[Bug]: error listing tags in aws_vpclattice_service_network data source #41270

Closed
bturbes opened this issue Feb 6, 2025 · 4 comments · Fixed by #41295
Assignees
Labels
bug Addresses a defect in current functionality. prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. regression Pertains to a degraded workflow resulting from an upstream patch or internal enhancement. service/vpclattice Issues and PRs that pertain to the vpclattice service.
Milestone

Comments

@bturbes
Contributor

bturbes commented Feb 6, 2025

Terraform Core Version

1.10.3, 1.8.2, 1.8.0

AWS Provider Version

5.85.0

Affected Resource(s)

  • aws_vpclattice_service_network data source

Expected Behavior

The aws_vpclattice_service_network data source should successfully look up the service network, even when shared across accounts with RAM.

Actual Behavior

There is an error listing the tags on the service network.

Relevant Error/Panic Output Snippet

Error: listing tags for VPC Lattice Service Network (arn:aws:vpc-lattice:us-east-1:************:servicenetwork/sn-*****************): operation error VPC Lattice: ListTagsForResource, https response error StatusCode: 403, RequestID: ************************************, AccessDeniedException: User: arn:aws:sts::************:assumed-role/*** is not authorized to perform: vpc-lattice:ListTagsForResource on resource: arn:aws:vpc-lattice:us-east-1:************:servicenetwork/sn-*****************

Terraform Configuration Files

data "aws_vpclattice_service_network" "service_network" {
  service_network_identifier = var.service_network_id
}

Steps to Reproduce

  • Create a VPC Lattice Service network in AWS Account 1
  • Share Service Network with AWS Account 2
  • Using credentials in AWS Account 2, run a terraform plan with an aws_vpclattice_service_network data source pointed at the Service Network

Debug Output

No response

Panic Output

No response

Important Factoids

  • Pinning to version 5.84.0 of the AWS provider resolves this issue for us.
  • We are using the AWSRAMPermissionVpcLatticeServiceNetworkReadWrite managed permissions when sharing the service network with other accounts. My understanding is that this is a complete list of actions able to be taken on shared Service Networks.

References

This issue seems similar to #32938, along with its corresponding pull request #32939

Screenshot of AWSRAMPermissionVpcLatticeServiceNetworkReadWrite

Would you like to implement a fix?

None
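
The reproduction steps above written out as one Terraform configuration. This is an added example, not part of the original issue or the provider's code. The profile names, resource names and the `consumer_account_id` variable are assumptions, the managed-permission ARN is built from the permission name in the report, and both accounts are assumed to be in one AWS Organization with RAM sharing enabled so that no share accepter is needed.

```hcl
terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = "5.85.0" } # affected version per the report
  }
}

# Placeholder profiles: "account1" owns the service network, "account2" consumes it.
provider "aws" {
  alias   = "owner"
  region  = "us-east-1"
  profile = "account1"
}
provider "aws" {
  alias   = "consumer"
  region  = "us-east-1"
  profile = "account2"
}

variable "consumer_account_id" { type = string } # 12-digit ID of AWS Account 2

resource "aws_vpclattice_service_network" "shared" {
  provider = aws.owner
  name     = "example-shared-sn"
}

resource "aws_ram_resource_share" "sn" {
  provider        = aws.owner
  name            = "example-sn-share"
  permission_arns = ["arn:aws:ram::aws:permission/AWSRAMPermissionVpcLatticeServiceNetworkReadWrite"]
}

resource "aws_ram_resource_association" "sn" {
  provider           = aws.owner
  resource_arn       = aws_vpclattice_service_network.shared.arn
  resource_share_arn = aws_ram_resource_share.sn.arn
}

resource "aws_ram_principal_association" "consumer" {
  provider           = aws.owner
  principal          = var.consumer_account_id
  resource_share_arn = aws_ram_resource_share.sn.arn
}

# Lookup from Account 2: the read that fails with the ListTagsForResource 403 in the report.
data "aws_vpclattice_service_network" "service_network" {
  provider                   = aws.consumer
  service_network_identifier = aws_vpclattice_service_network.shared.arn
  depends_on                 = [aws_ram_resource_association.sn, aws_ram_principal_association.consumer]
}
```

Changing the version constraint to 5.84.0 gives the pinned setup that the report says resolves the error.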

@bturbes bturbes added the bug Addresses a defect in current functionality. label Feb 6, 2025
@github-actions github-actions bot added service/vpc Issues and PRs that pertain to the vpc service. service/vpclattice Issues and PRs that pertain to the vpclattice service. needs-triage Waiting for first response or review from a maintainer. labels Feb 6, 2025
@justinretzolk justinretzolk added regression Pertains to a degraded workflow resulting from an upstream patch or internal enhancement. and removed needs-triage Waiting for first response or review from a maintainer. service/vpc Issues and PRs that pertain to the vpc service. labels Feb 6, 2025
@terraform-aws-provider terraform-aws-provider bot added the prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. label Feb 6, 2025
@ewbankkit
Contributor

Relates #21202.

@ewbankkit ewbankkit added regression Pertains to a degraded workflow resulting from an upstream patch or internal enhancement. and removed regression Pertains to a degraded workflow resulting from an upstream patch or internal enhancement. labels Feb 6, 2025
@YakDriver
Member

This regression results from this change in #41019:

// @SDKDataSource("aws_vpclattice_service_network", name="Service Network")
- // @Tags
+ // @Tags(identifierAttribute="arn")
+ // @Testing(tagsTest=false)
func dataSourceServiceNetwork() *schema.Resource {
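
Review bot: on the `+ // @Tags(identifierAttribute="arn")` line, setting an identifier attribute on this data source is what this thread ties to the `ListTagsForResource` 403 for service networks shared across accounts, and the `+ // @Testing(tagsTest=false)` line right after it turns off the tag tests that might have exercised the new call. Suggest either keeping the bare `// @Tags` on the data source or making the tag listing tolerate `AccessDeniedException` when the caller is not the owning account, and adding a test that reads the data source against a RAM-shared service network.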

@github-actions github-actions bot added this to the v5.87.0 milestone Feb 10, 2025
@YakDriver YakDriver self-assigned this Feb 10, 2025
@gdavison gdavison modified the milestones: v5.87.0, v5.86.1 Feb 10, 2025