hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0
9.82k stars 9.16k forks

[Enhancement]: aws_dynamodb_table import_table FAILED log improvements #38946

Open chrisbloe-nhse opened 2 months ago

chrisbloe-nhse commented 2 months ago

Description

When an aws_dynamodb_table resource is created with the import_table option, but insufficient IAM permissions are set, the error that's displayed doesn't indicate the real reason for the failure (missing IAM permission).

Current output:

Error: creating AWS DynamoDB Table (<table_name>): unexpected state 'FAILED', wanted target 'COMPLETED'. last error: %!s(<nil>)

However, if the TF_LOG_PROVIDER environment variable is set to DEBUG, the missing permission is acknowledged:

<date>   http.response.body=
<date>   | {"ImportTableDescription":{...,"FailureMessage":"User: arn:aws:sts::123456789012:assumed-role/<role> is not authorized to perform: logs:CreateLogStream on resource: arn:aws:logs:eu-west-2:123456789012:log-group:/aws-dynamodb/imports:log-stream:<id>/info because no identity-based policy allows the logs:CreateLogStream action",...}}

Suggested output:

Error: creating AWS DynamoDB Table (<table_name>): FailureMessage is "<content from response.body>"

e.g.

Error: creating AWS DynamoDB Table (<table_name>): FailureMessage is "User: arn:aws:sts::123456789012:assumed-role/<role> is not authorized to perform: logs:CreateLogStream on resource: arn:aws:logs:eu-west-2:123456789012:log-group:/aws-dynamodb/imports:log-stream:<id>/info because no identity-based policy allows the logs:CreateLogStream action"

[!TIP] If you log into the AWS Console and view the import (DynamoDB → Imports from S3 → <select import>), it does show the IAM permission failure reason.

Affected Resource(s) and/or Data Source(s)

aws_dynamodb_table

Potential Terraform Configuration

No change

References

Would you like to implement a fix?

No
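
Until the provider surfaces the message itself, the denied permission can be pulled out of the debug output described in the issue. The following is an added example, not code from the issue author or the provider: it scans `TF_LOG_PROVIDER=DEBUG` output for response bodies whose `ImportTableDescription` carries a `FailureMessage` and extracts the denied IAM action and resource. The log lines are constructed to match the shape of the excerpt above; the function name `import_failures` and all sample values are assumptions.

```python
import json
import re

# Constructed sample shaped like the TF_LOG_PROVIDER=DEBUG excerpt in the issue
# (timestamps, role name and stream id are made-up placeholders).
SAMPLE_LOG = """\
2024-01-01T00:00:00.000Z [DEBUG] provider: HTTP Response Received
2024-01-01T00:00:00.000Z   http.response.body=
2024-01-01T00:00:00.000Z   | {"ImportTableDescription":{"ImportStatus":"FAILED","FailureMessage":"User: arn:aws:sts::123456789012:assumed-role/example-role/session is not authorized to perform: logs:CreateLogStream on resource: arn:aws:logs:eu-west-2:123456789012:log-group:/aws-dynamodb/imports:log-stream:example-id/info because no identity-based policy allows the logs:CreateLogStream action"}}
2024-01-01T00:00:01.000Z   | {"ImportTableDescription":{"ImportStatus":"IN_PROGRESS"}}
2024-01-01T00:00:02.000Z   | {"ImportTableDescription":{"Fail
"""

# Multi-line field values in the debug log are prefixed with "| ".
BODY_LINE = re.compile(r"\|\s*(\{.*)$")
# Wording of the access-denied text quoted in the issue's FailureMessage.
DENIED = re.compile(
    r"is not authorized to perform: (?P<action>\S+) on resource: (?P<resource>\S+)"
)

def import_failures(log_text):
    """Return one dict per logged ImportTableDescription that has a FailureMessage."""
    findings = []
    for line in log_text.splitlines():
        match = BODY_LINE.search(line)
        if not match:
            continue
        try:
            body = json.loads(match.group(1))
        except json.JSONDecodeError:
            continue  # truncated or non-JSON body line
        desc = body.get("ImportTableDescription") if isinstance(body, dict) else None
        if not isinstance(desc, dict) or not desc.get("FailureMessage"):
            continue
        message = desc["FailureMessage"]
        denied = DENIED.search(message)
        findings.append({
            "message": message,
            "action": denied.group("action") if denied else None,
            "resource": denied.group("resource") if denied else None,
        })
    return findings

if __name__ == "__main__":
    for f in import_failures(SAMPLE_LOG):
        print(f"import failed: {f['action']} denied on {f['resource']}")
        print(f"  {f['message']}")
```

Debug logs of this kind contain full request and response bodies, including account IDs and role ARNs, so treat the captured file as sensitive and delete it after triage.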
