[Bug]: Vague error reported when invalid aws_ssoadmin_permission_set_inline_policy

[Almenon]

Terraform Core Version

1.3.6

AWS Provider Version

4.66.1

Affected Resource(s)

When you have a invalid aws_ssoadmin_permission_set_inline_policy a vague error is reported, making it difficult to track down the root cause.

Expected Behavior

The error from AWS, "Invalid input value for InlinePolicy", should be reported

If you're wondering how I know this is the actual error, see debug logs.

Actual Behavior

unexpected state 'FAILED', wanted target 'SUCCEEDED'. last error: %!s(<nil>)

Relevant Error/Panic Output Snippet

╷
│ Error: provisioning SSO Permission Set (arn:aws:sso:::permissionSet/ssoins-7907b36b3fef0172/ps-4162861f9c010c83): error waiting for SSO Permission Set (arn:aws:sso:::permissionSet/ssoins-7907b36b3fef0172/ps-4162861f9c010c83) to provision: unexpected state 'FAILED', wanted target 'SUCCEEDED'. last error: %!s(<nil>)
│ 
│   with aws_ssoadmin_permission_set_inline_policy.Frontend_and_Backend,
│   on frontend_and_backend.tf line 19, in resource "aws_ssoadmin_permission_set_inline_policy" "Frontend_and_Backend":
│   19: resource "aws_ssoadmin_permission_set_inline_policy" "Frontend_and_Backend" {
│ 
╵

Terraform Configuration Files

resource "aws_ssoadmin_permission_set" "example_team" {
  name             = "example_team"
  session_duration = "PT8H"
  instance_arn     = tolist(data.aws_ssoadmin_instances.my_instances.arns)[0]
}

data "aws_iam_policy_document" "example_team" {
  statement {
    sid = "1"
    actions   = [
      "s3:*"
    ]
    resources = [
      "arn:aws:s3:us-east-1:${local.example-account-id}:example-bucket",
    ]
  }
}

resource "aws_ssoadmin_permission_set_inline_policy" "example_team" {
  inline_policy      = data.aws_iam_policy_document.example_team.json
  instance_arn       = tolist(data.aws_ssoadmin_instances.my_instances.arns)[0]
  permission_set_arn = aws_ssoadmin_permission_set.example_team.arn
}


data "aws_identitystore_group" "example_team" {
  identity_store_id = tolist(data.aws_ssoadmin_instances.my_instances.identity_store_ids)[0]

  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = "AWS IAM Identity Center (Example Team)"
    }
  }
}

resource "aws_ssoadmin_account_assignment" "dev-example_team" {
  for_each           = toset([local.example-account-id])
  instance_arn       = aws_ssoadmin_permission_set.example_team.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.example_team.arn

  principal_id   = data.aws_identitystore_group.example_team.group_id
  principal_type = "GROUP"

  target_id   = each.key
  target_type = "AWS_ACCOUNT"
  depends_on = [ aws_ssoadmin_managed_policy_attachment.example_team, aws_ssoadmin_permission_set_inline_policy.example_team ]
}

Steps to Reproduce

1. Create a permissionset with a valid policy
2. make the policy invalid (for example, using a region or account ID in a S3 ARN)
3. Try applying the change

