GoogleCloudPlatform / anthos-samples

Anthos code samples
https://cloud.google.com/anthos/docs
Apache License 2.0

AWS: Error creating KMS Key #405

Open muneebmaster opened 2 years ago

muneebmaster commented 2 years ago

I'm trying to deploy to AWS using https://github.com/GoogleCloudPlatform/anthos-samples/tree/main/anthos-multi-cloud/AWS and I am getting the following "error creating KMS key" errors during 'terraform apply':

│ Error: error creating KMS Key: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals.
│
│   with module.kms.aws_kms_key.control_plane_root_volume_encryption_kms_key,
│   on modules/kms/main.tf line 57, in resource "aws_kms_key" "control_plane_root_volume_encryption_kms_key":
│   57: resource "aws_kms_key" "control_plane_root_volume_encryption_kms_key" {
│
╵
╷
│ Error: error creating KMS Key: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals.
│
│   with module.kms.aws_kms_key.node_pool_root_volume_encryption_kms_key,
│   on modules/kms/main.tf line 141, in resource "aws_kms_key" "node_pool_root_volume_encryption_kms_key":
│  141: resource "aws_kms_key" "node_pool_root_volume_encryption_kms_key" {

muneebmaster commented 2 years ago

This issue was also reported here: https://github.com/GoogleCloudPlatform/anthos-samples/issues/357. Creating a role with the name "AWSServiceRoleForAutoScaling" resolves the issue, however there's no indication of that in the error message. Any way to catch that or create the role through the tf scripts?

Shabirmean commented 1 year ago

CC @GoogleCloudPlatform/anthos-multicloud to provide feedback!

bourgeoisor commented 1 year ago

@bkauf is this something you can take a look at?

findmyname666 commented 1 year ago

From AWS DOC:

Amazon EC2 Auto Scaling creates the AWSServiceRoleForAutoScaling service-linked role for you the first time that you create an Auto Scaling group, unless you manually create a custom suffix service-linked role and specify it when creating the group.

If you are deploying Anthos to an account in which no auto-scaling group has ever been created during the account's lifetime, the role is missing.

The AWS doc encourages users to create their own AWSServiceRoleForAutoScaling role with a different name (custom suffix) and use it ... however, I didn't find any option to point Anthos to the newly created role.

rmb938 commented 1 year ago

Ran into the same issue; had to manually create the role, then update these lines to set it to the role name. It probably would make sense to have the Terraform create this role so it can reference it in the correct places instead of assuming it exists already.

https://github.com/GoogleCloudPlatform/anthos-samples/blob/b4ddb6cab525742af5ff446e8b8dc95f7fdef02d/anthos-multi-cloud/AWS/modules/kms/main.tf#L76 https://github.com/GoogleCloudPlatform/anthos-samples/blob/b4ddb6cab525742af5ff446e8b8dc95f7fdef02d/anthos-multi-cloud/AWS/modules/kms/main.tf#L104 https://github.com/GoogleCloudPlatform/anthos-samples/blob/b4ddb6cab525742af5ff446e8b8dc95f7fdef02d/anthos-multi-cloud/AWS/modules/iam_scope_down/main.tf#L76

Then update this line https://github.com/GoogleCloudPlatform/anthos-samples/blob/b4ddb6cab525742af5ff446e8b8dc95f7fdef02d/anthos-multi-cloud/AWS/modules/kms/main.tf#L126 and add "${data.aws_caller_identity.current.arn}" to the list. Without this I got "The new key policy will not allow you to update the key policy in the future."

Edit: Oh actually, there isn't a way to tell GKE Anthos about the new service-linked role when creating an auto scaling group, so it uses the default of AWSServiceRoleForAutoScaling, which doesn't have the correct permissions...

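The failure described in the comments above has a mechanical cause: KMS validates every `AWS` principal in a key policy against IAM at `CreateKey` time, and an ARN that does not resolve to an existing identity is rejected as an invalid principal. The sample's key policy names the `AWSServiceRoleForAutoScaling` service-linked role, which AWS only creates on the first Auto Scaling group in an account, so a fresh account fails exactly as findmyname666 and rmb938 report. The following Terraform is an added example, not code from anthos-samples or from any commenter: it creates the service-linked role explicitly with the provider's `aws_iam_service_linked_role` resource, references its ARN so the key is ordered after the role, and keeps the identity running `terraform apply` as a key administrator so KMS does not reject the policy as a lock-out. The resource names (`autoscaling`, `root_volume_key`, `root_volume`), the region, and the policy layout are assumptions for illustration; the statements granted to the role follow the AWS-documented pattern for launching instances with CMK-encrypted EBS volumes.

```hcl
# Added example (not the anthos-samples modules/kms code): create the Auto Scaling
# service-linked role so the KMS key policy's principal exists when the key is
# created, and keep the deploying identity as a key administrator.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

provider "aws" {
  region = "us-east-1" # assumption: any region works for this example
}

data "aws_caller_identity" "current" {}

# Creates arn:aws:iam::<account>:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling.
# In an account that has already created an Auto Scaling group the role exists and
# this resource fails on apply; import it instead of creating it:
#   terraform import aws_iam_service_linked_role.autoscaling \
#     arn:aws:iam::<account>:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling
resource "aws_iam_service_linked_role" "autoscaling" {
  aws_service_name = "autoscaling.amazonaws.com"
}

data "aws_iam_policy_document" "root_volume_key" {
  # Key administration stays with the account root and with the identity running
  # terraform apply (an assumed-role session ARN is a valid principal), so KMS
  # does not refuse the policy as one that locks you out of future updates.
  statement {
    sid       = "KeyAdministration"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type = "AWS"
      identifiers = [
        "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
        data.aws_caller_identity.current.arn,
      ]
    }
  }

  # What the service-linked role needs to launch instances whose root volumes
  # are encrypted with this key (AWS-documented pattern for EBS + Auto Scaling).
  statement {
    sid = "AllowAutoScalingUseOfTheKey"
    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey",
    ]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [aws_iam_service_linked_role.autoscaling.arn]
    }
  }

  # Grants are scoped to AWS resources only, so the role cannot hand the key
  # to an arbitrary principal.
  statement {
    sid       = "AllowAutoScalingGrants"
    actions   = ["kms:CreateGrant"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [aws_iam_service_linked_role.autoscaling.arn]
    }
    condition {
      test     = "Bool"
      variable = "kms:GrantIsForAWSResource"
      values   = ["true"]
    }
  }
}

resource "aws_kms_key" "root_volume" {
  description         = "Example root-volume encryption key (hypothetical name)"
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.root_volume_key.json

  # Referencing the role's arn attribute already orders the key after the role;
  # depends_on states the requirement explicitly for readers.
  depends_on = [aws_iam_service_linked_role.autoscaling]
}
```

Before applying, `aws iam get-role --role-name AWSServiceRoleForAutoScaling` tells you which branch you are in: a `NoSuchEntity` error means the resource above will create the role; a successful response means you should import it. Because the role name is fixed by the service (a custom-suffix role cannot be handed to Anthos, as the comments note), the `custom_suffix` argument is deliberately left unset.
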
iniinikoski commented 1 year ago

Ouch... Good findings @rmb938 - this is an issue for sure :/

minherz commented 1 year ago

Thank you, @rmb938. Appreciate that you've shared your findings with us. We will work to add it to the sample.

minherz commented 12 months ago

Due to limited capacity, the work on integrating this fix is postponed. If anyone is interested in contributing to the sample by integrating these changes, please look into CONTRIBUTING.md.