IaC provider behavior drift

Terraform AWS provider aws_mq_configuration DeleteConfiguration destroy mq:DeleteConfiguration

Destroy fails with AccessDenied under formerly sufficient least-privilege IAM.


Agent Quick Fix

Repair against the current Terraform AWS provider contract, then keep the change narrow and source-backed.

Product: Terraform AWS provider
Current-contract area: aws_mq_configuration destroy now needs mq:DeleteConfiguration
Likely root cause: Destroy fails with AccessDenied under formerly sufficient least-privilege IAM.
Repair direction: Verifier checks intended lifecycle semantics and IAM changes, and that nothing is orphaned or unintentionally deleted. Check final remote state and least-privilege IAM after destroy.

Symptom

Destroy fails with AccessDenied under formerly sufficient least-privilege IAM.

Why This Happens

Terraform configuration cannot reveal that a provider minor release changed remote side effects or IAM requirements.

Common Wrong Fixes

  • Changing local code without checking the current external contract.
  • Retrying the same install, build, or API call with no version/source change.
  • Applying a broad unsafe bypass when a narrow compatibility fix is available.
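The narrow fix and the broad bypass can be told apart before running destroy. This is an added example, not code from the Terraform AWS provider or from this page's source: a Python check that reports whether an identity policy document grants `mq:DeleteConfiguration` and whether the grant comes from a wildcard. The function name `check_policy` and the sample policies are constructed; `Resource` and `Condition` elements, `NotAction`, permission boundaries and SCPs are not evaluated.

```python
import fnmatch

NEEDED = "mq:DeleteConfiguration"  # IAM action this page says destroy now needs

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # IAM action names are case-insensitive; "*" and "?" are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def check_policy(policy, action=NEEDED):
    """Return (verdict, wildcard_patterns) for one identity policy document."""
    allowed, denied, broad = False, False, []
    for stmt in _as_list(policy.get("Statement", [])):
        if "Action" not in stmt:
            continue  # NotAction statements are not evaluated here
        hits = [p for p in _as_list(stmt["Action"]) if _matches(p, action)]
        if not hits:
            continue
        if stmt.get("Effect") == "Deny":
            denied = True  # treated as blocking even if it carries a Condition
        elif stmt.get("Effect") == "Allow":
            allowed = True
            broad.extend(p for p in hits if "*" in p or "?" in p)
    if denied:
        return "explicit-deny", broad
    return ("allowed" if allowed else "missing"), broad

def _policy(*actions):
    # Constructed sample policy; Resource "*" keeps the sample short.
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": "*"}]}

BEFORE = _policy("mq:CreateConfiguration", "mq:UpdateConfiguration",
                 "mq:DescribeConfiguration", "mq:DescribeConfigurationRevision")
NARROW = _policy(*BEFORE["Statement"][0]["Action"], NEEDED)
BROAD = _policy("mq:*")

if __name__ == "__main__":
    for name, doc in (("before", BEFORE), ("narrow", NARROW), ("broad", BROAD)):
        verdict, wildcards = check_policy(doc)
        note = f" (granted via wildcard {wildcards})" if wildcards else ""
        print(f"{name}: {NEEDED} is {verdict}{note}")
```

A `missing` verdict matches the AccessDenied symptom on destroy; an `allowed` verdict with a non-empty wildcard list means the action was granted by widening the policy rather than by naming it.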

Codex Search Keywords

These are the search terms observed in a neutral Codex validation run for this failure shape.

Terraform AWS provider aws_mq_configuration DeleteConfiguration destroy mq:DeleteConfiguration
aws_mq_configuration delete configuration Terraform provider DeleteConfiguration
AWS MQ DeleteConfiguration IAM action DeleteConfiguration

Source Trail

GitHub source file/reference: