AWS Cloud Control resources are not creating #30

@megan-bower4

Description

What exactly are you trying to do?

When trying to create the awscc resources for the restore testing plan, we are getting blocked. The error suggests it is a permissions issue, but no amount of elevating permissions fixed it.

We are getting blocked at the terraform plan stage, not the apply stage.

What have you tried so far?

We tried to narrow down what role was missing permissions by elevating every role, but still the error persisted. We checked that we could make a restore testing plan manually in the console and that was fine. We then tried to assign that to the other resources via terraform but that didn't work.

Our fix in the end was to upgrade our aws provider version and use the alternate aws_backup_restore_testing_plan and aws_backup_restore_testing_selection modules. They require aws 5.83.0 or higher.

Output of any commands you have tried

Error: AWS SDK Go Service Operation Unsuccessful
│ 
│   with module.source.awscc_backup_restore_testing_plan.backup_restore_testing_plan,
│   on ../../modules/aws-backup-source/backup_restore_testing.tf line 1, in resource "awscc_backup_restore_testing_plan" "backup_restore_testing_plan":
│    1: resource "awscc_backup_restore_testing_plan" "backup_restore_testing_plan" {
│ 
│ Calling Cloud Control API service GetResource operation returned: operation
│ error CloudControl: GetResource, https response error StatusCode: 400,
│ RequestID: be37988d-ec8a-4140-a0ee-3e684eba15ab, api error
│ AccessDeniedException: User:
│ arn:aws:sts::***:assumed-role/nhse-cpm--mgmt--github-ci/github-actions-ci-ee96428
│ is not authorized to perform: cloudformation:GetResource on resource:
│ arn:aws:cloudformation:eu-west-2:***:resource/* because no
│ identity-based policy allows the cloudformation:GetResource action

Additional context

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct

Sensitive Information Declaration

  • I confirm that neither PII/PID nor sensitive data are included in this form
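The workaround described in the report, written out as an added example (not the reporter's configuration and not code from the repository this issue belongs to). The awscc provider drives every resource through the Cloud Control API, which is why the plan stage calls cloudformation:GetResource on the CI role; the aws provider's aws_backup_restore_testing_plan and aws_backup_restore_testing_selection resources call the AWS Backup APIs directly and need no Cloud Control permissions. The version constraint comes from the issue; the resource names, the cron schedule, the vault wildcard and the IAM role are constructed values, and the argument names reflect the aws provider schema as I know it rather than anything on the page.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      # The issue states the restore testing resources need aws 5.83.0 or higher.
      version = ">= 5.83.0"
    }
  }
}

# Constructed example: a daily restore test of the most recent recovery point
# in every vault. Replaces the awscc_backup_restore_testing_plan resource
# that failed with AccessDeniedException on cloudformation:GetResource.
resource "aws_backup_restore_testing_plan" "example" {
  name = "example_restore_testing_plan" # constructed name

  recovery_point_selection {
    algorithm             = "LATEST_WITHIN_FIXED_WINDOW"
    include_vaults        = ["*"]           # constructed: all vaults in the account
    recovery_point_types  = ["CONTINUOUS", "SNAPSHOT"]
    selection_window_days = 365
  }

  schedule_expression = "cron(0 12 ? * * *)" # constructed: 12:00 UTC daily
}

# Constructed example: which protected resources the plan restores and the
# role AWS Backup assumes to perform the test restore. Keep this role scoped
# to the restore actions it needs; it is separate from the CI role in the error.
resource "aws_backup_restore_testing_selection" "example" {
  name                      = "example_ec2_selection" # constructed name
  restore_testing_plan_name = aws_backup_restore_testing_plan.example.name
  protected_resource_type   = "EC2"
  iam_role_arn              = aws_iam_role.backup_restore_test.arn # assumed to exist
  protected_resource_arns   = ["*"]
}
```

If the awscc resources are kept instead, the CI identity in the error would additionally need the Cloud Control actions (cloudformation:GetResource at minimum for plan, plus the create, update, delete and list operations for apply); the report notes that elevating the roles did not clear the error, so check which principal the plan actually runs as before widening any policy.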

Metadata

Assignees

No one assigned

Labels

No labels

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests