Open mklosittam opened 1 year ago
Hey @mklosittam 👋 Thank you for taking the time to raise this! So that we have the necessary information in order to look into this, can you supply debug logs (redacted as needed) as well?
Has anyone found any solution for the above error? I am also getting the same error. When a wildcard (*) is used for the principal, it successfully creates the policy, but it isn't able to fetch the value (ARN or name) of the IAM role/user.
Same here, I am facing the same error. Any ideas about how to work this around?
Same here, I am facing the same error. Any ideas about how to work this around?
Need to run the terraform apply 2 times.
- Run with policy having wildcard(*)
- Then using the required arn.
Hope this helps.
Thanks. Well, I will have to adapt my Bitbucket pipeline and add an extra step... Will be ugly, but it is what it is.
Another workaround for this is to use the external provider and a data source with the AWS CLI to get the role after creation.

```hcl
data "external" "iam_role_retrieval" {
  program    = ["bash", "${path.module}/iam_role.sh", var.profile_primary, var.iam_role.name]
  depends_on = [var.iam_role]
}

resource "aws_api_gateway_rest_api_policy" "policy" {
  ...
  depends_on = [data.external.iam_role_retrieval]
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        Principal : data.external.iam_role_retrieval.result["arn"],
        ...
```
and the bash script would just do something like using the AWS CLI to attempt to get the role:

```bash
#!/bin/bash
# Assign arguments to variables for better readability
PROFILE=$1
ROLE_NAME=$2

# Loop up to 3 times
for i in {1..3}; do
  sleep 5
  # Fetch the IAM role; the assignment's exit status is that of the aws call
  if result=$(aws iam get-role --profile "$PROFILE" --role-name "$ROLE_NAME" --output json); then
    # Extract the ARN from the JSON result
    arn=$(echo "$result" | jq -r '.Role.Arn')
    echo '{ "success": "true", "arn": "'"$arn"'" }'
    exit 0
  fi
done

# Role still not visible: emit an empty string rather than null, since the
# external data source requires every value in the result object to be a string
echo '{ "success": "false", "arn": "" }'
```
Discovered this is actually a race condition between when the `aws_iam_role` is created and when it is attached by the `aws_api_gateway_rest_api_policy`. `depends_on` also doesn't seem to work or wait long enough. I was able to work around this by using the Terraform `time_sleep` resource. No need for `local_exec` or other hacks.
Example:

```hcl
# aws_iam_role can take a few seconds to propagate its ARN before it can be consumed
# by other resources. This resource will wait for the role to be available before
# creating the API GW resource policy
resource "time_sleep" "iam_role_propagation" {
  create_duration = "30s"
  triggers = {
    iam_role_arn = aws_iam_role.gw_access.arn
  }
}

resource "aws_api_gateway_rest_api_policy" "this" {
  rest_api_id = aws_api_gateway_rest_api.this.id
  policy      = data.aws_iam_policy_document.resource_policy.json
}

data "aws_iam_policy_document" "resource_policy" {
  statement {
    sid       = "Resource"
    effect    = "Allow"
    resources = ["${aws_api_gateway_rest_api.this.execution_arn}/*/*"]
    principals {
      type        = "AWS"
      identifiers = [time_sleep.iam_role_propagation.triggers["iam_role_arn"]]
    }
    actions = [
      "execute-api:Invoke"
    ]
  }
}
```
Terraform Core Version
1.3.8

AWS Provider Version
4.54.0

Affected Resource(s)

Expected Behavior
I should be able to deploy (or `apply`) all of this successfully.

Actual Behavior
I get an error. Curiously, after `apply` fails the first time, if I run `plan` and `apply` again, it succeeds the second time. Also, if I `apply` the 3 resources one by one, it also succeeds. This makes me think that the resource dependency tree is not being resolved correctly, but I don't see what the problem is in the code.

Relevant Error/Panic Output Snippet

Terraform Configuration Files

Steps to Reproduce
`main.tf` file.
terraform plan -out=.terraform.tfplan
terraform apply .terraform.tfplan

NOTE: the `backend.tf` and `provider.tf` files have been omitted, since they are just stubs. Everything else in my deployment works, except for these 3 resources along with their data.

Debug Output

Panic Output
No response

Important Factoids
Curiously, after `apply` fails the first time, if I run `plan` and `apply` again, it succeeds the second time. Also, if I `apply` the 3 resources one by one, it also succeeds. This makes me think that the resource dependency tree is not being resolved correctly, but I don't see what the problem is in the code. I searched online, but the only thing that seems relevant isn't really helping me: https://stackoverflow.com/questions/54780301/invalid-policy-document-please-check-the-policy-syntax-and-ensure-that-principa

References
No response

Would you like to implement a fix?
No