loads of errors when permission to view org is missing #51

Closed marafa-sugarcrm closed 1 month ago

marafa-sugarcrm commented 1 year ago

There are loads of errors when I do not have permissions to view the org info.

runtime 6 seconds
. ../../scripts/
Found Error: │ Error: listing AWS Organization (<redacted>) accounts: AccessDeniedException: You don't have permissions to access this resource. .... (pass for now)
import.log adjust
--> Validate Fixer
Success! The configuration is valid.

awsandy commented 1 year ago

Committed a change that should hopefully skip around these when you don't have access.

marafa-sugarcrm commented 1 year ago

I see this now.

Perhaps I should explain: I am using AWS SSO and my permission set is the AWS default admin role, so I do have access to IAM.

I am also still seeing the issue.

. ../../scripts/
aws --profile addoptify --region eu-west-1 --output json logs describe-log-groups
Importing aws_cloudwatch_log_group /ecs/test-AgentTaskDefinition-P9GMBYE6H5RR2 _ecs_test-AgentTaskDefinition-P9GMBYE6H5RR2
Importing aws_cloudwatch_log_group RDSOSMetrics RDSOSMetrics
Waiting for 3 Terraform imports
Importing aws_cloudwatch_log_group test-ECSLogGroup-1IJZW5XQ6ZAKA test-ECSLogGroup-1IJZW5XQ6ZAKA
Wait completed ..... imported 2
aws_cloudwatch_log_group /ecs/test-AgentTaskDefinition-P9GMBYE6H5RR2 tf files
aws_cloudwatch_log_group RDSOSMetrics tf files
aws_cloudwatch_log_group test-ECSLogGroup-1IJZW5XQ6ZAKA tf files
Starting state mv for aws_cloudwatch_log_group
Consolidated state aws_cloudwatch_log_group.RDSOSMetrics
Consolidated state aws_cloudwatch_log_group._ecs_test-AgentTaskDefinition-P9GMBYE6H5RR2
Consolidated state aws_cloudwatch_log_group.test-ECSLogGroup-1IJZW5XQ6ZAKA
Found Error: │ Error: listing AWS Organization (o-org-id) accounts: AccessDeniedException: You don't have permissions to access this resource. .... (pass for now)
import.log adjust
--> Validate Fixer
Success! The configuration is valid.

awsandy commented 1 year ago

What was the corresponding command you used when you saw the skipping etc. commands?

Skipping IAM stuff can be by design, because when other resources are found the necessary IAM is pulled in as a dependency.

If you still want ALL the IAM stuff you can always do a subsequent: ./ -t iam -c yes -f yes

(Committed another change to get more output on the skipping, as there are two reasons that can happen.)

marafa-sugarcrm commented 1 year ago

Corresponding command: just aws2tf with -v yes

awsandy commented 1 year ago

Committed more changes to help track this down. Also, please run with debug on:

./ -v yes -d yes

This will help me track down the "Found Error: │ Error: listing AWS Organization (o-4oizb4q5g1) accounts:" error, as it will exit soon after the error occurs (-d yes).

marafa-sugarcrm commented 1 year ago

cmd: ./ -d -v yes

t= pre=* i= exclude=iam
loop through providers
. ../../scripts/
aws --profile profile --region region --output json ec2 describe-transit-gateways --transit-gateway-ids yes --filters "Name=state,Values=available"
aws --profile profile --region region --output json  ec2 describe-transit-gateways --transit-gateway-ids yes --filters "Name=state,Values=available" : You don't have access for this resource
Success! The configuration is valid. runtime 11 seconds
. ../../scripts/
aws --profile profile --region region --output json organizations describe-organization
aws_organizations_organization o-??? import
│ Error: listing AWS Organization (o-???) accounts: AccessDeniedException: You don't have permissions to access this resource.

aws_organizations_organization.o-???: Importing from ID "o-???"...
No state file was found!

State management commands require a state file. Run this command
in a directory where Terraform has been run or use the -state flag
to point the command to a specific state location.
Found Error: │ Error: listing AWS Organization (o-???) accounts: AccessDeniedException: You don't have permissions to access this resource.
debug flag is on so exiting ....

awsandy commented 1 month ago

Handled a lot better in the Python version, so closing; reopen if still an issue.