Hi Team,
I changed ps_ds.tf and now the apply fails with the errors below. Can anyone explain what `last error: %!s(<nil>)` means and how I can fix this error?
Best Regards,
Sofia.
Error Details
module.permission_set.module.ds.aws_ssoadmin_managed_policy_attachment.this[11]: Still creating... [30s elapsed]
module.permission_set.module.ds.aws_ssoadmin_managed_policy_attachment.this[11]: Still creating... [40s elapsed]
╷
│ Error: error waiting for SSO Permission Set (arn:aws:sso:::permissionSet/ssoins-*/ps-*) to provision: unexpected state 'FAILED', wanted target 'SUCCEEDED'. last error: %!s(<nil>)
│
│
╵
╷
│ Error: error waiting for SSO Permission Set (arn:aws:sso:::permissionSet/ssoins-*/ps-*) to provision: unexpected state 'FAILED', wanted target 'SUCCEEDED'. last error: %!s(<nil>)
│
│
╵
╷
│ Error: error waiting for SSO Permission Set (arn:aws:sso:::permissionSet/ssoins-*/ps-*)to provision: unexpected state 'FAILED', wanted target 'SUCCEEDED'. last error: %!s(<nil>)
│
│ with module.permission_set.module.ds.aws_ssoadmin_managed_policy_attachment.this[11],
│ on modules/permission_set/module/main.tf line 12, in resource "aws_ssoadmin_managed_policy_attachment" "this":
│ 12: resource "aws_ssoadmin_managed_policy_attachment" "this" {
│
╵
╷
│ Error: error waiting for SSO Permission Set (arn:aws:sso:::permissionSet/ssoins-*/ps-*) to provision: unexpected state 'FAILED', wanted target 'SUCCEEDED'. last error: %!s(<nil>)
│
│ with module.permission_set.module.ds.aws_ssoadmin_managed_policy_attachment.this[8],
│ on modules/permission_set/module/main.tf line 12, in resource "aws_ssoadmin_managed_policy_attachment" "this":
│ 12: resource "aws_ssoadmin_managed_policy_attachment" "this" {
│
╵
╷
│ Error: error waiting for SSO Permission Set (arn:aws:sso:::permissionSet/ssoins-*/ps-*)to provision: unexpected state 'FAILED', wanted target 'SUCCEEDED'. last error: %!s(<nil>)
│
│ with module.permission_set.module.ds.aws_ssoadmin_permission_set_inline_policy.this[0],
│ on modules/permission_set/module/main.tf line 33, in resource "aws_ssoadmin_permission_set_inline_policy" "this":
│ 33: resource "aws_ssoadmin_permission_set_inline_policy" "this" {
│
╵
ps_ds.tf
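module "ds" {
  source = "./module"
  name   = "ds"

  # AWS managed policies to attach. AWS materialises a permission set as an IAM
  # role in every target account, so the IAM cap on managed policies per role
  # (10 by default, 20 with a quota increase) applies to this list. The literal
  # list below already holds 12 entries before local.default_managed_policy is
  # prepended, and the apply failed while creating attachments this[8] and
  # this[11] — consistent with that cap.
  # NOTE(review): confirm the real reason with
  #   aws sso-admin list-permission-set-provisioning-status \
  #     --instance-arn <instance arn> --filter Status=FAILED
  # then trim the list (ViewOnlyAccess is largely redundant next to the
  # *FullAccess policies; AmazonAPIGatewayPushToCloudWatchLogs is a
  # service-role policy intended for API Gateway's own role) or move the
  # grants into the inline policy below.
  managed_policy_arn = concat(
    local.default_managed_policy,
    [
      "arn:aws:iam::aws:policy/service-role/AWSQuicksightAthenaAccess",
      "arn:aws:iam::aws:policy/AmazonAthenaFullAccess",
      "arn:aws:iam::aws:policy/AWSGlueConsoleFullAccess",
      "arn:aws:iam::aws:policy/AmazonEC2FullAccess",
      "arn:aws:iam::aws:policy/AmazonRekognitionFullAccess",
      "arn:aws:iam::aws:policy/AWSLambda_FullAccess",
      "arn:aws:iam::aws:policy/AWSCloudFormationFullAccess",
      "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess",
      "arn:aws:iam::aws:policy/AmazonAPIGatewayAdministrator",
      "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs",
      "arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess",
      "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess",
    ]
  )

  # Inline policy for the permission set. The module renders only
  # sid / effect / actions / resources from each statement, so none of these
  # statements can carry an IAM Condition element.
  inline_policy = {
    statement = concat(
      local.default_inline_policy,
      [
        {
          # NOTE(review): account 356765580539 differs from 528112856704 used by
          # every other statement — verify which account is intended.
          # "$${aws:userid}" is HCL's escape for the IAM policy variable
          # ${aws:userid}, so only the caller's own QuickSight user is matched.
          sid = "Quicksight"
          actions = [
            "quicksight:CreateUser",
          ]
          resources = [
            "arn:aws:quicksight::356765580539:user/$${aws:userid}"
          ]
        },
        {
          # Registry-level ECR actions can only be granted on "*".
          # PutRegistryPolicy / DeleteRegistryPolicy / PutReplicationConfiguration
          # control who (including other accounts) may access or replicate EVERY
          # repository in the registry; consider reserving those for an
          # administrative permission set and keeping only the push/auth actions
          # here.
          sid = "ECRall"
          actions = [
            "ecr:GetRegistryPolicy",
            "ecr:DescribeRegistry",
            "ecr:GetAuthorizationToken",
            "ecr:DeleteRegistryPolicy",
            "ecr:PutRegistryPolicy",
            "ecr:PutReplicationConfiguration",
            "ecr:InitiateLayerUpload",
            "ecr:UploadLayerPart",
            "ecr:CompleteLayerUpload",
            "ecr:PutImage"
          ]
          resources = [
            "*"
          ]
        },
        {
          # Full control over repositories whose name starts with "ds".
          sid = "ECR"
          actions = [
            "ecr:*"
          ]
          resources = [
            "arn:aws:ecr:ap-northeast-2:528112856704:repository/ds*"
          ]
        },
        {
          sid = "Sagemaker"
          actions = [
            "sagemaker:CreateUserProfile",
            "sagemaker:DescribeWorkforce",
            "sagemaker:DeleteWorkforce",
            "sagemaker:CreateWorkforce",
            "sagemaker:UpdateWorkteam",
            "sagemaker:ListLabelingJobsForWorkteam",
            "sagemaker:ListWorkforces",
            "sagemaker:ListSubscribedWorkteams",
            "sagemaker:ListWorkteams",
            "sagemaker:CreateWorkteam",
            "sagemaker:UpdateWorkforce",
            "sagemaker:DeleteWorkteam",
            "sagemaker:DescribeSubscribedWorkteam",
            "sagemaker:DescribeWorkteam",
            "sagemaker:CreatePresignedDomainUrl",
            "sagemaker:GetSagemakerServicecatalogPortfolioStatus"
          ]
          resources = [
            "arn:aws:sagemaker:*:528112856704:*/*"
          ]
        },
        {
          # NOTE(review): iam:PassRole on "*" combined with ec2:RunInstances,
          # cloudformation:CreateStack and elasticmapreduce:* lets the holder
          # hand any role whose trust policy allows those services — including
          # highly privileged ones — to a resource they control, i.e. a
          # privilege-escalation path. Restrict the PassRole resource to the
          # specific EMR/EC2 service roles (and add an iam:PassedToService
          # condition once the module can render conditions).
          sid = "EC2"
          actions = [
            "cloudwatch:*",
            "cloudformation:CreateStack",
            "cloudformation:DescribeStackEvents",
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:AuthorizeSecurityGroupEgress",
            "ec2:CancelSpotInstanceRequests",
            "ec2:CreateRoute",
            "ec2:CreateSecurityGroup",
            "ec2:CreateTags",
            "ec2:DeleteRoute",
            "ec2:DeleteTags",
            "ec2:DeleteSecurityGroup",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeAccountAttributes",
            "ec2:DescribeInstances",
            "ec2:DescribeKeyPairs",
            "ec2:DescribeRouteTables", # was listed twice; duplicate removed
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeSpotInstanceRequests",
            "ec2:DescribeSpotPriceHistory",
            "ec2:DescribeSubnets",
            "ec2:DescribeVpcAttribute",
            "ec2:DescribeVpcs",
            "ec2:DescribeNetworkAcls",
            "ec2:CreateVpcEndpoint",
            "ec2:ModifyImageAttribute",
            "ec2:ModifyInstanceAttribute",
            "ec2:RequestSpotInstances",
            "ec2:RevokeSecurityGroupEgress",
            "ec2:RunInstances",
            "ec2:TerminateInstances",
            "elasticmapreduce:*",
            "iam:GetPolicy",
            "iam:GetPolicyVersion",
            "iam:ListRoles",
            "iam:ListInstanceProfiles",
            "iam:PassRole",
            "iam:CreateServiceLinkedRole",
            "kms:List*",
            "sdb:*",
          ]
          resources = [
            "*"
          ]
        },
        {
          # FSx create/delete is already limited to this account and region.
          sid = "Fsx"
          actions = [
            "fsx:Describe*",
            "fsx:CreateFileSystem",
            "fsx:TagResource",
            "fsx:DeleteFileSystem"
          ]
          resources = [
            "arn:aws:fsx:ap-northeast-2:528112856704:file-system/*",
            "arn:aws:fsx:ap-northeast-2:528112856704:backup/*"
          ]
        }
      ]
    )
  }
}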
modules > main.tf
# Look up the IAM Identity Center (SSO) instance(s) visible to the caller;
# the permission set below uses the first ARN returned.
data "aws_ssoadmin_instances" "this" {}
# Create the permission set itself. Policies are attached by the resources
# that follow; until every attachment provisions successfully, target accounts
# do not receive the role.
resource "aws_ssoadmin_permission_set" "this" {
  name             = var.name
  description      = var.description
  instance_arn     = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  # var.session_duration defaults to PT12H (see variables.tf), the longest
  # session IAM Identity Center allows; shorten it for high-privilege sets.
  session_duration = var.session_duration
}
# Attach each AWS managed policy in var.managed_policy_arn to the permission set.
#
# About the error reported on this[8] / this[11]:
#   ... unexpected state 'FAILED', wanted target 'SUCCEEDED'. last error: %!s(<nil>)
# "%!s(<nil>)" is Go's fmt output for a nil value passed to a %s verb: the
# provider had no error message to print, so the reason for the FAILED
# provisioning is not in the Terraform output at all. Read it from the
# service instead:
#   aws sso-admin list-permission-set-provisioning-status \
#     --instance-arn <instance arn> --filter Status=FAILED
#   aws sso-admin describe-permission-set-provisioning-status \
#     --instance-arn <instance arn> --provision-permission-set-request-id <id>
# With more than ten managed policies in the caller's list, the IAM limit on
# managed policies per role (10 by default, 20 maximum) is the most likely
# reason; the inline-policy failure alongside it is probably collateral, since
# every waiter on the same permission set sees the same FAILED status.
#
# NOTE(review): `count` indexes by list position, so inserting or reordering an
# ARN in the caller's list re-creates every attachment after it (a short loss of
# those permissions during apply). `for_each = toset(var.managed_policy_arn)`
# keys by ARN instead, at the cost of a one-off `terraform state mv` per
# existing attachment.
resource "aws_ssoadmin_managed_policy_attachment" "this" {
  count              = length(var.managed_policy_arn)
  instance_arn       = aws_ssoadmin_permission_set.this.instance_arn
  managed_policy_arn = var.managed_policy_arn[count.index]
  permission_set_arn = aws_ssoadmin_permission_set.this.arn
}
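# Render the inline policy document from var.inline_policy.statement.
#
# Each statement object may carry:
#   sid       (optional, default "")
#   effect    (optional, default "Allow")
#   actions   (required)
#   resources (required)
#   condition (optional) — a list of { test, variable, values } objects,
#             rendered as IAM Condition blocks.
# Any other key (not_actions, not_resources, principals, ...) is silently
# ignored, which would make a policy broader than the author intended — keep
# the caller's statements to the keys above.
data "aws_iam_policy_document" "this" {
  count = var.inline_policy == null ? 0 : 1

  dynamic "statement" {
    for_each = var.inline_policy.statement
    content {
      sid       = try(statement.value.sid, "")
      effect    = try(statement.value.effect, "Allow")
      actions   = statement.value.actions
      resources = statement.value.resources

      # Optional Condition blocks, e.g. to bind iam:PassRole to a service with
      # test = "StringEquals", variable = "iam:PassedToService". Statements
      # without a `condition` key render exactly as before.
      dynamic "condition" {
        for_each = try(statement.value.condition, [])
        content {
          test     = condition.value.test
          variable = condition.value.variable
          values   = condition.value.values
        }
      }
    }
  }
}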
# Put the rendered JSON on the permission set as its inline policy (created
# only when the caller supplied var.inline_policy).
# NOTE(review): a FAILED provision with an empty "last error" is also what a
# rejected document looks like (for example one over the inline-policy size
# limit); check the provisioning status via the sso-admin CLI before
# assuming the cause lies elsewhere.
resource "aws_ssoadmin_permission_set_inline_policy" "this" {
  count              = var.inline_policy == null ? 0 : 1
  inline_policy      = data.aws_iam_policy_document.this[0].json
  instance_arn       = aws_ssoadmin_permission_set.this.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.this.arn
}
modules > variables.tf
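variable "name" {
  description = "Name of the permission set."
  type        = string
}

variable "description" {
  description = "Optional description of the permission set."
  default     = null
  type        = string
}

variable "session_duration" {
  description = "ISO 8601 session length (PT1H to PT12H). Defaults to the maximum; shorten it for high-privilege sets."
  default     = "PT12H"
  type        = string

  validation {
    # Accept only the hours/minutes form the service understands; a malformed
    # value otherwise surfaces only at apply time.
    condition     = length(var.session_duration) > 2 && can(regex("^PT([0-9]+H)?([0-9]+M)?$", var.session_duration))
    error_message = "session_duration must be an ISO 8601 duration such as PT1H or PT12H."
  }
}

variable "managed_policy_arn" {
  description = "AWS managed policy ARNs to attach. IAM allows at most 10 managed policies per role by default (20 with a quota increase); exceeding it makes provisioning FAIL."
  type        = list(string)
  default     = []

  validation {
    # aws_ssoadmin_managed_policy_attachment accepts AWS managed policies only;
    # customer managed policies need aws_ssoadmin_customer_managed_policy_attachment.
    condition     = length([for a in var.managed_policy_arn : a if !can(regex("^arn:aws[a-z-]*:iam::aws:policy/", a))]) == 0
    error_message = "Every managed_policy_arn must be an AWS managed policy ARN (arn:aws:iam::aws:policy/...)."
  }

  validation {
    condition     = length(var.managed_policy_arn) <= 20
    error_message = "IAM permits at most 20 managed policies per role, so the permission set cannot provision with more."
  }
}

variable "inline_policy" {
  description = "Optional object with a `statement` list; each statement has actions, resources and optionally sid, effect and condition."
  type        = any
  default     = null

  validation {
    # The policy document reads var.inline_policy.statement, so reject objects
    # that lack it instead of failing inside the data source.
    condition     = var.inline_policy == null || can(var.inline_policy.statement)
    error_message = "inline_policy must be null or an object with a `statement` list."
  }
}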
modules > outputs.tf
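output "permission_set" {
  description = "ARN of the created permission set."
  value       = aws_ssoadmin_permission_set.this.arn
}

# Exposed so callers can query provisioning status without re-looking-up the
# instance (e.g. `aws sso-admin list-permission-set-provisioning-status`).
output "instance_arn" {
  description = "ARN of the IAM Identity Center instance the permission set belongs to."
  value       = aws_ssoadmin_permission_set.this.instance_arn
}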