When an aws_dynamodb_table resource is created with the import_table option, but insufficient IAM permissions are set, the error that's displayed doesn't indicate the real reason for the failure (missing IAM permission).
Current output:
Error: creating AWS DynamoDB Table (<table_name>): unexpected state 'FAILED', wanted target 'COMPLETED'. last error: %!s(<nil>)
However, if the TF_LOG_PROVIDER environment variable is set to DEBUG, the missing permission is reported in the DescribeImport response body:
<date> http.response.body=
<date> | {"ImportTableDescription":{...,"FailureMessage":"User: arn:aws:sts::123456789012:assumed-role/<role> is not authorized to perform: logs:CreateLogStream on resource: arn:aws:logs:eu-west-2:123456789012:log-group:/aws-dynamodb/imports:log-stream:<id>/info because no identity-based policy allows the logs:CreateLogStream action",...}}
Suggested output:
Error: creating AWS DynamoDB Table (<table_name>): FailureMessage is "<content from response.body>"
e.g.
Error: creating AWS DynamoDB Table (<table_name>): FailureMessage is "User: arn:aws:sts::123456789012:assumed-role/<role> is not authorized to perform: logs:CreateLogStream on resource: arn:aws:logs:eu-west-2:123456789012:log-group:/aws-dynamodb/imports:log-stream:<id>/info because no identity-based policy allows the logs:CreateLogStream action"
[!TIP]
If you log in to the AWS Console and view the import (DynamoDB → Imports from S3 → <select import>), it does show the IAM permission failure reason.
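To show the suggested behaviour concretely, here is an added example (not the provider's own code) that turns a DescribeImport response body into the error Terraform should report. The struct mirrors only the ImportStatus and FailureMessage fields seen in the debug log above; the sample body is constructed from that log line, with the account id, role and id as placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// importTableDescription holds only the fields of DynamoDB's DescribeImport
// response that matter here; it is a hand-written stand-in for the SDK type.
type importTableDescription struct {
	ImportStatus   string `json:"ImportStatus"`
	FailureMessage string `json:"FailureMessage"`
}

type describeImportResponse struct {
	ImportTableDescription importTableDescription `json:"ImportTableDescription"`
}

// importError maps the import status to the error Terraform should surface.
// A FAILED import carries the service's FailureMessage (the IAM denial in the
// issue); the current "unexpected state" wording is kept only as a fallback
// when the service sent no message at all.
func importError(tableName string, body []byte) error {
	var resp describeImportResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return fmt.Errorf("creating AWS DynamoDB Table (%s): decoding import description: %w", tableName, err)
	}
	desc := resp.ImportTableDescription
	switch desc.ImportStatus {
	case "COMPLETED":
		return nil
	case "FAILED":
		if desc.FailureMessage == "" {
			return fmt.Errorf("creating AWS DynamoDB Table (%s): unexpected state 'FAILED', wanted target 'COMPLETED'", tableName)
		}
		return fmt.Errorf("creating AWS DynamoDB Table (%s): FailureMessage is \"%s\"", tableName, desc.FailureMessage)
	default:
		return fmt.Errorf("creating AWS DynamoDB Table (%s): unexpected state '%s', wanted target 'COMPLETED'", tableName, desc.ImportStatus)
	}
}

// sampleFailedBody is a constructed DescribeImport body modelled on the
// debug-log line in the issue; account id, role and id are placeholders.
const sampleFailedBody = `{"ImportTableDescription":{"ImportStatus":"FAILED","FailureMessage":"User: arn:aws:sts::123456789012:assumed-role/<role> is not authorized to perform: logs:CreateLogStream on resource: arn:aws:logs:eu-west-2:123456789012:log-group:/aws-dynamodb/imports:log-stream:<id>/info because no identity-based policy allows the logs:CreateLogStream action"}}`

func main() {
	fmt.Println(importError("<table_name>", []byte(sampleFailedBody)))
}
```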
Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
Volunteering to Work on This Issue
If you are interested in working on this issue, please leave a comment.
If this would be your first contribution, please review the contribution guide.
Affected Resource(s) and/or Data Source(s)
aws_dynamodb_table
Potential Terraform Configuration
References
Would you like to implement a fix?
No