gruntwork-io / terragrunt

Terragrunt is a flexible orchestration tool that allows Infrastructure as Code written in OpenTofu/Terraform to scale.
https://terragrunt.gruntwork.io/
MIT License
8.09k stars 981 forks

Cross-account AWS S3: cannot obtain bucket information normally #3442

Closed colinlabs closed 3 weeks ago

colinlabs commented 1 month ago

Describe the bug

We created an S3 bucket in account A, then tested S3 and granted access to a role in account B. The bucket information could be read correctly in Terraform, but Terragrunt could not obtain the bucket information correctly.

Error:

$ terragrunt plan
ERRO[0001] Error checking if bucket iac-terraform-states is have root access: MethodNotAllowed: The specified method is not allowed against this resource.
        status code: 405, request id: HRC9C67M26ABCANB, host id: JeLyKvfn/qWS67omoYSqtoPp4pmlX66DcJQKLeG8rLv/0bEeyT6tfXKBMfxlWP1pCpNnbKA7QIE= 
ERRO[0001] Unable to determine underlying exit code, so Terragrunt will exit with error code 1 

config:

remote_state {
  backend = "s3"
  config = {
    bucket = "iac-terraform-states"     # s3 buckets in different accounts
    key            = "aws/iac/${path_relative_to_include()}/terraform.tfstate"
    region         = "ap-southeast-1"
    encrypt        = true
    dynamodb_table = "terraform-locks"
  }
  generate = {
    path      = "backend.tf"
    if_exists = "overwrite_terragrunt"
  }
}

S3 bucket policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::1234567890:role/accountA"
                ]
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::iac-terraform-states/*",
                "arn:aws:s3:::iac-terraform-states"
            ]
        }
    ]
}

Expected behavior

It should behave like Terraform and be able to read bucket information across AWS accounts.

Versions

colinlabs commented 1 month ago

Found a description: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketPolicy.html

If you don't have GetBucketPolicy permissions, Amazon S3 returns a 403 Access Denied error. If you have the correct permissions, but you're not using an identity that belongs to the bucket owner's account, Amazon S3 returns a 405 Method Not Allowed error.

yhakbar commented 1 month ago

Hey @colinlabs ,

Try setting disable_bucket_update = true in your remote_state --> config configurations, and share if you still experience the same error.

By default, Terragrunt will attempt to make sure all relevant backend resources are available for use by checking to see if they're provisioned, etc. It can be confusing, but a lot of users configure certain authentication configurations for OpenTofu/Terraform, thinking the same authentication configurations will be used by Terragrunt, but they aren't.

If disabling bucket updates solves your issue, you can either choose to manage the backend resources manually, or investigate the issue with --terragrunt-log-level debug.

Overall, this issue has more to do with AWS authentication than how Terragrunt functions.
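
The poster's remote_state block with the change suggested above applied. This is an added example written for this page, not code from the issue or from the Terragrunt project; the bucket name, key, region and lock table are the ones from the issue, and the comments about which Terragrunt checks are skipped are based on the error line above and the AWS GetBucketPolicy note quoted earlier, not on anything else in the thread:

```hcl
# Added example: the issue's remote_state config plus disable_bucket_update.
# Assumption: the bucket and the DynamoDB table already exist in account A
# (the bucket owner) and are managed there; this config is evaluated by a
# role in account B that the bucket policy grants s3:* on.
remote_state {
  backend = "s3"
  config = {
    bucket         = "iac-terraform-states"   # owned by account A
    key            = "aws/iac/${path_relative_to_include()}/terraform.tfstate"
    region         = "ap-southeast-1"
    encrypt        = true
    dynamodb_table = "terraform-locks"

    # Skip Terragrunt's own pre-flight pass over the bucket. The root-access
    # check that produced the 405 above calls GetBucketPolicy, which AWS only
    # allows for an identity in the bucket owner's account, so from account B
    # it fails even though the bucket policy grants s3:* on the bucket and
    # its objects. The backend's own GetObject/PutObject/lock calls made by
    # OpenTofu/Terraform are not affected by this flag.
    disable_bucket_update = true
  }
  generate = {
    path      = "backend.tf"
    if_exists = "overwrite_terragrunt"
  }
}
```

The trade-off is that Terragrunt no longer creates or reconciles the bucket (versioning, encryption, public-access settings) or the lock table; those become account A's responsibility. If you instead want Terragrunt itself to run its checks as an identity in account A, its top-level `iam_role` attribute makes Terragrunt assume a role before calling AWS; that alternative is not discussed in this issue and assumes such a role exists in the bucket owner's account.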

colinlabs commented 3 weeks ago

@yhakbar thanks, it works for me.