aws_backup_selection.selection: error creating Backup Selection: InvalidParameterValueException #10511

Open
tbugfinder opened this issue Oct 15, 2019 · 5 comments · May be fixed by #10687

@tbugfinder tbugfinder commented Oct 15, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

0.11.14

Affected Resource(s)

  • aws_backup_selection

Terraform Configuration Files

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp

Debug Output

       2019-10-15T12:24:03.672+0200 [DEBUG] plugin.terraform-provider-aws_v2.32.0_x4: Action=DescribeSubnets&SubnetId.1=subnet-0xxxxxx8df&Version=2016-11-15
       2019-10-15T12:24:03.672+0200 [DEBUG] plugin.terraform-provider-aws_v2.32.0_x4: -----------------------------------------------------
       2019-10-15T12:24:03.028+0200 [DEBUG] plugin.terraform-provider-aws_v2.32.0_x4: 2019/10/15 12:24:03 [DEBUG] [aws-sdk-go] DEBUG: Response Backup/CreateBackupSelection Details:
       2019-10-15T12:24:03.028+0200 [DEBUG] plugin.terraform-provider-aws_v2.32.0_x4: ---[ RESPONSE ]--------------------------------------
       2019-10-15T12:24:03.028+0200 [DEBUG] plugin.terraform-provider-aws_v2.32.0_x4: HTTP/1.1 400 Bad Request
       2019-10-15T12:24:03.028+0200 [DEBUG] plugin.terraform-provider-aws_v2.32.0_x4: Connection: close
       2019-10-15T12:24:03.028+0200 [DEBUG] plugin.terraform-provider-aws_v2.32.0_x4: Content-Length: 295
       2019-10-15T12:24:03.028+0200 [DEBUG] plugin.terraform-provider-aws_v2.32.0_x4: Content-Type: application/json
       2019-10-15T12:24:03.028+0200 [DEBUG] plugin.terraform-provider-aws_v2.32.0_x4: Date: Tue, 15 Oct 2019 10:24:02 GMT
       2019-10-15T12:24:03.028+0200 [DEBUG] plugin.terraform-provider-aws_v2.32.0_x4: X-Amzn-Errortype: InvalidParameterValueException:http://internal.amazon.com/coral/com.amazonaws.services.cryo/
       2019-10-15T12:24:03.028+0200 [DEBUG] plugin.terraform-provider-aws_v2.32.0_x4: X-Amzn-Requestid: ae13be5f-a155-45c3-b886-24c72cbd7fd9
       2019-10-15T12:24:03.028+0200 [DEBUG] plugin.terraform-provider-aws_v2.32.0_x4:
       2019-10-15T12:24:03.028+0200 [DEBUG] plugin.terraform-provider-aws_v2.32.0_x4:
       2019-10-15T12:24:03.028+0200 [DEBUG] plugin.terraform-provider-aws_v2.32.0_x4: -----------------------------------------------------
       2019-10-15T12:24:03.028+0200 [DEBUG] plugin.terraform-provider-aws_v2.32.0_x4: 2019/10/15 12:24:03 [DEBUG] [aws-sdk-go] {"Code":"ERROR_3018","Context":"arn:aws:iam::126666663812:role/ROLEresname","Message":"IAM Role arn:aws:iam::126666663812:role/ROLEresname is not authorized to call tag:GetResources","Type":null}
       2019-10-15T12:24:03.028+0200 [DEBUG] plugin.terraform-provider-aws_v2.32.0_x4: 2019/10/15 12:24:03 [DEBUG] [aws-sdk-go] DEBUG: Validate Response Backup/CreateBackupSelection failed, attempt 0/25, error InvalidParameterValueException: IAM Role arn:aws:iam::126666663812:role/ROLEresname is not authorized to call tag:GetResources
       2019-10-15T12:24:03.028+0200 [DEBUG] plugin.terraform-provider-aws_v2.32.0_x4:   status code: 400, request id: ae13be5f-a155-45c3-b886-24c72cbd7fd9
       2019/10/15 12:24:03 [ERROR] root.mymodule: eval: *terraform.EvalApplyPost, err: 1 error occurred:
        * aws_backup_selection.selection: error creating Backup Selection: InvalidParameterValueException: IAM Role arn:aws:iam::126666663812:role/ROLEresname is not authorized to call tag:GetResources
        status code: 400, request id: ae13be5f-a155-45c3-b886-24c72cbd7fd9

       2019/10/15 12:24:03 [ERROR] root.mymodule: eval: *terraform.EvalSequence, err: 1 error occurred:
        * aws_backup_selection.selection: error creating Backup Selection: InvalidParameterValueException: IAM Role arn:aws:iam::126666663812:role/ROLEresname is not authorized to call tag:GetResources
        status code: 400, request id: ae13be5f-a155-45c3-b886-24c72cbd7fd9

       2019/10/15 12:24:03 [TRACE] [walkApply] Exiting eval tree: module.mymodule.aws_backup_selection.selection

       Error: Error applying plan:

       2019/10/15 12:24:03 [DEBUG] plugin: waiting for all plugin processes to complete...
       1 error occurred:
        * module.mymodule.aws_backup_selection.selection: 1 error occurred:
       2019-10-15T12:24:03.039+0200 [DEBUG] plugin.terraform-provider-random_v2.2.1_x4: 2019/10/15 12:24:03 [ERR] plugin: plugin server: accept unix /tmp/plugin229438604: use of closed network connection
       2019-10-15T12:24:03.039+0200 [DEBUG] plugin.terraform-provider-aws_v2.32.0_x4: 2019/10/15 12:24:03 [ERR] plugin: plugin server: accept unix /tmp/plugin054189175: use of closed network connection
        * aws_backup_selection.selection: error creating Backup Selection: InvalidParameterValueException: IAM Role arn:aws:iam::126666663812:role/ROLEresname is not authorized to call tag:GetResources
        status code: 400, request id: ae13be5f-a155-45c3-b886-24c72cbd7fd9


Panic Output

N/A

Expected Behavior

It should retry.
My code doesn't fail always, but sometimes :-|

Actual Behavior

It errors out after the first try (as per my understanding).

Steps to Reproduce

  1. terraform apply

Important Factoids

References

@tbugfinder tbugfinder commented Oct 19, 2019

I've created the following main.tf file based on terraform default documentation:

$ cat main.tf
provider "random" {
  version = "2.0.0"
}

resource "random_id" "id" {
  keepers {
    lifecycle = "${terraform.workspace}"
  }

  byte_length = 4
}

locals {
  id = "${random_id.id.hex}"
}


resource "aws_iam_role" "example" {
  name               = "example-${local.id}"
  assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["sts:AssumeRole"],
      "Effect": "allow",
      "Principal": {
        "Service": ["backup.amazonaws.com"]
      }
    }
  ]
}
POLICY
}

resource "aws_iam_role_policy_attachment" "example" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"
  role       = "${aws_iam_role.example.name}"
}

resource "aws_backup_plan" "example" {
  name = "tf_example_backup_plan-${local.id}"

  rule {
    rule_name         = "tf_example_backup_rule"
    target_vault_name = "${aws_backup_vault.example.name}"
    schedule          = "cron(0 12 * * ? *)"
  }
}

resource "aws_backup_selection" "example" {
  iam_role_arn = "${aws_iam_role.example.arn}"
  name         = "tf_example_backup_selection-${local.id}"
  plan_id      = "${aws_backup_plan.example.id}"

  selection_tag {
    type  = "STRINGEQUALS"
    key   = "foo"
    value = "bar"
  }
}

resource "aws_backup_vault" "example" {
  name        = "example_backup_vault-${local.id}"
  #kms_key_arn = "${aws_kms_key.example.arn}"
}

This code is executed in a loop until the error is raised.

The code was applied successfully 3 times and failed afterwards - see attached (encrypted logs).

2019-10-19T19:12:36.721+0200 [DEBUG] plugin.terraform-provider-aws_v2.33.0_x4:
2019-10-19T19:12:36.721+0200 [DEBUG] plugin.terraform-provider-aws_v2.33.0_x4:
2019-10-19T19:12:36.721+0200 [DEBUG] plugin.terraform-provider-aws_v2.33.0_x4: -----------------------------------------------------
2019-10-19T19:12:36.721+0200 [DEBUG] plugin.terraform-provider-aws_v2.33.0_x4: 2019/10/19 19:12:36 [DEBUG] [aws-sdk-go] {"Code":"ERROR_3018","Context":"arn:aws:iam::121212121212:role/example-67c8a75a","Message":"IAM Role arn:aws:iam::121212121212:role/example-67c8a75a is not authorized to call tag:GetResources","Type":null}
2019-10-19T19:12:36.721+0200 [DEBUG] plugin.terraform-provider-aws_v2.33.0_x4: 2019/10/19 19:12:36 [DEBUG] [aws-sdk-go] DEBUG: Validate Response Backup/CreateBackupSelection failed, attempt 0/25, error InvalidParameterValueException: IAM Role arn:aws:iam::121212121212:role/example-67c8a75a is not authorized to call tag:GetResources
2019-10-19T19:12:36.721+0200 [DEBUG] plugin.terraform-provider-aws_v2.33.0_x4:  status code: 400, request id: 0be67a96-44e1-43ba-9e33-efdd82a4faa0
2019/10/19 19:12:36 [TRACE] root: eval: *terraform.EvalWriteState
2019/10/19 19:12:36 [TRACE] root: eval: *terraform.EvalApplyProvisioners
2019/10/19 19:12:36 [TRACE] root: eval: *terraform.EvalIf
2019/10/19 19:12:36 [TRACE] root: eval: *terraform.EvalWriteState
2019/10/19 19:12:36 [TRACE] root: eval: *terraform.EvalWriteDiff
2019/10/19 19:12:36 [TRACE] root: eval: *terraform.EvalApplyPost
2019/10/19 19:12:36 [ERROR] root: eval: *terraform.EvalApplyPost, err: 1 error occurred:
        * aws_backup_selection.example: error creating Backup Selection: InvalidParameterValueException: IAM Role arn:aws:iam::121212121212:role/example-67c8a75a is not authorized to call tag:GetResources
        status code: 400, request id: 0be67a96-44e1-43ba-9e33-efdd82a4faa0

2019/10/19 19:12:36 [ERROR] root: eval: *terraform.EvalSequence, err: 1 error occurred:
        * aws_backup_selection.example: error creating Backup Selection: InvalidParameterValueException: IAM Role arn:aws:iam::121212121212:role/example-67c8a75a is not authorized to call tag:GetResources
        status code: 400, request id: 0be67a96-44e1-43ba-9e33-efdd82a4faa0

2019/10/19 19:12:36 [TRACE] [walkApply] Exiting eval tree: aws_backup_selection.example
2019/10/19 19:12:36 [TRACE] dag/walk: upstream errored, not walking "meta.count-boundary (count boundary fixup)"
2019/10/19 19:12:36 [TRACE] dag/walk: upstream errored, not walking "provider.aws (close)"
2019/10/19 19:12:36 [TRACE] dag/walk: upstream errored, not walking "root"
2019/10/19 19:12:36 [TRACE] Preserving existing state lineage "933bb3ad-332b-f487-f8f3-feb0201354ac"
2019/10/19 19:12:36 [TRACE] Preserving existing state lineage "933bb3ad-332b-f487-f8f3-feb0201354ac"
2019/10/19 19:12:36 [TRACE] Preserving existing state lineage "933bb3ad-332b-f487-f8f3-feb0201354ac"
2019/10/19 19:12:36 [DEBUG] plugin: waiting for all plugin processes to complete...
Error: Error applying plan:

1 error occurred:
        * aws_backup_selection.example: 1 error occurred:
        * aws_backup_selection.example: error creating Backup Selection: InvalidParameterValueException: IAM Role arn:aws:iam::121212121212:role/example-67c8a75a is not authorized to call tag:GetResources
2019-10-19T19:12:36.728+0200 [DEBUG] plugin.terraform-provider-aws_v2.33.0_x4: 2019/10/19 19:12:36 [ERR] plugin: plugin server: accept unix /tmp/plugin933888988: use of closed network connection
        status code: 400, request id: 0be67a96-44e1-43ba-9e33-efdd82a4faa0





Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.


logging-tf-apply.20191019T1910.log.gpg.gz

@tbugfinder tbugfinder commented Oct 19, 2019

$ grep APPL logging-tf-apply.20191019T1910.log
  APPLIED SUCCESSFULLY   \n
  APPLIED SUCCESSFULLY   \n
  APPLIED SUCCESSFULLY   \n

@tbugfinder tbugfinder commented Oct 27, 2019

Still failing with provider version 2.33.

@tbugfinder tbugfinder commented Oct 30, 2019

Probably raised due to eventual consistency of IAM.
https://github.com/terraform-providers/terraform-provider-aws/pull/6709/files

@tbugfinder tbugfinder commented Oct 30, 2019

Nevertheless the downstream service should implement retries.

@tbugfinder tbugfinder referenced a pull request that will close this issue Oct 30, 2019
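
A bounded retry of the kind the comments above ask for, as an added example that is not the provider's code or the change in the referenced pull request. `apiError`, `fakeCreate` and `retryOnPropagation` are hypothetical names, and the fake call stands in for CreateBackupSelection; only the error seen in the logs is retried, so a role that really lacks the permission still fails once the window closes.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// apiError is a constructed stand-in for the SDK error seen in the debug log.
type apiError struct{ Code, Message string }
func (e *apiError) Error() string { return e.Code + ": " + e.Message }

// isIAMPropagationError matches only the failure logged in this issue.
func isIAMPropagationError(err error) bool {
	var ae *apiError
	return errors.As(err, &ae) && ae.Code == "InvalidParameterValueException" &&
		strings.Contains(ae.Message, "is not authorized to call")
}

// retryOnPropagation calls create until it succeeds, returns an error that is
// not the propagation error, or the window closes. Returns attempts and error.
func retryOnPropagation(create func() error, window, delay time.Duration) (int, error) {
	deadline := time.Now().Add(window)
	for attempt := 1; ; attempt++ {
		err := create()
		if err == nil || !isIAMPropagationError(err) {
			return attempt, err
		}
		if time.Now().Add(delay).After(deadline) {
			return attempt, fmt.Errorf("gave up after %d attempts: %w", attempt, err)
		}
		time.Sleep(delay)
	}
}

// fakeCreate (hypothetical) returns the logged error `failures` times, then nil.
func fakeCreate(failures int) func() error {
	return func() error {
		if failures--; failures >= 0 {
			return &apiError{"InvalidParameterValueException", "IAM Role arn:aws:iam::121212121212:role/example-67c8a75a is not authorized to call tag:GetResources"}
		}
		return nil
	}
}

func main() {
	fmt.Println(retryOnPropagation(fakeCreate(2), time.Second, 10*time.Millisecond))
}
```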