Closed oc-stephen-bennett closed 1 year ago
I'm also encountering this issue as well
I'm also encountering this error
After doing some debugging, I worked around the issue with the following amendment to the example:

```hcl
data "aws_iam_policy_document" "create_in_network" {
  statement {
    sid = "CreateInNetwork"
    actions = [
      "ec2:CreateNetworkInterface",
      "ec2:RunInstances",
      "ec2:CreateFleet",
      "ec2:CreateLaunchTemplate",
      "ec2:CreateLaunchTemplateVersion",
    ]
    # PRIVATE_SUBNET_YOUR_EMR_CLUSTER_IS_USING is a placeholder for the subnet ID
    resources = ["arn:aws:ec2:*:*:subnet/${PRIVATE_SUBNET_YOUR_EMR_CLUSTER_IS_USING}"]
  }
}

resource "aws_iam_policy" "emr_create_in_network" {
  name        = "emr_create_in_network"
  description = "extra policy for EMR cluster setup"
  policy      = data.aws_iam_policy_document.create_in_network.json
}

module "emr" {
  source  = "terraform-aws-modules/emr/aws"
  version = "1.0.0"
  ...
  ec2_attributes = {
    # Instance groups only support one Subnet/AZ
    # Subnets should be private subnets and tagged with
    # { "for-use-with-amazon-emr-managed-policies" = true }
    subnet_id = PRIVATE_SUBNET_YOUR_EMR_CLUSTER_IS_USING
  }
  ...
  service_iam_role_policies = {
    AmazonEMRServicePolicy_v2 = "arn:aws:iam::aws:policy/service-role/AmazonEMRServicePolicy_v2" # THIS IS THE DEFAULT VALUE FOR THIS ATTRIBUTE
    CreatInNetwork            = aws_iam_policy.emr_create_in_network.arn                          # THIS FIXES THE CLUSTER FAILURE
  }
}
```
I suspect this is related to the v2 managed policies - without a full reproduction it will be difficult to tell though.
Have you all enabled the appropriate tag on the subnets used/passed to EMR? https://github.com/terraform-aws-modules/terraform-aws-emr/blob/d987b8d45038f8424896aa68e632f7570a19bdc0/examples/private-cluster/main.tf#L265-L270
See the main README just before Usage:
Anyone able to confirm if the above guidance solves their permission issues?
Hello @bryantbiggs, you are correct. After applying the tags to Private Subnet, I was able to solve the insufficient EC2 permissions issue.
Thanks.
Any suggestions on how to better surface this in the docs? I'm open to ideas
Yes, I finally put 2 and 2 together to see that it was that policy. I would question the merit of adding the tagging condition.
To be clear, this is coming from Amazon and how they have scoped permissions. In this module I have tagged all the relevant resources accordingly but I cannot ensure the appropriate networking resources are tagged based on the intended architecture since those are outside of this module
Closing this for now. Please feel free to provide feedback on how we can better improve the documentation to make this functionality more clear to users in the future.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Description
When doing a deployment via the example it generates an error with:
terraform code used:
versions.tf