aws_codebuild_project creation fails when dependent on aws_iam_role due to IAM eventual consistency #11709

Closed
kerr-bighealth opened this issue Jan 22, 2020 · 4 comments
Labels
regression Pertains to a degraded workflow resulting from an upstream patch or internal enhancement. service/codebuild Issues and PRs that pertain to the codebuild service. service/iam Issues and PRs that pertain to the iam service.
kerr-bighealth commented Jan 22, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.12.19
+ provider.aws v2.45.0

Affected Resource(s)

  • aws_codebuild_project when dependent on aws_iam_role

Terraform Configuration Files

terraform {
}

provider "aws" {
  region = "us-west-2"
}


data "aws_iam_policy_document" "infra_terraform_codebuild_assume_role" {
  statement {
    principals {
      type = "Service"
      identifiers = [
        "codebuild.amazonaws.com",
      ]
    }
    actions = [
      "sts:AssumeRole",
    ]
  }
}

resource "aws_iam_role" "infra_terraform_codebuild" {
  name               = "TESTING-iam-eventual-consistency"
  assume_role_policy = data.aws_iam_policy_document.infra_terraform_codebuild_assume_role.json
}

resource "aws_codebuild_project" "this" {
  name         = "TESTING-iam-eventual-consistency"
  service_role = aws_iam_role.infra_terraform_codebuild.arn

  artifacts {
    type = "NO_ARTIFACTS"
  }

  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "aws/codebuild/standard:3.0"
    type         = "LINUX_CONTAINER"
  }

  source {
    type     = "GITHUB"
    location = "https://github.com/hashicorp/terraform.git"
  }
}

Debug Output

terraform-aws-iam-eventual-consistency-codebuild.log

Panic Output

N/A

Expected Behavior

The aws_iam_role is created, then the aws_codebuild_project is created.

Actual Behavior

The aws_iam_role is created, but the aws_codebuild_project resource fails with error.

Error: Error creating CodeBuild project: InvalidInputException. Debug log further indicates this error: CodeBuild is not authorized to perform: sts:AssumeRole on arn:aws:iam::...

I see the relevant code looks for a substring of this error message and waits up to 5 minutes. However, I can repro this issue across all of my AWS accounts. Waiting a minute and retrying clears the issue, so I believe there is something amiss with the retry logic.

Steps to Reproduce

  1. terraform init
  2. terraform apply

Important Factoids

References

@ghost ghost added service/codebuild Issues and PRs that pertain to the codebuild service. service/iam Issues and PRs that pertain to the iam service. labels Jan 22, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Jan 22, 2020
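
The retry approach described in the issue above (match a substring of the error message and keep retrying until a timeout), sketched as an added Go example. It is not the Terraform AWS provider's code: `apiError`, `isIAMPropagationError`, `retryOnPropagation` and `simulateCreate` are hypothetical names, and the CodeBuild call is simulated.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// apiError is a constructed stand-in for an AWS SDK error (code plus message).
type apiError struct{ Code, Message string }
func (e *apiError) Error() string { return e.Code + ": " + e.Message }

// isIAMPropagationError matches the error quoted in the issue by code and message substring.
func isIAMPropagationError(err error) bool {
	var ae *apiError
	return errors.As(err, &ae) && ae.Code == "InvalidInputException" &&
		strings.Contains(ae.Message, "not authorized to perform: sts:AssumeRole")
}

// retryOnPropagation calls create until it succeeds, fails with an unrelated
// error, or timeout elapses; it returns the attempt count and the final error.
func retryOnPropagation(timeout, interval time.Duration, create func() error) (int, error) {
	deadline := time.Now().Add(timeout)
	for attempt := 1; ; attempt++ {
		err := create()
		if err == nil || !isIAMPropagationError(err) {
			return attempt, err // success, or an error that waiting will not fix
		}
		if time.Now().Add(interval).After(deadline) {
			return attempt, fmt.Errorf("role not assumable after %s: %w", timeout, err)
		}
		time.Sleep(interval)
	}
}

// simulateCreate fakes a project-creation call that fails `failures` times (constructed input).
func simulateCreate(failures int) func() error {
	return func() error {
		if failures > 0 {
			failures--
			return &apiError{"InvalidInputException", "CodeBuild is not authorized to perform: sts:AssumeRole on arn:aws:iam::..."}
		}
		return nil
	}
}

func main() {
	fmt.Println(retryOnPropagation(2*time.Second, 10*time.Millisecond, simulateCreate(3)))
}
```

If the error code or message text returned by the API changes, a substring matcher like this stops recognising the failure and the first error is returned without any retry.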
bflad commented Jan 22, 2020

Hi @kerr-bighealth 👋 Thank you for reporting this issue and sorry you are running into trouble. This is a similar report to #11642 / #11682 so to consolidate discussions and efforts, I'm going to close this issue in preference of the existing ones. The good news is that this should be resolved via AWS Go SDK update today and Terraform AWS Provider release tomorrow. 👍

@bflad bflad closed this as completed Jan 22, 2020
@kerr-bighealth
Author

@bflad Thank you - I didn't see the open items in my cursory search, so my apologies there.

@bflad bflad added this to the v2.46.0 milestone Jan 22, 2020
@bflad bflad added regression Pertains to a degraded workflow resulting from an upstream patch or internal enhancement. and removed needs-triage Waiting for first response or review from a maintainer. labels Jan 22, 2020
ghost commented Jan 23, 2020

This has been released in version 2.46.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

ghost commented Mar 27, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 27, 2020