Terraform-provider-aws: Active directory resource stuck at "still creating", times out

Created on 20 Aug 2018 · 5 Comments · Source: hashicorp/terraform-provider-aws

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

0.11.8
aws provider 1.32.0_x4

Affected Resource(s)

  • aws_directory_service_directory

Terraform Configuration Files

resource "aws_directory_service_directory" "aws_ad" {
  name     = "${var.ad_name}"
  password = "${random_string.AD_password.result}"
  edition  = "Standard"
  type     = "MicrosoftAD"

  vpc_settings {
    vpc_id     = "${aws_vpc.testVPC.id}"
    subnet_ids = ["${aws_subnet.private.*.id}"]
  }

  tags {
    Name = "test"
  }
}

Debug Output

Relevant part of log:
https://pastebin.com/cMFFtnqe

This goes on until it times out or I ctrl-c.
The log says terraform-provider-aws 1.31.0_x4, but I have since updated this to 1.32.0_x4 with the same issue.

Expected Behavior

After the directory has finished creating, Terraform should change the resource state to complete.

Actual Behavior

State stays as creating and the console displays "aws_directory_service_directory.AD: Still creating..." and then times out after 60 minutes. Running terraform refresh after this sets the state to complete.

Steps to Reproduce

  1. Create tf file with aws_directory_service_directory resource
  2. terraform apply

I think this is because the credentials expire (ADs take so long to create), but Terraform doesn't catch that.

Labels: bug, provider, service/directoryservice

All 5 comments

Hi @farhank3389 👋 Sorry you are running into trouble here. It does appear you are correct according to your debug logs:

2018-08-20T15:03:37.240+0100 [DEBUG] plugin.terraform-provider-aws_v1.31.0_x4.exe: 2018/08/20 15:03:37 [DEBUG] [aws-sdk-go] DEBUG: Validate Response ds/DescribeDirectories failed, will retry, error ExpiredTokenException: The security token included in the request is expired

Unfortunately the Terraform AWS provider does not handle this situation gracefully at the moment. We have quite a few reports of this issue if you search through here: https://github.com/terraform-providers/terraform-provider-aws/issues?q=is%3Aopen+is%3Aissue+label%3Abug+label%3Aprovider 🙁

Are you assuming an IAM role to perform this operation? A workaround would be to increase the max session duration for that IAM role (e.g. max_session_duration in the aws_iam_role resource) if you can.

@bflad Thanks for the info. I'll have a look at that link.

@bflad I had a look at the second link, but I am already assuming a role using aws-vault. The default max_session_duration is 1 hour, but the directory finishes within an hour, so I'm not sure why the token is becoming invalid.

In the meantime, I am letting it time out and then importing the resource to terraform and manually adding the password in the statefile. Are there any other workarounds that are less manual?

Thanks

Turns out that this is a problem with aws-vault. The default TTL for aws-vault assumed-role credentials is 15 minutes according to this: https://github.com/99designs/aws-vault/issues/59.

It is fixed in https://github.com/99designs/aws-vault/pull/64 with a command line flag to specify the TTL.
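The two comments above (raising max_session_duration on the role, and the 15-minute aws-vault TTL) describe one failure mode: the provider polls DescribeDirectories with a fixed set of credentials, so if the session is shorter than the directory's creation time every poll after expiry fails with ExpiredTokenException until the 60-minute timeout. The simulation below is an added example written for this thread; it is not code from terraform-provider-aws or aws-vault. The poll interval, the 30-minute directory creation time and the "refreshing" credential provider are assumptions chosen to contrast the behaviours; the 15-minute TTL, 1-hour max_session_duration and 60-minute timeout are the numbers quoted in the thread.

```python
"""Simulate a long-running create/poll loop whose AWS credentials can expire.

Added illustration for this issue, not provider or aws-vault code. Times are
in seconds from the start of `terraform apply`.
"""
from dataclasses import dataclass

PROVIDER_TIMEOUT = 60 * 60   # aws_directory_service_directory create timeout from the thread
POLL_INTERVAL = 60           # assumed polling interval
DEFAULT_MAX_SESSION = 60 * 60  # IAM role MaxSessionDuration default (1 hour)


class ExpiredTokenException(Exception):
    """Stand-in for the aws-sdk-go error seen in the debug log."""


@dataclass
class Credentials:
    expires_at: int


class FixedCredentials:
    """Credentials minted once, before the apply (what `aws-vault exec` hands over)."""

    def __init__(self, ttl):
        self.ttl = ttl

    def get(self, now):
        return Credentials(expires_at=self.ttl)


class RefreshingCredentials:
    """Assumed alternative: re-assume the role shortly before the token expires.

    This is the behaviour the provider lacked at the time of the thread."""

    def __init__(self, ttl, refresh_margin=60):
        self.ttl, self.margin, self.current, self.assume_calls = ttl, refresh_margin, None, 0

    def get(self, now):
        if self.current is None or now >= self.current.expires_at - self.margin:
            self.current = Credentials(expires_at=now + self.ttl)
            self.assume_calls += 1
        return self.current


def describe_directory(creds, now, ready_at):
    """Stand-in for ds:DescribeDirectories; rejects expired tokens as STS-backed APIs do."""
    if now >= creds.expires_at:
        raise ExpiredTokenException("The security token included in the request is expired")
    return "Active" if now >= ready_at else "Creating"


def wait_for_directory(provider, ready_at, timeout=PROVIDER_TIMEOUT, poll=POLL_INTERVAL):
    """Mimic the provider's wait loop: poll until Active or until the timeout.

    Returns (outcome, elapsed_seconds, number_of_expired_token_errors)."""
    now, expired_errors = 0, 0
    while now < timeout:
        creds = provider.get(now)
        try:
            if describe_directory(creds, now, ready_at) == "Active":
                return "created", now, expired_errors
        except ExpiredTokenException:
            expired_errors += 1   # logged as "failed, will retry"; the loop keeps polling
        now += poll
    return "timeout", now, expired_errors


def plan_session(requested_ttl, max_session_duration, expected_create_seconds):
    """Pre-flight check before a long apply with assumed-role credentials.

    STS refuses a DurationSeconds above the role's MaxSessionDuration, and the
    session must outlast the slowest resource the apply will wait on."""
    if requested_ttl > max_session_duration:
        return "rejected: raise max_session_duration on the role or lower the TTL"
    if requested_ttl < expected_create_seconds:
        return "too short: the token expires before the resource is Active"
    return "ok"


if __name__ == "__main__":
    thirty_minutes = 30 * 60
    print("aws-vault default 15 min TTL:", wait_for_directory(FixedCredentials(15 * 60), thirty_minutes))
    print("1 hour TTL:", wait_for_directory(FixedCredentials(60 * 60), thirty_minutes))
    refreshing = RefreshingCredentials(15 * 60)
    print("refreshing provider:", wait_for_directory(refreshing, thirty_minutes), "assume calls:", refreshing.assume_calls)
    print(plan_session(15 * 60, DEFAULT_MAX_SESSION, thirty_minutes))
```

With the 15-minute token the loop never recovers: every poll after minute 15 raises ExpiredTokenException and the apply only ends at the 60-minute timeout, which is why a later `terraform refresh` (run with fresh credentials) sees the directory as complete. The same loop with a 1-hour session, or with a provider that re-assumes the role, finishes at minute 30. Note that `plan_session` checks the requested TTL against the role's max_session_duration, since raising only the aws-vault TTL past that limit gets the STS call rejected instead.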

Thanks @farhank3389 for posting the reference for this fix. Life-saver.
