Closed bmorrissirromb closed 3 months ago
Hi @bmorrissirromb,
Thanks for letting us know about the improper resource type for the policy action. Is this causing an active issue for you while using AFT?
@stumins I don't think it is -- I think we have upstream failures that are causing the StopExecution call to be made, so that's our current blocker. But we do get CloudTrail failures for insufficient permissions to run StopExecution.
Understood, thanks for the context - I've added a backlog item for us to fix this policy.
We've addressed this in the latest AFT release!
https://github.com/aws-ia/terraform-aws-control_tower_account_factory/releases/tag/1.12.0
AFT Version: (Can be found in the AFT Management Account in the SSM Parameter /aft/config/aft/version) CURRENT
Terraform Version & Provider Versions
N/A
Bug Description
aft-invoke-customizations-execution-role is given states:StopExecution permissions, but the resource that is specified does not give it any permissions to stop executions, as it specifies stateMachine resources and not execution resources.
https://github.com/aws-ia/terraform-aws-control_tower_account_factory/blob/26667e52d0e2f46e3213239933a1c8fcf1a83166/modules/aft-customizations/iam/role-policies/aft_states_invoke_customizations_policy.tpl#L29
Expected behavior
Add "arn:${data_aws_partition_current_partition}:states:${data_aws_region_aft-management_name}:${data_aws_caller_identity_aft-management_account_id}:execution:aft-*" to the resources allowed by this statement.
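As an added example that is not part of this issue or of the AFT project's code: a small Python check that flags Allow statements granting a Step Functions action only on ARNs of a resource type the action is not evaluated against, run over a constructed policy with the shape this report describes (placeholder region and account id). The action-to-resource-type map is an assumption for this example and covers only three actions.

```python
import json

# Which Step Functions ARN resource type each action is evaluated against.
# Assumption for this example (three actions only); StopExecution applies to
# execution ARNs, which is exactly the gap the issue reports.
ACTION_RESOURCE_TYPE = {
    "states:StartExecution": "stateMachine",
    "states:StopExecution": "execution",
    "states:DescribeExecution": "execution",
}


def arn_resource_type(arn: str) -> str:
    """Return the resource-type segment of a Step Functions ARN.

    ARN layout: arn:partition:states:region:account:resourceType:name[...]
    A bare "*" or a "*" in the type position is treated as matching every type.
    """
    if arn == "*":
        return "*"
    parts = arn.split(":", 6)
    return parts[5] if len(parts) > 5 else ""


def find_mismatches(policy: dict) -> list:
    """Return (action, statement_index) pairs for mapped actions whose
    Resource list never names the ARN type the action is evaluated against."""
    problems = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        types_present = {arn_resource_type(r) for r in resources}
        if "*" in types_present:
            continue  # wildcard covers every resource type
        for action in actions:
            needed = ACTION_RESOURCE_TYPE.get(action)
            if needed and needed not in types_present:
                problems.append((action, i))
    return problems


# Constructed sample: StopExecution granted only on stateMachine ARNs,
# with placeholder partition, region and account id.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["states:StartExecution", "states:StopExecution"],
    "Resource": ["arn:aws:states:us-east-1:123456789012:stateMachine:aft-*"]
  }]
}""")

# The execution ARN the report asks to add alongside the stateMachine ARN.
FIXED_RESOURCES = SAMPLE_POLICY["Statement"][0]["Resource"] + [
    "arn:aws:states:us-east-1:123456789012:execution:aft-*"
]

if __name__ == "__main__":
    print(find_mismatches(SAMPLE_POLICY))  # [('states:StopExecution', 0)]
```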