Improve error message when hitting service limit on aws_ssoadmin_account_assignment #22952

Closed
lorengordon opened this issue Feb 4, 2022 · 8 comments · Fixed by #33152
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/ssoadmin Issues and PRs that pertain to the ssoadmin service.

@lorengordon
Contributor

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v1.1.2
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v3.70.0

(I know this is slightly older, but I checked the release notes and found no updates for this resource)

Affected Resource(s)

  • aws_ssoadmin_account_assignment

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

resource "aws_ssoadmin_account_assignment" "this" {
  for_each = local.sso_account_assignments
  provider = aws.sso

  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.this[each.key].arn

  principal_id   = data.aws_identitystore_group.this[each.key].id
  principal_type = "GROUP"

  target_id   = local.parent_account_id
  target_type = "AWS_ACCOUNT"
}

Expected Behavior

Display the error that AWS returns, so I can take appropriate action. In this case, request a limit increase.

You have exceeded AWS SSO limits. Cannot create ApplicationProfile. The limit is 50 for id xxx. Please refer to https://docs.aws.amazon.com/singlesignon/latest/userguide/limits.html

Actual Behavior

aws_ssoadmin_account_assignment.this["..."]: Creating...
╷
│ Error: error waiting for SSO Account Assignment for GROUP (...) to be created: unexpected state 'FAILED', wanted target 'SUCCEEDED'. last error: %!s(<nil>)
│
│   with aws_ssoadmin_account_assignment.this["..."],
│   on main.tf line 1497, in resource "aws_ssoadmin_account_assignment" "this":
│ 1497: resource "aws_ssoadmin_account_assignment" "this" {

Steps to Reproduce

  1. terraform apply
@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. service/ssoadmin Issues and PRs that pertain to the ssoadmin service. labels Feb 4, 2022
@justinretzolk justinretzolk added enhancement Requests to existing resources that expand the functionality or scope. and removed needs-triage Waiting for first response or review from a maintainer. labels Feb 16, 2022
@bhatiaparas177

It is mostly the issue with the inline policy associated with the permission set. If you click on edit inline policy it will show you the error. It's kinda annoying that this message clearly does not specify the root cause.

@dmorina

dmorina commented Jan 27, 2023

Any plans to address this? It's still an issue as of v4.52.0

@khouse

khouse commented Feb 20, 2023

I hit this when trying to associate an account with one that wasn't a member of the org OU, so a cleaner error message would've been helpful in debugging this.

@aasier

aasier commented Feb 24, 2023

Hi all,

I solved this issue by doing some investigation with the aws-cli:

aws sso-admin list-account-assignment-creation-status --instance-arn arn-xxxxxxx-xxx

aws sso-admin describe-account-assignment-creation-status --instance-arn arn-xxxxx-xxxx --account-assignment-creation-request-id request-id-xxxxxxxx

In my case, the issue was caused by a lack of grants in the service account that I am using.
It would be nice to add more description to the error to avoid the extra effort of finding the root cause.

Have a nice day!! ;)

@novekm
Contributor

novekm commented Jun 20, 2023

I also found the root cause was similar for me - the customer managed IAM policy didn't already exist in the account I was trying to use it in (via account_assignment). I finally noticed it when I saw there were only 3 errors but I had 4 account ids assigned. Running TF in debug mode also shows this:

"FailureReason":"Received a 404 status error: Not supported policy arn:aws:iam::1234567890:policy/TestPolicy."

Which still isn't fully clear, but is more helpful than the current error message. As mentioned earlier, the sso resources need to be updated with more descriptive error messages to improve customer experience when troubleshooting.

@dancorne
Contributor

This got fixed in #33121 so should be resolved in the next release 🤞 The error message being printed is now the FailureReason returned from AWS, rather than nil.
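
An added illustration of why the message ended in "last error: %!s(<nil>)" and of the fix described in the comment above. It is not the provider's code: assignmentStatus, describeFn, waitBefore and waitAfter are hypothetical names, and the sample FailureReason is the one quoted earlier in this thread.

```go
package main

import (
	"errors"
	"fmt"
)

// assignmentStatus holds the two response fields that matter here
// (hypothetical type; field names follow the debug output quoted in this thread).
type assignmentStatus struct {
	Status        string
	FailureReason string
}

// describeFn stands in for the call that polls the creation status.
type describeFn func() (assignmentStatus, error)

// Constructed sample: the FailureReason quoted earlier in the thread.
const sampleReason = "Received a 404 status error: Not supported policy arn:aws:iam::1234567890:policy/TestPolicy."
const msg = "unexpected state '%s', wanted target 'SUCCEEDED'. last error: %s"

// waitBefore reproduces the bug: a FAILED status is not an API error, so err
// is nil when it is formatted and FailureReason is never read.
func waitBefore(describe describeFn) error {
	out, err := describe()
	if err == nil && out.Status != "SUCCEEDED" {
		return fmt.Errorf(msg, out.Status, err) // nil error under %s prints %!s(<nil>)
	}
	return err
}

// waitAfter surfaces FailureReason as the last error.
func waitAfter(describe describeFn) error {
	out, err := describe()
	if err == nil && out.Status != "SUCCEEDED" {
		reason := out.FailureReason
		if reason == "" {
			reason = "no FailureReason returned"
		}
		return fmt.Errorf(msg, out.Status, errors.New(reason))
	}
	return err
}

func main() {
	failed := func() (assignmentStatus, error) { return assignmentStatus{"FAILED", sampleReason}, nil }
	fmt.Println("before:", waitBefore(failed))
	fmt.Println("after: ", waitAfter(failed))
}
```
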

@github-actions github-actions bot added this to the v5.14.0 milestone Aug 23, 2023
@github-actions

This functionality has been released in v5.14.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 24, 2023