RootPrivileges / terragrunt-aws-modules


Audit bucket has unknown pending changes #7

Open RootPrivileges opened 4 years ago

RootPrivileges commented 4 years ago

Whenever a module uses module.audit_log_bucket_policy, the plan cannot determine whether a change needs to be made: the policy document refers to values that are not known until apply, so the entire bucket policy shows as `(known after apply)` and cannot be reviewed before it is applied. This causes the process to hang, waiting for manual intervention from the user.

If possible, rework the flow (a module that ensures the bucket policy allows each child account to write to the bucket) so that it does not block execution.

# module.audit_log_bucket_policy.data.aws_iam_policy_document.audit_log_policy will be read during apply                                                                                                                                                                         
  # (config refers to values not yet known)       

# module.audit_log_bucket_policy.aws_s3_bucket_policy.audit_logs will be updated in-place
  ~ resource "aws_s3_bucket_policy" "audit_logs" {
        bucket = "logging.domain.com"
        id     = "logging.domain.com"
      ~ policy = jsonencode(                         
            {                            
              - Statement = [
                  - {
                      - Action    = "s3:GetBucketAcl"
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "config.amazonaws.com"
                        }
                      - Resource  = "arn:aws:s3:::logging.domain.com"
                      - Sid       = "AWSCloudTrailAclCheckForConfig"
                    },
                  - {
                      - Action    = "s3:PutObject"
                      - Condition = {
                          - StringEquals = {
                              - s3:x-amz-acl = "bucket-owner-full-control"
                            }
                        }
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "config.amazonaws.com"
                        }
                      - Resource  = [
                          - "arn:aws:s3:::logging.domain.com/AWSLogs/o-aaaaaaaaaa/Config/*",
                          - "arn:aws:s3:::logging.domain.com/AWSLogs/000000000000/Config/*",
                          - "arn:aws:s3:::logging.domain.com/AWSLogs/111111111111/Config/*",
                        ]
                      - Sid       = "AWSCloudTrailWriteForConfig"
                    },
                  - {
                      - Action    = "s3:GetBucketAcl"
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "cloudtrail.amazonaws.com"
                        }
                      - Resource  = "arn:aws:s3:::logging.domain.com"
                      - Sid       = "AWSCloudTrailAclCheckForCloudTrail"
                    },
                  - {
                      - Action    = [
                          - "s3:ListBucket",
                          - "s3:GetBucketLocation",
                        ]
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::000000000000:root"
                        }
                      - Resource  = "arn:aws:s3:::logging.domain.com"
                      - Sid       = ""
                    },
                  - {
                      - Action    = [
                          - "s3:ListBucket",
                          - "s3:GetBucketLocation",
                        ]
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::111111111111:root"
                        }
                      - Resource  = "arn:aws:s3:::logging.domain.com"
                      - Sid       = ""
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
    }