hashicorp / terraform-provider-awscc

Terraform AWS Cloud Control provider
https://registry.terraform.io/providers/hashicorp/awscc/latest/docs
Mozilla Public License 2.0

[Bug]: Permission issue when using awscc_ssmquicksetup_configuration_manager Resource #2083

Closed roshan-virtixhealth closed 3 weeks ago

roshan-virtixhealth commented 3 weeks ago

Terraform Core Version

1.9.8

AWS Provider Version

1.17.0

Affected Resource(s)

Expected Behavior

Create the Organization Patch Policy

Actual Behavior

Terraform plan runs fine; however, when doing an apply, it errors out.

Relevant Error/Panic Output Snippet

awscc_ssmquicksetup_configuration_manager.aws_ssmquicksetup_cm_patchmgr_v1: Creating...
╷
│ Error: AWS SDK Go Service Operation Incomplete
│ 
│   with awscc_ssmquicksetup_configuration_manager.aws_ssmquicksetup_cm_patchmgr_v1,
│   on sm_quicksetup_configmgr_patchmgr.tf line 5, in resource "awscc_ssmquicksetup_configuration_manager" "aws_ssmquicksetup_cm_patchmgr_v1":
│    5: resource "awscc_ssmquicksetup_configuration_manager" aws_ssmquicksetup_cm_patchmgr_v1 {
│ 
│ Waiting for Cloud Control API service CreateResource operation completion returned: waiter state transitioned to FAILED. StatusMessage: Access denied for operation
│ 'AWS::SSMQuickSetup::ConfigurationManager'.. ErrorCode: AccessDenied

Terraform Configuration Files

resource "awscc_ssmquicksetup_configuration_manager" aws_ssmquicksetup_cm_patchmgr_v1 {
  configuration_definitions = [ {
    type = "AWSQuickSetupType-PatchPolicy"
    local_deployment_administration_role_arn = aws_iam_role.iam_role_ssm_patch_pol_cf_admin.arn
    local_deployment_execution_role_name = aws_iam_role.iam_role_ssm_cf_patch_pol_cf_executions.name
    parameters = {
      "ConfigurationOptionsInstallNextInterval": "true",
      "ConfigurationOptionsInstallValue": "cron(0 2 ? * SUN *)",
      "ConfigurationOptionsPatchOperation": "ScanAndInstall",
      "ConfigurationOptionsScanNextInterval": "false",
      "ConfigurationOptionsScanValue": "cron(0 1 * * ? *)",
      "HasDeletedBaseline": "false",
      "IsPolicyAttachAllowed": "true",
      "OutputBucketRegion": "",
      "OutputLogEnableS3": "false",
      "OutputS3BucketName": "",
      "OutputS3KeyPrefix": "",
      "PatchBaselineRegion": "us-east-2",
      "PatchBaselineUseDefault": "custom",
      "PatchPolicyName": "SM_QuickSetup_PatchMgr_Org_Policy_v1",
      "RateControlConcurrency": "5",
      "RateControlErrorThreshold": "0%",
      "RebootOption": "RebootIfNeeded",
      "ResourceGroupName": "",
      "SelectedPatchBaselines": templatefile("sm_quicksetup_configmgr_patchmgr_selectedPatchBaelines.tpl", {
        WIN_PATCH_BASELINE_OS   = "${aws_ssm_patch_baseline.sm_patch_baseline-org-windows-v1.operating_system}",
        WIN_PATCH_BASELINE_ID   = "${aws_ssm_patch_baseline.sm_patch_baseline-org-windows-v1.id}",
        WIN_PATCH_BASELINE_NAME = "${aws_ssm_patch_baseline.sm_patch_baseline-org-windows-v1.name}",
        WIN_PATCH_BASELINE_DESC = "${aws_ssm_patch_baseline.sm_patch_baseline-org-windows-v1.description}"
      }),
      "TargetInstances": "",
      "TargetOrganizationalUnits": join(",", var.ouid_enable_quick_setup_patch_policy),
      "TargetRegions": "us-east-2",
      "TargetTagKey": "patch_policy",
      "TargetTagValue": "true",
      "TargetType": "Tags"
    }
  } ]
}


justinretzolk commented 3 weeks ago

Hey @roshan-virtixhealth 👋 Thank you for taking the time to raise this! It looks like you're actually looking for the awscc provider, rather than aws. Since I'm able, I'm going to transfer the issue to the appropriate repository, but wanted to give you a heads up in case you run into any issues with awscc in the future.

quixoticmonk commented 3 weeks ago

Thank you for opening the issue, @roshan-virtixhealth. What permissions do you have on the role which is provisioning the resource awscc_ssmquicksetup_configuration_manager?

roshan-virtixhealth commented 3 weeks ago

I have Administrator and then added all these IAM permissions to the permission sets: https://docs.aws.amazon.com/systems-manager/latest/userguide/quick-setup-getting-started.html#quick-setup-getting-started-iam

roshan-virtixhealth commented 3 weeks ago

This turned out to be a wrong permission set in the org account; I was able to resolve it. Thanks for looking into it, going to close the case.