
[Bug]: Error: reading AWS SSO Identity Store Group Data Source: operation error identitystore: GetGroupId, https response error StatusCode: 400 #28139

Closed
popsicleslayer opened this issue Dec 2, 2022 · 5 comments · Fixed by #28937
Labels
bug Addresses a defect in current functionality. service/identitystore Issues and PRs that pertain to the identitystore service.

Comments


popsicleslayer commented Dec 2, 2022

Terraform Core Version

1.3.6

AWS Provider Version

4.45

Affected Resource(s)

data "aws_identitystore_group"

Expected Behavior

Terraform should plan and apply as usual. There should be no problem retrieving any of the information regarding the identity store group.

Actual Behavior

For every request made there is an HTTPS response error.

Relevant Error/Panic Output Snippet

```
│ Error: reading AWS SSO Identity Store Group Data Source (): operation error identitystore: GetGroupId, https response error StatusCode: 400, RequestID: xxxxxxxxx, AccessDeniedException: User: arn:aws:sts::xxxxxxxxxxxx:assumed-role/role/configure is not authorized to perform: identitystore:GetGroupId because no identity-based policy allows the identitystore:GetGroupId action
│
│   with module.readonly_assignment.data.aws_identitystore_group.this["email@email.com"],
│   on .terraform/modules/readonly_assignment/main.tf line 1, in data "aws_identitystore_group" "this":
│    1: data "aws_identitystore_group" "this" {
```

Terraform Configuration Files

Data source:

```hcl
data "aws_identitystore_group" "this" {
  for_each          = local.group_list
  identity_store_id = local.identity_store_id

  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = each.key
    }
  }
}
```

Role permissions:

```json
...
{
    "Sid": "IdentityStore",
    "Effect": "Allow",
    "Action": [
        "identitystore:DescribeUser",
        "identitystore:ListUsers",
        "identitystore:DescribeGroup",
        "identitystore:ListGroups"
    ],
    "Resource": "*"
}
```

Steps to Reproduce

terraform plan

Debug Output

No response

Panic Output

No response

Important Factoids

At first, I thought this was related to the deprecation of the `filter` field, but after modifying the code to use the new block (`alternate_identifier`), the error persisted. Only reverting to provider version 4.37 allowed the plan to succeed. I reverted this far back because this code is part of a pipeline that runs on a monthly cron job, and that was the version available when it last succeeded.

References

No response

Would you like to implement a fix?

None

@popsicleslayer popsicleslayer added bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. labels Dec 2, 2022
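A pre-flight check for the permission gap in this report, added here as an example (it is not code from the issue, from Terraform, or from the AWS provider): it evaluates a copy of the role policy reconstructed from the fragment above against the actions the data source needs, so a pipeline can fail fast before `terraform plan` does. `identitystore:GetGroupId` is the action named in the AccessDeniedException; that the `alternate_identifier` lookup also calls `DescribeGroup`, and that the older `filter` form only needs `ListGroups` (as the maintainer's comment about restoring the ListGroups-based filter suggests), are assumptions. The evaluation is a deliberate subset of IAM: it matches `Action` strings with `*`/`?` wildcards and lets an explicit Deny override any Allow, ignoring `Resource` and `Condition`.

```python
"""Check whether an IAM identity-based policy allows the identitystore actions a
Terraform data source needs.

Added example for this issue thread; not code from the issue, Terraform, or the
AWS provider.  Only Action matching (shell-style wildcards) and Deny precedence
are modelled; Resource and Condition are ignored.
"""
from fnmatch import fnmatchcase  # IAM action wildcards ("*", "?") behave like shell globs
import json

# Role policy reconstructed from the fragment posted in the issue (constructed sample).
REPORTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "IdentityStore",
            "Effect": "Allow",
            "Action": [
                "identitystore:DescribeUser",
                "identitystore:ListUsers",
                "identitystore:DescribeGroup",
                "identitystore:ListGroups",
            ],
            "Resource": "*",
        }
    ],
}

# Actions assumed to be needed per lookup style.  GetGroupId is the action named in
# the AccessDeniedException; DescribeGroup for alternate_identifier and ListGroups
# for the filter form are assumptions about the provider's call sequence.
REQUIRED_ACTIONS = {
    "alternate_identifier": ["identitystore:GetGroupId", "identitystore:DescribeGroup"],
    "filter": ["identitystore:ListGroups"],
}


def _as_list(value):
    """IAM allows a single string/object or a list in most fields; normalise to a list."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def _matches(pattern, action):
    # IAM compares action names case-insensitively; "*" and "?" are wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def action_allowed(policy, action):
    """True if some Allow statement matches the action and no Deny statement does."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if any(_matches(p, action) for p in _as_list(stmt.get("Action"))):
            if stmt.get("Effect") == "Deny":
                return False  # an explicit Deny always wins
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


def missing_actions(policy, lookup_style):
    """Return the required actions for a lookup style that the policy does not allow."""
    return [a for a in REQUIRED_ACTIONS[lookup_style] if not action_allowed(policy, a)]


def with_actions_added(policy, sid, extra):
    """Return a deep copy of the policy with extra actions merged into the statement `sid`."""
    fixed = json.loads(json.dumps(policy))
    for stmt in fixed["Statement"]:
        if stmt.get("Sid") == sid:
            stmt["Action"] = sorted(set(_as_list(stmt.get("Action"))) | set(extra))
    return fixed


if __name__ == "__main__":
    gap = missing_actions(REPORTED_POLICY, "alternate_identifier")
    print("missing for alternate_identifier lookup:", gap)
    fixed = with_actions_added(REPORTED_POLICY, "IdentityStore", gap)
    print("missing after adding them:", missing_actions(fixed, "alternate_identifier"))
    print(json.dumps(fixed, indent=2))
```

Run against the reported policy, `missing_actions` reports only `identitystore:GetGroupId`, which is exactly the action the error message says no identity-based policy allows; the `filter` style, which the fix falls back to, needs nothing the policy does not already grant.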

github-actions bot commented Dec 2, 2022

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added the service/identitystore Issues and PRs that pertain to the identitystore service. label Dec 2, 2022
@justinretzolk justinretzolk removed the needs-triage Waiting for first response or review from a maintainer. label Dec 5, 2022

mariusmitrofan commented Dec 12, 2022

Same here!

The issue still persists in version 4.46.0.

Later edit: Tried with v4.42.0 and it seems it also does not work. Had to revert back to v4.34.0.

Later later edit: Looks like my error is somewhat different.

```
│ Error: reading AWS SSO Identity Store Group Data Source (obfuscated-groupid): operation error identitystore: GetGroupId, https response error StatusCode: 400, RequestID: a96491c6-d116-43ae-a8db-2291b7d8307e, api error UnknownOperationException: UnknownError
│
│   with module.sso.data.aws_identitystore_group.this["obfuscatedgroup@obfuscateddomain.com"],
│   on ../../../modules/sso/data.tf line 4, in data "aws_identitystore_group" "this":
│    4: data "aws_identitystore_group" "this" {
```


Phylu commented Dec 23, 2022

I think this is a duplicate of #27830.

ewbankkit (Contributor) commented Jan 17, 2023

@popsicleslayer We were unable to reproduce this in our acceptance tests, so I went ahead and restored the old filter functionality (using the ListGroups API) in #28937.
If this does not fix the problem, please open a new issue.
Thanks.

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 17, 2023