awscc_iam_role : ConcurrentOperationException on create-resource operation #2196

Open
quixoticmonk opened this issue Feb 7, 2025 · 1 comment


@quixoticmonk
Collaborator

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
  • The resources and data sources in this provider are generated from the CloudFormation schema, so they can only support the actions that the underlying schema supports. For this reason submitted bugs should be limited to defects in the generation and runtime code of the provider. Customizing behavior of the resource, or noting a gap in behavior are not valid bugs and should be submitted as enhancements to AWS via the CloudFormation Open Coverage Roadmap.

Terraform CLI and Terraform AWS Cloud Control Provider Version

Terraform v1.10.0
on darwin_amd64
+ provider registry.terraform.io/hashicorp/aws v5.86.0
+ provider registry.terraform.io/hashicorp/awscc v1.28.0
+ provider registry.terraform.io/hashicorp/local v2.5.2
+ provider registry.terraform.io/hashicorp/null v3.2.3
+ provider registry.terraform.io/hashicorp/random v3.6.3
+ provider registry.terraform.io/kreuzwerker/docker v3.0.2

Affected Resource(s)

  • awscc_iam_role

Terraform Configuration Files

The configuration being deployed is the Terraform code contained in https://github.com/aws-samples/generate-awscc-with-bedrock-claude-computer-use/tree/main/terraform.

Debug Output

The debug output shows:

2025-02-04T18:16:26.526-0500 [DEBUG] provider.terraform-provider-awscc_v1.27.0_x5: HTTP Request Sent:
  http.request.body=
  | {"ClientToken":"terraform-2025020423162650860000000f","DesiredState":"{\"AssumeRolePolicyDocument\":\"{\\\"Statement\\\":[{\\\"Action\\\":\\\"sts:AssumeRole\\\",\\\"Effect\\\":\\\"Allow\\\",\\\"Principal\\\":{\\\"Service\\\":\\\"lambda.amazonaws.com\\\"}}],\\\"Version\\\":\\\"2012-10-17\\\"}\",\"Path\":\"/\",\"RoleName\":\"awscc-tool-use-aqn4-delete\",\"Tags\":[{\"Key\":\"Application\",\"Value\":\"awscc_tool_use\"},{\"Key\":\"Solution\",\"Value\":\"awscc-tool-use\"}]}","TypeName":"AWS::IAM::Role"}
   http.request.header.amz_sdk_request="attempt=1; max=25" 
tf_resource_type=awscc_iam_role http.url=https://cloudcontrolapi.us-west-2.amazonaws.com/
 rpc.service=CloudControl http.request.header.x_amz_security_token="*****" cfn_type=AWS::IAM::Role http.request.header.x_amz_date=20250204T231626Z tf_provider_addr=registry.terraform.io/hashicorp/awscc aws.region=us-west-2 http.method=POST http.request_content_length=502 tf_aws.sdk=aws-sdk-go-v2 @caller=github.com/hashicorp/aws-sdk-go-base/[email protected]/logging/tf_logger.go:45 http.request.header.x_amz_target=CloudApiService.CreateResource rpc.system=aws-api tf_aws.signing_region="" tf_req_id=61d5e7a8-2985-267b-92b6-eb99f438f710 rpc.method=CreateResource http.request.header.amz_sdk_invocation_id=cbddca15-778d-4219-9696-3d2934e6d0c9 http.request.header.authorization="AWS4-HMAC-SHA256 Credential=ASIA************6VVM/20250204/us-west-2/cloudcontrolapi/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date;x-amz-security-token;x-amz-target, Signature=*****" http.request.header.content_type=application/x-amz-json-1.0 http.user_agent="APN/1.0 HashiCorp/1.0 Terraform/1.10.0 (+https://www.terraform.io) terraform-provider-awscc/dev (+https://registry.terraform.io/providers/hashicorp/awscc) aws-sdk-go-v2/1.34.0 ua/2.1 os/macos lang/go#1.22.7 md/GOOS#darwin md/GOARCH#amd64 api/cloudcontrol#1.23.8" @module=awscc net.peer.name=cloudcontrolapi.us-west-2.amazonaws.com tf_rpc=ApplyResourceChange timestamp=2025-02-04T18:16:26.509-0500
   
2025-02-04T18:16:26.526-0500 [DEBUG] provider.terraform-provider-awscc_v1.27.0_x5: HTTP Request Sent:
  http.request.body=
  | {"ClientToken":"terraform-2025020423162650830000000e","DesiredState":"{\"AssumeRolePolicyDocument\":\"{\\\"Statement\\\":[{\\\"Action\\\":\\\"sts:AssumeRole\\\",\\\"Effect\\\":\\\"Allow\\\",\\\"Principal\\\":{\\\"Service\\\":\\\"lambda.amazonaws.com\\\"}}],\\\"Version\\\":\\\"2012-10-17\\\"}\",\"Path\":\"/\",\"RoleName\":\"awscc-tool-use-aqn4-delete\",\"Tags\":[{\"Key\":\"Application\",\"Value\":\"awscc_tool_use\"},{\"Key\":\"Solution\",\"Value\":\"awscc-tool-use\"}]}","TypeName":"AWS::IAM::Role"}
   http.request.header.amz_sdk_request="attempt=1; max=25" http.request.header.x_amz_date=20250204T231626Z tf_resource_type=awscc_iam_role tf_aws.sdk=aws-sdk-go-v2 tf_rpc=ApplyResourceChange @caller=github.com/hashicorp/aws-sdk-go-base/[email protected]/logging/tf_logger.go:45 http.request.header.authorization="AWS4-HMAC-SHA256 Credential=ASIA************6VVM/20250204/us-west-2/cloudcontrolapi/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date;x-amz-security-token;x-amz-target, Signature=*****" http.request_content_length=502 rpc.method=CreateResource tf_req_id=6b25f307-be6d-6e56-fae2-e90a34d62b03 aws.region=us-west-2 @module=awscc http.request.header.x_amz_security_token="*****" http.user_agent="APN/1.0 HashiCorp/1.0 Terraform/1.10.0 (+https://www.terraform.io) terraform-provider-awscc/dev (+https://registry.terraform.io/providers/hashicorp/awscc) aws-sdk-go-v2/1.34.0 ua/2.1 os/macos lang/go#1.22.7 md/GOOS#darwin md/GOARCH#amd64 api/cloudcontrol#1.23.8" net.peer.name=cloudcontrolapi.us-west-2.amazonaws.com rpc.service=CloudControl cfn_type=AWS::IAM::Role http.request.header.amz_sdk_invocation_id=615bb11d-933e-402d-9a3b-90803d5118e7 http.url=https://cloudcontrolapi.us-west-2.amazonaws.com/ tf_aws.signing_region="" http.method=POST http.request.header.x_amz_target=CloudApiService.CreateResource tf_provider_addr=registry.terraform.io/hashicorp/awscc http.request.header.content_type=application/x-amz-json-1.0 rpc.system=aws-api timestamp=2025-02-04T18:16:26.509-0500

Panic Output

Expected Behavior

The stack of resources specified in the configuration should be provisioned.

Actual Behavior

The resource provisioning fails with the following message:

│ Error: AWS SDK Go Service Operation Unsuccessful
│
│   with awscc_iam_role.delete_resource,
│   on iam.tf line 27, in resource "awscc_iam_role" "delete_resource":
│   27: resource "awscc_iam_role" "delete_resource" {
│
│ Calling Cloud Control API service CreateResource operation returned: operation error
│ CloudControl: CreateResource, https response error StatusCode: 400, RequestID:
│ 32d933ac-7cd6-4a4f-ac2e-0126c54c25a9, ConcurrentOperationException: Concurrent operation
│ found for resource awscc-tool-use-etxe-delete with RequestToken
│ 2ca683d2-369a-4e33-b923-166c7af0effe

Steps to Reproduce

  1. git clone https://github.com/aws-samples/generate-awscc-with-bedrock-claude-computer-use
  2. cd terraform
  3. terraform apply

Important Factoids

References

@BondAnthony
Collaborator

This boils down to duplicate resources with the same name. The following example will attempt to create the same IAM role with identifier test-role.

resource "awscc_iam_role" "delete_resource" {
  role_name = "test-role"
  assume_role_policy_document = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Principal = {
          Service = "lambda.amazonaws.com"
        }
      },
    ]
  })
}

resource "awscc_iam_role" "review_resource" {
  role_name = "test-role"
  assume_role_policy_document = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Principal = {
          Service = "lambda.amazonaws.com"
        }
      },
    ]
  })
}

The first execution of the above configuration will fail with the ConcurrentOperationException. CCAPI prevented the user from creating a duplicate resource, although the error doesn't clearly state that. The second Terraform apply will return a user-friendly error: 'AWS::IAM::Role' with identifier 'test-role' already exists.

One could force Terraform to show a successful plan by using -target and apply only one role. The downside to this is that the second apply sees the first role as tainted and replaces it. When all is said and done, Terraform thinks it's managing two resources in CCAPI, but only one exists within AWS.
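
A pre-apply check for the condition described in the comment above, as an added example that is not part of the issue thread or the provider's code: it reads the JSON form of a plan (`terraform show -json`) and reports IAM roles that would be created under the same name. The sample plan is constructed; the `suffixed` resource, the helper names, and the inclusion of `aws_iam_role` are assumptions added for illustration.

```python
import json
from collections import defaultdict

# Name attribute per resource type. awscc_iam_role.role_name is from the issue;
# aws_iam_role.name is an added assumption, since both share one IAM namespace.
NAME_ATTR = {"awscc_iam_role": "role_name", "aws_iam_role": "name"}


def find_duplicate_role_names(plan):
    """Return (duplicates, unknown) for roles that the plan will create.

    duplicates: {role name: [resource addresses]} for names planned 2+ times.
    unknown: addresses whose name is only known after apply, so it cannot be
    compared at plan time (for example a name built from a random suffix).
    """
    by_name = defaultdict(list)
    unknown = []
    for rc in plan.get("resource_changes", []):
        attr = NAME_ATTR.get(rc.get("type"))
        change = rc.get("change", {})
        if attr is None or "create" not in change.get("actions", []):
            continue
        if (change.get("after_unknown") or {}).get(attr) is True:
            unknown.append(rc["address"])
            continue
        name = (change.get("after") or {}).get(attr)
        if name:  # a null name means the provider generates one
            # IAM names are not distinguished by case, so compare lowercased.
            by_name[name.lower()].append(rc["address"])
    duplicates = {n: sorted(a) for n, a in by_name.items() if len(a) > 1}
    return duplicates, sorted(unknown)


def _create(rtype, label, after, after_unknown=None):
    # Builds one constructed resource_changes entry (hypothetical helper).
    return {"address": f"{rtype}.{label}", "type": rtype,
            "change": {"actions": ["create"], "after": after,
                       "after_unknown": after_unknown or {}}}


# Constructed plan: the two roles from the comment above, plus one role whose
# name is not known until apply.
SAMPLE_PLAN = {"resource_changes": [
    _create("awscc_iam_role", "delete_resource", {"role_name": "test-role"}),
    _create("awscc_iam_role", "review_resource", {"role_name": "test-role"}),
    _create("awscc_iam_role", "suffixed", {}, {"role_name": True}),
]}

if __name__ == "__main__":
    dups, unknown = find_duplicate_role_names(SAMPLE_PLAN)
    print(json.dumps({"duplicates": dups, "unknown_at_plan": unknown}, indent=2))
```

Roles listed under `unknown_at_plan` cannot be compared until their names resolve, so a clean `duplicates` result does not cover them.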