Debug Output

" aws.service=STS http.duration=9 tf_mux_provider=*schema.GRPCProviderServer tf_rpc=ConfigureProvider aws.operation=GetCallerIdentity aws.region=us-west-2 aws.sdk=aws-sdk-go-v2 @module=aws.aws-base timestamp=2023-05-17T12:53:28.475-0700
2023-05-17T12:53:28.476-0700 [INFO]  provider.terraform-provider-aws_v4.66.1_x5: Retrieved caller identity from STS: tf_rpc=ConfigureProvider @module=aws.aws-base tf_mux_provider=*schema.GRPCProviderServer tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=85033c75-9d4b-00e1-be6a-1262be21517e @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.25/logging/logger.go:33 timestamp=2023-05-17T12:53:28.475-0700
2023-05-17T12:53:28.481-0700 [DEBUG] provider.terraform-provider-aws_v4.66.1_x5: Calling provider defined Provider Configure: @caller=github.com/hashicorp/terraform-plugin-framework@v1.2.0/internal/fwserver/server_configureprovider.go:12 @module=sdk.framework tf_req_id=85033c75-9d4b-00e1-be6a-1262be21517e tf_rpc=ConfigureProvider tf_mux_provider=*proto5server.Server tf_provider_addr=registry.terraform.io/hashicorp/aws timestamp=2023-05-17T12:53:28.481-0700
2023-05-17T12:53:28.481-0700 [DEBUG] provider.terraform-provider-aws_v4.66.1_x5: Called provider defined Provider Configure: tf_provider_addr=registry.terraform.io/hashicorp/aws tf_rpc=ConfigureProvider @module=sdk.framework @caller=github.com/hashicorp/terraform-plugin-framework@v1.2.0/internal/fwserver/server_configureprovider.go:20 tf_mux_provider=*proto5server.Server tf_req_id=85033c75-9d4b-00e1-be6a-1262be21517e timestamp=2023-05-17T12:53:28.481-0700
2023-05-17T12:53:28.485-0700 [WARN]  Provider "registry.terraform.io/hashicorp/aws" produced an invalid plan for aws_ssoadmin_permission_set_inline_policy.example_and_Backend, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .inline_policy: planned value cty.StringVal("{\"Statement\":[{\"Effect\":\"Allow\",\"NotAction\":[\"dynamodb:DeleteTable\",\"dynamodb:DeleteBackup\"],\"Resource\":[\"arn:aws:dynamodb:*:500336891328:table/example-dev-*\",\"arn:aws:dynamodb:*:240567706711:table/example-*\"],\"Sid\":\"\"},{\"Action\":[\"dynamodb:List*\",\"dynamodb:Describe*\"],\"Effect\":\"Allow\",\"Resource\":\"arn:aws:dynamodb:*:*:table/example-*\",\"Sid\":\"\"},{\"Action\":\"cloudformation:ValidateTemplate\",\"Effect\":\"Allow\",\"Resource\":\"arn:aws:cloudformation:us-east-1:240567706711:*\",\"Sid\":\"\"},{\"Action\":\"cloudformation:*\",\"Effect\":\"Allow\",\"Resource\":\"arn:aws:cloudformation:us-east-1:240567706711:stack/fes-*\",\"Sid\":\"\"},{\"Action\":[\"s3:PutObject\",\"s3:PutEncryptionConfiguration\",\"s3:PutBucketPolicy\",\"s3:PutBucketAcl\",\"s3:ListBucket\",\"s3:GetObject\",\"s3:GetEncryptionConfiguration\",\"s3:GetBucketPolicy\",\"s3:DeleteObject\",\"s3:DeleteBucketPolicy\",\"s3:DeleteBucket\",\"s3:CreateBucket\"],\"Effect\":\"Allow\",\"Resource\":\"arn:aws:s3:us-east-1:240567706711:fes-*\",\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}") does not match config value cty.StringVal("{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Sid\": \"\",\n      \"Effect\": \"Allow\",\n      \"NotAction\": [\n        \"dynamodb:DeleteTable\",\n        \"dynamodb:DeleteBackup\"\n      ],\n      \"Resource\": [\n        \"arn:aws:dynamodb:*:500336891328:table/example-dev-*\",\n        \"arn:aws:dynamodb:*:240567706711:table/example-*\"\n      ]\n    },\n    {\n      \"Sid\": \"\",\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"dynamodb:List*\",\n        \"dynamodb:Describe*\"\n      ],\n      \"Resource\": \"arn:aws:dynamodb:*:*:table/example-*\"\n    },\n    {\n      \"Sid\": \"\",\n      \"Effect\": \"Allow\",\n      \"Action\": \"cloudformation:ValidateTemplate\",\n      \"Resource\": \"arn:aws:cloudformation:us-east-1:240567706711:*\"\n    },\n    {\n      \"Sid\": \"\",\n      \"Effect\": \"Allow\",\n      \"Action\": \"cloudformation:*\",\n      \"Resource\": \"arn:aws:cloudformation:us-east-1:240567706711:stack/fes-*\"\n    },\n    {\n      \"Sid\": \"\",\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"s3:PutObject\",\n        \"s3:PutEncryptionConfiguration\",\n        \"s3:PutBucketPolicy\",\n        \"s3:PutBucketAcl\",\n        \"s3:ListBucket\",\n        \"s3:GetObject\",\n        \"s3:GetEncryptionConfiguration\",\n        \"s3:GetBucketPolicy\",\n        \"s3:DeleteObject\",\n        \"s3:DeleteBucketPolicy\",\n        \"s3:DeleteBucket\",\n        \"s3:CreateBucket\"\n      ],\n      \"Resource\": \"arn:aws:s3:us-east-1:240567706711:fes-*\"\n    }\n  ]\n}") nor prior value cty.StringVal("{\"Statement\":[{\"Effect\":\"Allow\",\"NotAction\":[\"dynamodb:DeleteTable\",\"dynamodb:DeleteBackup\"],\"Resource\":[\"arn:aws:dynamodb:*:500336891328:table/example-dev-*\",\"arn:aws:dynamodb:*:240567706711:table/example-*\"],\"Sid\":\"\"},{\"Action\":[\"dynamodb:List*\",\"dynamodb:Describe*\"],\"Effect\":\"Allow\",\"Resource\":\"arn:aws:dynamodb:*:*:table/example-*\",\"Sid\":\"\"},{\"Action\":\"cloudformation:ValidateTemplate\",\"Effect\":\"Allow\",\"Resource\":\"arn:aws:cloudformation:us-east-1:240567706711:*\",\"Sid\":\"\"},{\"Action\":\"cloudformation:*\",\"Effect\":\"Allow\",\"Resource\":\"arn:aws:cloudformation:us-east-1:240567706711:stack/fesf-*\",\"Sid\":\"\"},{\"Action\":[\"s3:PutObject\",\"s3:PutEncryptionConfiguration\",\"s3:PutBucketPolicy\",\"s3:PutBucketAcl\",\"s3:ListBucket\",\"s3:GetObject\",\"s3:GetEncryptionConfiguration\",\"s3:GetBucketPolicy\",\"s3:DeleteObject\",\"s3:DeleteBucketPolicy\",\"s3:DeleteBucket\",\"s3:CreateBucket\"],\"Effect\":\"Allow\",\"Resource\":\"arn:aws:s3:us-east-1:240567706711:fes-*\",\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}")
aws_ssoadmin_permission_set_inline_policy.example_and_Backend: Modifying... [id=arn:aws:sso:::permissionSet/ssoins-7907b36b3fef0172/ps-4162861f9c010c83,arn:aws:sso:::instance/ssoins-7907b36b3fef0172]
2023-05-17T12:53:28.485-0700 [INFO]  Starting apply for aws_ssoadmin_permission_set_inline_policy.example_and_Backend
2023-05-17T12:53:28.485-0700 [DEBUG] aws_ssoadmin_permission_set_inline_policy.example_and_Backend: applying the planned Update change
2023-05-17T12:53:28.487-0700 [DEBUG] provider.terraform-provider-aws_v4.66.1_x5: HTTP Request Sent: http.user_agent="APN/1.0 HashiCorp/1.0 Terraform/1.3.6 (+https://www.terraform.io) terraform-provider-aws/4.66.1 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.44.255 (go1.19.8; darwin; arm64)" tf_provider_addr=registry.terraform.io/hashicorp/aws tf_rpc=ApplyResourceChange @caller=github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2@v2.0.0-beta.26/logger.go:90 aws.region=us-west-2 