--backend-bootstrap fails to create DynamoDB lock table when SCP denies CreateTable without required tags #5792

@whjakubrogala

Description

Describe the bug

terragrunt init --backend-bootstrap fails to create the DynamoDB lock table in environments where an AWS Service Control Policy (SCP) requires tags to be present on the dynamodb:CreateTable API call.

Terragrunt prompts to create the DynamoDB lock table, but the bootstrap process fails because the table creation request does not satisfy the SCP requirements. As a result, I cannot bootstrap the DynamoDB lock table during init.

This looks very similar to the already reported backend bootstrap issue for S3 bucket creation under tag-enforcing SCPs, except this time the problem affects the DynamoDB lock table bootstrap path. The earlier report describes Terragrunt backend bootstrap failing when required tags are not passed at resource creation time.

Reproducing bugs

When running terragrunt init --backend-bootstrap, DynamoDB lock table creation fails in AWS environments where an SCP enforces mandatory tags on dynamodb:CreateTable.

Terragrunt attempts to create the lock table, but the CreateTable request is denied by the SCP because the required tags are not included in the initial create call.

Steps To Reproduce

Configure an AWS SCP that denies dynamodb:CreateTable unless specific tags are present in the request.
Define a remote_state block using an S3 backend with DynamoDB state locking enabled.
Configure Terragrunt to bootstrap the backend resources automatically.

terragrunt init --backend-bootstrap
ERROR operation error DynamoDB: CreateTable, https response error StatusCode: 400, RequestID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX, api error AccessDeniedException: User: arn:aws:sts::<ACCOUNT_ID>:assumed-role/<ROLE_NAME>/<USER> is not authorized to perform: dynamodb:CreateTable on resource: arn:aws:dynamodb:<REGION>:<ACCOUNT_ID>:table/<TABLE_NAME> with an explicit deny in a service control policy

Expected behavior

When --backend-bootstrap is used and the remote state configuration includes tags for the DynamoDB lock table, Terragrunt should:

pass the required tags in the initial CreateTable API call, if supported
or provide a mechanism to pass tags during table creation
or clearly document that DynamoDB lock table bootstrap is not compatible with tag-enforcing SCPs

Versions

  • Terragrunt version: v1.0.0
  • OpenTofu/Terraform version: OpenTofu v1.11.3
  • Environment details (Ubuntu 20.04, Windows 10, etc.): aws-cli/2.34.1 Python/3.13.11
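To make the failure mode concrete, here is an added example (not Terragrunt's code and not from the reporter) that simulates how a tag-enforcing SCP evaluates the lock-table CreateTable request. The SCP, the table name and the "Environment" tag key are constructed for illustration; the evaluator is a small stand-in for AWS's handling of the aws:RequestTag and aws:TagKeys condition keys, and the request shape assumes the usual Terraform lock table with a string hash key named LockID.

```python
"""Added example (not Terragrunt code): simulates how a tag-enforcing SCP
evaluates Terragrunt's lock-table CreateTable request. The evaluator below is a
small stand-in for the aws:RequestTag / aws:TagKeys condition keys, not AWS's engine."""

# Constructed SCP in the style the issue describes: deny dynamodb:CreateTable
# unless the request carries an "Environment" tag (Null => key must be absent).
SCP = {
    "Effect": "Deny",
    "Action": "dynamodb:CreateTable",
    "Condition": {"Null": {"aws:RequestTag/Environment": "true"}},
}

def request_context(create_table_request):
    """Condition keys AWS derives from the request's Tags parameter."""
    tags = create_table_request.get("Tags", [])
    ctx = {f"aws:RequestTag/{t['Key']}": t["Value"] for t in tags}
    ctx["aws:TagKeys"] = [t["Key"] for t in tags]
    return ctx

def scp_denies(scp, action, ctx):
    """True when the Deny statement matches: action matches and every condition holds."""
    if scp["Effect"] != "Deny" or scp["Action"] != action:
        return False
    for operator, clauses in scp["Condition"].items():
        for key, expected in clauses.items():
            if operator == "Null":
                # Null: "true" matches only when the key is absent from the request
                if (expected == "true") != (key not in ctx):
                    return False
            elif operator == "StringEquals":
                if ctx.get(key) != expected:
                    return False
            else:
                raise ValueError(f"unsupported condition operator {operator}")
    return True

def lock_table_request(table_name, tags=None):
    """CreateTable request for a Terraform/Terragrunt lock table (string hash key LockID)."""
    req = {
        "TableName": table_name,
        "AttributeDefinitions": [{"AttributeName": "LockID", "AttributeType": "S"}],
        "KeySchema": [{"AttributeName": "LockID", "KeyType": "HASH"}],
        "BillingMode": "PAY_PER_REQUEST",
    }
    if tags:  # the fix the issue asks for: tags sent in the same CreateTable call
        req["Tags"] = [{"Key": k, "Value": v} for k, v in tags.items()]
    return req
```

An untagged request matches the Deny statement (the explicit deny seen in the issue), while the same request with Tags included in the CreateTable call does not.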

Labels: bug (Something isn't working), preserved (Preserved issues never go stale)