aws-samples / aws-cudos-framework-deployment

Command Line Interface tool for Cloud Intelligence Dashboards deployment
https://catalog.workshops.aws/awscid
MIT No Attribution

cur-setup-source broken S3 bucket policy for regions different than us-east-1 #880

Closed mfelisze closed 2 weeks ago

mfelisze commented 2 weeks ago

Hi Team,

In the Terraform module cur-setup-source, the S3 bucket policy refers to the default AWS provider region in the CUR statements:

```hcl
data "aws_region" "this" {}

  # provider region is interpolated into the cur: ARN of both statements below
  statement {
    sid    = "AllowReadBilling"
    effect = "Allow"
    actions = [
      "s3:GetBucketAcl",
      "s3:GetBucketPolicy",
    ]
    principals {
      type        = "Service"
      identifiers = ["billingreports.amazonaws.com"]
    }
    resources = [
      aws_s3_bucket.this.arn,
      "${aws_s3_bucket.this.arn}/*",
    ]
    condition {
      test     = "StringEquals"
      values   = ["arn:${data.aws_partition.this.partition}:cur:${data.aws_region.this.name}:${data.aws_caller_identity.this.account_id}:definition/*"]
      variable = "aws:SourceArn"
    }
    condition {
      test     = "StringEquals"
      values   = [data.aws_caller_identity.this.account_id]
      variable = "aws:SourceAccount"
    }
  }
  statement {
    sid    = "AllowWriteBilling"
    effect = "Allow"
    actions = [
      "s3:PutObject",
    ]
    principals {
      type        = "Service"
      identifiers = ["billingreports.amazonaws.com"]
    }
    resources = [
      "${aws_s3_bucket.this.arn}/*",
    ]
    condition {
      test     = "StringLike"
      values   = ["arn:${data.aws_partition.this.partition}:cur:${data.aws_region.this.name}:${data.aws_caller_identity.this.account_id}:definition/*"]
      variable = "aws:SourceArn"
    }
    condition {
      test     = "StringEquals"
      values   = [data.aws_caller_identity.this.account_id]
      variable = "aws:SourceAccount"
    }
  }
```

For the CUR statements it always needs to be us-east-1, no matter in which region the bucket is created. The current code causes a ValidationException error:

```
Error: creating Cost And Usage Report Definition (cid-cur): ValidationException: 
```

Cheers, Mateusz.
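To make the failure mode concrete, here is an added Python example (not code from the module or from the reporter): it renders the two CUR statements as a bucket policy JSON document the way the module does, with the region that ends up in `aws:SourceArn` as a parameter, and then lints the rendered policy for `cur:` source ARNs outside us-east-1. The bucket ARN and account id are constructed placeholders.

```python
import json

CUR_REGION = "us-east-1"          # CUR definition ARNs always live in us-east-1
CUR_PRINCIPAL = "billingreports.amazonaws.com"

def cur_definition_arn(partition, account_id, region=CUR_REGION):
    return f"arn:{partition}:cur:{region}:{account_id}:definition/*"

def render_bucket_policy(bucket_arn, partition, account_id, region):
    """Mirror the module's AllowReadBilling / AllowWriteBilling statements.
    `region` is whatever gets interpolated into aws:SourceArn (the provider
    region in the broken version, us-east-1 in the fixed one)."""
    arn = cur_definition_arn(partition, account_id, region)
    def stmt(sid, actions, resources, operator):
        cond = {"StringEquals": {"aws:SourceAccount": account_id}}
        cond.setdefault(operator, {})["aws:SourceArn"] = arn
        return {"Sid": sid, "Effect": "Allow",
                "Principal": {"Service": CUR_PRINCIPAL},
                "Action": actions, "Resource": resources, "Condition": cond}
    return {"Version": "2012-10-17", "Statement": [
        stmt("AllowReadBilling", ["s3:GetBucketAcl", "s3:GetBucketPolicy"],
             [bucket_arn, f"{bucket_arn}/*"], "StringEquals"),
        stmt("AllowWriteBilling", ["s3:PutObject"],
             [f"{bucket_arn}/*"], "StringLike"),
    ]}

def find_misregioned_cur_conditions(policy):
    """Return (Sid, arn) for statements that grant the CUR service principal
    but pin aws:SourceArn to a cur: ARN in a region other than us-east-1."""
    findings = []
    for s in policy.get("Statement", []):
        principal = s.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        if CUR_PRINCIPAL not in ([services] if isinstance(services, str) else services):
            continue
        for keys in s.get("Condition", {}).values():
            arns = keys.get("aws:SourceArn", [])
            for arn in ([arns] if isinstance(arns, str) else arns):
                parts = arn.split(":")
                if len(parts) >= 6 and parts[2] == "cur" and parts[3] != CUR_REGION:
                    findings.append((s.get("Sid"), arn))
    return findings

if __name__ == "__main__":
    # Constructed sample: bucket deployed with the provider in eu-west-1
    bucket, account = "arn:aws:s3:::example-cid-cur-bucket", "123456789012"
    broken = render_bucket_policy(bucket, "aws", account, "eu-west-1")
    fixed = render_bucket_policy(bucket, "aws", account, CUR_REGION)
    print(find_misregioned_cur_conditions(broken))   # two findings
    print(find_misregioned_cur_conditions(fixed))    # []
    print(json.dumps(fixed, indent=2))
```

The same linter can be pointed at `terraform show -json` output or at a live `get-bucket-policy` result to catch a reintroduced provider-region interpolation before the CUR definition is created.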

iakov-aws commented 2 weeks ago

This is a regression indeed. Fixing in https://github.com/aws-samples/aws-cudos-framework-deployment/pull/881/files

@sean-nixon can you check?

iakov-aws commented 2 weeks ago

Must be fixed now. Can you check?

mfelisze commented 2 weeks ago

Thanks @iakov-aws, works fine now!