cookiecutter-openedx / cookiecutter-openedx-devops

Open edX Tutor on Kubernetes implemented with Terraform
GNU Affero General Public License v3.0

MalformedPolicyDocumentException on creating KMS key #62

Open Markchau opened 11 months ago

Markchau commented 11 months ago

Describe the bug
When I try to run terragrunt apply on openedx_devops/terraform/stacks/service/kubernetes, I encounter a MalformedPolicyDocumentException on creating the KMS key. This is the error:

│ Error: creating KMS Key: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals.
│ 
│   with module.eks.module.kms.aws_kms_key.this[0],
│   on .terraform/modules/eks.kms/main.tf line 8, in resource "aws_kms_key" "this":
│    8: resource "aws_kms_key" "this" {
│ 

Workflow
This is the full workflow of terraform & terragrunt commands I ran:

cd ./terraform/common/cookiecutter_meta
terraform init
terraform apply

cd ../../stacks/service
terragrunt run-all init

cd vpc
terragrunt apply -target module.cookiecutter_meta
terragrunt apply

cd ../kubernetes
terragrunt apply -target module.cookiecutter_meta
terragrunt apply

I get the above error on the last step of these commands. On the first trial I didn't add any new IAM user as an owner with admin permission to the kms_key_owners list or the map_users list in terraform/stacks/service/kubernetes/terragrunt.hcl; I just used the default setting, which includes the IAM user for the bastion server in these two lists. Then this error happened. On the second trial, I tried adding a new IAM user with admin permission, but the same error occurred again.

Expected behavior
The error above does not occur.

Additional context
I would be very grateful if you could help me resolve this issue. Thank you for your time working on this.

cm-aulasneo commented 3 months ago

Hi @Markchau, we are having the same issue!

Were you able to resolve it?

cm-aulasneo commented 2 months ago

Hi @Markchau and @lpm0073! I found a work-around for this! You need to create the bastion user in order for the KMS policy to be well formed.

You can do this with the AWS CLI:

aws iam create-user --user-name ${local.namespace}-bastion --path /system/bastion-user/

Replace ${local.namespace} with your real namespace.

After that, the bastion module will fail because the user already exists.

I'm working to solve it, will send a PR soon; this will solve both problems.
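A pre-flight check for the ordering problem described in this thread, added here as example code that is not part of cookiecutter-openedx-devops or the EKS module: it parses a KMS key policy, collects the IAM user/role ARNs named as principals, and reports the ones the account does not yet know, which is exactly what KMS rejects as "invalid principals". The sample policy, account id and the set of existing principals are constructed; in a real account the `exists` callback would wrap an IAM lookup.

```python
import json
from typing import Callable

# Constructed sample: a KMS key policy of the shape the EKS module builds from
# kms_key_owners, naming a bastion IAM user that has not been created yet.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "KeyAdministration", "Effect": "Allow", "Action": "kms:*", "Resource": "*",
     "Principal": {"AWS": [
         "arn:aws:iam::123456789012:user/system/bastion-user/example-bastion",
         "arn:aws:iam::123456789012:role/example-admin"]}},
    {"Sid": "Default", "Effect": "Allow", "Action": "kms:*", "Resource": "*",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"}},
]})

# Constructed stand-in for the account's existing IAM users and roles; the
# bastion user is deliberately absent, mirroring the ordering problem above.
EXISTING_PRINCIPALS = {"arn:aws:iam::123456789012:role/example-admin"}


def iam_principals(policy_json: str) -> list[str]:
    """Return the IAM user/role ARNs named as AWS principals, in policy order.

    Account root ARNs (arn:aws:iam::<acct>:root) are skipped: they name the
    account, not an IAM entity, so KMS does not validate them as one.
    """
    found: list[str] = []
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):  # "Principal": "*" names no IAM entity
            continue
        aws = principal.get("AWS", [])
        for arn in ([aws] if isinstance(aws, str) else aws):
            if arn.startswith("arn:aws:iam::") and not arn.endswith(":root"):
                found.append(arn)
    return found


def missing_principals(policy_json: str, exists: Callable[[str], bool]) -> list[str]:
    """ARNs the account does not know; any hit means CreateKey will be rejected
    with MalformedPolicyDocumentException ('invalid principals')."""
    return [arn for arn in iam_principals(policy_json) if not exists(arn)]


if __name__ == "__main__":
    # In a real account `exists` would wrap an IAM lookup (e.g. boto3 get_user/get_role).
    for arn in missing_principals(SAMPLE_POLICY, EXISTING_PRINCIPALS.__contains__):
        print("principal does not exist yet:", arn)
```

Running the check against the rendered key policy before `terragrunt apply` on the kubernetes stack surfaces the not-yet-created bastion user instead of the opaque KMS error.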

lpm0073 commented 1 month ago

great solution. thank you!