Description
What exactly are you trying to do?
Apply the terraform for the source module
What have you tried so far?
I am using the prerequisite role as described in examples/source-bootstrap/permissions.tf
Output of any commands you have tried
[Container] 2024/11/18 18:00:55.337133 Running command terraform apply -input=false tfplan
module.source.aws_iam_role.backup: Creating...
module.source.aws_kms_key.aws_backup_key: Creating...
aws_kms_key.backup_notifications: Creating...
aws_s3_bucket.backup_reports: Creating...
module.source.aws_backup_framework.main: Creating...
module.source.aws_kms_key.aws_backup_key: Creation complete after 9s [id=0c142fed-16b3-438a-a0e5-54cf4e40e3a0]
module.source.aws_kms_alias.backup_key: Creating...
module.source.aws_backup_vault.main: Creating...
aws_kms_key.backup_notifications: Creation complete after 9s [id=e34ea7af-ad6f-4c43-a379-250d46bcc0d1]
module.source.aws_backup_vault.main: Creation complete after 1s [id=eu-west-2-245642******-backup-vault]
module.source.aws_backup_vault_policy.vault_policy: Creating...
module.source.aws_backup_plan.default: Creating...
module.source.aws_backup_plan.default: Creation complete after 0s [id=a7121be7-1ad7-4f6e-b2b0-86e6429191d0]
module.source.awscc_backup_restore_testing_plan.backup_restore_testing_plan: Creating...
module.source.aws_backup_vault_policy.vault_policy: Creation complete after 0s [id=eu-west-2-245642******-backup-vault]
module.source.aws_kms_alias.backup_key: Creation complete after 1s [id=alias/dev/backup-key]
╷
│ Error: creating S3 Bucket (tf-backup-source-backup-reports20241118180100137100000001): operation error S3: CreateBucket, https response error StatusCode: 403, RequestID: 13BR4KVNR10GPMS5, HostID: dto+k2Xsy+heAtSTkXtRDQeq0phSdniokIVHd5B15Fz71xW4cWXvRTVjctZjd1eNSJSLBSPjeRAuETWklmNMBNSWrpyv3bem, api error AccessDenied: User: arn:aws:sts::245642******:assumed-role/cid-tf-backup-source-role/TerraformBackup-Session is not authorized to perform: s3:CreateBucket on resource: "arn:aws:s3:::tf-backup-source-backup-reports20241118180100137100000001" because no identity-based policy allows the s3:CreateBucket action
│
│ with aws_s3_bucket.backup_reports,
│ on aws-backups.tf line 35, in resource "aws_s3_bucket" "backup_reports":
│ 35: resource "aws_s3_bucket" "backup_reports" {
│
╵
╷
│ Error: creating Backup Framework (eu_west_2_245642******_backup_framework): operation error Backup: CreateFramework, https response error StatusCode: 400, RequestID: c8116e1e-dee0-44f2-893d-c47d4eb18767, InvalidParameterValueException: Invalid value for the parameter principalArnList in control BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED. Expected comma-separated list of valid IAM principal ARNs.
│
│ with module.source.aws_backup_framework.main,
│ on ../../modules/aws-backup-source/backup_framework.tf line 1, in resource "aws_backup_framework" "main":
│ 1: resource "aws_backup_framework" "main" {
│
╵
╷
│ Error: AWS SDK Go Service Operation Unsuccessful
│
│ with module.source.awscc_backup_restore_testing_plan.backup_restore_testing_plan,
│ on ../../modules/aws-backup-source/backup_restore_testing.tf line 1, in resource "awscc_backup_restore_testing_plan" "backup_restore_testing_plan":
│ 1: resource "awscc_backup_restore_testing_plan" "backup_restore_testing_plan" {
│
│ Calling Cloud Control API service CreateResource operation returned:
│ operation error CloudControl: CreateResource, https response error
│ StatusCode: 400, RequestID: 63f0227e-36a7-4f72-b676-7d3e6e5285cf, api error
│ AccessDeniedException: User:
│ arn:aws:sts::245642******:assumed-role/cid-tf-backup-source-role/TerraformBackup-Session
│ is not authorized to perform: cloudformation:CreateResource on resource:
│ arn:aws:cloudformation:eu-west-2:245642******:resource/* because no
│ identity-based policy allows the cloudformation:CreateResource action
╵
╷
│ Error: creating IAM Role (tf-backup-sourceBackupRole): operation error IAM: CreateRole, https response error StatusCode: 403, RequestID: 57d39ffe-43e5-402a-9d8b-aca2272cfc00, api error AccessDenied: User: arn:aws:sts::245642******:assumed-role/cid-tf-backup-source-role/TerraformBackup-Session is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::245642******:role/tf-backup-sourceBackupRole because no identity-based policy allows the iam:CreateRole action
│
│ with module.source.aws_iam_role.backup,
│ on ../../modules/aws-backup-source/iam.tf line 14, in resource "aws_iam_role" "backup":
│ 14: resource "aws_iam_role" "backup" {
│
╵
Additional context
Adding permissions is easy enough, but has this been deployed before with the defined permissions and I'm missing something?
The bit below is the primary issue, especially since the instruction is to not make changes to the modules.
│ Error: creating Backup Framework (eu_west_2_245642******_backup_framework): operation error Backup: CreateFramework, https response error StatusCode: 400, RequestID: c8116e1e-dee0-44f2-893d-c47d4eb18767, InvalidParameterValueException: Invalid value for the parameter principalArnList in control BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED. Expected comma-separated list of valid IAM principal ARNs.
│
│ with module.source.aws_backup_framework.main,
│ on ../../modules/aws-backup-source/backup_framework.tf line 1, in resource "aws_backup_framework" "main":
│ 1: resource "aws_backup_framework" "main" {
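An added example in Python (not code from the issue or the project): it strips Terraform's box-drawing gutter from apply output like the above, collects the action/resource pairs from each AccessDenied message into minimal Allow statements to review against the prerequisite role, and checks a principalArnList value entry by entry. The sample output, the account id and the accepted principal ARN pattern (root, user, role) are constructed assumptions.

```python
import re

# Constructed sample modelled on the apply output in this issue; account id,
# request id and host id are placeholders, not values from a real account.
SAMPLE_OUTPUT = """\
module.source.aws_backup_vault.main: Creation complete after 1s [id=eu-west-2-123456789012-backup-vault]
╷
│ Error: creating S3 Bucket (tf-backup-source-backup-reports20241118180100137100000001): operation error S3: CreateBucket, https response error StatusCode: 403, RequestID: REQ-PLACEHOLDER, HostID: HOST-PLACEHOLDER, api error AccessDenied: User: arn:aws:sts::123456789012:assumed-role/cid-tf-backup-source-role/TerraformBackup-Session is not authorized to perform: s3:CreateBucket on resource: "arn:aws:s3:::tf-backup-source-backup-reports20241118180100137100000001" because no identity-based policy allows the s3:CreateBucket action
│
╵
│ Error: AWS SDK Go Service Operation Unsuccessful
│ AccessDeniedException: User:
│ arn:aws:sts::123456789012:assumed-role/cid-tf-backup-source-role/TerraformBackup-Session
│ is not authorized to perform: cloudformation:CreateResource on resource:
│ arn:aws:cloudformation:eu-west-2:123456789012:resource/* because no
│ identity-based policy allows the cloudformation:CreateResource action
│ Error: creating IAM Role (tf-backup-sourceBackupRole): api error AccessDenied: User: arn:aws:sts::123456789012:assumed-role/cid-tf-backup-source-role/TerraformBackup-Session is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::123456789012:role/tf-backup-sourceBackupRole because no identity-based policy allows the iam:CreateRole action
"""

# Terraform wraps long SDK messages over several "│ " lines, so the denial is
# matched only after the gutter is stripped and the lines are joined.
DENIED_RE = re.compile(
    r"is not authorized to perform: (?P<action>[A-Za-z0-9-]+:[A-Za-z0-9*]+) "
    r'on resource: "?(?P<resource>[^"\s]+)"? because no identity-based policy allows'
)
# Assumption: the framework control accepts account root, user and role ARNs.
PRINCIPAL_ARN_RE = re.compile(r"^arn:aws[a-zA-Z-]*:iam::\d{12}:(root|user/.+|role/.+)$")


def flatten(output: str) -> str:
    """Drop the box-drawing gutter and join wrapped lines into one string."""
    parts = (line.strip().lstrip("│╷╵ ").strip() for line in output.splitlines())
    return " ".join(p for p in parts if p)


def missing_permissions(output: str) -> list[tuple[str, str]]:
    """Unique (action, resource) pairs the applying role was denied."""
    return sorted({(m["action"], m["resource"]) for m in DENIED_RE.finditer(flatten(output))})


def allow_statements(pairs: list[tuple[str, str]]) -> list[dict]:
    """One minimal Allow statement per resource, for review against the prerequisite role."""
    by_resource: dict[str, list[str]] = {}
    for action, resource in pairs:
        by_resource.setdefault(resource, []).append(action)
    return [{"Effect": "Allow", "Action": sorted(a), "Resource": r} for r, a in sorted(by_resource.items())]


def invalid_principals(principal_arn_list: str) -> list[str]:
    """Entries of a comma-separated principalArnList that are not IAM principal ARNs;
    an empty entry (empty string or trailing comma) is reported as invalid too."""
    return [p for p in (s.strip() for s in principal_arn_list.split(",")) if not PRINCIPAL_ARN_RE.match(p)]
```

Running `allow_statements(missing_permissions(SAMPLE_OUTPUT))` on the sample yields three statements, one each for s3:CreateBucket, cloudformation:CreateResource and iam:CreateRole on the resources named in the errors.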