Expected Behavior
Plan should not fail unexpectedly due to missing permissions. Maybe the documentation/release notes just need to be updated. The addition of step function validation is a welcome one; it just needs to be clearer what needs to be done to support it when upgrading to 5.67.0.
Additionally, the plan only fails when step function definition changes are included, which allows the new provider version to plan successfully without the permission until someone changes a step function definition.
Actual Behavior
After upgrading to 5.67 and above, plan fails if step function definition changes are included and the planning role is missing states:ValidateStateMachineDefinition.
Relevant Error/Panic Output Snippet
Error: validating Step Functions State Machine definition: operation error SFN: ValidateStateMachineDefinition, https response error StatusCode: 400, RequestID: REDACTED, api error AccessDeniedException: REDACTED is not authorized to perform: states:ValidateStateMachineDefinition on resource: REDACTED:stateMachine:* because no identity-based policy allows the states:ValidateStateMachineDefinition action
Terraform Configuration Files
# ...
resource "aws_sfn_state_machine" "sfn_state_machine" {
  name     = "my-state-machine"
  role_arn = aws_iam_role.iam_for_sfn.arn
  publish  = true
  type     = "EXPRESS"
  definition = <<EOF
{
  "Comment": "A Hello World example of the Amazon States Language using an AWS Lambda Function",
  "StartAt": "HelloWorld",
  "States": {
    "HelloWorld": {
      "Type": "Task",
      "Resource": "${aws_lambda_function.lambda.arn}",
      "End": true
    }
  }
}
EOF
}
Steps to Reproduce
Run terraform plan using a role that does not have the states:ValidateStateMachineDefinition permission.
Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
Volunteering to Work on This Issue
If you are interested in working on this issue, please leave a comment.
If this would be your first contribution, please review the contribution guide.
Terraform Core Version
1.2.9
AWS Provider Version
5.67.0
Affected Resource(s)
Debug Output
No response
Panic Output
No response
Important Factoids
No response
References
No response
Would you like to implement a fix?
None
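The following is an added example of the IAM grant the planning role needs; it is not part of the issue above or of the provider's own code. The role name `terraform_plan`, the policy and data source names, and the use of `aws_region`/`aws_caller_identity`/`aws_partition` to build the ARN are assumptions made here for illustration. The point it encodes comes from the AccessDeniedException in the issue: the action is evaluated against a resource ending in `stateMachine:*`, so a statement scoped to one named state machine will not match, while a statement scoped to the account and region with a `stateMachine:*` suffix will, without having to grant `"*"`.

```hcl
# Added example (not from the issue): grant the role used for `terraform plan`
# the permission that provider >= 5.67.0 calls at plan time when a state
# machine definition changes. Role and policy names are assumptions.

data "aws_partition" "current" {}
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "sfn_validate" {
  statement {
    sid     = "AllowStateMachineDefinitionValidation"
    effect  = "Allow"
    actions = ["states:ValidateStateMachineDefinition"]

    # The error in the issue shows the request resource as
    # "...:stateMachine:*" because validation is not tied to an existing
    # state machine. A resource ARN naming one state machine
    # (".../stateMachine:my-state-machine") therefore does not match and
    # the call is still denied; scope by partition, region and account
    # with the wildcard name instead of granting "*".
    resources = [
      "arn:${data.aws_partition.current.partition}:states:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:stateMachine:*",
    ]
  }
}

resource "aws_iam_policy" "sfn_validate" {
  name   = "terraform-plan-sfn-validate"
  policy = data.aws_iam_policy_document.sfn_validate.json
}

# Assumed: the planning role is managed in the same configuration as
# aws_iam_role.terraform_plan.
resource "aws_iam_role_policy_attachment" "sfn_validate" {
  role       = aws_iam_role.terraform_plan.name
  policy_arn = aws_iam_policy.sfn_validate.arn
}
```

Because, as the issue notes, the provider only calls the API when a definition changes, a plan against an unchanged definition will not show whether the grant is in place; verify with a plan that includes a definition change, or inspect the role's policies directly before rolling the provider upgrade out to CI.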