gruntwork-io / terragrunt

Terragrunt is a flexible orchestration tool that allows Infrastructure as Code written in OpenTofu/Terraform to scale.
https://terragrunt.gruntwork.io/
MIT License

Cross aws s3 cannot obtain bucket information normally #3442

Open colinlabs opened 4 days ago

colinlabs commented 4 days ago

Describe the bug

We created an S3 bucket in account A, then tested S3 and granted access to a role in account B. The bucket information could be correctly read in terraform, but terragrunt could not correctly obtain bucket information at noon.

Error:

$ terragrunt plan
ERRO[0001] Error checking if bucket iac-terraform-states is have root access: MethodNotAllowed: The specified method is not allowed against this resource.
        status code: 405, request id: HRC9C67M26ABCANB, host id: JeLyKvfn/qWS67omoYSqtoPp4pmlX66DcJQKLeG8rLv/0bEeyT6tfXKBMfxlWP1pCpNnbKA7QIE= 
ERRO[0001] Unable to determine underlying exit code, so Terragrunt will exit with error code 1 

config:

remote_state {
  backend = "s3"
  config = {
    bucket = "iac-terraform-states"     # s3 buckets in different accounts
    key            = "aws/iac/${path_relative_to_include()}/terraform.tfstate"
    region         = "ap-southeast-1"
    encrypt        = true
    dynamodb_table = "terraform-locks"
  }
  generate = {
    path      = "backend.tf"
    if_exists = "overwrite_terragrunt"
  }
}

s3 policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::1234567890:role/accountA"
                ]
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::iac-terraform-states/*",
                "arn:aws:s3:::iac-terraform-states"
            ]
        }
    ]
}

Expected behavior

It can be similar to terraform's behavior, and can read bucket information across AWS accounts.

Versions

colinlabs commented 4 days ago

Found a description: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketPolicy.html

If you don't have GetBucketPolicy permissions, Amazon S3 returns a 403 Access Denied error. If you have the correct permissions, but you're not using an identity that belongs to the bucket owner's account, Amazon S3 returns a 405 Method Not Allowed error.
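The 403-versus-405 distinction quoted above is exactly what a cross-account state-bucket check has to handle: a 405 MethodNotAllowed from GetBucketPolicy does not mean the bucket is unusable, only that the caller's identity is not in the bucket owner's account. The following is an added example, not terragrunt's own code and not the reporter's, showing how such a check could classify the error and fall back to HeadBucket to confirm the role can still reach the bucket. It assumes a boto3-style client whose API errors carry a `.response` dict; the error responses and the fake client are constructed here so the block runs offline, and the request id is a placeholder.

```python
# Added example (not terragrunt code): classify GetBucketPolicy failures for a
# remote-state bucket owned by another AWS account, so that a 405 from a
# cross-account caller is treated as "not the bucket owner", not as fatal.
from dataclasses import dataclass


@dataclass
class BucketPolicyCheck:
    outcome: str  # "readable", "no_policy", "not_owner", "missing_permission", "error"
    detail: str


# Constructed samples, shaped like botocore's ClientError.response, for the two
# cases the S3 docs describe. The request id is a placeholder, not a real value.
SAMPLE_405 = {
    "Error": {"Code": "MethodNotAllowed",
              "Message": "The specified method is not allowed against this resource."},
    "ResponseMetadata": {"HTTPStatusCode": 405, "RequestId": "REQUEST-ID-PLACEHOLDER"},
}
SAMPLE_403 = {
    "Error": {"Code": "AccessDenied", "Message": "Access Denied"},
    "ResponseMetadata": {"HTTPStatusCode": 403, "RequestId": "REQUEST-ID-PLACEHOLDER"},
}


def classify_get_bucket_policy_error(response: dict) -> BucketPolicyCheck:
    """Map a GetBucketPolicy error response to what it means for the caller.

    403: the identity lacks s3:GetBucketPolicy.
    405: the identity has the permission but is not in the bucket owner's account.
    """
    err = response.get("Error", {})
    code = err.get("Code", "")
    status = response.get("ResponseMetadata", {}).get("HTTPStatusCode")
    if code == "MethodNotAllowed" or status == 405:
        return BucketPolicyCheck(
            "not_owner",
            "caller is not in the bucket owner's account; policy cannot be read cross-account")
    if code == "AccessDenied" or status == 403:
        return BucketPolicyCheck("missing_permission", "caller lacks s3:GetBucketPolicy on the bucket")
    if code == "NoSuchBucketPolicy":
        return BucketPolicyCheck("no_policy", "bucket exists and has no bucket policy")
    return BucketPolicyCheck("error", f"{code}: {err.get('Message', '')}")


def check_state_bucket(s3_client, bucket: str) -> BucketPolicyCheck:
    """Try GetBucketPolicy; on a cross-account 405, fall back to HeadBucket so the
    role's access to the bucket is still confirmed before it is used for state.

    s3_client is any object with get_bucket_policy/head_bucket methods whose
    failures carry a botocore-style .response attribute (boto3 clients do).
    """
    try:
        s3_client.get_bucket_policy(Bucket=bucket)
        return BucketPolicyCheck("readable", "bucket policy read successfully")
    except Exception as exc:
        response = getattr(exc, "response", None)
        if response is None:
            raise  # not an AWS API error; do not mask it
        result = classify_get_bucket_policy_error(response)
    if result.outcome != "not_owner":
        return result
    try:
        s3_client.head_bucket(Bucket=bucket)
    except Exception as exc:
        if getattr(exc, "response", None) is None:
            raise
        return BucketPolicyCheck("error", f"cross-account bucket not reachable: {exc}")
    return BucketPolicyCheck("not_owner", result.detail + "; HeadBucket succeeded, bucket is usable")


# --- Offline stand-in for a boto3 client (constructed for this example) ----------
class _FakeClientError(Exception):
    def __init__(self, response):
        super().__init__(response["Error"]["Message"])
        self.response = response


class FakeCrossAccountS3:
    """Mimics the issue's setup: GetBucketPolicy is rejected with 405, HeadBucket works."""
    def get_bucket_policy(self, Bucket):
        raise _FakeClientError(SAMPLE_405)

    def head_bucket(self, Bucket):
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


if __name__ == "__main__":
    # With a real client: check_state_bucket(boto3.client("s3"), "iac-terraform-states")
    print(check_state_bucket(FakeCrossAccountS3(), "iac-terraform-states"))
```

The design choice is that only a 403 is treated as a permission problem worth failing on; a 405 is expected whenever the state bucket belongs to another account, so the check degrades to HeadBucket (which any principal granted `s3:ListBucket` on the bucket can call) instead of aborting the run.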