[Bug]: aws_servicecatalog_principal_portfolio_association does not correctly clean up IAM_PATTERN principal types

[mc-etcher]

Terraform Core Version

1.5.1

AWS Provider Version

5.5.0

Affected Resource(s)

• aws_servicecatalog_principal_portfolio_association

Expected Behavior

When you run a terraform destroy the principal type should be disassociated, regardless if it is a type of IAM or of IAM_PATTERN.

Actual Behavior

When you run a terraform destroy the principal types of IAM are successfully deleted, but the principal types of IAM_PATTERN are retained.

This behavior is explained by how the golang SDK is called.

If you have a principal type of IAM_PATTERN and you call DisassociatePrincipalFromPortfolio without specifying a PrincipalType of IAM_PATTERN in the DisassociatePrincipalFromPortfolioInput you'll receive An error occurred (ResourceNotFoundException) when calling the DisassociatePrincipalFromPortfolio operation.

The AWS Provider is treating this resource not found exception as believing the resource is already cleaned up, and skips the removal.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "aws_servicecatalog_portfolio" "portfolio" {
  name          = "some_name"
  description   = "some_description"
  provider_name = "some_provider"
}

resource "aws_servicecatalog_principal_portfolio_association" "allowed_spoke_principals" {
  portfolio_id   = aws_servicecatalog_portfolio.portfolio.id
  principal_arn  = "arn:aws:iam:::role/SCEndUser"
  principal_type = "IAM_PATTERN"
}

Steps to Reproduce

• Provision a aws_servicecatalog_portfolio resource
• Add an IAM Pattern Principal to the Portfolio using the aws_servicecatalog_principal_portfolio_association resource
• Run a terraform plan to create the resources
• Run a terraform destroy and receive an error
  • Error: deleting Service Catalog Portfolio (port-************): ResourceInUseException: Portfolio port--************): still has associated Principals

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

Yes

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[davidadixon]

👍

[tanyuzhuo]

I am having the same issue - when will this be fixed roughly?
Currently we have to delete the access manually in the console as a work-around

[mc-etcher]

@tanyuzhuo - while I can't comment on a timeline, I can point you to the Prioritization Guide - one of the factors that helps is as follows We prioritze work based on a number of factors, including community feedback, issue/PR reactions, as well as the source of the request.

Please be sure to 👍 a PR proposed to address the issue - #32243

[boxrick]

Upvoted fix... does anyone have any potential workarounds in the meanwhile? Perhaps an AWS-CLI type command to disassociate on run of destroy?

https://docs.aws.amazon.com/cli/latest/reference/servicecatalog/disassociate-principal-from-portfolio.html

[boxrick]

Workaround for anyone struggling:

resource "aws_servicecatalog_principal_portfolio_association" "allow_all_to_launch" {
  for_each       = var.portfolios
  portfolio_id   = aws_servicecatalog_portfolio.this[each.key].id
  principal_arn  = "arn:aws:iam:::role/*"
  principal_type = "IAM_PATTERN"

  ## This is a workaround for this bug, we manually disassociate this principal as we destroy it
  provisioner "local-exec" {
    when    = destroy
    command = "aws servicecatalog disassociate-principal-from-portfolio --portfolio-id ${self.portfolio_id} --principal-type IAM_PATTERN --principal-arn arn:aws:iam:::role/*"
  }
}

[silvaalbert]

@ewbankkit This is a good fix that would alleviate some pain for some that are having to implement workarounds (see above)

[github-actions]

This functionality has been released in v5.16.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.