I am trying to provision an ECS cluster with terraform, everything seems to work well up until I am creating the ecs service:
resource "aws_ecs_service" "ecs-service" {
name = "ecs-service"
iam_role = "${aws_iam_role.ecs-service-role.name}"
cluster = "${aws_ecs_cluster.ecs-cluster.id}"
task_definition = "${aws_ecs_task_definition.my_cluster.family}"
desired_count = 1
load_balancer {
target_group_arn = "${aws_alb_target_group.ecs-target-group.arn}"
container_port = 80
container_name = "my_cluster"
}
}
and the IAM role is:
resource "aws_iam_role" "ecs-service-role" {
name = "ecs-service-role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
resource "aws_iam_role_policy_attachment" "ecs-service-role-attachment" {
role = "${aws_iam_role.ecs-service-role.name}"
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole"
}
I am getting the following error message:
aws_ecs_service.ecs-service: 1 error(s) occurred:
aws_ecs_service.ecs-service: InvalidParameterException: Unable to assume role and validate the specified targetGroupArn. Please verify
that the ECS service role being passed has the proper permissions.
In assume_role_policy, can you change the "Principal" line to as mentioned below: You are having ec2.amazonaws.com.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ecs.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
Related
I reference the code at https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile, I created iam.tf file. I tried to attach the policy to an ec2 instance. I got an error:
aws_iam_role.role: Creating...
Error: failed creating IAM Role (jenkins_server_role): MalformedPolicyDocument: Has prohibited field Resource
status code: 400, request id: c2b8db57-357f-4657-a692-a3e6026a6b7b
with aws_iam_role.role,
on iam.tf line 6, in resource "aws_iam_role" "role":
6: resource "aws_iam_role" "role" Releasing state lock. This may take a few moments...
ERRO[0011] Terraform invocation failed in /home/pluo/works/infra/jenkins
ERRO[0011] 1 error occurred:
* exit status 1
Here is the iam.tf:
resource "aws_iam_instance_profile" "jenkins_server" {
name = "jenkins_server"
role = aws_iam_role.role.name
}
resource "aws_iam_role" "role" {
name = "jenkins_server_role"
path = "/"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "ec2:*",
"Effect": "Allow",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "elasticloadbalancing:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "cloudwatch:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "autoscaling:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": [
"autoscaling.amazonaws.com",
"ec2scheduled.amazonaws.com",
"elasticloadbalancing.amazonaws.com",
"spot.amazonaws.com",
"spotfleet.amazonaws.com",
"transitgateway.amazonaws.com"
]
}
}
}
]
}
EOF
}
Here is the module to create ec2 instance.
module "ec2" {
source = "terraform-aws-modules/ec2-instance/aws"
version = "4.1.4"
name = var.ec2_name
ami = var.ami
instance_type = var.instance_type
availability_zone = var.availability_zone
subnet_id = data.terraform_remote_state.vpc.outputs.public_subnets[0]
vpc_security_group_ids = [aws_security_group.WebServerSG.id]
associate_public_ip_address = true
key_name = var.key_name
monitoring = true
iam_instance_profile = aws_iam_instance_profile.jenkins_server.name
enable_volume_tags = false
root_block_device = [
{
encrypted = true
volume_type = "gp3"
throughput = 200
volume_size = 100
tags = {
Name = "jenkins_server"
}
},
]
tags = {
Name = "WebServerSG"
}
}
Your assume_role_policy is incorrect. For ec2 instances it should be:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": { "Service": "ec2.amazonaws.com"},
"Action": "sts:AssumeRole"
}
]
}
Then you current assume_role_policy should be written in aws_iam_role_policy instead.
Just to provide more information on top of the good answer from Marcin. In AWS IAM roles there are two kinds of policies you might specify (which at first might be confusing):
assume role policy - i.e. "who"/what can assume this role, as Marcin mentions here you would like to specify that EC2 instances can assume this role - i.e. act in this role
role policy - i.e. what can this role do; in your case it will be all these elasticloadbalancing, cloudwatch, etc.
So, putting that into Terraform perspective:
the former should go to assume_role_policy of a aws_iam_role
the latter should go to a separate resource "iam_role_policy"
Goal :
I am trying to create the following things A terraform template to
create KMS keys This template should create the key and two IAM roles.
