Tags: terraform, github-actions

Error: reading RDS DB Subnet Group (resource_name): empty result


Here's the issue I'm hitting. I have Terraform that is deploying an ECS Service backed by an RDS database (in this case MariaDB, but the engine doesn't matter).

The plan and apply work just fine locally. However, in my GitHub Actions pipeline, it fails with:

Error: reading RDS DB Subnet Group (subnet-group): empty result
│ 
│   with aws_db_subnet_group.db_subnet_group,
│   on main.tf line 236, in resource "aws_db_subnet_group" "db_subnet_group":
│  236: resource "aws_db_subnet_group" "db_subnet_group" {

Here's my resource:

# Subnet group spanning the two public subnets; no name is set, so the
# provider generates one of the form "terraform-<random>"
resource "aws_db_subnet_group" "ss_db_subnet_group" {
  subnet_ids = [aws_subnet.SS_PublicSubnet1.id, aws_subnet.SS_PublicSubnet2.id]
}

Pretty straightforward. The resource appears to create, but gets marked tainted, as evidenced by terraform state show.

First I thought maybe it needed some dependency (depends_on) on the subnets or the VPC.

Not the case. Really stumped as to what's tainting the resource.


Solution

After many fits and starts, I found the problem. It was IAM permissions. Setting TF_LOG=DEBUG provided the necessary clue:

[DEBUG] provider.terraform-provider-aws_v4.30.0_x5:
     <Message>User: arn:aws:iam::***:user/user is not authorized to perform:
              rds:DescribeDBSubnetGroups on resource:
              arn:aws:rds:<region>:***:subgrp:terraform-blah
              because no identity-based policy allows the rds:DescribeDBSubnetGroups action
     </Message>

It's unfortunate that instead of erroring on creating the subnet group, Terraform decided to taint it instead. Would have saved me a lot of time had it simply failed on creating the resource.

But anyway, if you ever see an error similar to this, try starting here. Didn't find much on the net related to this error.
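The failure mode in the answer is a CI identity that is allowed to create the subnet group but not to read it back, so the provider's post-create Describe returns nothing and Terraform taints the resource. The following is an added example, not code from the original post, of a least-privilege policy for that CI user that pairs the write actions with the read-back actions on the same subnet group ARN; the region, account id, user name and subnet group name are placeholders, and permissions for the subnets and VPC themselves are out of scope.

```hcl
# Placeholders: substitute the real region, account and CI user name.
locals {
  region      = "eu-west-1"      # placeholder
  account_id  = "123456789012"   # placeholder
  subgrp_name = "terraform-blah" # name seen in the debug log; the
                                 # aws_db_subnet_group must set name = local.subgrp_name
                                 # (or use a "terraform-*" wildcard) for this ARN to match
  subgrp_arn  = "arn:aws:rds:${local.region}:${local.account_id}:subgrp:${local.subgrp_name}"
}

data "aws_iam_policy_document" "ci_rds_subnet_group" {
  # Write side: create/modify/delete the one subnet group the pipeline owns.
  statement {
    sid = "ManageSubnetGroup"
    actions = [
      "rds:CreateDBSubnetGroup",
      "rds:ModifyDBSubnetGroup",
      "rds:DeleteDBSubnetGroup",
      "rds:AddTagsToResource",
      "rds:RemoveTagsFromResource",
    ]
    resources = [local.subgrp_arn]
  }

  # Read side: the action that was missing in the question. Without it the
  # create succeeds, the provider's refresh sees an empty result, and the
  # resource is marked tainted. ListTagsForResource is read on refresh as well.
  statement {
    sid = "ReadSubnetGroup"
    actions = [
      "rds:DescribeDBSubnetGroups",
      "rds:ListTagsForResource",
    ]
    resources = [local.subgrp_arn]
  }
}

resource "aws_iam_policy" "ci_rds_subnet_group" {
  name   = "ci-rds-subnet-group"
  policy = data.aws_iam_policy_document.ci_rds_subnet_group.json
}

# Attach to the pipeline's IAM user (the "user/user" principal from the log).
resource "aws_iam_user_policy_attachment" "ci_rds_subnet_group" {
  user       = "user" # placeholder
  policy_arn = aws_iam_policy.ci_rds_subnet_group.arn
}
```

A quick check before pushing to CI is to run the pipeline's plan with TF_LOG=DEBUG and search the output for "is not authorized to perform"; any Describe or List action named there belongs in the read-side statement.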