Why does Terraform fail to provision google_cloudfunctions_function_iam_member? - google-cloud-platform

While I am able to provision a single HTTP-triggered GCP cloud function and call it publicly, I can't seem to provision my second function to be called publicly as well.
I have the editor role assigned to my Terraform service account.
google_cloudfunctions_function_iam_member.v2invoker: Creating...
╷
│ Error: Error applying IAM policy for cloudfunctions cloudfunction "projects/myproject/locations/us-central1/functions/v2": Error setting IAM policy for cloudfunctions cloudfunction "projects/myproject/locations/us-central1/functions/v2": googleapi: Error 403: Permission 'cloudfunctions.functions.setIamPolicy' denied on resource 'projects/myproject/locations/us-central1/functions/v2' (or resource may not exist).
│
│ with google_cloudfunctions_function_iam_member.v2invoker,
│ on main.tf line 460, in resource "google_cloudfunctions_function_iam_member" "v2invoker":
│ 460: resource "google_cloudfunctions_function_iam_member" "v2invoker" {
Clarification - the function resource itself is provisioned correctly, only the iam_member resource isn't.
My Terraform config:
resource "google_cloudfunctions_function" "v2" {
name = "v2"
runtime = "nodejs12"
available_memory_mb = 128
source_archive_bucket = google_storage_bucket.functions.name
source_archive_object = google_storage_bucket_object.nodejs_functions.name
entry_point = "v2"
trigger_http = true
}
resource "google_cloudfunctions_function_iam_member" "v2invoker" {
project = google_cloudfunctions_function.v2.project
region = google_cloudfunctions_function.v2.region
cloud_function = google_cloudfunctions_function.v2.name
role = "roles/cloudfunctions.invoker"
member = "allUsers"
}
output "function-v2" {
value = google_cloudfunctions_function.v2.https_trigger_url
}
Added the terraform config for the first (successful) function:
resource "google_cloudfunctions_function" "helloWorld" {
name = "helloWorld"
runtime = "nodejs12"
available_memory_mb = 128
source_archive_bucket = google_storage_bucket.functions.name
source_archive_object = google_storage_bucket_object.nodejs_functions.name
entry_point = "helloWorld"
trigger_http = true
}
# IAM entry so all users can invoke the function
resource "google_cloudfunctions_function_iam_member" "invoker" {
project = google_cloudfunctions_function.helloWorld.project
region = google_cloudfunctions_function.helloWorld.region
cloud_function = google_cloudfunctions_function.helloWorld.name
role = "roles/cloudfunctions.invoker"
member = "allUsers"
}
output "function-helloWorld" {
value = google_cloudfunctions_function.helloWorld.https_trigger_url
}
The current service account used by terraform is one I created with "Editor" role.

According to GCP IAM documentation:
Note: The Editor role contains permissions to create and delete resources for most Google Cloud services. However, it does not contain permissions to perform all actions for all services. See the section above for more information on how to check if a role has the permissions that you need.
Your editor role definitely doesn't have access to perform the cloudfunctions.functions.setIamPolicy action on the cloud function (as the error message mentions).
Assign the Cloud Functions Admin role (roles/cloudfunctions.admin) to the service account.
It should definitely have all permissions required for anything cloud function-related, including but not limited to setting IAM policies on functions.

Related

Using a multi-region S3 accesspoint with sagemaker (terraform)