http.request.body={"InlinePolicy":"{\"Statement\":[{\"Effect\":\"Allow\",\"NotAction\":[\"dynamodb:DeleteTable\",\"dynamodb:DeleteBackup\"],\"Resource\":[\"arn:aws:dynamodb:*:500336891328:table/example-dev-*\",\"arn:aws:dynamodb:*:240567706711:table/example-*\"],\"Sid\":\"\"},{\"Action\":[\"dynamodb:List*\",\"dynamodb:Describe*\"],\"Effect\":\"Allow\",\"Resource\":\"arn:aws:dynamodb:*:*:table/example-*\",\"Sid\":\"\"},{\"Action\":\"cloudformation:ValidateTemplate\",\"Effect\":\"Allow\",\"Resource\":\"arn:aws:cloudformation:us-east-1:240567706711:*\",\"Sid\":\"\"},{\"Action\":\"cloudformation:*\",\"Effect\":\"Allow\",\"Resource\":\"arn:aws:cloudformation:us-east-1:240567706711:stack/fes-*\",\"Sid\":\"\"},{\"Action\":[\"s3:PutObject\",\"s3:PutEncryptionConfiguration\",\"s3:PutBucketPolicy\",\"s3:PutBucketAcl\",\"s3:ListBucket\",\"s3:GetObject\",\"s3:GetEncryptionConfiguration\",\"s3:GetBucketPolicy\",\"s3:DeleteObject\",\"s3:DeleteBucketPolicy\",\"s3:DeleteBucket\",\"s3:CreateBucket\"],\"Effect\":\"Allow\",\"Resource\":\"arn:aws:s3:us-east-1:240567706711:fes-*\",\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}","InstanceArn":"arn:aws:sso:::instance/ssoins-7907b36b3fef0172","PermissionSetArn":"arn:aws:sso:::permissionSet/ssoins-7907b36b3fef0172/ps-4162861f9c010c83"}[truncated...] http.request.header.x_amz_target=SWBExternalService.PutInlinePolicyToPermissionSet aws.operation=PutInlinePolicyToPermissionSet http.request.header.x_amz_date=20230517T195328Z http.request_content_length=1262 http.method=POST tf_mux_provider=*schema.GRPCProviderServer tf_req_id=f6c8ab71-8ae8-04dc-b8dc-020e1805edf9 tf_resource_type=aws_ssoadmin_permission_set_inline_policy aws.service="SSO Admin" http.request.header.content_type=application/x-amz-json-1.1 http.url=https://sso.us-west-2.amazonaws.com/ net.peer.name=sso.us-west-2.amazonaws.com @module=aws aws.sdk=aws-sdk-go http.flavor=1.1 http.request.header.authorization="AWS4-HMAC-SHA256 Credential=AKIA************HKW7/20230517/us-west-2/sso/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date;x-amz-target, Signature=*****" timestamp=2023-05-17T12:53:28.486-0700
2023-05-17T12:53:28.692-0700 [DEBUG] provider.terraform-provider-aws_v4.66.1_x5: HTTP Response Received: @caller=github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2@v2.0.0-beta.26/logger.go:138 aws.operation=PutInlinePolicyToPermissionSet http.response.body={} http.response_content_length=2 tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=f6c8ab71-8ae8-04dc-b8dc-020e1805edf9 @module=aws aws.service="SSO Admin" http.response.header.content_type=application/x-amz-json-1.1 http.response.header.x_amzn_requestid=23f5282c-a53a-481e-8290-10d56de51bfb http.status_code=200 tf_rpc=ApplyResourceChange aws.region=us-west-2 aws.sdk=aws-sdk-go http.duration=205 http.response.header.date="Wed, 17 May 2023 19:53:28 GMT" tf_mux_provider=*schema.GRPCProviderServer tf_resource_type=aws_ssoadmin_permission_set_inline_policy timestamp=2023-05-17T12:53:28.692-0700
2023-05-17T12:53:28.692-0700 [DEBUG] provider.terraform-provider-aws_v4.66.1_x5: [DEBUG] Waiting for state to become: [success]
