-
Notifications
You must be signed in to change notification settings - Fork 9.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Bug]: Assigning multiple role policies using aws_iam_role_policy_attachment fails with ConcurrentModification error #34371
Comments
Community NoteVoting for Prioritization
Volunteering to Work on This Issue
|
I updated last week from 5.20.0 to 5.24.0 and started to see these errors. So I think this was introduced earlier than 5.25.0 |
I switched
to
and apply now succeeds. |
This does not fail reliably for me. So it seems to depend on a race condition. Something to keep in mind when trying to bisect. |
Sorry, to clarify: It does not fail reliably for me with our actual code. Tested the example given in the report and that fails always. Probably the high amount of attachments makes it easier to hit the race condition. |
I have started seeing this with version 3.76.1. I suspect AWS IAM behaviour has changed. |
Just wanted to report I am also seeing this with:
as of today. |
Yes, I tried bisecting this. But found no version with which it actually works. So it looks indeed like AWS-side change. |
|
Fixes hashicorp#34371 Signed-off-by: Frank Lichtenheld <[email protected]>
I haven't changed Terraform or Terraform AWS version recently and I started to see this today. I also observe the problem on older branches. So this is regression on AWS side. I agree that retries on conflict may be needed to solve this problem. |
We had a regression suite run on our end early Friday without this issue. Saturday/Sunday have been failures. We run our regressions against us-west-2 but given IAM is a global service region specifics may not matter in this case. I also made some changes late yesterday to run against us-east-1 and was able to replicate the issue there to. We are using 1.5.5 of terraform and the latest AWS provider. Downgrading a few minors didn't help at all. At the moment we just re-run the terraform and it's working. |
Tried to implement some testing for my patch. But now I can't reproduce the issue anymore. Maybe AWS fixed their stuff? |
@flichtenheld thanks for making the PR. I just tried recreating the issue twice this evening (Pacific Time) and was unsuccessful. My team's infra-regression suites are working fine this afternoon, which is great. Hopefully, your PR can get merged in soon so that we can avoid this issue in the future. |
We have the same issue but with |
FTR the error went away yesterday afternoon so I contacted AWS to get some explanation. I was told that recently AWS made changes in IAM API, in particular AttachRolePolicy, AttachUserPolicy, and AttachGroupPolicy started to throw ConcurrentModificationException in case of concurrent requests. After the change AWS noticed elevated ConcurrentModification errors when calling IAM APIs. Because of that the issue has been resolved and the service is operating normally. Will try to clarify if "resolved" means that the feature was rolled back or something else. |
Got some updates from AWS side:
Hope that helps |
This functionality has been released in v5.26.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you! |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. |
Terraform Core Version
1.6.2
AWS Provider Version
5.25.0
Affected Resource(s)
aws_iam_role_policy_attachment
Expected Behavior
It should be possible to assign multiple policies to the same role.
Actual Behavior
When multiple policies are assigned, it very often fails with ConcurrentModification exception. It may be related to some changes in AWS, since the same code, with the same version of terraform and aws provider was working last week.
Relevant Error/Panic Output Snippet
Terraform Configuration Files
Steps to Reproduce
apply the provided terraform. Or create new terraform, which assigns 8 polices to a role
Debug Output
No response
Panic Output
No response
Important Factoids
No response
References
No response
Would you like to implement a fix?
None
The text was updated successfully, but these errors were encountered: