
aws_ssoadmin_account_assignment and others won't create because of a failed provisioning #26807

Closed
aviau opened this issue Sep 14, 2022 · 8 comments · Fixed by #33121
Labels
bug Addresses a defect in current functionality. service/ssoadmin Issues and PRs that pertain to the ssoadmin service.
Milestone

Comments

@aviau
Contributor

aviau commented Sep 14, 2022

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Affected Resource(s)

  • aws_ssoadmin_account_assignment
  • aws_ssoadmin_permission_set_inline_policy

Terraform Configuration Files

These two resources don't work at all on a new account.

data "aws_ssoadmin_instances" "all" {}

locals {
  aws_iam_identity_center_instance = {
    id  = tolist(data.aws_ssoadmin_instances.all.identity_store_ids)[0]
    arn = tolist(data.aws_ssoadmin_instances.all.arns)[0]
  }
}


data "aws_identitystore_group" "developers" {
  identity_store_id = local.aws_iam_identity_center_instance.id
  filter {
    attribute_path  = "DisplayName"
    attribute_value = "developers"
  }
}

resource "aws_ssoadmin_permission_set" "developers" {
  name         = "developers"
  instance_arn = local.aws_iam_identity_center_instance.arn
}

resource "aws_ssoadmin_account_assignment" "developers" {
  instance_arn       = aws_ssoadmin_permission_set.developers.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.developers.arn

  principal_id   = data.aws_identitystore_group.developers.group_id
  principal_type = "GROUP"

  target_id   = xxxxx
  target_type = "AWS_ACCOUNT"
}

Expected Behavior

  • No error.

Actual Behavior

aws_ssoadmin_account_assignment.developers: Creating...
╷
│ Error: error waiting for SSO Account Assignment for GROUP (c4084468-e081-70e9-67db-b19c3a225188) to be created: unexpected state 'FAILED', wanted target 'SUCCEEDED'. last error: %!s(<nil>)
│
│   with aws_ssoadmin_account_assignment.developers,
│   on aws_iam_identity_center.tf line 38, in resource "aws_ssoadmin_account_assignment" "developers":
│   38: resource "aws_ssoadmin_account_assignment" "developers" {

This same error happens when creating a number of SSO-related resources. The docs say that the Terraform module attempts to trigger a provisioning when some of them change, which is not possible when the permission sets were not yet assigned to an account. I feel like this triggers a catch-22 where it's impossible to actually use the Terraform module without having created stuff manually in the UI before.

@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. service/identitystore Issues and PRs that pertain to the identitystore service. service/ssoadmin Issues and PRs that pertain to the ssoadmin service. labels Sep 14, 2022
@frankpengau
Contributor

frankpengau commented Oct 5, 2022

What I seem to have found is that there is quite a strict flow for the AWS SSO resources.

  1. Create Permission Set
  2. Attach Managed/Inline Policy to Permission Set
  3. Assign Permission Set to Account (Account Assignment)

The parallelism (parallel processing) nature of Terraform would sometimes cause problems if it tries to attach policies when a permission set doesn't exist yet, or if a permission set is already assigned to an account and then, when you attach policies, it triggers the ProvisionPermissionSet API call, due to the way that ssoadmin works for updating permission sets. It can cause an unnecessarily large number of API calls and hit a throttling exception.
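
The three-step flow described in the comment above, serialised with an explicit `depends_on` so the account assignment cannot be scheduled in the same parallel batch as the policy attachments. This is an added example, not code from the issue author or the provider project; it assumes the `developers` group lookup and `local.aws_iam_identity_center_instance` from the original report, a placeholder target account id, and an arbitrary (valid) deny-only inline policy.

```hcl
# Added example; assumes the data sources/locals from the original report
# plus a placeholder account id and an illustrative inline policy.

# Step 1: the permission set itself.
resource "aws_ssoadmin_permission_set" "developers" {
  name         = "developers"
  instance_arn = local.aws_iam_identity_center_instance.arn
}

# Step 2: policies attached to the permission set. Each attachment modifies the
# permission set, which is what later triggers ProvisionPermissionSet.
resource "aws_ssoadmin_managed_policy_attachment" "developers_readonly" {
  instance_arn       = aws_ssoadmin_permission_set.developers.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.developers.arn
  managed_policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

data "aws_iam_policy_document" "developers_inline" {
  statement {
    sid       = "DenyIamWrites" # read-only plus an explicit deny on IAM writes
    effect    = "Deny"
    actions   = ["iam:Create*", "iam:Put*", "iam:Attach*"]
    resources = ["*"]
  }
}

resource "aws_ssoadmin_permission_set_inline_policy" "developers" {
  instance_arn       = aws_ssoadmin_permission_set.developers.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.developers.arn
  inline_policy      = data.aws_iam_policy_document.developers_inline.json
}

# Step 3: assign only after every attachment has completed. The attribute
# references above only order the permission set before the attachments and the
# assignment; depends_on is what keeps the assignment out of the parallel batch.
resource "aws_ssoadmin_account_assignment" "developers" {
  instance_arn       = aws_ssoadmin_permission_set.developers.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.developers.arn
  principal_id       = data.aws_identitystore_group.developers.group_id
  principal_type     = "GROUP"
  target_id          = "111122223333" # placeholder account id
  target_type        = "AWS_ACCOUNT"

  depends_on = [
    aws_ssoadmin_managed_policy_attachment.developers_readonly,
    aws_ssoadmin_permission_set_inline_policy.developers,
  ]
}
```

When several permission sets share one account, the same `depends_on` pattern also bounds how many ProvisionPermissionSet calls run at once, which addresses the throttling the comment mentions.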

@justinretzolk justinretzolk added bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. labels Oct 26, 2022
@dynnamitt

dynnamitt commented Apr 24, 2023

version '1.2.7'

  • Installed hashicorp/aws v4.64.0 (signed by HashiCorp)

Same error, and there is only one API call:
aws_ssoadmin_account_assignment.
Since permission set + policy + account already exist.

Oddly, in my case the issue only arises in ONE account in our organization: the master account.

aws_ssoadmin_account_assignment.a["KH.App.AWS.CMP/master/AWSSecurityHubReadOnlyAccess"]: Creating...
aws_ssoadmin_account_assignment.a["KH.App.AWS.CMP/master/AWSSecurityHubReadOnlyAccess"]: Still creating... [10s elapsed]
╷
│ Error: waiting for SSO Account Assignment for GROUP (93671bac31-4f5b72cc-2e6b-4501-b450-8b6e899169d0) to be created: unexpected state 'FAILED', wanted target 'SUCCEEDED'. last error: %!s(<nil>)
│ 
│   with aws_ssoadmin_account_assignment.a["KH.App.AWS.CMP/master/AWSSecurityHubReadOnlyAccess"],
│   on assignments.tf line 57, in resource "aws_ssoadmin_account_assignment" "a":
│   57: resource "aws_ssoadmin_account_assignment" "a" {
│ 
╵

@joestump
Contributor

I have seen this error pop up if the target account does not have the permission boundary referenced in the permission set already in the account.

@dimisjim
Contributor

dimisjim commented May 15, 2023

A temp solution to this is to increase the quota for "managed policies per role": (+ waiting for some time for the quota change to get propagated (even if it says it has been applied)) https://discuss.hashicorp.com/t/unexpected-state-failed-wanted-target-succeeded-last-error-s-nil/42775

@Almenon

Almenon commented May 17, 2023

Note that this error could also be because of an invalid IAM policy. See #31456

@uname223

uname223 commented Jul 6, 2023

I encountered a similar issue, and here's how I discovered the solution.

My setup:

  1. Assuming the deployment role in the organization root (where SSO is configured).
  2. Using the same region in the provider where SSO is set up.

Steps I followed:

  1. Attempted to assign a permission set to all accounts within the organization.
  2. Encountered no issues except for the org root account.
  3. Ran Terraform in debug mode to investigate further.
  4. Discovered that my organization role was lacking permissions for "iam:CreateRole" and "iam:PutRolePolicy," so I added those permissions to the role.
  5. Added additional permissions to avoid potential issues.
  6. Voila! It worked!

One tricky aspect was that in my setup, the process was failing, but I couldn't find any meaningful CloudTrail logs. Even when using the AWS CLI in debug mode, no errors were apparent. Only when running Terraform in debug mode did I gain insight into what was happening.

Please note: When assigning permission sets to the org root account or the SSO management account (which is the same in my case), be sure to add any additional permissions required by the role executing the changes.

PS: I encountered 403 errors when I didn't specify the region in the provider. Make sure to specify the same region where your SSO is deployed.

@ewbankkit ewbankkit removed the service/identitystore Issues and PRs that pertain to the identitystore service. label Aug 21, 2023
@github-actions github-actions bot added this to the v5.14.0 milestone Aug 21, 2023
@github-actions

This functionality has been released in v5.14.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 24, 2023