2023-05-17T12:53:28.693-0700 [DEBUG] provider.terraform-provider-aws_v4.66.1_x5: HTTP Request Sent: aws.service="SSO Admin" http.request.header.authorization="AWS4-HMAC-SHA256 Credential=AKIA************HKW7/20230517/us-west-2/sso/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date;x-amz-target, Signature=*****" http.request.header.content_type=application/x-amz-json-1.1 http.request.header.x_amz_target=SWBExternalService.ProvisionPermissionSet http.request_content_length=197 http.user_agent="APN/1.0 HashiCorp/1.0 Terraform/1.3.6 (+https://www.terraform.io) terraform-provider-aws/4.66.1 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.44.255 (go1.19.8; darwin; arm64)" http.method=POST tf_rpc=ApplyResourceChange @caller=github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2@v2.0.0-beta.26/logger.go:90 @module=aws aws.operation=ProvisionPermissionSet http.flavor=1.1 net.peer.name=sso.us-west-2.amazonaws.com tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=f6c8ab71-8ae8-04dc-b8dc-020e1805edf9 tf_resource_type=aws_ssoadmin_permission_set_inline_policy aws.region=us-west-2 aws.sdk=aws-sdk-go http.request.body={"InstanceArn":"arn:aws:sso:::instance/ssoins-7907b36b3fef0172","PermissionSetArn":"arn:aws:sso:::permissionSet/ssoins-7907b36b3fef0172/ps-4162861f9c010c83","TargetType":"ALL_PROVISIONED_ACCOUNTS"} http.request.header.x_amz_date=20230517T195328Z http.url=https://sso.us-west-2.amazonaws.com/ tf_mux_provider=*schema.GRPCProviderServer timestamp=2023-05-17T12:53:28.692-0700
2023-05-17T12:53:28.886-0700 [DEBUG] provider.terraform-provider-aws_v4.66.1_x5: HTTP Response Received: @caller=github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2@v2.0.0-beta.26/logger.go:138 @module=aws http.response.header.content_type=application/x-amz-json-1.1 tf_rpc=ApplyResourceChange aws.region=us-west-2 http.response.body={"PermissionSetProvisioningStatus":{"PermissionSetArn":"arn:aws:sso:::permissionSet/ssoins-7907b36b3fef0172/ps-4162861f9c010c83","RequestId":"53065524-a946-4d1a-9d4c-57b756a395e3","Status":"IN_PROGRESS"}} http.response.header.x_amzn_requestid=53065524-a946-4d1a-9d4c-57b756a395e3 http.status_code=200 tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=f6c8ab71-8ae8-04dc-b8dc-020e1805edf9 http.duration=193 http.response.header.date="Wed, 17 May 2023 19:53:28 GMT" http.response_content_length=204 aws.operation=ProvisionPermissionSet aws.sdk=aws-sdk-go aws.service="SSO Admin" tf_mux_provider=*schema.GRPCProviderServer tf_resource_type=aws_ssoadmin_permission_set_inline_policy timestamp=2023-05-17T12:53:28.886-0700
2023-05-17T12:53:28.887-0700 [DEBUG] provider.terraform-provider-aws_v4.66.1_x5: [DEBUG] Waiting for state to become: [SUCCEEDED]
2023-05-17T12:53:33.891-0700 [DEBUG] provider.terraform-provider-aws_v4.66.1_x5: HTTP Request Sent: http.request.header.x_amz_target=SWBExternalService.DescribePermissionSetProvisioningStatus http.request_content_length=137 http.url=https://sso.us-west-2.amazonaws.com/ net.peer.name=sso.us-west-2.amazonaws.com tf_req_id=f6c8ab71-8ae8-04dc-b8dc-020e1805edf9 @module=aws http.request.body={"InstanceArn":"arn:aws:sso:::instance/ssoins-7907b36b3fef0172","ProvisionPermissionSetRequestId":"53065524-a946-4d1a-9d4c-57b756a395e3"} tf_mux_provider=*schema.GRPCProviderServer tf_resource_type=aws_ssoadmin_permission_set_inline_policy http.flavor=1.1 tf_rpc=ApplyResourceChange @caller=github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2@v2.0.0-beta.26/logger.go:90 aws.region=us-west-2 aws.sdk=aws-sdk-go aws.service="SSO Admin" tf_provider_addr=registry.terraform.io/hashicorp/aws aws.operation=DescribePermissionSetProvisioningStatus http.method=POST http.request.header.authorization="AWS4-HMAC-SHA256 