I have a sagemaker model that will be deployed in different aws regions. This model will download models from an s3 bucket that is in region x. As long as the model is deployed in region x, the endpoint works.
However, when I deploy the sagemaker model from region y, it fails with the message.
Error: error creating SageMaker model: ValidationException: Could not
access model data at s3://mmmm/. Please ensure that the role
"arn:aws:iam::xxxx:role/dev-xxx-iam-role" exists and that its trust
relationship policy allows the action "sts:AssumeRole" for the service
principal "sagemaker.amazonaws.com". Also ensure that the role has
"s3:GetObject" permissions and that the object is located in region x.
My iam role permissions are as follows:
resource "aws_iam_policy_attachment" "sm_full_access_attach" {
name = "sm-full-access-attachment"
roles = [aws_iam_role.sagemaker_inferencer_iam_role.name]
policy_arn = "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess"
}
resource "aws_iam_policy_attachment" "s3_full_access_attach" {
name = "s3-full-access-attachment"
roles = [aws_iam_role.sagemaker_inferencer_iam_role.name]
policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
}
with the assume role policy of:
data "aws_iam_policy_document" "sm_assume_role_policy" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["sagemaker.amazonaws.com"]
}
}
}
The iam role is as follows:
resource "aws_iam_role" "sagemaker_inferencer_iam_role" {
name = "${var.app_environment}-inferencer-sm-${var.aws_region}-iam-role"
assume_role_policy = data.aws_iam_policy_document.sm_assume_role_policy.json
}
And the above works for same region buckets.
I can of course create have buckets in each region with replication rules from the original bucket. However, this is costly as the model files are huge. So I created a multi-region accesspoint for my original bucket with an alias zzz.mrap
However, when I specify the accesspoint alias in the aws_sagemaker_model resource as follows:
resource "aws_sagemaker_model" "sagemaker_multimodel" {
name = "${var.app_environment}-inferencer-sm-${var.aws_region}-model"
execution_role_arn = aws_iam_role.sagemaker_inferencer_iam_role.arn
primary_container {
image = local.multi_model_inferencer_container_name
mode = "MultiModel"
model_data_url = "s3://zzz.mrap/"
}
}
I get the following error:
Error: error creating SageMaker model: ValidationException: Could not
access model data at s3://zzzz.mrap/. Please ensure that the role
"arn:aws:iam::878435376106:role/dev-xxx-iam-role" exists and that its
trust relationship policy allows the action "sts:AssumeRole" for the
service principal "sagemaker.amazonaws.com". Also ensure that the role
has "s3:GetObject" permissions and that the object is located in
region x.
AWS says that I only have to replace the bucket name by the alias and that they support sagemaker, however this does not seem to be the case.
What am I doing wrong?

GCP Failure binding role cloudsql client to a SA through Terraform

When trying to bind cloudsql client role to a SA in GCP with Terraform next error is produce:
Error setting IAM policy for service account '{}': googleapi: Error 400: Role roles/cloudsql.client is not supported for this resource., badRequest
This is my terraform code on file main.tf:
resource "google_service_account" "default" {
account_id = var.service_account_name
display_name = "ECB API Caller Cloud Function SA"
}
data "google_iam_policy" "default" {
binding {
members = ["serviceAccount:${google_service_account.default.email}"]
role = "roles/cloudsql.client"
}
}
resource "google_service_account_iam_policy" "default" {
service_account_id = google_service_account.default.name
policy_data = data.google_iam_policy.default.policy_data
}
Edit: Sorted
After further investigation I found out a way. Not completely sure why, but as far as I am able to understand, you cannot allocate this role to the user but the other way around.
Whatever, this code snippet does the trick:
resource "google_service_account" "default" {
account_id = var.service_account_name
display_name = "ECB API Caller Cloud Function SA"
}
resource "google_project_iam_binding" "project" {
project = var.project_id
role = "roles/cloudsql.client"
members = [
"serviceAccount:${google_service_account.default.email}",
]

Error Attaching IAM Role to an Instance Profile

I am trying to attach an IAM role to an instance profile for aws karpenter to be able to provision nodes on my behalf. I have already created the role, role-karpenter, from the console.
Below is the terraform script:
data "aws_iam_role" "karpenter_node_group_role" {
name = "role-karpenter"
}
resource "aws_iam_instance_profile" "karpenter" {
name = "KarpenterNodeInstanceProfile"
role = data.aws_iam_role.karpenter_node_group_role.name
}
This is the Error I am getting:
removing role arn:aws:iam::xxxx:role/role-karpenter from IAM instance profile KarpenterNodeInstanceProfile-cluster: ValidationError: The specified value for roleName is invalid. It must contain only alphanumeric characters and/or the following: +=,.#_-
│ status code: 400, request id: 7e631745-e7cb-4542-b19f-2b3872c8cbc3
Options I have tried:
I have used all these different terraform attribute references for the role
# name attribute
role = data.aws_iam_role.karpenter_node_group_role.name
# id attribute
role = data.aws_iam_role.karpenter_node_group_role.id
# arn attribute
role = data.aws_iam_role.karpenter_node_group_role.arn
The fix for me was to remove the resource from the state file and rerun it again
terraform state rm module.eks.aws_iam_instance_profile.karpenter
Then
terraform plan && terraform apply

How can i provision IAM Role in aws with terraform?

