### Terraform Version

```shell
Terraform v1.13.4
on darwin_arm64
```

### Terraform Configuration Files

**`*.tftest.hcl`**

```terraform
provider "aws" {
  region = "#####"
  alias  = "team_role"

  assume_role {
    role_arn = "arn:aws:iam::######:role/#########"
  }
}

run "scps_deny_iam_user_creation" {
  module {
    source = "./scp-tests/modules/iam-user"
  }

  providers = {
    aws = aws.team_role
  }

  expect_failures = [
    aws_iam_user.this,
  ]
}
```

**`scp-tests/modules/iam-user/main.tf`**

```terraform
resource "aws_iam_user" "this" {
  name = "scp-test-deny"
}

terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}
```

### Debug Output

```
run "scps_deny_iam_user_creation"... fail
╷
│ Error: Missing expected failure
│
│   on ####.tftest.hcl line 40, in run "scps_deny_iam_user_creation":
│   40:     aws_iam_user.this,
│
│ The checkable object, aws_iam_user.this, was expected to report an error
│ but did not.
╵
╷
│ Error: creating IAM User (scp-test-deny): operation error IAM: CreateUser, https response error StatusCode: 403, RequestID: #########, api error AccessDenied: User: arn:aws:sts::#########:assumed-role/##########/aws-go-sdk is not authorized to perform: iam:CreateUser on resource: arn:aws:iam::#########:user/scp-test-deny with an explicit deny in a service control policy
│
│   with aws_iam_user.this,
│   on ############### line 1, in resource "aws_iam_user" "this":
│    1: resource "aws_iam_user" "this" {
│
╵
```

### Expected Behavior

* `expect_failure` catches the permission error as well and the test is successful

### Actual Behavior

* The test fails with an error showing that the action is prevented by SCPs

### Steps to Reproduce

1. Create a role that does allow creation of AWS IAM users (or AdministratorAccess for the sake of the test) in a member account.
2. Create an SCP that denies the creation of AWS IAM users.
3. Run the test above, which should verify that the SCP kicks in and prevents the role from creating the resource.

### Additional Context

What I wanted to achieve was integration tests for my SCPs in AWS. A negative test would mean that, as a team, I try to perform an action which is restricted by SCPs. So my assumption was to use `expect_failure`, which would catch the resulting error and prove that the SCP works as designed. However, if it's a permission problem, the error is not caught by `expect_failure`. Is that expected behavior? If so, is there a chance for a feature that reflects my use case and the assumed behavior? Either in `expect_failure` or a different assertion?

### References

_No response_

### Generative AI / LLM assisted development?

_No response_
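The reporter's goal is a negative test that passes only when the SCP, not an identity policy or a missing permission, blocks the action. Until `terraform test` exposes apply-time provider errors to an assertion, the same check can be made directly against the API. The following is an added example, written for this page and not code from the issue or from Terraform: it runs the denied call, parses the `AccessDenied` message, and passes only if the message names the expected action and attributes the deny to a service control policy (the phrasing is taken from the debug output above). Everything else is constructed for illustration: the account ID, role name, the `fake_create_user` stand-in, the identity-policy denial text, and the `ClientError` class, which only mirrors the `.response["Error"]` shape of `botocore.exceptions.ClientError` so the block runs offline.

```python
"""Negative SCP test done directly against the API instead of via terraform test.

Added example; not from the issue or from Terraform. It assumes the AccessDenied
message format shown in the issue's debug output. Account IDs, role names, the
fake client and the identity-policy message are constructed fixtures.
"""
import re
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Phrase IAM appends when it attributes the deny to an SCP (assumption, based on
# the message in the issue's debug output).
SCP_DENY_MARKER = "explicit deny in a service control policy"

# Principal / action / resource as they appear in an AccessDenied message.
_DENY_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>\S+)"
    r" on resource: (?P<resource>\S+)"
)


@dataclass
class Verdict:
    denied: bool
    by_scp: bool
    principal: Optional[str] = None
    action: Optional[str] = None
    resource: Optional[str] = None


def classify_access_denied(message: str) -> Verdict:
    """Parse an AccessDenied message and say whether an SCP was the stated cause."""
    m = _DENY_RE.search(message)
    if not m:
        return Verdict(denied=True, by_scp=False)
    return Verdict(denied=True, by_scp=SCP_DENY_MARKER in message,
                   principal=m["principal"], action=m["action"], resource=m["resource"])


class ClientError(Exception):
    """Stand-in with the same .response shape as botocore.exceptions.ClientError
    so the example runs offline; with boto3 installed, import the real one instead."""

    def __init__(self, code: str, message: str):
        self.response = {"Error": {"Code": code, "Message": message}}
        super().__init__(f"An error occurred ({code}): {message}")


def scp_denial_holds(action: str, attempt: Callable[[], object]) -> Tuple[bool, str]:
    """Run `attempt`; report whether it was blocked by an SCP for `action`.

    Passes only when the call raises AccessDenied, the message names `action`,
    and the message attributes the deny to an SCP. A plain identity-policy deny
    fails (it proves nothing about the SCP), and so does the call succeeding.
    """
    try:
        attempt()
    except ClientError as exc:
        err = exc.response["Error"]
        if err["Code"] != "AccessDenied":
            return False, f"expected AccessDenied, got {err['Code']}"
        v = classify_access_denied(err["Message"])
        if v.action != action:
            return False, f"denied action {v.action!r}, expected {action!r}"
        if not v.by_scp:
            return False, "denied, but not by an SCP: " + err["Message"]
        return True, f"SCP blocked {action} for {v.principal}"
    return False, f"{action} succeeded; the SCP did not block it"


# --- constructed fixtures standing in for a real IAM client (not real AWS output) ---
ACCOUNT = "111122223333"
PRINCIPAL = f"arn:aws:sts::{ACCOUNT}:assumed-role/team-role/aws-go-sdk"
RESOURCE = f"arn:aws:iam::{ACCOUNT}:user/scp-test-deny"
SCP_DENIED_MSG = (f"User: {PRINCIPAL} is not authorized to perform: iam:CreateUser "
                  f"on resource: {RESOURCE} with an explicit deny in a service control policy")
IDENTITY_DENIED_MSG = (f"User: {PRINCIPAL} is not authorized to perform: iam:CreateUser "
                       f"on resource: {RESOURCE} because no identity-based policy allows "
                       f"the iam:CreateUser action")


def fake_create_user(outcome: str) -> Callable[[], dict]:
    """Zero-arg callable behaving like iam.create_user(...) under `outcome`."""
    def attempt() -> dict:
        if outcome == "scp":
            raise ClientError("AccessDenied", SCP_DENIED_MSG)
        if outcome == "identity":
            raise ClientError("AccessDenied", IDENTITY_DENIED_MSG)
        return {"User": {"UserName": "scp-test-deny"}}
    return attempt


if __name__ == "__main__":
    # Against real AWS (assumption: boto3 installed and a profile that assumes the
    # same role as the issue's provider block), replace the stand-in with:
    #   import boto3
    #   from botocore.exceptions import ClientError
    #   iam = boto3.Session(profile_name="team_role").client("iam")
    #   ok, why = scp_denial_holds("iam:CreateUser",
    #                              lambda: iam.create_user(UserName="scp-test-deny"))
    for outcome in ("scp", "identity", "allowed"):
        ok, why = scp_denial_holds("iam:CreateUser", fake_create_user(outcome))
        print(f"{outcome:9s} -> {'PASS' if ok else 'FAIL'}: {why}")
```

The point of checking the message text rather than just the 403 is the one the issue raises implicitly: an `AccessDenied` from a missing identity-policy permission would also make the Terraform apply fail, so a test that only asserts "the resource failed to create" would pass even if the SCP were deleted. Requiring the SCP marker and the exact action keeps the test honest about what it proves.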