The roles would be one for admin functions and one that allows
encrypt/decrypt I have written the following code
Am I doing the correct thing to achieve my goal?
provider "aws"
{
access_key = "*****************"
secret_key = "4ZJaLh***********"
region = "us-east-1"
}
resource "aws_kms_key" "test_key" {
description = "KMS Test key"
}
resource "aws_kms_alias" "alias" {
name = "alias/test_key"
target_key_id = "${aws_kms_key.test_key.key_id}"
}
#IAM Role and Policy
resource "aws_iam_policy" "kms_user_policy" {
name = "KMS-User-Policy"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKey",
"kms:ReEncryptTo",
"kms:DescribeKey",
"kms:ReEncryptFrom"
],
"Resource": "*"
}
]
}
EOF
}
resource "aws_iam_role" "kms_user_role" {
name = "kms_user_role"
path = "/"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
resource "aws_iam_policy_attachment" "test-attach" {
name = "test-attachment"
roles = ["${aws_iam_role.kms_user_role.name}"]
policy_arn = "${aws_iam_policy.kms_user_policy.arn}"
}
I'm currently trying to automate AWS account provisioning, and one the steps is to create IAM ROLE, with Identity provider(for federated user access).
I searched, and checked Terraform documentation, but cannot find any information about creating such role, or attaching provider to a role.
I can create both just fine, but they are independent.
here is portion of the code:
resource "aws_iam_saml_provider" "default" {
name = "ADFS-TEST"
saml_metadata_document = "${file("../../FederationMetadata.xml")}"
}
resource "aws_iam_role" "role" {
name = "test-Admins"
}
figured out. here is full block
resource "aws_iam_saml_provider" "test" {
name = "ADFS-TEST"
saml_metadata_document = "${file("../../FederationMetadata.xml")}"
}
resource "aws_iam_role" "role" {
name = "ADFStest-Admins"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Federated": "${aws_iam_saml_provider.test.arn}"
},
"Action": "sts:AssumeRoleWithSAML",
"Condition": {
"StringEquals": {
"SAML:aud": "https://signin.aws.amazon.com/saml"
}
}
}
]
}
EOF
}
resource "aws_iam_role_policy" "admins" {
name = "Admin-Policy"
#description = "A test policy"
role = "${aws_iam_role.role.id}"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
EOF
}
Thank you! It works for me.
I just change aws_iam_role_policy to use the aws_iam_role_policy_attachment:
resource "aws_iam_role_policy_attachment" "attach" {
role = "${aws_iam_role.role.name}"
policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}
I am new bie to terraform and I am trying to create a service role for creating a spot instances, Please let me know what is the Service name i should use for spot instances? Does Service: "ec2.amazonaws.com" help to create spot instances?
I also noticed that in aws console, we have an option to select an use case for ec2 spot instances. Does terraform also have an option to select the use case?
Terraform version : Terraform v0.11.0
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Principal": {"Service": "ec2.amazonaws.com"},
"Action": "sts:AssumeRole"
}
}
What you have is part of the steps to create an Instance Profile for an EC2 instance to assume an IAM role( step 3 below).
Create an IAM policy for the Role.
Create the IAM role and attach the policy.
Give the EC2 instance permission to assume the role.