as i'm new with terraform, i'd like to ask your help once i got stuck for almost a day.
When trying to apply a IAC to deploy a Nginx service into a ECS(EC2 launch type) on aws i'm facing the following problem:
Error: Error creating IAM Role nginx-iam_role: MalformedPolicyDocument: Has prohibited field Resource status code: 400, request id: 0f1696f4-d86b-4ad1-ba3b-9453f3beff2b
I have already checked the documentation and the syntax is fine. What else could be wrong?
Following the snippet code creating the IAM infra:
provider "aws" {
region = "us-east-2"
}
data "aws_iam_policy_document" "nginx-doc-policy" {
statement {
sid = "1"
actions = [
"ec2:*"
]
resources = ["*"]
}
}
resource "aws_iam_role" "nginx-iam_role" {
name = "nginx-iam_role"
path = "/"
assume_role_policy = "${data.aws_iam_policy_document.nginx-doc-policy.json}"
}
resource "aws_iam_group_policy" "nginx-group-policy" {
name = "my_developer_policy"
group = "${aws_iam_group.nginx-iam-group.name}"
policy = "${data.aws_iam_policy_document.nginx-doc-policy.json}"
}
resource "aws_iam_group" "nginx-iam-group" {
name = "nginx-iam-group"
path = "/"
}
resource "aws_iam_user" "nginx-user" {
name = "nginx-user"
path = "/"
}
resource "aws_iam_user_group_membership" "nginx-membership" {
user = "${aws_iam_user.nginx-user.name}"
groups = ["${aws_iam_group.nginx-iam-group.name}"]
}
If you guys need the remaining code: https://github.com/atilasantos/iac-terraform-nginx.git
You are trying to use the aws_iam_policy_document.nginx-doc-policy policy as an assume_role_policy which does not work as an assume role policy needs to define a principal that you trust and want to grant access to assume the role you are creating.
An assume role policy could look like this is you want to grant access to the role to EC2 instances via instance profiles. At the end you can attach your initial role via a new resource as an inline policy to the role:
data "aws_iam_policy_document" "instance-assume-role-policy" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["ec2.amazonaws.com"]
}
}
}
resource "aws_iam_role" "nginx-iam_role" {
name = "nginx-iam_role"
path = "/"
assume_role_policy = data.aws_iam_policy_document.instance-assume-role-policy.json
}
resource "aws_iam_role_policy" "role_policy" {
name = "role policy"
role = aws_iam_role.nginx-iam_role.id
policy = data.aws_iam_policy_document.nginx-doc-policy.json
}
Instead of attaching the policy as an inline policies you can also create an IAM Policy and attach it to the various iam resources. (e.g.: aws_iam_policy and aws_iam_role_policy_attachment for roles.)
We created a bunch of open-source IAM modules (and others) to make IAM handling easier: Find them here on github. But there are more modules out there that you can try.

Terraform: depends_on for module not working as expected in AWS

I am new to terraform. I was working with terraform v0.12 previously and since I wanted to bring in a dependency between modules, I started using terraform v0.13 recently. I am trying to create an IAM role and attach a few policies to the created role. But the issue arises in policy attachment to the role. Few policies are getting attached to the role but some policies throw an error saying no such role exists while the other policies are attached to the role properly. Is there anything wrong in my implementation?
module.tf
provider "aws" {
region = "ap-southeast-1"
}
#Control Plane role and policies
module "ControlPlane_Role" {
source = "../../templates/IAM/roles"
role_name = var.EKS-master-role
}
module "ControlPlane_Policy1" {
source = "../../templates/IAM/aws_policy"
role_name = var.EKS-master-role
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
depends_on = [module.ControlPlane_Role.role_create]
}
module "ControlPlane_Policy2" {
source = "../../templates/IAM/aws_policy"
role_name = var.EKS-master-role
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSServicePolicy"
depends_on = [module.ControlPlane_Role.role_create]
}
templates/IAM/roles/role.tf
resource "aws_iam_role" "role_create" {
assume_role_policy = data.aws_iam_policy_document.trusted_entity.json
name = var.role_name
}
aws_policy.tf
resource "aws_iam_role_policy_attachment" "aws_policy" {
role = var.role_name
policy_arn = var.policy_arn
}
I'll be passing the variable files separately and there are no issues with that.
Error:
Error: Error attaching policy arn:aws:iam::aws:policy/AmazonEKSClusterPolicy to IAM Role EKS-master: NoSuchEntity: The role with name EKS-master cannot be found.
Error attaching policy arn:aws:iam::aws:policy/AmazonEKSServicePolicy to IAM Role EKS-master: NoSuchEntity: The role with name EKS-master cannot be found.
If I re-run the command terraform apply again on the same resources without any change, the policies are getting attached.
You shouldn't use depends_on except for some exceptional cases. From the templates/IAM/roles, define an output that is the name of the role and in the other modules pass this output (role_name = module.ControlPlane_Role.output_role_name). With this setup, the dependency graph is clear (create the role, create the things that depend on the role) instead of having to manually define dependencies with depends_on.