hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: provider assume_role configuration doesn't work with "known after apply" roles #39359

Open samuelrivas opened 1 month ago

samuelrivas commented 1 month ago

Terraform Core Version

1.5.7

AWS Provider Version

5.67.0

Affected Resource(s)

This affects the provider configuration, when using assume_role

Expected Behavior

When specifying a role output by a resource, terraform should still be able to plan and deploy, assuming that the resource can be created before any AWS resource.

Actual Behavior

This stopped working in version 5.67.0; I suspect it is related to PR 39255.

It seems that this will be partially fixed in release 5.68.0 (not yet released at the time of writing this), where the error becomes a warning, but it still states that it will be an error in the future.

Relevant Error/Panic Output Snippet

With version 5.67.0

│ Error: Missing required argument
│
│   with provider["registry.terraform.io/hashicorp/aws"],
│   on main.tf line 14, in provider "aws":
│   14: provider "aws" {
│
│ The argument "role_arn" is required, but no definition was found.

With locally compiled HEAD (what's going to be version 5.68.0):

│ Warning: Missing required argument
│
│   with provider["samscorp.com/testing/aws"],
│   on main.tf line 12, in provider "aws":
│   12: provider "aws" {
│
│ The argument "role_arn" is required, but no definition was found.
│
│ This will be an error in a future release.
╵

Terraform Configuration Files

Running terraform plan with the following configuration fails:

terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
      version = "5.67.0"
    }
  }
}

resource "random_pet" "this" {
}

provider "aws" {
  assume_role {
    role_arn = random_pet.this.id
  }
}

resource "aws_s3_bucket" "this" {
  bucket = "test-bucket"
}

output "pet" {
  value = random_pet.this.id
}

This is just to illustrate that a role created by the same terraform configuration breaks the provider configuration, I don't expect a random pet name to be a valid role name :)

Steps to Reproduce

Run terraform init && terraform plan; it should fail with:

╷
│ Error: Missing required argument
│
│   with provider["registry.terraform.io/hashicorp/aws"],
│   on main.tf line 14, in provider "aws":
│   14: provider "aws" {
│
│ The argument "role_arn" is required, but no definition was found.
╵

Debug Output

No response

Panic Output

No response

Important Factoids

When run with a locally compiled head (f9b51addd3c716e41e82df73c50033d1d26831d2), it outputs a warning instead:

Terraform will perform the following actions:

  # aws_s3_bucket.this will be created
  + resource "aws_s3_bucket" "this" {
      + acceleration_status         = (known after apply)
      + acl                         = (known after apply)
      + arn                         = (known after apply)
      + bucket                      = "test-bucket"
      + bucket_domain_name          = (known after apply)
      + bucket_prefix               = (known after apply)
      + bucket_regional_domain_name = (known after apply)
      + force_destroy               = false
      + hosted_zone_id              = (known after apply)
      + id                          = (known after apply)
      + object_lock_enabled         = (known after apply)
      + policy                      = (known after apply)
      + region                      = (known after apply)
      + request_payer               = (known after apply)
      + tags_all                    = (known after apply)
      + website_domain              = (known after apply)
      + website_endpoint            = (known after apply)
    }

  # random_pet.this will be created
  + resource "random_pet" "this" {
      + id        = (known after apply)
      + length    = 2
      + separator = "-"
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + pet = (known after apply)
╷
│ Warning: Missing required argument
│
│   with provider["samscorp.com/testing/aws"],
│   on main.tf line 14, in provider "aws":
│   14: provider "aws" {
│
│ The argument "role_arn" is required, but no definition was found.
│
│ This will be an error in a future release.
╵

References

I suspect that this change introduced the problem: https://github.com/hashicorp/terraform-provider-aws/pull/39255/files

I also suspect that this fix changes the error to a warning: https://github.com/hashicorp/terraform-provider-aws/pull/39328

Would you like to implement a fix?

None
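As an added illustration (not part of the issue above or of the provider's code base), the following shows the usual way to keep the assumed role's ARN known at plan time: create the role in one root module that is applied first, then look it up by name with a data source in the workload module. Because the data source's inputs are literals, it is read during plan and its `arn` is known, unlike `random_pet.this.id` in the reproduction. All names (`example-deploy-role`, `example-workload-bucket`, the `deploy` alias, the module paths) are hypothetical.

```hcl
# Added example, not the issue reporter's or the provider's own code.
# Assumed workaround: two root modules applied in order, so the provider's
# assume_role.role_arn is never "known after apply".

# --- root module 1: bootstrap/main.tf (terraform apply here first) ---
data "aws_caller_identity" "current" {}

resource "aws_iam_role" "deploy" {
  name = "example-deploy-role" # hypothetical role name

  # Least privilege on the trust policy: only principals in this account
  # may assume the deployment role.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = {
        AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
      }
    }]
  })
}

# --- root module 2: workload/main.tf (applied after bootstrap) ---
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

# Default provider: the caller's own credentials, used only for the lookup.
provider "aws" {}

# The lookup uses a literal name, so Terraform reads it during plan and the
# ARN below is a known value when the aliased provider is configured.
data "aws_iam_role" "deploy" {
  name = "example-deploy-role" # must match the bootstrap module
}

provider "aws" {
  alias = "deploy"
  assume_role {
    role_arn     = data.aws_iam_role.deploy.arn
    session_name = "terraform-workload" # hypothetical, shows up in CloudTrail
  }
}

resource "aws_s3_bucket" "this" {
  provider = aws.deploy
  bucket   = "example-workload-bucket" # hypothetical bucket name
}
```

Apply the bootstrap module before planning the workload module; if the role does not exist yet, the data source fails at plan rather than silently configuring the provider without a role. Merging both modules into one configuration reintroduces the situation the issue describes, since the role's ARN would again be a resource attribute that is unknown until apply.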

github-actions[bot] commented 1 month ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue

ewbankkit commented 1 month ago

The full solution to this will require implementing support for Terraform's currently experimental "deferred actions" feature.