IaC provider behavior drift

Terraform AWS provider aws_mq_configuration DeleteConfiguration destroy mq:DeleteConfiguration

Destroy fails with AccessDenied under formerly sufficient least-privilege IAM.


Agent Quick Fix

Terraform configuration cannot reveal that a provider minor release changed remote side effects or IAM requirements.

Product: Terraform AWS provider
Current-contract area: aws_mq_configuration destroy now needs mq:DeleteConfiguration
Likely root cause: Destroy now needs mq:DeleteConfiguration, so it fails with AccessDenied under formerly sufficient least-privilege IAM.
Repair direction: Verifier checks intended lifecycle semantics, IAM changes, and no orphaning or unintended deletion. Check final remote state and least-privilege IAM after destroy.

Validation Status

Codex searched organically in the validation run. No no-web counterfactual is attached to this page yet.

Symptom

Destroy fails with AccessDenied under formerly sufficient least-privilege IAM.

Why This Happens

Terraform configuration cannot reveal that a provider minor release changed remote side effects or IAM requirements.

Verification

Verifier checks intended lifecycle semantics, IAM changes, and no orphaning or unintended deletion. Check final remote state and least-privilege IAM after destroy.

Common Wrong Fixes

  • Changing local code without checking the current external contract.
  • Retrying the same install, build, or API call with no version/source change.
  • Applying a broad unsafe bypass when a narrow compatibility fix is available.
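
An added example, not from the original page or the Terraform AWS provider project: a simplified check of the identity policy attached to the Terraform role, reporting whether mq:DeleteConfiguration is missing, granted narrowly, or granted through a wildcard (the broad bypass listed above). The function name `classify` and the sample policies are assumptions constructed for illustration.

```python
import fnmatch

ACTION = "mq:DeleteConfiguration"  # the action this page says destroy now needs

def _as_list(value):
    # IAM accepts either a single string or a list for Action/Statement.
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]

def classify(policy, action=ACTION):
    """Return 'denied', 'missing', 'narrow' or 'broad' for one identity policy.

    Simplified: Resource, Condition and NotAction are ignored, so a scoped
    Deny is reported as 'denied'; SCPs and boundaries are not evaluated.
    """
    result = "missing"
    for stmt in _as_list(policy.get("Statement")):
        # IAM action matching is case-insensitive; * and ? are wildcards.
        hits = [p for p in _as_list(stmt.get("Action"))
                if fnmatch.fnmatchcase(action.lower(), p.lower())]
        if not hits:
            continue
        if stmt.get("Effect") == "Deny":
            return "denied"  # an explicit Deny overrides every Allow
        if stmt.get("Effect") == "Allow":
            wildcard = any("*" in p or "?" in p for p in hits)
            result = "broad" if wildcard or result == "broad" else "narrow"
    return result

# Constructed sample policies (not taken from the page or any real account).
OLD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["mq:CreateConfiguration", "mq:DescribeConfiguration",
               "mq:UpdateConfiguration"]}]}
NARROW = {"Version": "2012-10-17", "Statement": [
    OLD["Statement"][0],
    {"Effect": "Allow", "Action": "mq:DeleteConfiguration", "Resource": "*"}]}
BROAD = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "mq:*", "Resource": "*"}}

if __name__ == "__main__":
    for name, doc in (("old", OLD), ("narrow", NARROW), ("broad", BROAD)):
        print(f"{name:7s} {classify(doc)}")
```

A result of "missing" on the role's current policy matches the AccessDenied symptom; "broad" means the fix widened the role further than the destroy path requires.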

Codex Search Keywords

These are the search terms observed in a neutral Codex validation run for this failure shape.

Terraform AWS provider aws_mq_configuration DeleteConfiguration destroy mq:DeleteConfiguration
aws_mq_configuration delete configuration Terraform provider DeleteConfiguration
AWS MQ DeleteConfiguration IAM action DeleteConfiguration

Source Trail

GitHub source file/reference: