.framework#ValidationException"}
" tf_provider_addr=registry.terraform.io/hashicorp/aws http.response.header.content_type=application/x-amz-json-1.0 http.response.header.x_amzn_requestid=50501d3e-a8cc-467e-92b0-f43c85b5029d rpc.service=VerifiedPermissions tf_mux_provider=*proto5server.Server http.response_content_length=182 http.status_code=400 tf_aws.sdk=aws-sdk-go-v2 tf_aws.signing_region= @module=aws http.response.header.access_control_expose_headers=* http.response.header.vary=[origin, access-control-request-method, access-control-request-headers] tf_rpc=ApplyResourceChange timestamp=2024-07-18T07:14:23.664Z

Would you like to implement a fix?

None
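One way the "fieldList" detail could be folded into the error text, shown as an added example that is not part of the original issue and not the provider's code. It uses only the Go standard library and the response body from the debug log above; `validationBody` and `DetailedMessage` are hypothetical names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// validationBody mirrors the JSON error body seen in the debug log above
// (hypothetical type, not an SDK or provider type).
type validationBody struct {
	Message   string `json:"message"`
	FieldList []struct {
		Path    string `json:"path"`
		Message string `json:"message"`
	} `json:"fieldList"`
}

// DetailedMessage (hypothetical helper) expands a ValidationException body
// into one line that includes every fieldList entry. A body that is not
// valid JSON is returned trimmed but otherwise unchanged, so nothing is lost.
func DetailedMessage(body []byte) string {
	var v validationBody
	if err := json.Unmarshal(body, &v); err != nil {
		return strings.TrimSpace(string(body))
	}
	if len(v.FieldList) == 0 {
		return v.Message // nothing more specific to report
	}
	parts := make([]string, 0, len(v.FieldList))
	for _, f := range v.FieldList {
		parts = append(parts, fmt.Sprintf("%s: %s", f.Path, f.Message))
	}
	return fmt.Sprintf("%s (%s)", v.Message, strings.Join(parts, "; "))
}

func main() {
	// Response body copied from the debug log in the issue.
	body := []byte(`{"message":"Invalid input","fieldList":[{"path":"/definition","message":"No schema present - automatically failing all validation."}],"__type":"smithy.framework#ValidationException"}`)
	fmt.Println(DetailedMessage(body))
}
```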
