Here is my aws_iam_role definition in terraform
resource "aws_iam_role" "server_role" {
name = "server-role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sts:AssumeEnvironment",
"sqs:ChangeMessageVisibility",
"sqs:ReceiveMessage",
"sqs:SendMessage",
"s3:GetObject*",
"s3:ListBucket*",
"s3:PutBucket*",
"s3:PutObject*"
],
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
but i got this error when I try to run terraform plan:
Error: Error applying plan:
1 error(s) occurred:
aws_iam_role.server_role: 1 error(s) occurred:
aws_iam_role.server_role: Error creating IAM Role server-role: MalformedPolicyDocument: AssumeRole policy may
only specify STS AssumeRole actions. status code: 400, request id:
55f1bfaf-a121-11e9-acaf-bb57d635757b
I basically want to allow the server to read/write S3 buckets and read/write SQS queues.
Apparently I cannot add all these sqs:* and s3:* in the same place. How can I do it in terraform?
you are confused IAM Policy and IAM assume role Policy.
Try like below. It will create IAM Profile for EC2 and you can attach it to your EC2 instances.
resource "aws_iam_role" "server_role" {
name = "server-role"
path = "/"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
}
resource "aws_iam_policy" "server_policy" {
name = "server_policy"
path = "/"
description = "TBD"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sqs:ChangeMessageVisibility",
"sqs:ReceiveMessage",
"sqs:SendMessage",
"s3:GetObject*",
"s3:ListBucket*",
"s3:PutBucket*",
"s3:PutObject*"
],
"Resource": [
"*"
]
,
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
resource "aws_iam_role_policy_attachment" "server_policy" {
role = "${aws_iam_role.server_role.name}"
policy_arn = "${aws_iam_policy.server_policy.arn}"
}
resource "aws_iam_instance_profile" "server" {
name = "server_profile"
role = "${aws_iam_role.server_role.name}"
}
Related
just want to ask if this has been a known issue on Terraform v0.11, I'm trying to mount efs to lambda however it seems being blocked on the part of querying the efs access point.
data.aws_efs_access_point.pogi: data.aws_efs_access_point.pogi: Error reading EFS access point : AccessDeniedException:
status code: 403, request id: 123k23s-1434-4421-as4ds-asd021390asdjj
my tf code below:
data "aws_efs_access_point" "pogi" {
access_point_id = "fsap-p0gigwap0h"
}
resource "aws_lambda_function" "pogi_function" {
function_name = "pogi-na-gwapo-pa"
...
file_system_config {
arn = "${data.aws_efs_access_point.pogi.arn}"
local_mount_path = "/mnt/pogi-mo"
}
}
NOTE: My tf code above is working when data source part is commented and arn value is hard coded
I'm using this IAM Role to deploy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt143441432",
"Action": [
"lambda:AddPermission",
"lambda:GetFunction",
"lambda:ListAliases",
"lambda:TagResource",
"lambda:UntagResource",
"lambda:UpdateFunctionConfiguration"
],
"Effect": "Allow",
"Resource": "arn:aws:lambda:us-east-1:1234567898765:function:pogi-*"
},
{
"Sid": "Stmt143441432",
"Action": [
"elasticfilesystem:Describe*",
"elasticfilesystem:List*"
],
"Effect": "Allow",
"Resource": "arn:aws:elasticfilesystem:us-east-1:1234567898765:file-system/*"
}
]
}
I have created resources for log_group for list of given job names
resource "aws_cloudwatch_log_group" "logGroups" {
count = length(var.jobnames)
name = format("/aws/lambda/%s", format(local.function_name_format, var.jobnames[count.index]))
retention_in_days = 7
}
and now for the each log resource i am creating an iam policy
resource "aws_iam_policy" "base_iam_policy" {
count = length(var.jobnames)
name = format(local.base_iam_policy_name_format, var.jobnames[count.index])
path = "/"
description = "Base IAM policy for creating a lambda"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"${element(aws_cloudwatch_log_group.logGroups.*.arn, count.index)}*"
]
},
{
"Action": [
"cloudwatch:PutMetricData",
"cloudwatch:GetMetricData",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestedRegion": "${var.region}"
}
}
}
]
}
EOF
}
The issue is that for each BASE_IAM_POLICY, the resource for CreateLogStream is same. Looks like
in this "${element(aws_cloudwatch_log_group.logGroups.*.arn, count.index)}*" count is not getting incremented ?
Honestly, this seems like a bug in terraform. In the meantime I'd recommend indexing the elements directly, like the following
"${aws_cloudwatch_log_group.logGroups[count.index].arn}*"
This question already has answers here:
MalformedPolicyDocument error when creating policy via terraform
(2 answers)
Closed 3 years ago.
I am trying to create a lambda role and attach policies to it so it can start and stop ec2 instance. I will be triggering the lambda using cloudwatch.
