hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0
9.83k stars 9.17k forks

[Bug]: Error creating Datazone domain #39940

Open mlnrt opened 1 week ago

mlnrt commented 1 week ago

Terraform Core Version

1.7.4

AWS Provider Version

5.73.0

Affected Resource(s)

Expected Behavior

The Datazone domain should be created

Actual Behavior

Using Terraform, the creation of the domain fails without providing a useful error.

Relevant Error/Panic Output Snippet

Error: creating AWS DataZone Domain ("test"): operation error DataZone: CreateDomain, https response error StatusCode: 403, RequestID: , deserialization failed, failed to decode response body, invalid character '<' looking for beginning of value

Terraform Configuration Files

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.73, < 6.0"
    }
  }
  required_version = ">= 1.7.4"
}

### Caller identity (referenced by the policies below; added here because the original paste omits it)
data "aws_caller_identity" "current" {}

### KMS Key for Datazone

data "aws_iam_policy_document" "datazone_kms_key" {
  statement {
    sid = "Enable IAM User Permissions"

    principals {
      type = "AWS"
      identifiers = [
        "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
      ]
    }
    actions   = ["kms:*"]
    resources = ["*"]
  }
}

resource "aws_kms_key" "datazone_kms_key" {
  description             = "Encryption key for the DataZone Test domain"
  deletion_window_in_days = 7
  policy                  = data.aws_iam_policy_document.datazone_kms_key.json
  enable_key_rotation     = true
}

resource "aws_kms_alias" "datazone_kms_key" {
  name          = "alias/datazone-test-domain-key"
  target_key_id = aws_kms_key.datazone_kms_key.key_id
}

### Datazone IAM Execution role

data "aws_iam_policy_document" "datazone_domain_execution_role_assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole", "sts:TagSession"]
    effect  = "Allow"
    principals {
      type        = "Service"
      identifiers = ["datazone.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

resource "aws_iam_role" "datazone_domain_execution_role" {
  name               = "datazone_test_execution_role"
  assume_role_policy = data.aws_iam_policy_document.datazone_domain_execution_role_assume_role_policy.json
}

resource "aws_iam_policy_attachment" "datazone_domain_execution_role_assume_role_policy_attachment" {
  name       = "datazone-execution-role-default-policy-attachment"
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonDataZoneDomainExecutionRolePolicy"
  roles      = [aws_iam_role.datazone_domain_execution_role.name]
}

data "aws_iam_policy_document" "datazone_domain_execution_role_custom_policy" {
  statement {
    sid = "AllowDatazoneDomainExecutionRoleToKMSKey"
    actions = [
      "kms:Decrypt",
      "kms:DescribeKey",
      "kms:GenerateDataKey"
    ]
    effect    = "Allow"
    resources = [aws_kms_key.datazone_kms_key.arn]
  }
}

resource "aws_iam_policy" "datazone_domain_execution_role_custom_policy" {
  name        = "datazone_test_execution_role_custom_policy"
  description = "Custom policy for the Datazone domain execution role"
  policy      = data.aws_iam_policy_document.datazone_domain_execution_role_custom_policy.json
}

resource "aws_iam_policy_attachment" "datazone_domain_execution_role_custom_policy_attachment" {
  name       = "datazone-execution-role-custom-policy-attachment"
  policy_arn = aws_iam_policy.datazone_domain_execution_role_custom_policy.arn
  roles      = [aws_iam_role.datazone_domain_execution_role.name]
}

### Datazone domain

resource "aws_datazone_domain" "test" {
  name                  = "test"
  description           = "Datazone test domain"
  domain_execution_role = aws_iam_role.datazone_domain_execution_role.arn
  kms_key_identifier    = aws_kms_key.datazone_kms_key.arn
}

Steps to Reproduce

Once the KMS key and execution role are created with Terraform (see code above), creating the Datazone domain using the AWS console with the same parameters works, but creating the "aws_datazone_domain" "test" resource fails.

Debug Output

Initializing plugins and modules...
{"@level":"info","@message":"Terraform 1.7.4","@module":"terraform.ui","@timestamp":"2024-10-29T07:58:42.693362+01:00","terraform":"1.7.4","type":"version","ui":"1.2"}
{"@level":"info","@message":"aws_datazone_domain.test: Plan to create","@module":"terraform.ui","@timestamp":"2024-10-29T07:58:46.134842+01:00","change":{"resource":{"addr":"aws_datazone_domain.test","module":"","resource":"aws_datazone_domain.test","implied_provider":"aws","resource_type":"aws_datazone_domain","resource_name":"test","resource_key":null},"action":"create"},"type":"planned_change"}
{"@level":"info","@message":"aws_datazone_domain.test: Creating...","@module":"terraform.ui","@timestamp":"2024-10-29T07:58:46.530312+01:00","hook":{"resource":{"addr":"aws_datazone_domain.test","module":"","resource":"aws_datazone_domain.test","implied_provider":"aws","resource_type":"aws_datazone_domain","resource_name":"test","resource_key":null},"action":"create"},"type":"apply_start"}
{"@level":"info","@message":"aws_datazone_domain.test: Creation errored after 0s","@module":"terraform.ui","@timestamp":"2024-10-29T07:58:46.570776+01:00","hook":{"resource":{"addr":"aws_datazone_domain.test","module":"","resource":"aws_datazone_domain.test","implied_provider":"aws","resource_type":"aws_datazone_domain","resource_name":"test","resource_key":null},"action":"create","elapsed_seconds":0},"type":"apply_errored"}
{"@level":"error","@message":"Error: creating AWS DataZone Domain (\"test\"): operation error DataZone: CreateDomain, https response error StatusCode: 403, RequestID: , deserialization failed, failed to decode response body, invalid character '\u003c' looking for beginning of value","@module":"terraform.ui","@timestamp":"2024-10-29T07:58:46.837506+01:00","diagnostic":{"severity":"error","summary":"creating AWS DataZone Domain (\"test\"): operation error DataZone: CreateDomain, https response error StatusCode: 403, RequestID: , deserialization failed, failed to decode response body, invalid character '\u003c' looking for beginning of value","detail":"operation error DataZone: CreateDomain, https response error StatusCode: 403, RequestID: , deserialization failed, failed to decode response body, invalid character '\u003c' looking for beginning of value","address":"aws_datazone_domain.test","range":{"filename":"datazone.tf","start":{"line":1,"column":39,"byte":38},"end":{"line":1,"column":40,"byte":39}},"snippet":{"context":"resource \"aws_datazone_domain\" \"test\"","code":"resource \"aws_datazone_domain\" \"test\" {","start_line":1,"highlight_start_offset":38,"highlight_end_offset":39,"values":[]}},"type":"diagnostic"}
Operation failed: failed running terraform apply (exit 1)

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None
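The Debug Output above is Terraform's machine-readable UI stream (`terraform apply -json`), and the only actionable detail in it is buried inside the `diagnostic` summary string. The following script is an added example, not code from the issue or from the provider: it parses that stream, pulls out the failing resource address, the SDK operation, the HTTP status code, the RequestID, and flags the case seen here, where the response body was not the JSON error document the SDK expects (so no service error code is available). The log lines embedded below are constructed, shortened copies of the issue's Debug Output; the parser works on any `-json` stream.

```python
"""Summarise resource errors from a `terraform apply -json` stream.

Added example for the issue above; not part of the issue or the AWS provider.
SAMPLE_LOG is a constructed, abbreviated copy of the issue's Debug Output.
"""
import json
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample: non-JSON banner lines are mixed in, as in real output.
SAMPLE_LOG = r'''
Initializing plugins and modules...
{"@level":"info","@message":"Terraform 1.7.4","@module":"terraform.ui","terraform":"1.7.4","type":"version","ui":"1.2"}
{"@level":"info","@message":"aws_datazone_domain.test: Creating...","@module":"terraform.ui","hook":{"resource":{"addr":"aws_datazone_domain.test","resource_type":"aws_datazone_domain"},"action":"create"},"type":"apply_start"}
{"@level":"info","@message":"aws_datazone_domain.test: Creation errored after 0s","@module":"terraform.ui","hook":{"resource":{"addr":"aws_datazone_domain.test","resource_type":"aws_datazone_domain"},"action":"create","elapsed_seconds":0},"type":"apply_errored"}
{"@level":"error","@message":"Error: creating AWS DataZone Domain (\"test\"): operation error DataZone: CreateDomain, https response error StatusCode: 403, RequestID: , deserialization failed, failed to decode response body, invalid character '\u003c' looking for beginning of value","@module":"terraform.ui","diagnostic":{"severity":"error","summary":"creating AWS DataZone Domain (\"test\"): operation error DataZone: CreateDomain, https response error StatusCode: 403, RequestID: , deserialization failed, failed to decode response body, invalid character '\u003c' looking for beginning of value","address":"aws_datazone_domain.test"},"type":"diagnostic"}
Operation failed: failed running terraform apply (exit 1)
'''

# Patterns for the pieces the AWS SDK for Go embeds in its error strings.
OPERATION_RE = re.compile(r"operation error (\w+): (\w+),")
STATUS_RE = re.compile(r"StatusCode:\s*(\d{3})")
REQUEST_ID_RE = re.compile(r"RequestID:\s*([^,]*),")


def iter_events(log_text: str) -> Iterable[dict]:
    """Yield each JSON UI event, skipping banner lines and anything unparsable."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def summarise_errors(log_text: str) -> List[Dict[str, Optional[object]]]:
    """Return one record per error diagnostic, with the SDK details extracted."""
    results = []
    for event in iter_events(log_text):
        if event.get("type") != "diagnostic":
            continue
        diag = event.get("diagnostic", {})
        if diag.get("severity") != "error":
            continue
        summary = diag.get("summary", "")
        op = OPERATION_RE.search(summary)
        status = STATUS_RE.search(summary)
        rid = REQUEST_ID_RE.search(summary)
        request_id = rid.group(1).strip() if rid else ""
        results.append({
            "address": diag.get("address"),
            "service": op.group(1) if op else None,
            "operation": op.group(2) if op else None,
            "status_code": int(status.group(1)) if status else None,
            # An empty RequestID is reported as None rather than "".
            "request_id": request_id or None,
            # The SDK could not parse the error body as JSON ...
            "non_json_body": "failed to decode response body" in summary,
            # ... and the first byte was '<', i.e. the body was probably HTML/XML.
            "body_looks_like_markup": "invalid character '<'" in summary,
        })
    return results


def classify(record: Dict[str, Optional[object]]) -> str:
    """Short triage label for one error record."""
    if record["non_json_body"]:
        return ("http %s with a non-JSON error body and no RequestID: the service "
                "error code is not available from the SDK; inspect the raw HTTP "
                "response (provider debug logging) to see who produced the 403"
                % record["status_code"])
    if record["status_code"] is not None:
        return "http %s returned by %s %s" % (
            record["status_code"], record["service"], record["operation"])
    return "error without HTTP details"


if __name__ == "__main__":
    for rec in summarise_errors(SAMPLE_LOG):
        print(rec["address"], "->", classify(rec))
```

Run it against a saved `terraform apply -json` log instead of `SAMPLE_LOG` to triage a real run. The "non-JSON body" flag is the important one for this issue: with an empty RequestID and a body starting with `<`, the 403 did not come with the JSON error document the SDK would normally decode into a service error code, so the raw HTTP exchange (visible with `TF_LOG=debug`) is where the next clue lives.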
