Description
Pull request https://github.com/terraform-aws-modules/terraform-aws-ec2-instance/pull/466/changes causes a breaking change for people who don't give SSM get access to their terraform process.
Versions
Module version [Required]:
Terraform version: Tofu 1.110
Provider version(s): 6.1.5
Reproduction Code [Required]
Steps to reproduce the behavior:
- Pass an AMI ID
- Execute with an AWS access key that doesn't have SSM Get Param Access
Expected behavior
Should create resource with AMI ID
Actual behavior
Get the following error:
Error: reading SSM Parameter (/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64): operation error SSM: GetParameter, https response error StatusCode: 400, RequestID: f008fc74-69a5-4378-b7f1-80aa483eb053, api error AccessDeniedException: User: arn:aws:sts::xxx:assumed-role/xxxx-stack-role/aws-go-sdk-xxxx is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:eu-west-1::parameter/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64 with an explicit deny in an identity-based policy
Additional context
I'd suggest just reverting:
I think the error there may have been you were passing a computed value into it.
Another suggestion is we could introduce another boolean variable to indicate whether you want to use an SSM param to fetch the AMI ID or not.
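The boolean-variable approach suggested above, written out as an added example (not the module's own code) with assumed variable names `ami`, `ami_from_ssm` and `ami_ssm_parameter`: the SSM data source is created only when the flag is true, so a Terraform principal that passes an AMI ID never needs `ssm:GetParameter`, and the flag is a plan-time literal, which avoids the computed-value problem with `count`.

```hcl
# Added example (not the module's own code): gate the SSM lookup behind a
# plan-time boolean so callers who pass an AMI ID never need ssm:GetParameter.
# Variable names below are assumptions for illustration, not the module's.

variable "ami" {
  description = "AMI ID to use. When set, no SSM lookup is performed."
  type        = string
  default     = null
}

variable "ami_from_ssm" {
  description = "Resolve the AMI from an SSM public parameter. Must be a literal (known at plan time) so it can drive count."
  type        = bool
  default     = false
}

variable "ami_ssm_parameter" {
  type    = string
  default = "/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64"
}

# The data source exists (and calls ssm:GetParameter) only when the flag is on.
# Gating on `var.ami == null` instead breaks whenever var.ami is a computed
# value (e.g. an output of another module), because count must be known at plan time.
data "aws_ssm_parameter" "ami" {
  count = var.ami_from_ssm ? 1 : 0
  name  = var.ami_ssm_parameter
}

locals {
  # one() is null for an empty list, so coalesce() errors if neither source is set.
  ami_id = coalesce(var.ami, one(data.aws_ssm_parameter.ami[*].insecure_value))
}

resource "aws_instance" "this" {
  ami           = local.ami_id
  instance_type = "t3.micro"

  lifecycle {
    precondition {
      condition     = !(var.ami_from_ssm && var.ami != null)
      error_message = "Set either ami or ami_from_ssm, not both."
    }
  }
}
```

`insecure_value` is used rather than `value` because the public AMI-ID parameter is not a secret and marking the instance's `ami` argument sensitive would hide it in plan output.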