403 error when trying to create resource "opensearch_snapshot_repository"

[syurevich]

What is the bug?

It might be not a bug but some misconfiguration...

I am trying to register snapshot repository using resource "opensearch_snapshot_repository" as per documentation 1 and 2.
But I keep getting the following error.

opensearch_snapshot_repository.index_backups: Creating...

│ Error: HTTP 403 Forbidden: Permission denied. Please ensure that the correct credentials are being used to access the cluster.

However, I can successfully register snapshot repository with the following curl command using exactly the same IAM credentials.
This likely means that there might be a difference in how the requests are being authenticated.
The --aws-sigv4 option in the curl command ensures that the request is properly signed using AWS Signature Version 4.
I am not sure how to achieve it with Terraform.

curl --request PUT https://opensearch-domain-endpoint/_snapshot/index-backups-repo --user $AWS_ACCESS_KEY:$AWS_SECRET_KEY --aws-sigv4 "aws:amz:eu-central-1:es" --header "Content-Type: application/json" -d'
{
  "type": "s3",
  "settings": {
    "bucket": "opensearch-snapshots",
    "base_path": "snapshots",
    "region": "eu-central-1",
    "role_arn": "arn:aws:iam::xxxxxxxxxxxx:role/opensearch-snapshot-operations"
  }
}'

How can one reproduce the bug?

I use the following configuration for Terraform in addition to the required resources related to roles, policies, etc.

provider "opensearch" {
  alias    = "test-01--snapshot-repository"
  url      = "https://opensearch-domain-endpoint"
  aws_access_key = var.aws_access_key
  aws_secret_key = var.aws_secret_key
  aws_region     = "eu-central-1"
  aws_signature_service = "aws:amz:eu-central-1:es"
  healthcheck = false  
}

resource "opensearch_snapshot_repository" "index_backups" {
  provider = opensearch.test-01--snapshot-repository
  name     = "index-backups-repo"
  type     = "s3"
  settings = {
    bucket = "opensearch-snapshots",
    base_path = "snapshots",
    region = "eu-central-1",
    role_arn = "arn:aws:iam::xxxxxxxxxxxx:role/opensearch-snapshot-operations"
  }
}

What is the expected behavior?

Snapshot repository is successfully registered.

What is your host/environment?

Ubuntu 22.04.5 LTS

[andrross]

Catch All Triage - 1

[mglotov]

@syurevich Hi. I had the same issue. Try to set the opensearch_version in the provider configuration.
The provider checks the version of the Opensearch cluster before creating any resources, but it does it using basic_auth creds (username/password).
The corresponding code https://github.com/opensearch-project/terraform-provider-opensearch/blob/main/provider/provider.go#L396