[Bug]: aws_bedrockagent_agent resource fails to destroy when an alias created outside Terraform exists #37161

Open
acwwat opened this issue Apr 29, 2024 · 2 comments · May be fixed by #37586
Labels
bug Addresses a defect in current functionality. service/bedrock Issues and PRs that pertain to the bedrock service. service/bedrockagent Issues and PRs that pertain to the bedrockagent service. service/iam Issues and PRs that pertain to the iam service. service/sts Issues and PRs that pertain to the sts service.


acwwat commented Apr 29, 2024

Terraform Core Version

1.6.6

AWS Provider Version

5.47.0

Affected Resource(s)

aws_bedrockagent_agent

Expected Behavior

Resource is destroyed successfully.

Actual Behavior

Resource fails to destroy with the error below.

Relevant Error/Panic Output Snippet

Updated: 2024-05-18: The resource is now returning a better error message:

╷
│ Error: deleting Bedrock Agent (7HNG5UEHZC)
│
│ operation error Bedrock Agent: DeleteAgent, https response error StatusCode: 409, RequestID: c654de85-1b5c-4907-b8c3-578d508f259b, ConflictException: Could  
│ not delete Agent with ID 7HNG5UEHZC, since it has active aliases
╵

aws_iam_role_policy.bedrock_agent_forex_asst: Destroying... [id=AmazonBedrockExecutionRoleForAgents_ForexAssistant:AmazonBedrockAgentBedrockFoundationModelPolicy_ForexAssistant]
aws_bedrockagent_agent.forex_asst: Destroying... [id=BJP8AZXZTV]
aws_iam_role_policy.bedrock_agent_forex_asst: Destruction complete after 0s
╷
│ Error: waiting for Bedrock Agent (BJP8AZXZTV) delete
│
│ unexpected state 'PREPARED', wanted target ''. last error: %!s(<nil>)
╵

Terraform Configuration Files

locals {
  model_id = "anthropic.claude-3-haiku-20240307-v1:0"
}

data "aws_caller_identity" "this" {}

data "aws_region" "this" {}

data "aws_iam_policy" "lambda_basic_execution" {
  name = "AWSLambdaBasicExecutionRole"
}

data "aws_bedrock_foundation_model" "this" {
  model_id = local.model_id
}

locals {
  account_id = data.aws_caller_identity.this.account_id
  region     = data.aws_region.this.name
}

resource "aws_iam_role" "bedrock_agent_forex_asst" {
  name = "AmazonBedrockExecutionRoleForAgents_ForexAssistant"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Principal = {
          Service = "bedrock.amazonaws.com"
        }
        Condition = {
          StringEquals = {
            "aws:SourceAccount" = local.account_id
          }
          ArnLike = {
            "aws:SourceArn" = "arn:aws:bedrock:${local.region}:${local.account_id}:agent/*"
          }
        }
      }
    ]
  })
}

resource "aws_iam_role_policy" "bedrock_agent_forex_asst" {
  name = "AmazonBedrockAgentBedrockFoundationModelPolicy_ForexAssistant"
  role = aws_iam_role.bedrock_agent_forex_asst.name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action   = "bedrock:InvokeModel"
        Effect   = "Allow"
        Resource = data.aws_bedrock_foundation_model.this.model_arn
      }
    ]
  })
}

resource "aws_bedrockagent_agent" "forex_asst" {
  agent_name              = "ForexAssistant"
  agent_resource_role_arn = aws_iam_role.bedrock_agent_forex_asst.arn
  description             = "An assisant that provides forex rate information."
  foundation_model        = data.aws_bedrock_foundation_model.this.model_id
  instruction             = "You are an assistant that looks up today's currency exchange rates. A user may ask you what the currency exchange rate is for one currency to another. They may provide either the currency name or the three-letter currency code. If they give you a name, you may first need to first look up the currency code by its name."
}

Steps to Reproduce

  1. Ensure that you have requested access to the Claude 3 Haiku model.
  2. Initialize and apply the Terraform configuration above to create the resources.
  3. In the AWS Management Console, open the agent in the Bedrock console.
  4. Create a new alias, for example beta.
  5. Run terraform destroy and see that it fails with the error message.

Debug Output

No response

Panic Output

No response

Important Factoids

I am able to delete the agent in the AWS Management Console, so I think the Terraform resource should be able to do the same.

References

No response

Would you like to implement a fix?

None

acwwat commented May 18, 2024

Similar to that of action group, the DeleteAgent API has a SkipResourceInUseCheck flag that can force the deletion. Adding support for this flag will address the issue, so I'll work on it.
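
Added example, not part of the issue thread or of the provider's code: a pre-destroy check that lists an agent's aliases, compares them with the aliases recorded in `terraform show -json` output, and passes `skipResourceInUseCheck` to DeleteAgent only on an explicit `force`. The boto3 `bedrock-agent` method and parameter names are real; `delete_agent_guarded`, `FakeClient`, the IDs and the state document are constructed for illustration.

```python
def list_aliases(client, agent_id):
    """All alias summaries for the agent, following nextToken pagination."""
    aliases, kwargs = [], {"agentId": agent_id}
    while True:
        page = client.list_agent_aliases(**kwargs)
        aliases.extend(page.get("agentAliasSummaries", []))
        if not page.get("nextToken"):
            return aliases
        kwargs["nextToken"] = page["nextToken"]

def managed_alias_ids(state, agent_id):
    """Alias IDs tracked in `terraform show -json` output, child modules included."""
    found, stack = set(), [state.get("values", {}).get("root_module", {})]
    while stack:
        module = stack.pop()
        stack.extend(module.get("child_modules", []))
        for res in module.get("resources", []):
            vals = res.get("values", {})
            if (res.get("type") == "aws_bedrockagent_agent_alias"
                    and vals.get("agent_id") == agent_id):
                found.add(vals.get("agent_alias_id"))
    return found

def delete_agent_guarded(client, state, agent_id, force=False):
    """Delete the agent; refuse when untracked aliases exist unless force=True."""
    managed = managed_alias_ids(state, agent_id)
    stray = [a["agentAliasName"] for a in list_aliases(client, agent_id)
             if a["agentAliasId"] not in managed]
    if stray and not force:
        return {"deleted": False, "untracked": stray}
    # skipResourceInUseCheck is the DeleteAgent flag named in the comment above.
    client.delete_agent(agentId=agent_id, skipResourceInUseCheck=force)
    return {"deleted": True, "untracked": stray}

class FakeClient:
    """Constructed stand-in for boto3.client("bedrock-agent"); two result pages."""
    pages = {None: ({"agentAliasId": "ALIAS00001", "agentAliasName": "prod"}, "t"),
             "t": ({"agentAliasId": "ALIAS00002", "agentAliasName": "beta"}, None)}
    def __init__(self):
        self.deleted = []
    def list_agent_aliases(self, agentId, nextToken=None):
        alias, token = self.pages[nextToken]
        return {"agentAliasSummaries": [alias], "nextToken": token}
    def delete_agent(self, agentId, skipResourceInUseCheck=False):
        self.deleted.append((agentId, skipResourceInUseCheck))

# Constructed state: Terraform tracks only the "prod" alias, inside a child module.
STATE = {"values": {"root_module": {"child_modules": [{"resources": [{
    "type": "aws_bedrockagent_agent_alias",
    "values": {"agent_id": "AGENT00001", "agent_alias_id": "ALIAS00001"}}]}]}}}
```

Against a real account, pass `boto3.client("bedrock-agent")` and the parsed output of `terraform show -json` in place of the constructed objects.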
