Hello Team,
I’m unsure if this is the correct channel to post this, and I’m looking for an ETA. Since last Friday, we have been experiencing SSM destruction/replacement issues. Our Terraform provider version is 5.94.1. I was under the impression that this issue would be expedited. Could you please provide an update on when it is expected to be resolved?
opened 08:03AM - 04 Apr 25 UTC
Labels: bug, service/ssm, needs-triage
### Terraform and AWS Provider Version
```console
Terraform v1.11.3
on linux_am… d64
+ provider registry.terraform.io/hashicorp/aws v5.93.0
```
### Affected Resource(s) or Data Source(s)
* `aws_ssm_document`
### Expected Behavior
terraform destroy should delete the ssm document successfully.
### Actual Behavior
In certain regions (tested us-west-2, us-east-1, us-east-2), Terraform deletes the SSM document but fails with the error
`Error: waiting for SSM Document (pulse.georgetest.service_control) delete: operation error SSM: DescribeDocument, https response error StatusCode: 400, RequestID: 6f5c387e-2899-426c-ba08-4265e34d4ff6, InvalidDocument: No matching value was found for Name.`
when waiting for it to delete, and as a result does not remove it from the state file.
Running destroy again also returns the same error when refreshing for the plan.
### Relevant Error/Panic Output
Error when destroying the resource
```console
aws_ssm_document.service_control: Destroying... [id=pulse.georgetest.service_control]
╷
│ Error: waiting for SSM Document (pulse.georgetest.service_control) delete: operation error SSM: DescribeDocument, https response error StatusCode: 400, RequestID: 6f5c387e-2899-426c-ba08-4265e34d4ff6, InvalidDocument: No matching value was found for Name.
│
│
╵
```
Error when rerunning destroy (plan failure)
```console
aws_ssm_document.service_control: Refreshing state... [id=pulse.georgetest.service_control]
╷
│ Error: reading SSM Document (pulse.georgetest.service_control): operation error SSM: DescribeDocument, https response error StatusCode: 400, RequestID: c0b72355-3571-4633-8b8e-e2ec29829f23, InvalidDocument: No matching value was found for Name.
│
│ with aws_ssm_document.service_control,
│ on main.tf line 32, in resource "aws_ssm_document" "service_control":
│ 32: resource "aws_ssm_document" "service_control" {
│
╵
```
### Sample Terraform Configuration
<details>
<summary>Click to expand configuration</summary>
```hcl
provider "aws" {
  region = var.aws_region
}

terraform {
  required_version = "~> 1.5"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

variable "aws_region" {
  description = "The AWS region"
  type        = string
}

resource "aws_ssm_document" "service_control" {
  name            = "pulse.georgetest.service_control"
  document_type   = "Command"
  document_format = "JSON"
  target_type     = "/AWS::EC2::Instance"
  content = jsonencode({
    schemaVersion = "2.2"
    description   = "Test command document."
    parameters = {
      P1 = {
        type        = "String"
        description = "A Parameter"
      }
    }
    mainSteps = [
      {
        name           = "Run"
        action         = "aws:runShellScript"
        timeoutSeconds = 600
        inputs = {
          runCommand = [
            "echo Running with parameter {{P1}}"
          ]
        }
      }
    ]
  })
}
```
</details>
### Steps to Reproduce
Destroy fails in us-west-2:
1. `terraform apply -var us-west-2`
2. `terraform destroy -var us-west-2`

Destroy successful in us-west-1 (as of writing):
1. `terraform apply -var us-west-1`
2. `terraform destroy -var us-west-1`
### Debug Logging
https://gist.github.com/gchristidis/82b03c4c9f0bb71614a443239d48c26b
There are 2 files: one for us-west-2, where it fails, and one for ap-southeast-2 (success).
### GenAI / LLM Assisted Development
n/a
### Important Facts and References
Looking at the logs, it appears the message in the InvalidDocument response type for the DescribeDocument API has changed.
From
```
http.response.body=
| {"__type":"InvalidDocument","Message":"Document with name pulse.georgetest.service_control does not exist."}
```
to
```
http.response.body=
| {"__type":"InvalidDocument","Message":"No matching value was found for Name."}
```
### Would you like to implement a fix?
No
Thank you in advance
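
The message change described in the quoted issue, as an added example that is not part of the original post and is not the AWS provider's code: it runs the two response bodies quoted above through a message-based "not found" check and a type-based one. Both function names are hypothetical, and treating `InvalidDocument` from DescribeDocument as "document is absent" is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// apiError mirrors the JSON error body shown in the debug logs above.
type apiError struct {
	Type    string `json:"__type"`
	Message string `json:"Message"`
}

// Constructed sample inputs: the two DescribeDocument bodies quoted in the issue.
const (
	oldBody = `{"__type":"InvalidDocument","Message":"Document with name pulse.georgetest.service_control does not exist."}`
	newBody = `{"__type":"InvalidDocument","Message":"No matching value was found for Name."}`
)

// notFoundByMessage is a hypothetical brittle check: it depends on the
// human-readable message, so it breaks when the service rewords it.
func notFoundByMessage(body string) bool {
	var e apiError
	if err := json.Unmarshal([]byte(body), &e); err != nil {
		return false
	}
	return e.Type == "InvalidDocument" && strings.Contains(e.Message, "does not exist")
}

// notFoundByType keys on the exception type only. Assumption: for
// DescribeDocument, InvalidDocument means the document is absent.
func notFoundByType(body string) bool {
	var e apiError
	if err := json.Unmarshal([]byte(body), &e); err != nil {
		return false
	}
	// Some AWS JSON responses prefix the type with a namespace and '#'.
	t := e.Type
	if i := strings.LastIndex(t, "#"); i >= 0 {
		t = t[i+1:]
	}
	return t == "InvalidDocument"
}

func main() {
	for _, b := range []string{oldBody, newBody} {
		fmt.Println(notFoundByMessage(b), notFoundByType(b))
	}
}
```

With a check of the first kind, the reworded response is no longer recognised as "already deleted", which matches the symptom in the report: the delete waiter and the refresh both surface the 400 as a hard error.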