Upon further investigation, I've gotten Terraform to deploy successfully after making this change:
resource "aws_iam_role" "firehose_role" {
name = "iam_firehose_role"
assume_role_policy = jsonencode({
Version : "2012-10-17",
Statement : [
{
Effect : "Allow",
Action : "sts:AssumeRole",
Principal : {
- Service : "firehose.amazonaws.com"
+ Service : "pinpoint.us-east-1.amazonaws.com"
}
}
]
})
}
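Review bot: The added `Service : "pinpoint.us-east-1.amazonaws.com"` line leaves the trust policy with no `Condition`, so the role can be assumed by the Pinpoint service acting for any project in any account, not just this one; AWS's cross-service confused-deputy guidance is to pin the trust with `aws:SourceAccount` (and `aws:SourceArn` of the Pinpoint app, if the service supplies it) — confirm support before relying on it. The role also keeps the name `iam_firehose_role` while its trust is switched from Firehose to Pinpoint, which is misleading when the role is later read in IAM; the working configuration further down this page separates the two roles, which is the clearer shape.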
However, looking at the console, the IAM role hasn't been applied
Ok, got it working with this setup:
# Pin the provider to the exact release this configuration was verified against.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "= 4.32.0"
    }
  }
}
# Aliased us-east-1 provider using the default CLI profile.
# NOTE(review): no resource on this page sets `provider = aws.email`, so they
# are created through the implicit default "aws" provider (region/profile taken
# from the environment) rather than this block — confirm that is intended.
provider "aws" {
  alias   = "email"
  profile = "default"
  region  = "us-east-1"
}
# Role that Amazon Pinpoint assumes in order to write events into the delivery
# stream; the Firehose permissions are attached separately by
# aws_iam_role_policy.firehose_policy.
# NOTE(review): the trust policy carries no Condition, so the Pinpoint service
# could assume this role on behalf of a project in another account; AWS's
# confused-deputy guidance is to add aws:SourceAccount / aws:SourceArn —
# confirm Pinpoint supplies them before adding.
resource "aws_iam_role" "pinpoint_role" {
  name = "iam_firehose_role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = ""
        Effect = "Allow"
        Action = "sts:AssumeRole"
        Principal = {
          Service = "pinpoint.amazonaws.com"
        }
      }
    ]
  })
}
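# Permissions the Pinpoint role needs on the delivery stream. Scoped to the one
# stream this configuration creates instead of the earlier
# "arn:aws:firehose:us-east-1:*:*/*" wildcard, which matched every delivery
# stream in the region regardless of account.
resource "aws_iam_role_policy" "firehose_policy" {
  name = "pinpoint_firehose_policy"
  role = aws_iam_role.pinpoint_role.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          "firehose:DescribeDeliveryStream",
          "firehose:PutRecordBatch",
        ]
        # Referencing the stream's ARN also orders creation: the stream exists
        # before this policy is attached.
        Resource = [aws_kinesis_firehose_delivery_stream.fh_destination.arn]
      }
    ]
  })
}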
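# Bucket that receives the delivered Pinpoint events and Firehose's error output.
# NOTE(review): bucket names are global, so "pinpoint-error" is likely to
# collide — consider deriving the name from the account id.
resource "aws_s3_bucket" "firehose_events" {
  bucket = "pinpoint-error"
}

# Only the Firehose role writes here, so every public-access path can be
# blocked; a "private" ACL is still accepted with these settings.
resource "aws_s3_bucket_public_access_block" "firehose_events" {
  bucket = aws_s3_bucket.firehose_events.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}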
# Explicit private ACL on the event bucket (in provider 4.x the ACL is a
# separate resource rather than an argument of aws_s3_bucket).
# NOTE(review): buckets whose object ownership is BucketOwnerEnforced reject
# ACL writes; if apply fails on this resource, check that setting first.
resource "aws_s3_bucket_acl" "bucket_acl" {
  acl    = "private"
  bucket = aws_s3_bucket.firehose_events.id
}
# Role assumed by Kinesis Data Firehose to deliver records into the S3 bucket;
# its S3 permissions are granted by aws_iam_role_policy.s3_policy.
# NOTE(review): the trust has no Condition; the Firehose documentation pairs
# this principal with a StringEquals on sts:ExternalId set to the account id so
# a stream in another account cannot use the role — confirm and add.
resource "aws_iam_role" "firehose_role" {
  name = "firehose_test_role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = ""
        Effect = "Allow"
        Action = "sts:AssumeRole"
        Principal = {
          Service = "firehose.amazonaws.com"
        }
      }
    ]
  })
}
# Grant the Firehose role the S3 actions it needs, limited to the destination
# bucket (bucket-level actions) and the objects inside it (object-level actions).
resource "aws_iam_role_policy" "s3_policy" {
  name = "s3_fh_policy"
  role = aws_iam_role.firehose_role.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          "s3:AbortMultipartUpload",
          "s3:GetBucketLocation",
          "s3:GetObject",
          "s3:ListBucket",
          "s3:ListBucketMultipartUploads",
          "s3:PutObject",
        ]
        Resource = [
          "arn:aws:s3:::${aws_s3_bucket.firehose_events.id}",
          "arn:aws:s3:::${aws_s3_bucket.firehose_events.id}/*",
        ]
      }
    ]
  })
}
# Delivery stream that Pinpoint writes to. Records land in the event bucket
# under a date-partitioned prefix; records that fail delivery are written under
# a prefix that names the error type.
resource "aws_kinesis_firehose_delivery_stream" "fh_destination" {
  name        = "firehose"
  destination = "extended_s3"

  extended_s3_configuration {
    bucket_arn = aws_s3_bucket.firehose_events.arn
    role_arn   = aws_iam_role.firehose_role.arn

    # A prefix containing !{timestamp} expressions must be paired with
    # error_output_prefix.
    prefix              = "!{timestamp:yyyy/MM/dd}/"
    error_output_prefix = "!{timestamp:yyyy/MM/dd}/!{firehose:error-output-type}"

    # Flush after 360 s (allowed 60–900) or once 64 MiB is buffered, whichever
    # comes first. NOTE(review): the original comment gave 64–128 MiB as the
    # size range; 64 is the floor only when dynamic partitioning is enabled —
    # verify against the Firehose limits for this destination.
    buffer_interval = 360
    buffer_size     = 64
  }
}
# Pinpoint project whose events are streamed to Firehose.
resource "aws_pinpoint_app" "my_app" {
  name = "elvis_lives"
}
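# Register the delivery stream as the event destination for the Pinpoint app.
# Pinpoint appears to validate that role_arn can reach destination_stream_arn
# when the stream is registered (the failure reported in this issue is on that
# put). The permissions live in an inline policy that Terraform would otherwise
# create in parallel with this resource, so the ordering is made explicit.
resource "aws_pinpoint_event_stream" "pinpoint_firehose" {
  application_id         = aws_pinpoint_app.my_app.id
  destination_stream_arn = aws_kinesis_firehose_delivery_stream.fh_destination.arn
  role_arn               = aws_iam_role.pinpoint_role.arn

  depends_on = [aws_iam_role_policy.firehose_policy]
}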
It might be good to add this to the docs as an example and save others some time.
Thank you for terraform! 🙏
Terraform Core Version
1.3.0
AWS Provider Version
4.32.0
Affected Resource(s)
Expected Behavior
I found an issue reporting the same error, which was closed, but I believe I may be experiencing it still...
I'm trying to configure Pinpoint to send events to a Kinesis Firehose and have tried a number of variations of roles/policies and settings - all of which fail.
Actual Behavior
Terraform performs beautifully on everything else then chokes on the Pinpoint Stream put op.
Relevant Error/Panic Output Snippet
Terraform Configuration Files
Steps to Reproduce
Replace `<account id>` in `aws_iam_role_policy.firehose_policy` with any account id and run `terraform apply`.
Debug Output
Panic Output
Important Factoids
No response
References
Would you like to implement a fix?
No response