I am getting this error:
"Error: Error creating IAM Role lambdaRole: MalformedPolicyDocument: JSON strings must not have leading spaces
status code: 400, request id: d6a86c41-6601-43af-9040-81f6e6a76ec8
on iam.tf line 11, in resource "aws_iam_role" "lambdaRole":
11: resource "aws_iam_role" "lambdaRole" {"
terraform {
backend "s3" {
region = "us-west-2"
bucket = "gitlegionbucket"
key = "ec2/terraform.tfstate"
dynamodb_table = "tf-state-lock"
}
}
resource "aws_iam_role" "lambdaRole" {
name = "lambdaRole"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
resource "aws_iam_policy" "policy" {
name = "test-policy"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"ec2:Start*",
"ec2:Stop*"
],
"Resource": "*"
}
]
}
EOF
}
resource "aws_iam_role_policy_attachment" "attach-policies" {
role = "${aws_iam_role.lambdaRole.name}"
policy_arn = "${aws_iam_policy.policy.arn}"
}
I was also facing the same error. I have directly copied the code from the question.
The way it worked was for me was to start the { i.e the start of the policy after the EOF line immediately without any spaces.
resource "aws_iam_role" "lambdaRole" {
name = "lambdaRole"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
resource "aws_iam_policy" "policy" {
name = "test-policy"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"ec2:Start*",
"ec2:Stop*"
],
"Resource": "*"
}
]
}
EOF
}
resource "aws_iam_role_policy_attachment" "attach-policies" {
role = "${aws_iam_role.lambdaRole.name}"
policy_arn = "${aws_iam_policy.policy.arn}"
}
terraform output:
aws_iam_role.lambdaRole: Creating...
aws_iam_role.lambdaRole: Creation complete after 2s [id=lambdaRole]
aws_iam_role_policy_attachment.attach-policies: Creating...
aws_iam_role_policy_attachment.attach-policies: Creation complete after 1s [id=lambdaRole-20191107141649610400000001]
Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
Alright, I found a solution to this problem. I moved the jsons into different files and I just referred to those files instead.
like this, policy = "${file("lambda-policy.json")}"
and this I have in "lambda-policy.json" :
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:StartInstances",
"logs:",
"ec2:StopInstances"
],
"Resource": ""
}
]
}
I have an aws_lb that I want to log to an S3 bucket.
What I have unsuccessfully tried to do:
data "aws_elb_service_account" "main" {}
data "aws_iam_policy_document" "bucket_policy" {
statement {
sid = ""
actions = ["s3:PutObject"]
resources = ["arn:aws:s3:::my-bucket/*"]
principals {
type = "AWS"
identifiers = ["${data.aws_elb_service_account.main.arn}"]
}
}
}
I also tried this:
resource "aws_iam_role" "lb-logs-role" {
name = "lb-logs-role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "elasticloadbalancing.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
tags = {
Name = "lb-logs-role"
Environment = terraform.workspace
Management = "Managed by Terraform"
}
}
resource "aws_iam_role_policy" "s3-logs-access" {
name = "s3-logs-access"
role = aws_iam_role.lb-logs-role.id
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:PutObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/*"
}
]
}
EOF
}
This is the error I am seeing:
Error: Failure configuring LB attributes: InvalidConfigurationRequest: Access Denied for bucket: my-bucket. Please check S3bucket permission
status code: 400, request id: 5b629210-9738-11e9-bcc6-6f3b4f22bf28
on modules/tableau-linux/lb.tf line 1, in resource "aws_lb" "main":
1: resource "aws_lb" "main" {
Any ideas?
It looks like the API will request the ACL of the bucket to see if it has permission, and populate the initial folder structure, therefore the even though the aws_elb_service_account has permissions to putObject in the bucket the api call will fail. This policy is what the AWS web console creates when it creates the S3 bucket for you, and it solved it for me.
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}
data "aws_elb_service_account" "main" {}
resource "aws_s3_bucket_policy" "lb-bucket-policy" {
bucket = aws_s3_bucket.lb-log-storage-s3.id
policy = <<POLICY
{
"Id": "Policy",
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"AWS": [
"${data.aws_elb_service_account.main.arn}"
]
},
"Action": [
"s3:PutObject"
],
"Resource": "${aws_s3_bucket.lb-log-storage-s3.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"
},
{
"Effect": "Allow",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": [
"s3:PutObject"
],
"Resource": "${aws_s3_bucket.lb-log-storage-s3.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
},
{
"Effect": "Allow",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": [
"s3:GetBucketAcl"
],
"Resource": "${aws_s3_bucket.lb-log-storage-s3.arn}"
}
]
}
POLICY
}
It seems the issue is with your policy but you can try my code using aws_lb, Here is the complete configuration to launch to LB in default VPC and create bucket named test-bucket-1-unique-name, policy and LB named test-http-lb. Along with SG and Route53 entry that is commented.
# Creating Load Balancer
resource "aws_lb" "httplb" {
name = "test-http-lb"
internal = false
load_balancer_type = "application"
security_groups = ["${aws_security_group.lbsg.id}"]
subnets = ["subnet-99fdf8e0", "subnet-902b0ddb"]
enable_deletion_protection = false
access_logs {
bucket = "${aws_s3_bucket.bucket.bucket}"
prefix = "http-lb"
enabled = true
}
tags = {
Environment = "test-http"
}
}
# Creating Security Groups for Load Balancer
resource "aws_security_group" "lbsg" {
name = "test-loadbalancer-sg"
description = "test-Allow LB traffic"
tags = {
Name = "test-SG-Balancer"
}
ingress {
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
description = "HTTP"
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
#uncomment this if you want to add route53 record
# resource "aws_route53_record" "web" {
# zone_id = "${data.aws_route53_zone.primary.zone_id}"
# name = "${var.env_prefix_name}.ironman.co
# type = "A"
# alias {
# name = "${aws_lb.httplb.dns_name}"
# zone_id = "${aws_lb.httplb.zone_id}"
# evaluate_target_health = true
# }
# }
data "aws_elb_service_account" "main" {}
# Creating policy on S3, for lb to write
resource "aws_s3_bucket_policy" "lb-bucket-policy" {
bucket = "${aws_s3_bucket.bucket.id}"
policy = <<POLICY
{
"Id": "testPolicy1561031527701",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "testStmt1561031516716",
"Action": [
"s3:PutObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::test-bucket-1-for-lb-logs/http-lb/*",
"Principal": {
"AWS": [
"${data.aws_elb_service_account.main.arn}"
]
}
}
]
}
POLICY
}
resource "aws_s3_bucket" "bucket" {
bucket = "test-bucket-1-for-lb-logs"
acl = "private"
region = "us-west-2"
versioning {
enabled = false
}
force_destroy = true
}
Then go to your S3 bucket and verify TestFile.
Here are the logs from terraform
This one stumped me also, but I got it working with this
{
Effect : "Allow",
Principal : {
"AWS" : "arn:aws:iam::127311923021:root"
},
Action : [
"s3:PutObject"
],
Resource : "${aws_s3_bucket.logging_bucket.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*",
}
Where does 127311923021 come from, you ask? Believe me, I did too! This AWS document says it is the ID of the AWS account for Elastic Load Balancing for your Region (us-east-1 in this case). It has a large table of these magic numbers!
I am setting up cloud security and I need to:
Select type of trusted entity > Another AWS account
Account ID: xxxxxxxxxx
External ID: xxxxxxxxxx
Attach the SecurityAudit Policy (which is already in AWS)
I'm not sure how to add an already existing policy or where to add the ids. I can't seem to work out a solution from the terraform documentation.
../Core/iam_roles.tf
# BEGIN 'foo'
resource "aws_iam_role" "foo" {
name = "${terraform.workspace}_Foo"
path = "/"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"automation.amazonaws.com",
"events.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
EOF
}
resource "aws_iam_role_policy_attachment" "foo" {
policy_arn = "${aws_iam_policy.security_audit.arn}"
role = "${aws_iam_role.foo.name}"
}
Any help would be much appreciated!
If you're attaching a policy that already exists in the account, I would use a data source to query it. You have to know the ARN to use the IAM policy data source so it's not much different than specifying the ARN directly in the aws_iam_role_policy_attachment resource except it allows the terraform plan command to validate that the policy exists before running apply, it's an extra safeguard for you. The data source also gives you more information about the resource should you need it.
data "aws_iam_policy" "security_audit" {
arn = "arn:aws:iam::${var.target_account_id}:policy/SecurityAudit"
}
# BEGIN 'foo'
resource "aws_iam_role" "foo" {
name = "${terraform.workspace}_Foo"
path = "/"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"automation.amazonaws.com",
"events.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::${var.other_aws_account_id}:role/your_role_name_and_path_here"
]
},
"Action": "sts:AssumeRole"
}
]
}
EOF
}
resource "aws_iam_role_policy_attachment" "foo" {
policy_arn = "${data.aws_iam_policy.security_audit.arn}"
role = "${aws_iam_role.foo.name}"
}
`# BEGIN 'Foo'
resource "aws_iam_role" "foo" {
name = "${terraform.workspace}_Foo"
path = "/"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::INSERT_ACCOUNT_NUMBER:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "INSERT_EXTERNAL_ID"
}
}
}
]
}
EOF
}
resource "aws_iam_role_policy_attachment" "foo" {
policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
role = "${aws_iam_role.foo.name}"
}
resource "aws_iam_instance_profile" "foo" {
name = "${terraform.workspace}_Foo"
role = "${aws_iam_role.foo.name}"
}
# END
`