mongodb / terraform-provider-mongodbatlas

Terraform MongoDB Atlas Provider: Deploy, update, and manage MongoDB Atlas infrastructure as code through HashiCorp Terraform
https://registry.terraform.io/providers/mongodb/mongodbatlas
Mozilla Public License 2.0

error: error reading cloud provider access cloud provider access role not found in mongodbatlas, please create it first #781

Closed kavibritto closed 2 years ago

kavibritto commented 2 years ago

Terraform CLI and Terraform MongoDB Atlas Provider Version

Terraform v1.0.10
on windows_amd64
+ provider registry.terraform.io/hashicorp/aws v3.64.0
+ provider registry.terraform.io/hashicorp/null v3.1.1
+ provider registry.terraform.io/hashicorp/random v3.1.0
+ provider registry.terraform.io/mongodb/mongodbatlas v1.0.2

Your version of Terraform is out of date! The latest version
is 1.2.4. You can update by downloading from https://www.terraform.io/downloads.html

Terraform Configuration File


# Step 1: ask Atlas to create a cloud provider access role for the project.
# Atlas returns the AWS account ARN and external ID that the IAM trust policy below needs.
resource "mongodbatlas_cloud_provider_access_setup" "setup_only" {
  project_id    = mongodbatlas_project.xeniapp_atlas_project.id
  provider_name = "AWS"
}

# Step 2: bind the Atlas role to the IAM role Atlas is allowed to assume.
resource "mongodbatlas_cloud_provider_access_authorization" "auth_role" {
  project_id = mongodbatlas_project.xeniapp_atlas_project.id
  role_id    = mongodbatlas_cloud_provider_access_setup.setup_only.role_id

  aws {
    iam_assumed_role_arn = aws_iam_role.atlas-kms-iam-role.arn
  }
}

# Step 3: enable encryption at rest with the customer-managed KMS key, via the authorized role.
resource "mongodbatlas_encryption_at_rest" "test" {
  project_id = mongodbatlas_project.xeniapp_atlas_project.id

  aws_kms_config {
    enabled                = true
    customer_master_key_id = aws_kms_key.a.key_id
    region                 = "US_EAST_1"
    role_id                = mongodbatlas_cloud_provider_access_authorization.auth_role.role_id
  }

}

resource "aws_kms_key" "a" {}

resource "aws_kms_alias" "a" {
  name          = "alias/${var.env_name}-mongodb-rest"
  target_key_id = aws_kms_key.a.key_id
}

# IAM role assumed by Atlas. The trust policy only allows the Atlas AWS account
# returned by the setup resource, and requires the external ID Atlas issued
# (the sts:ExternalId condition guards against confused-deputy use of the role).
resource "aws_iam_role" "atlas-kms-iam-role" {
  name = "iam-role-for-kms-${var.env_name}"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "${mongodbatlas_cloud_provider_access_setup.setup_only.aws_config[0].atlas_aws_account_arn}"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "${mongodbatlas_cloud_provider_access_setup.setup_only.aws_config[0].atlas_assumed_role_external_id}"
        }
      }
    }
  ]
}
EOF
}

# KMS grant limiting the assumed role to the operations encryption at rest needs.
resource "aws_kms_grant" "a" {
  name              = "my-grant"
  key_id            = aws_kms_key.a.key_id
  grantee_principal = aws_iam_role.atlas-kms-iam-role.arn
  operations        = ["Encrypt", "Decrypt", "GenerateDataKey"]

}

Steps to Reproduce

  1. terraform init
  2. terraform apply
  3. On the first run the code works fine. Then I changed the config name, ran terraform apply again, and got this error.

Expected Behavior

Encryption at rest should be enabled.

Actual Behavior

Errored
╷
│ Error: error reading cloud provider access cloud provider access role not found in mongodbatlas, please create it first
│
│
╵
Operation failed: failed running terraform plan (exit 1)

Debug Output

Crash Output

Additional Context

References

martinstibbe commented 2 years ago

@selfieebritto Just to clarify, which config value are you editing before the second apply?

resource "aws_kms_grant" "a" {
  name              = "my-grant"

Zuhairahmed commented 2 years ago

@selfieebritto just following up: can you clarify per @martinstibbe's request?

kavibritto commented 2 years ago

Guys, I actually used

terraform state rm <module name>

to remove the mongodbatlas_cloud_provider_access_setup from my state file. Then it started working.

Thank you for your time.
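As an added example, not code from this thread or from the provider, the script below applies the state-removal workaround described above to every mongodbatlas_cloud_provider_access_setup instance in the state, including module-nested and indexed addresses, with a dry-run mode. It assumes the terraform CLI is on PATH and that it is run from the configuration directory.

```shell
#!/bin/sh
# Constructed example: forget stale mongodbatlas_cloud_provider_access_setup
# resources from Terraform state, then re-plan.
# Usage: sh forget_setup_state.sh -n     (dry run, only prints)
#        sh forget_setup_state.sh --run  (actually runs terraform state rm)

# Print the state addresses whose resource type is $1. Reads the output of
# `terraform state list` on stdin. Matches "type.name" at the start of the line
# or after "module.<x>." and allows an index suffix such as [0] or ["key"].
addresses_of_type() {
  type="$1"
  grep -E "(^|\.)${type}\.[A-Za-z0-9_-]+(\[.*\])?$" || true
}

# Remove each address read from stdin from state (or only print it when
# DRY_RUN=1). Messages go to stderr; the number of addresses handled is
# printed on stdout so callers can capture it.
forget_addresses() {
  count=0
  while IFS= read -r addr; do
    [ -n "$addr" ] || continue
    if [ "${DRY_RUN:-0}" = 1 ]; then
      echo "would run: terraform state rm $addr" >&2
    else
      terraform state rm "$addr" >&2
    fi
    count=$((count + 1))
  done
  echo "$count"
}

main() {
  n=$(terraform state list \
      | addresses_of_type mongodbatlas_cloud_provider_access_setup \
      | forget_addresses)
  echo "handled $n cloud provider access setup resource(s)" >&2
  # `terraform state rm` never deletes the remote object: the old Atlas role
  # stays in the project and the next apply registers a new one. Because the
  # IAM trust policy in the issue references the setup's account ARN and
  # external ID, that IAM role is updated by the same apply.
  terraform plan
}

case "${1:-}" in
  -n)    DRY_RUN=1; main ;;
  --run) DRY_RUN=0; main ;;
esac
```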