resource "aws_iam_role_policy" "test_policy" {
name = "test_policy"
role = "${aws_iam_role.test_role.id}"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:Describe*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
EOF
}
resource "aws_iam_role" "test_role" {
name = "test_role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
resource "aws_spot_fleet_request" "cheap_compute" {
iam_fleet_role = "arn:aws:iam::12345678:role/spot-fleet"
spot_price = "0.03"
allocation_strategy = "diversified"
target_capacity = 6
valid_until = "2019-11-04T20:44:20Z"
launch_specification {
instance_type = "m4.10xlarge"
ami = "ami-1234"
spot_price = "2.793"
placement_tenancy = "dedicated"
}
launch_specification {
instance_type = "m4.4xlarge"
iam_instance_profile = "${aws_iam_role.test_role.name}"
ami = "ami-5678"
key_name = "my-key"
spot_price = "1.117"
availability_zone = "us-west-1a"
subnet_id = "subnet-1234"
weighted_capacity = 35
root_block_device {
volume_size = "300"
volume_type = "gp2"
}
tags {
Name = "spot-fleet-example"
}
}
}
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html
https://www.terraform.io/docs/providers/aws/r/instance.html#iam_instance_profile
https://www.terraform.io/docs/providers/aws/r/iam_role_policy.html
https://www.terraform.io/docs/providers/aws/r/spot_fleet_request.html
My TF code is giving me an error:
/*
* Policy: AmazonEC2ReadOnlyAccess
*/
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:Describe*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "elasticloadbalancing:Describe*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"cloudwatch:ListMetrics",
"cloudwatch:GetMetricStatistics",
"cloudwatch:Describe*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "autoscaling:Describe*",
"Resource": "*"
}
]
}
EOF
I copied and pasted the Policy from https://console.aws.amazon.com/iam/home?region=us-west-2#/policies/arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess$jsonEditor
* aws_iam_role.<role name>: Error creating IAM Role <role name>: MalformedPolicyDocument: Has prohibited field Resource
status code: 400, request id: <request id>
Not sure why it's saying Resource is prohibited.
Need to define assume_role_policy with sts:AssumeRole (Who can assume this role, ex: EC2 service).
Policy can be directly attached using aws_iam_role_policy_attachment instead of duplicating existing policy.
resource "aws_iam_role" "ec2_iam_role" {
name = "ec2_iam_role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
EOF
}
resource "aws_iam_role_policy_attachment" "ec2-read-only-policy-attachment" {
role = "${aws_iam_role.ec2_iam_role.name}"
policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"
}
I had faced similar issue when using role arn. When I tried using aws_iam_role_policy_attachment - I was getting error for role name having unsupported characters.
What worked for me for to create a aws_iam_role_policy as below:
resource "aws_iam_role_policy" "api-invoker" {
provider = <some provider>
role = aws_iam_role.api-invoker.id
policy = data.aws_iam_policy_document.execute-api.json
}
data "aws_iam_policy_document" "execute-api" {
statement {
sid = "all"
actions = [
"execute-api:*",
]
resources = [
"*"
]
}
}
I have faced the same issue while i am creating a policy to assume role from another AWS account. So, I have added another AWS account Id in the trusted entities then the problem is resolved.
#create i am user for account-1
resource "aws_iam_user" "user-1" {
name = "my-user"
tags = {
"Name" = "my-user"
}
}
# create policy for 2nd account
resource "aws_iam_policy" "prod_s3" {
provider = aws.aws02
name = "prod_s3"
description = "allow assuming prod_s3 role"
policy = jsonencode({
Version = "2012-10-17",
Statement = [
{
Effect = "Allow",
Action = "sts:AssumeRole",
Resource = "arn:aws:iam::940883708906:user/my-user"
}]
})
}
# Attach the policy
resource "aws_iam_user_policy_attachment" "prod_s3" {
provider = aws.aws02
user = aws_iam_user.user-1.name
policy_arn = aws_iam_policy.prod_s3.arn
}
# create assume role
resource "aws_iam_role" "prod_list_s3" {
provider = aws.aws02
name = "role"
assume_role_policy = jsonencode({
Version = "2012-10-17",
Statement = [
{
Effect = "Allow",
Action = "sts:AssumeRole",
Principal = { "AWS" : "arn:aws:iam::${data.aws_caller_identity.utils.account_id}:root" }
}]
})
}
# output arn
output "role-arn" {
value = aws_iam_role.prod_list_s3.arn
}
# create caller identity
data "aws_caller_identity" "utils" {
provider = aws.aws02
}
# create s3 full access for 2nd account and attach the file
resource "aws_iam_policy" "s3_all" {
provider = aws.aws02
name = "s3_all"
description = "allows listing all s3 buckets"
policy = file("role_permissions_policy.json")
}
# inside the file
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}
**strong text**
# Attach the assume role
resource "aws_iam_policy_attachment" "s3-all-att" {
name = "list s3 buckets policy to role"
roles = ["${aws_iam_role.prod_list_s3.name}"]
policy_arn = aws_iam_policy.s3_all.arn
provider = aws.aws02