search

terraform-aws-modules / terraform-aws-atlantis

Terraform module to deploy Atlantis on AWS Fargate 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/atlantis/aws
Apache License 2.0
520 stars 351 forks source link

Missing secretsmanager:GetSecretValue policy action #374

Closed igorjanevski closed 11 months ago

igorjanevski commented 11 months ago

Description

The module is using the ECS module as a source for the ECS resources. It creates ECS task/service role without policy for reading secrets from secrets manager.

The ECS Fargate tasks are failing due to missing permission to read the secrets.

We need the IAM policy in place for this to be functional. Currently we do it by manual edit of the IAM policy but this creates a difference in the TF plan later:

# module.shared.module.atlantis.module.ecs_service.aws_iam_policy.task_exec[0] will be updated in-place
  ~ resource "aws_iam_policy" "task_exec" {
        id          = "arn:aws:iam::032650762539:policy/atlantis-20231116125849259700000003"
        name        = "atlantis-20231116125849259700000003"
      ~ policy      = jsonencode(
          ~ {
              ~ Statement = [
                    {
                        Action   = [
                            "logs:PutLogEvents",
                            "logs:CreateLogStream",
                        ]
                        Effect   = "Allow"
                        Resource = "*"
                        Sid      = "Logs"
                    },
                  ~ {
                      ~ Action   = [
                            # (3 unchanged elements hidden)
                            "ecr:BatchCheckLayerAvailability",
                          - "secretsmanager:GetSecretValue",
                        ]
                        # (3 unchanged attributes hidden)
                    },
                    {
                        Action   = "ssm:GetParameters"
                        Effect   = "Allow"
                        Resource = "arn:aws:ssm:*:*:parameter/*"
                        Sid      = "GetSSMParams"
                    },
                    # (1 unchanged element hidden)
                ]
                # (1 unchanged attribute hidden)
            }
        )
        tags        = {
            "Environment" = "preproduction"
            "Terraform"   = "true"
        }
        # (6 unchanged attributes hidden)
    }
bryantbiggs commented 11 months ago

We have https://github.com/terraform-aws-modules/terraform-aws-atlantis/blob/5dedfb1b36fc761c4fec65f88a6b84f230bd914f/main.tf#L402C3-L402C24 which has a default value, but users are encouraged to provide the specific ARNs (or [] if they wish to remove the permission). This maps to the permission in the ECS service module https://github.com/terraform-aws-modules/terraform-aws-ecs/blob/32f1169f8fd2f1beb224a0b0f040d8825eb01c05/modules/service/main.tf#L825-L831

github-actions[bot] commented 10 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.