radius-project / radius

Radius is a cloud-native, portable application platform that makes app development easier for teams building cloud-native apps.
https://radapp.io
Apache License 2.0

Confusing error message for AWS recipe #7109

Open rynowak opened 7 months ago

rynowak commented 7 months ago

Steps to reproduce

  1. Use the recipe here: https://github.com/rynowak/demo-recipes/tree/main/aws/terraform/redis-memorydb
  2. Delete the required_providers block from the Terraform module and republish it
  3. Create an EKS cluster and configure radius to have credentials for AWS
  4. Deploy an application that uses your modified

Observed behavior

When you omit the required_providers.aws block Radius will not inject the AWS credentials. This is an authoring mistake in the recipe, but the error message is confusing.

This fails to deploy with an error like:

Error: {
  "code": "DeploymentFailed",
  "message": "At least one resource deployment operation failed. Please see the details for the specific operation that failed.",
  "target": "/planes/radius/local/resourceGroups/az-core-demo/providers/Microsoft.Resources/deployments/rad-deploy-670146c5-1980-4e4c-af14-4a2c58bb6448",
  "details": [
    {
      "code": "ResourceDeploymentFailure",
      "message": "Failed",
      "target": "/planes/radius/local/resourceGroups/az-core-demo/providers/Applications.Datastores/redisCaches/db",
      "details": [
        {
          "code": "RecipeDeploymentFailed",
          "message": "terraform apply failure: exit status 1\n\nError: creating MemoryDB Subnet Group (redis-db-21da58fea841090c): AccessDeniedException: User: arn:aws:sts::<redacted>:assumed-role/eksctl-prod-aws-nodegroup-ng-<redacted> is not authorized to perform: memorydb:CreateSubnetGroup on resource: arn:aws:memorydb:us-west-2:<redacted> because no identity-based policy allows the memorydb:CreateSubnetGroup action\n\tstatus code: 400, request id: 96e484e2-19a8-41f4-8983-8a8e94d62a7d\n\n  with module.default.module.memory_db.aws_memorydb_subnet_group.this[0],\n  on .terraform/modules/default.memory_db/main.tf line 118, in resource \"aws_memorydb_subnet_group\" \"this\":\n 118: resource \"aws_memorydb_subnet_group\" \"this\" {\n\n"
        }
      ]
    }
  ]
}

The interesting part is this:

AccessDeniedException: User: arn:aws:sts::<redacted>:assumed-role/eksctl-prod-aws-nodegroup-ng-<redacted> is not authorized to perform: memorydb:CreateSubnetGroup

Because this is an EKS cluster, the Terraform driver already has access to AWS credentials associated with the node. This is confusing, and if you didn't know how EKS works, it might take a while to figure it out.

Desired behavior

Best: Radius can detect the use of the AWS provider in the nested module.

In this example I'm using a module from the public gallery: https://github.com/rynowak/demo-recipes/blob/main/aws/terraform/redis-memorydb/main.tf#L23

However, the Terraform driver can't figure out that I needed AWS credentials.

OK: Better guidance, error messages, or troubleshooting guides.

Workaround

This was an authoring mistake, so fixing the bug in my module resolves the issue.

rad Version

v0.30.0-rc3

Operating system

No response

Additional context

No response


AB#11093
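As an added example (not part of this issue or the Radius code base): a small Python check a recipe author could run over a module's HCL before publishing, flagging providers that resources use but that required_providers never declares, which is the condition that leaves Radius with no AWS credentials to inject. It parses with regexes and brace counting rather than a full HCL parser, assumes the Terraform convention that a resource type's prefix names its provider, and only inspects the text it is given, not nested modules fetched by terraform init.

```python
import re

# Constructed sample modules (not the linked recipe): the first omits
# required_providers.aws, the authoring mistake in the issue; the second declares it.
MODULE_MISSING_PROVIDER = '''
terraform { required_version = ">= 1.3" }
resource "aws_memorydb_subnet_group" "this" { name = "redis-db" }
'''
MODULE_WITH_PROVIDER = '''
terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = ">= 5.0" }
  }
}
resource "aws_memorydb_subnet_group" "this" { name = "redis-db" }
'''

# Terraform infers a resource's provider from its type-name prefix
# (aws_memorydb_subnet_group -> aws); explicit provider blocks count too.
RESOURCE_RE = re.compile(r'^\s*(?:resource|data)\s+"([a-z0-9]+)_[a-z0-9_]+"', re.M)
PROVIDER_BLOCK_RE = re.compile(r'^\s*provider\s+"([a-z0-9]+)"', re.M)

def required_providers_body(hcl):
    """Text inside the first required_providers { ... } block, or '' if absent."""
    start = hcl.find("required_providers")
    open_at = hcl.find("{", start) if start >= 0 else -1
    depth = 0
    for j in range(open_at if open_at >= 0 else len(hcl), len(hcl)):
        depth += {"{": 1, "}": -1}.get(hcl[j], 0)
        if depth == 0:  # reached the brace that closes required_providers
            return hcl[open_at + 1:j]
    return ""

def declared_providers(hcl):
    """Provider local names declared at the top level of required_providers."""
    names, depth = set(), 0
    for line in required_providers_body(hcl).splitlines():
        m = re.match(r"\s*([a-z0-9_-]+)\s*=", line) if depth == 0 else None
        if m:
            names.add(m.group(1))
        depth += line.count("{") - line.count("}")  # nested source/version keys are skipped
    return names

def used_providers(hcl):
    return set(RESOURCE_RE.findall(hcl)) | set(PROVIDER_BLOCK_RE.findall(hcl))

def undeclared_providers(hcl):
    """Providers the module uses but never declares: the case where Radius injects no credentials."""
    return used_providers(hcl) - declared_providers(hcl)
```

A non-empty result from undeclared_providers is the condition to fail on before publishing the recipe, since Terraform itself will still run and only fail later with the AccessDeniedException shown above.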

radius-triage-bot[bot] commented 7 months ago

:wave: @rynowak Thanks for filing this bug report.

A project maintainer will review this report and get back to you soon. If you'd like immediate help troubleshooting, please visit our Discord server.

For more information on our triage process please visit our triage overview

radius-triage-bot[bot] commented 7 months ago

:+1: We've reviewed this issue and have agreed to add it to our backlog. Please subscribe to this issue for notifications, we'll provide updates when we pick it up.

We also welcome community contributions! If you would like to pick this item up sooner and submit a pull request, please visit our contribution guidelines and assign this to yourself by commenting "/assign" on this issue.

For more information on our triage process please visit our triage overview

nicolejms commented 7 months ago

This was an intentional decision. A fix could be to improve documentation to mention that the section is required, and any TF error message should point to our docs.