stumins
commented
7 months ago Hi @bmorrissirromb,
Thanks for letting us know about the improper resource type for the policy action. Is this causing an active issue for you while using AFT?
Closed bmorrissirromb closed 3 months ago
stumins
commented
7 months ago Hi @bmorrissirromb,
Thanks for letting us know about the improper resource type for the policy action. Is this causing an active issue for you while using AFT?
bmorrissirromb
commented
7 months ago @stumins I don't think it is -- I think we have upstream failures that are causing the StopExecution call to be made, so that's our current blocker. But we do get CloudTrail failures for insufficient permissions to run StopExecution.
stumins
commented
7 months ago Understood, thanks for the context - I've added a backlog item for us to fix this policy.
Sanjan611
commented
4 months ago We've addressed this in the latest AFT release!
https://github.com/aws-ia/terraform-aws-control_tower_account_factory/releases/tag/1.12.0
Terraform Version & Prov:
AFT Version: (Can be found in the AFT Management Account in the SSM Parameter
/aft/config/aft/version)CURRENT
Terraform Version & Provider Versions
N/A
Bug Description
aft-invoke-customizations-execution-roleis givenstates:StopExecutionpermissions but the resource that is specified does not give it any permissions to stop executions, as it specifiesstateMachineresources and notexecutionresources.https://github.com/aws-ia/terraform-aws-control_tower_account_factory/blob/26667e52d0e2f46e3213239933a1c8fcf1a83166/modules/aft-customizations/iam/role-policies/aft_states_invoke_customizations_policy.tpl#L29
Expected behavior
Add
"arn:${data_aws_partition_current_partition}:states:${data_aws_region_aft-management_name}:${data_aws_caller_identity_aft-management_account_id}:execution:aft-*"to the resources allowed by this statementRelated Logs Provide any related logs or error messages to help explain your problem.
Additional context Add any other context about the problem here.