Credential=AKIA************HKW7/20230517/us-west-2/sso/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date;x-amz-target, Signature=*****" http.request.header.content_type=application/x-amz-json-1.1 http.request.header.x_amz_date=20230517T195333Z http.user_agent="APN/1.0 HashiCorp/1.0 Terraform/1.3.6 (+https://www.terraform.io) terraform-provider-aws/4.66.1 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.44.255 (go1.19.8; darwin; arm64)" timestamp=2023-05-17T12:53:33.891-0700
2023-05-17T12:53:33.985-0700 [DEBUG] provider.terraform-provider-aws_v4.66.1_x5: HTTP Response Received: http.response.header.content_type=application/x-amz-json-1.1 http.response.header.x_amzn_requestid=126bff84-18d2-4eb5-b601-a29177993e71 @caller=github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2@v2.0.0-beta.26/logger.go:138 aws.service="SSO Admin" http.duration=94 aws.sdk=aws-sdk-go http.response.body="{"PermissionSetProvisioningStatus":{"CreatedDate":1.684353208868E9,"FailureReason":"Received a 400 status error: Invalid input value for InlinePolicy.","PermissionSetArn":"arn:aws:sso:::permissionSet/ssoins-7907b36b3fef0172/ps-4162861f9c010c83","RequestId":"53065524-a946-4d1a-9d4c-57b756a395e3","Status":"FAILED"}}" tf_mux_provider=*schema.GRPCProviderServer tf_provider_addr=registry.terraform.io/hashicorp/aws tf_resource_type=aws_ssoadmin_permission_set_inline_policy tf_rpc=ApplyResourceChange aws.region=us-west-2 http.response.header.date="Wed, 17 May 2023 19:53:34 GMT" http.response_content_length=315 http.status_code=200 tf_req_id=f6c8ab71-8ae8-04dc-b8dc-020e1805edf9 @module=aws aws.operation=DescribePermissionSetProvisioningStatus timestamp=2023-05-17T12:53:33.985-0700
2023-05-17T12:53:33.985-0700 [ERROR] provider.terraform-provider-aws_v4.66.1_x5: Response contains error diagnostic: diagnostic_detail= diagnostic_severity=ERROR tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=f6c8ab71-8ae8-04dc-b8dc-020e1805edf9 @caller=github.com/hashicorp/terraform-plugin-go@v0.15.0/tfprotov5/internal/diag/diagnostics.go:55 tf_rpc=ApplyResourceChange tf_resource_type=aws_ssoadmin_permission_set_inline_policy @module=sdk.proto diagnostic_summary="provisioning SSO Permission Set (arn:aws:sso:::permissionSet/ssoins-7907b36b3fef0172/ps-4162861f9c010c83): error waiting for SSO Permission Set (arn:aws:sso:::permissionSet/ssoins-7907b36b3fef0172/ps-4162861f9c010c83) to provision: unexpected state 'FAILED', wanted target 'SUCCEEDED'. last error: %!s(<nil>)" tf_proto_version=5.3 timestamp=2023-05-17T12:53:33.985-0700
2023-05-17T12:53:33.986-0700 [ERROR] vertex "aws_ssoadmin_permission_set_inline_policy.example_and_Backend" error: provisioning SSO Permission Set (arn:aws:sso:::permissionSet/ssoins-7907b36b3fef0172/ps-4162861f9c010c83): error waiting for SSO Permission Set (arn:aws:sso:::permissionSet/ssoins-7907b36b3fef0172/ps-4162861f9c010c83) to provision: unexpected state 'FAILED', wanted target 'SUCCEEDED'. last error: %!s(<nil>)

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

No

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[Almenon]

It would also be nice if aws_iam_policy_document caught invalid ARN's like this during the plan, but that's more of a feature request

[github-actions]

This functionality has been released in v5.14.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.