aws-ia / terraform-aws-control_tower_account_factory

AWS Control Tower Account Factory
Apache License 2.0

Provisioning Customizations role has insufficient permissions for CloudWatch Events #365

Closed k3ypad closed 11 months ago

k3ypad commented 1 year ago

Terraform Version & Provider:
Terraform: v0.15.5
AWS: 5.6.2
Note: these were selected by AFT

AFT Version: 1.10.3

Bug Description
While updating provisioning customisations to trigger a new state machine, the following error occurs in the ct-aft-account-provisioning-customizations CodeBuild job.

Error: updating Step Functions State Machine (arn:aws:states:ap-southeast-2:XXXXXXXX:stateMachine:aft-account-provisioning-customizations): AccessDeniedException: 'arn:aws:iam::XXXXXXXX:role/aft-account-provisioning-customizations-role' is not authorized to create managed-rule.
status code: 400, request id: XXXX-XXXX-XXXXX
 
with aws_sfn_state_machine.aft_account_provisioning_customizations,
 on states.tf line 1, in resource "aws_sfn_state_machine" "aft_account_provisioning_customizations":
 1: resource "aws_sfn_state_machine" "aft_account_provisioning_customizations" {

To Reproduce
Steps to reproduce the behaviour:

  1. Create new StepFunction flow to be triggered during Provisioning Customisations.
  2. Update customizations.asl.json to trigger said StepFunction.
  3. Push to provisioning customisation repo and observe CodePipeline fail with above error.
  4. Update the policy attached to aft-account-provisioning-customizations-role to allow for event:*
  5. Rerun pipeline.
  6. Pipeline succeeds.

An official AWS Workshop was followed as part of these steps: https://controltower.aws-management.tools/automation/aft_custom/

Expected behaviour
Pipeline/Terraform succeeds without needing to modify the aft-account-provisioning-customizations-role IAM policy.
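The workaround in step 4 grants the role every EventBridge action. The following is an added example, not code from the AFT module or from the reporter, showing the narrower grant that covers the same case: when a state machine starts another state machine with the ".sync" integration, Step Functions creates an EventBridge managed rule named StepFunctionsGetEventsForStepFunctionsExecutionRule in the same account and region, and the state machine's execution role only needs the rule actions on that one rule ARN plus the states actions on the nested machine. The variable, the policy name and the inline attachment to aft-account-provisioning-customizations-role are assumptions for illustration; in a real deployment the role is created by the AFT module, so the policy would be contributed to the module rather than attached from outside.

```hcl
# Added example (not AFT's own code): least-privilege alternative to events:*
# for a state machine that runs a nested state machine with the .sync pattern.

variable "nested_state_machine_arn" {
  type        = string
  description = "ARN of the state machine started from customizations.asl.json (assumed input)"
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  # Managed rule that Step Functions creates for .sync nested executions.
  sfn_managed_rule_arn = "arn:aws:events:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule"

  # Execution ARNs of the nested machine live under its name:
  # arn:aws:states:<region>:<account>:execution:<name>:<execution-id>
  nested_execution_arn_pattern = "${replace(var.nested_state_machine_arn, ":stateMachine:", ":execution:")}:*"
}

data "aws_iam_policy_document" "sfn_nested_execution" {
  # Only the three rule actions, only on the managed rule Step Functions creates.
  statement {
    sid    = "AllowManagedRuleForSyncExecution"
    effect = "Allow"
    actions = [
      "events:PutTargets",
      "events:PutRule",
      "events:DescribeRule",
    ]
    resources = [local.sfn_managed_rule_arn]
  }

  # Start the nested machine that customizations.asl.json references.
  statement {
    sid       = "AllowStartNestedExecution"
    effect    = "Allow"
    actions   = ["states:StartExecution"]
    resources = [var.nested_state_machine_arn]
  }

  # Track and cancel executions of that machine, scoped to its execution ARNs.
  statement {
    sid    = "AllowTrackNestedExecution"
    effect = "Allow"
    actions = [
      "states:DescribeExecution",
      "states:StopExecution",
    ]
    resources = [local.nested_execution_arn_pattern]
  }
}

# Inline attachment to the AFT-managed role; assumed here for illustration.
resource "aws_iam_role_policy" "sfn_nested_execution" {
  name   = "aft-provisioning-customizations-nested-sfn" # assumed name
  role   = "aft-account-provisioning-customizations-role"
  policy = data.aws_iam_policy_document.sfn_nested_execution.json
}
```

Because the managed-rule grant is resource-scoped, a CloudTrail review of the role's events:PutRule calls should show only the StepFunctionsGetEventsForStepFunctionsExecutionRule ARN; any other rule name appearing there would indicate the policy is broader than this example intends.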

snebhu3 commented 1 year ago

@k3ypad thank you for reaching out. The workshop linked above is managed by another team within AWS. I have reached out to them internally. They will be able to respond soon and help on this.

wellsiau-aws commented 1 year ago

@k3ypad, are you able to retry the CodeBuild to see if this issue persists? I suspect IAM role permission eventual consistency as the root cause.

snebhu3 commented 11 months ago

@k3ypad please feel free to reach out in case of additional questions.