diodonfrost / terraform-aws-lambda-nuke

Terraform module that creates a lambda to destroy all resources in an AWS account.
Apache License 2.0

ERROR (ServiceLinkedRoleNotFoundFault) when calling the DeleteCacheParameterGroup operation: This action cannot be completed due to insufficient permissions. #1

Closed exequielrafaela closed 4 years ago

exequielrafaela commented 4 years ago

Issue summary

This ERROR is not actually affecting the lambda-nuke functionality. As you can see below, ec2 (instance, keypair, volume) and network_security (sec group) resources are being terminated as expected.

I've validated that the resource "aws_iam_role_policy" "nuke_database" {} was properly created in our AWS account and it includes the necessary "elasticache:DeleteCacheParameterGroup" permission (https://github.com/diodonfrost/terraform-aws-lambda-nuke/blob/master/main.tf), but seeing the ERROR, probably as the recommended action states, it seems that IAM Service Linked Roles are needed in this scenario.

aws ref-links:


Lambda Log output

START RequestId: 9d18789d-688e-4239-affb-c144fbc40b09 Version: $LATEST
Terminate instances i-0c9ca23a3d4069924

[ERROR] 2019-11-05T21:23:17.576Z    9d18789d-688e-4239-affb-c144fbc40b09    Unexpected error: An error occurred (ServiceLinkedRoleNotFoundFault) when calling the DeleteCacheParameterGroup operation: This action cannot be completed due to insufficient permissions. (Recommended action) Please create new role using IAM API CreateServiceLinkedRole.

[ERROR] 2019-11-05T21:23:17.714Z    9d18789d-688e-4239-affb-c144fbc40b09    Unexpected error: An error occurred (ServiceLinkedRoleNotFoundFault) when calling the DeleteCacheParameterGroup operation: This action cannot be completed due to insufficient permissions. (Recommended action) Please create new role using IAM API CreateServiceLinkedRole.

[ERROR] 2019-11-05T21:23:17.797Z    9d18789d-688e-4239-affb-c144fbc40b09    Unexpected error: An error occurred (ServiceLinkedRoleNotFoundFault) when calling the DeleteCacheParameterGroup operation: This action cannot be completed due to insufficient permissions. (Recommended action) Please create new role using IAM API CreateServiceLinkedRole.

[ERROR] 2019-11-05T21:23:17.967Z    9d18789d-688e-4239-affb-c144fbc40b09    Unexpected error: An error occurred (ServiceLinkedRoleNotFoundFault) when calling the DeleteCacheParameterGroup operation: This action cannot be completed due to insufficient permissions. (Recommended action) Please create new role using IAM API CreateServiceLinkedRole.

[ERROR] 2019-11-05T21:23:18.36Z 9d18789d-688e-4239-affb-c144fbc40b09    Unexpected error: An error occurred (ServiceLinkedRoleNotFoundFault) when calling the DeleteCacheParameterGroup operation: This action cannot be completed due to insufficient permissions. (Recommended action) Please create new role using IAM API CreateServiceLinkedRole.

[ERROR] 2019-11-05T21:23:18.191Z    9d18789d-688e-4239-affb-c144fbc40b09    Unexpected error: An error occurred (ServiceLinkedRoleNotFoundFault) when calling the DeleteCacheParameterGroup operation: This action cannot be completed due to insufficient permissions. (Recommended action) Please create new role using IAM API CreateServiceLinkedRole.

[ERROR] 2019-11-05T21:23:18.328Z    9d18789d-688e-4239-affb-c144fbc40b09    Unexpected error: An error occurred (ServiceLinkedRoleNotFoundFault) when calling the DeleteCacheParameterGroup operation: This action cannot be completed due to insufficient permissions. (Recommended action) Please create new role using IAM API CreateServiceLinkedRole.

[ERROR] 2019-11-05T21:23:18.516Z    9d18789d-688e-4239-affb-c144fbc40b09    Unexpected error: An error occurred (ServiceLinkedRoleNotFoundFault) when calling the DeleteCacheParameterGroup operation: This action cannot be completed due to insufficient permissions. (Recommended action) Please create new role using IAM API CreateServiceLinkedRole.

[ERROR] 2019-11-05T21:23:18.589Z    9d18789d-688e-4239-affb-c144fbc40b09    Unexpected error: An error occurred (ServiceLinkedRoleNotFoundFault) when calling the DeleteCacheParameterGroup operation: This action cannot be completed due to insufficient permissions. (Recommended action) Please create new role using IAM API CreateServiceLinkedRole.

[ERROR] 2019-11-05T21:23:19.58Z 9d18789d-688e-4239-affb-c144fbc40b09    Unexpected error: An error occurred (ServiceLinkedRoleNotFoundFault) when calling the DeleteCacheParameterGroup operation: This action cannot be completed due to insufficient permissions. (Recommended action) Please create new role using IAM API CreateServiceLinkedRole.

Nuke Key Pair test
END RequestId: 9d18789d-688e-4239-affb-c144fbc40b09
REPORT RequestId: 9d18789d-688e-4239-affb-c144fbc40b09  Duration: 10408.87 ms   Billed Duration: 10500 ms   Memory Size: 128 MB Max Memory Used: 108 MB 

Testing scenario

#
# Providers
#
provider "aws" {
  region  = "us-east-1" # must be a quoted string in HCL
  profile = var.profile
}

#
# Backend Config (partial)
#
terraform {
  required_version = ">= 0.12.13"

  backend "s3" {
    key = "dev/cloud-nuke/terraform.tfstate"
  }
}

#
# Inputs referenced by the provider and module blocks below
# (declared here so the snippet is self-contained; values come from tfvars)
#
variable "profile" {
  description = "AWS CLI profile used by the provider"
  type        = string
}

variable "project" {
  description = "Project short name, used as a prefix for the lambda name"
  type        = string
}

variable "environment" {
  description = "Environment name (eg: dev), used as a prefix for the lambda name"
  type        = string
}

#===========================================#
# Lambda Nuke
#===========================================#
variable "cloudwatch_schedule_expression" {
  description = "Define the aws cloudwatch event rule schedule expression, eg: everyday at 22hs cron(0 22 ? * MON-FRI *)"
  type        = string
  default     = "cron(0 00 ? * FRI *)"
}

variable "name" {
  description = "Define name to use for lambda function, cloudwatch event and iam role"
  type        = string
  default     = "cloud-nuke-everything"
}

variable "exclude_resources" {
  description = "Define the resources that will not be destroyed, eg: key_pair,eip,network_security,autoscaling,ebs,ec2,ecr,eks,elasticbeanstalk,elb,spot,dynamodb,elasticache,rds,redshift,cloudwatch,endpoint,efs,glacier,s3"
  type        = string
  default     = "s3,dynamodb,vpc"
}

variable "older_than" {
  description = "Only destroy resources that were created before a certain period, eg: 0d, 1d, ... ,7d etc"
  type        = string
  default     = "0d"
}

module "nuke_everything_older_than_7d" {
  source = "git::git@github.com:binbashar/terraform-aws-lambda-nuke.git?ref=2.1.2"

  name                           = "${var.project}-${var.environment}-${var.name}"
  cloudwatch_schedule_expression = var.cloudwatch_schedule_expression
  exclude_resources              = var.exclude_resources
  older_than                     = var.older_than
}

CC: @diego-ojeda-binbash

diodonfrost commented 4 years ago

Hi @exequielrafaela

It looks like the Lambda tries to delete a default parameter group, but we can't modify or delete the parameter settings of a default parameter group.

I'll try to reproduce the error on my side.

exequielrafaela commented 4 years ago

@diodonfrost Just wondering if you were finally able to reproduce the error. Thanks.

diodonfrost commented 4 years ago

@exequielrafaela When I try it in a default AWS account I have no error.

But when I try it in a custom AWS account with AWS Landing Zone I get this error:

Unexpected error: An error occurred (ServiceLinkedRoleNotFoundFault) when calling the DeleteCacheParameterGroup operation: This action cannot be completed due to insufficient permissions. (Recommended action) Please create new role using IAM API CreateServiceLinkedRole.

Unexpected error: An error occurred (ServiceLinkedRoleNotFoundFault) when calling the DeleteCacheParameterGroup operation: This action cannot be completed due to insufficient permissions. (Recommended action) Please create new role using IAM API CreateServiceLinkedRole.

Unexpected error: An error occurred (ServiceLinkedRoleNotFoundFault) when calling the DeleteCacheParameterGroup operation: This action cannot be completed due to insufficient permissions. (Recommended action) Please create new role using IAM API CreateServiceLinkedRole.

Unexpected error: An error occurred (ServiceLinkedRoleNotFoundFault) when calling the DeleteCacheParameterGroup operation: This action cannot be completed due to insufficient permissions. (Recommended action) Please create new role using IAM API CreateServiceLinkedRole.

Unexpected error: An error occurred (ServiceLinkedRoleNotFoundFault) when calling the DeleteCacheParameterGroup operation: This action cannot be completed due to insufficient permissions. (Recommended action) Please create new role using IAM API CreateServiceLinkedRole.

Unexpected error: An error occurred (ServiceLinkedRoleNotFoundFault) when calling the DeleteCacheParameterGroup operation: This action cannot be completed due to insufficient permissions. (Recommended action) Please create new role using IAM API CreateServiceLinkedRole.

I think the lambda tries to delete ElastiCache default parameter groups. Only AWS can manage these settings.

I have no idea why in a default AWS account we do not have the same error.
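The handling this thread converges on, as an added example that is not the module's own code: never call DeleteCacheParameterGroup on an AWS-managed `default.<family>` group, page through DescribeCacheParameterGroups with the Marker token, and record a ServiceLinkedRoleNotFoundFault as a skipped group instead of crashing the whole run. The boto3 client and the botocore ClientError are replaced by constructed offline stand-ins (FakeElastiCache, FakeClientError) so it runs without AWS credentials; the group names are made up.

```python
def is_default_parameter_group(name):
    """AWS-managed defaults are named "default.<family>", e.g. "default.redis5.0"."""
    return name.startswith("default.")

def list_cache_parameter_groups(client):
    """Page through DescribeCacheParameterGroups using the Marker token."""
    names, kwargs = [], {}
    while True:
        page = client.describe_cache_parameter_groups(**kwargs)
        names += [g["CacheParameterGroupName"] for g in page["CacheParameterGroups"]]
        if not page.get("Marker"):
            return names
        kwargs = {"Marker": page["Marker"]}

def nuke_cache_parameter_groups(client):
    """Delete only custom groups; return (deleted, skipped) for the run report."""
    deleted, skipped = [], []
    for name in list_cache_parameter_groups(client):
        if is_default_parameter_group(name):
            skipped.append(name)  # AWS-managed: do not even call Delete on it
            continue
        try:
            client.delete_cache_parameter_group(CacheParameterGroupName=name)
            deleted.append(name)
        except Exception as exc:  # botocore ClientError exposes .response
            code = getattr(exc, "response", {}).get("Error", {}).get("Code")
            if code != "ServiceLinkedRoleNotFoundFault":
                raise  # anything else is a real failure, surface it
            skipped.append(name)  # missing service-linked role: record, move on
    return deleted, skipped

class FakeClientError(Exception):
    """Constructed stand-in for botocore ClientError (same .response shape)."""
    def __init__(self, code):
        self.response = {"Error": {"Code": code}}

class FakeElastiCache:
    """Constructed offline stand-in for the boto3 elasticache client (two pages)."""
    pages = {None: (["default.redis5.0", "app-redis"], "p2"),
             "p2": (["default.memcached1.5", "legacy-mc"], None)}
    def __init__(self, slr_missing=False):
        self.slr_missing, self.deleted = slr_missing, []
    def describe_cache_parameter_groups(self, Marker=None):
        names, nxt = self.pages[Marker]
        return {"CacheParameterGroups": [{"CacheParameterGroupName": n} for n in names],
                "Marker": nxt}
    def delete_cache_parameter_group(self, CacheParameterGroupName):
        if self.slr_missing and CacheParameterGroupName == "legacy-mc":
            raise FakeClientError("ServiceLinkedRoleNotFoundFault")  # landing-zone account
        self.deleted.append(CacheParameterGroupName)
```

With `slr_missing=True` the fake reproduces the landing-zone account from this thread: the custom group is reported as skipped while the rest of the run completes.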

exequielrafaela commented 4 years ago

@diodonfrost I've seen -> https://github.com/binbashar/terraform-aws-lambda-nuke/commit/cd1ee74fb2a5b809403c76f3aa4279a3b835532e in your latest release (https://github.com/diodonfrost/terraform-aws-lambda-nuke/releases/tag/2.6.0). Is this actually related to the open issue?

diodonfrost commented 4 years ago

@exequielrafaela yes indeed