Description
What exactly are you trying to do?
When trying to create the awscc resources for the restore testing plan, we are getting blocked. The error suggests it is a permissions issue, but no amount of elevating permissions fixed it.
We are getting blocked at the terraform plan stage, not the apply stage.
What have you tried so far?
We tried to narrow down what role was missing permissions by elevating every role, but still the error persisted. We checked that we could make a restore testing plan manually in the console and that was fine. We then tried to assign that to the other resources via Terraform but that didn't work.
Our fix in the end was to upgrade our aws provider version and use the alternate aws_backup_restore_testing_plan and aws_backup_restore_testing_selection modules. They require aws 5.83.0 or higher.
Output of any commands you have tried
Error: AWS SDK Go Service Operation Unsuccessful
│
│ with module.source.awscc_backup_restore_testing_plan.backup_restore_testing_plan,
│ on ../../modules/aws-backup-source/backup_restore_testing.tf line 1, in resource "awscc_backup_restore_testing_plan" "backup_restore_testing_plan":
│ 1: resource "awscc_backup_restore_testing_plan" "backup_restore_testing_plan" {
│
│ Calling Cloud Control API service GetResource operation returned: operation
│ error CloudControl: GetResource, https response error StatusCode: 400,
│ RequestID: be37988d-ec8a-4140-a0ee-3e684eba15ab, api error
│ AccessDeniedException: User:
│ arn:aws:sts::***:assumed-role/nhse-cpm--mgmt--github-ci/github-actions-ci-ee96428
│ is not authorized to perform: cloudformation:GetResource on resource:
│ arn:aws:cloudformation:eu-west-2:***:resource/* because no
│ identity-based policy allows the cloudformation:GetResource action
Additional context
No response
Code of Conduct
- I agree to follow this project's Code of Conduct
Sensitive Information Declaration
- I confirm that neither PII/PID nor sensitive data are included in this form
