
User is not permitted to perform operation: CreateEnvironmentProfile (Service: DataZone) #1587

Closed
molivo123 opened this issue Apr 18, 2024 · 9 comments

Comments

@molivo123

Community Note

Please vote on this issue by adding a 👍 [reaction](https://blog.github.com/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/) to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment
The resources and data sources in this provider are generated from the CloudFormation schema, so they can only support the actions that the underlying schema supports. For this reason submitted bugs should be limited to defects in the generation and runtime code of the provider. Customizing behavior of the resource, or noting a gap in behavior are not valid bugs and should be submitted as enhancements to AWS via the CloudFormation Open Coverage Roadmap.

Terraform CLI and Terraform AWS Cloud Control Provider Version

Terraform v1.0.7
on linux_amd64

provider registry.terraform.io/hashicorp/aws v5.43.0
provider registry.terraform.io/hashicorp/awscc v0.73.0

Affected Resource(s)

AWSCC and Amazon Datazone

env_profile.tf

resource "awscc_datazone_environment_profile" "example_profile" {
  aws_account_id                   = var.child_account_id
  aws_account_region               = var.aws_region
  domain_identifier                = awscc_datazone_domain.this.id
  environment_blueprint_identifier = "DefaultGlueData"
  name                             = "datazone-environment-profile"
  project_identifier               = awscc_datazone_project.engineering_project.name
}

project.tf

resource "awscc_datazone_project" "engineering_project" {
  domain_identifier = awscc_datazone_domain.this.id
  name              = "engineering_test_project"
}

iam.tf

data "aws_caller_identity" "current" {}

resource "awscc_iam_role" "awscc_datazone_role" {
  path = "/service-role/"
  assume_role_policy_document = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        "Principal" : {
          "Service" : "datazone.amazonaws.com"
        },
        "Action" : [
          "sts:AssumeRole",
          "sts:TagSession"
        ],
        "Condition" : {
          "StringEquals" : {
            "aws:SourceAccount" : data.aws_caller_identity.current.account_id
          },
          "ForAllValues:StringLike" : {
            "aws:TagKeys" : "datazone*"
          }
        }
      }
    ]
  })
  managed_policy_arns = ["arn:aws:iam::aws:policy/service-role/AmazonDataZoneDomainExecutionRolePolicy"]
}

/*
data "aws_iam_policy_document" "datazone_create_environment_profile" {
  statement {
    actions = ["datazone:CreateEnvironmentProfile"]
    resources = ["*"]
    effect    = "Allow"
  }
}
resource "aws_iam_role_policy" "create_environment_profile_policy" {
  name   = "DataZoneCreateEnvironmentProfile"
  role   = awscc_iam_role.awscc_datazone_role.id
  policy = data.aws_iam_policy_document.datazone_create_environment_profile.json
}
*/

Debugging Output

awscc_datazone_environment_profile.example_profile: Creating...
╷
│ Error: AWS SDK Go Service Operation Incomplete
│ 
│   with awscc_datazone_environment_profile.example_profile,
│   on env_profile.tf line 1, in resource "awscc_datazone_environment_profile" "example_profile":
│    1: resource "awscc_datazone_environment_profile" "example_profile" {
│ 
│ Waiting for Cloud Control API service CreateResource operation completion returned: waiter state transitioned to FAILED. StatusMessage: User is not permitted to
│ perform operation: CreateEnvironmentProfile (Service: DataZone, Status Code: 403, Request ID: 957d4fd2-58eb-4896-b862-ae14885a2c96). ErrorCode: AccessDenied

Expected Behavior

environment profile should be able to be created

Actual Behavior

terraform apply erroring out on environment profile creation

Steps to Reproduce

terraform plan/apply
@quixoticmonk
Collaborator

quixoticmonk commented Apr 19, 2024

Thank you for opening the issue. Unless the blueprint is enabled in your account/region you would need

resource "awscc_datazone_environment_blueprint_configuration" "this" {
  domain_identifier                = awscc_datazone_domain.this.id
  enabled_regions                  = ["us-east-1"]
  environment_blueprint_identifier = "DefaultDataLake"
}

@quixoticmonk
Collaborator

The project_identifier is not the name and the environment_blueprint_identifier can be pulled from the awscc_datazone_environment_blueprint_configuration.

resource "awscc_datazone_environment_profile" "example_profile" {
  aws_account_id                   = data.aws_caller_identity.current.account_id
  aws_account_region               = "us-east-1"
  domain_identifier                = awscc_datazone_domain.this.domain_id
  environment_blueprint_identifier = awscc_datazone_environment_blueprint_configuration.this.environment_blueprint_id
  name                             = "dev"
  project_identifier               = awscc_datazone_project.engineering_project.project_id
}

resource "awscc_datazone_environment_blueprint_configuration" "this" {
  domain_identifier                = awscc_datazone_domain.this.domain_id
  enabled_regions                  = ["us-east-1"]
  environment_blueprint_identifier = "DefaultDataLake"
  manage_access_role_arn           = awscc_iam_role.awscc_datazone_role.arn
  provisioning_role_arn            = awscc_iam_role.awscc_datazone_role.arn
}

@molivo123
Author

@quixoticmonk Thank you for your response! I followed your advice and was able to get past that error; however, I have another one I was hoping you could help me with after I changed my code to match what you recommended. It seems like now my apply is stuck on creating the environment:

awscc_datazone_environment.example_environment: Creating...
awscc_datazone_environment.example_environment: Still creating... [10s elapsed]
awscc_datazone_environment.example_environment: Still creating... [20s elapsed]
awscc_datazone_environment.example_environment: Still creating... [30s elapsed]
awscc_datazone_environment.example_environment: Still creating... [40s elapsed]
awscc_datazone_environment.example_environment: Still creating... [50s elapsed]
awscc_datazone_environment.example_environment: Still creating... [1m0s elapsed]
awscc_datazone_environment.example_environment: Still creating... [1m10s elapsed]
awscc_datazone_environment.example_environment: Still creating... [1m20s elapsed]
awscc_datazone_environment.example_environment: Still creating... [1m30s elapsed]
awscc_datazone_environment.example_environment: Still creating... [1m40s elapsed]
awscc_datazone_environment.example_environment: Still creating... [1m50s elapsed]
awscc_datazone_environment.example_environment: Still creating... [2m0s elapsed]
awscc_datazone_environment.example_environment: Still creating... [2m10s elapsed]
╷
│ Error: AWS SDK Go Service Operation Incomplete
│ 
│   with awscc_datazone_environment.example_environment,
│   on environment.tf line 1, in resource "awscc_datazone_environment" "example_environment":
│    1: resource "awscc_datazone_environment" "example_environment" {
│ 
│ Waiting for Cloud Control API service CreateResource operation completion returned: waiter state transitioned to FAILED. StatusMessage: Environment company_env with
│ id cdz57ne9221lzk and domain id dzd_56vhbgooce2is0 failed to stabilize due to internal failure, last deployment status Deployment(DeploymentId=b6twvkfp1c3zps,
│ DeploymentStatus=FAILED, DeploymentType=CREATE, FailureReason=EnvironmentError(Code=400, Message=Environment blueprint configuration needs to enable atleast one
│ region), IsDeploymentComplete=true). ErrorCode: NotStabilized

@quixoticmonk
Collaborator

quixoticmonk commented Apr 19, 2024

@molivo123 Will try to reproduce this on my end. Looks similar to the CC API's response as in #1562.

@wellsiau-aws Do you prefer this issue being closed for the original environment profile one since this is for the environment resource and tracked under a different one?

@wellsiau-aws
Collaborator

Thanks for reporting this issue. I would prefer we keep this issue open for further investigation.

@molivo123
Author

molivo123 commented Apr 19, 2024

@quixoticmonk I will spin up another issue for this in the meantime, since this new issue seems to be different than the original I mentioned in the beginning of this issue

@quixoticmonk
Collaborator

│ Error: AWS SDK Go Service Operation Incomplete
│
│   with awscc_datazone_environment.this,
│   on main.tf line 80, in resource "awscc_datazone_environment" "this":
│   80: resource "awscc_datazone_environment" "this" {
│
│ Waiting for Cloud Control API service CreateResource operation completion returned: waiter state transitioned to FAILED. StatusMessage: Environment dev
│ with id dt39addcsoru7b and domain id dzd_5t84u6i8txa947 failed to stabilize due to internal failure, last deployment status
│ Deployment(DeploymentId=5qo8jxeu7g2unb, DeploymentStatus=FAILED, DeploymentType=CREATE, FailureReason=EnvironmentError(Code=400, Message=Environment
│ blueprint configuration needs to enable atleast one region), IsDeploymentComplete=true). ErrorCode: NotStabilized

[Screenshot, 2024-04-19: DataZone console view of the project's environment status]

There is an error on the project

Environment Status: Create Failed
Environment blueprint configuration needs to enable atleast one region

@quixoticmonk
Collaborator

quixoticmonk commented Apr 26, 2024

@molivo123 The blueprint configuration requires additional regional parameters for the environment to be provisioned. Sample update below. I was able to provision the environment within the datazone project.

resource "awscc_datazone_environment_blueprint_configuration" "this" {
  domain_identifier                = awscc_datazone_domain.this.domain_id
  enabled_regions                  = ["us-east-1"]
  environment_blueprint_identifier = "DefaultDataLake"
  manage_access_role_arn           = awscc_iam_role.awscc_datazone_role.arn
  provisioning_role_arn            = awscc_iam_role.awscc_datazone_role.arn
  regional_parameters = [{
    # S3 URIs carry two slashes after the scheme
    parameters = {
      "S3Location" = "s3://<bucket_name>"
    }
    region = "us-east-1"
  }]
}

Keep in mind that the service role would require access to Athena workgroups and Lake Formation for the environment to be provisioned.
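Added example, not code from the issue or from the awscc provider project: the pieces the thread arrives at, assembled into one dependency chain in the order DataZone needs them (service role, domain, blueprint configuration with regional parameters, project, environment profile, environment). The resource and variable names, the awscc_datazone_domain arguments, the environment_profile_id attribute name, the bucket name and the region are assumptions.

```hcl
# Added example (not from the issue or the awscc project). Assumed: names,
# awscc_datazone_domain arguments, environment_profile_id, bucket, region.

variable "region" {
  type    = string
  default = "us-east-1" # assumed
}

variable "datalake_bucket" {
  type    = string
  default = "example-datazone-bucket" # assumed; use your own bucket
}

data "aws_caller_identity" "current" {}

# Service role. aws:SourceAccount limits the trust to DataZone acting for this
# account only (same trust policy as the issue's iam.tf).
resource "awscc_iam_role" "datazone" {
  path = "/service-role/"
  assume_role_policy_document = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "datazone.amazonaws.com" }
      Action    = ["sts:AssumeRole", "sts:TagSession"]
      Condition = {
        StringEquals              = { "aws:SourceAccount" = data.aws_caller_identity.current.account_id }
        "ForAllValues:StringLike" = { "aws:TagKeys" = "datazone*" }
      }
    }]
  })
  # The thread notes the role also needs Athena workgroup and Lake Formation
  # access before an environment will provision; attach that separately.
  managed_policy_arns = ["arn:aws:iam::aws:policy/service-role/AmazonDataZoneDomainExecutionRolePolicy"]
}

resource "awscc_datazone_domain" "this" {
  name                  = "example-domain" # assumed
  domain_execution_role = awscc_iam_role.datazone.arn
}

# Enabling the blueprint in a region, with its regional parameters, is the step
# both failures in the thread were missing.
resource "awscc_datazone_environment_blueprint_configuration" "datalake" {
  domain_identifier                = awscc_datazone_domain.this.domain_id
  environment_blueprint_identifier = "DefaultDataLake"
  enabled_regions                  = [var.region]
  manage_access_role_arn           = awscc_iam_role.datazone.arn
  provisioning_role_arn            = awscc_iam_role.datazone.arn
  regional_parameters = [{
    region     = var.region
    parameters = { S3Location = "s3://${var.datalake_bucket}" }
  }]
}

resource "awscc_datazone_project" "engineering" {
  domain_identifier = awscc_datazone_domain.this.domain_id
  name              = "engineering_test_project"
}

# Identifiers are the generated ids (project_id, environment_blueprint_id),
# never the resource names; the references also give Terraform the ordering.
resource "awscc_datazone_environment_profile" "dev" {
  domain_identifier                = awscc_datazone_domain.this.domain_id
  project_identifier               = awscc_datazone_project.engineering.project_id
  environment_blueprint_identifier = awscc_datazone_environment_blueprint_configuration.datalake.environment_blueprint_id
  aws_account_id                   = data.aws_caller_identity.current.account_id
  aws_account_region               = var.region
  name                             = "dev"
}

resource "awscc_datazone_environment" "dev" {
  domain_identifier              = awscc_datazone_domain.this.domain_id
  project_identifier             = awscc_datazone_project.engineering.project_id
  environment_profile_identifier = awscc_datazone_environment_profile.dev.environment_profile_id # attribute name assumed
  name                           = "dev"
}
```

Because the profile reads environment_blueprint_id from the blueprint configuration and the environment reads the profile's id, Terraform orders the creates correctly without any depends_on; the trust policy keeps the SourceAccount and TagKeys conditions from the issue so the role cannot be assumed by the service on behalf of another account.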

@wellsiau-aws
Collaborator

I believe @quixoticmonk comment above addresses this problem. I am going to go ahead and close this issue.
