Deploy errors using the IAM Group
Background
Deployments by AWS users in the IAM Group do not appear to be working.
Detailed below are the setup steps I went through while debugging this.
Am I missing something?
Steps to Reproduce
I downloaded the IAM Group Terraform file from the [setup documentation] locally and replaced the account and prefix variable values, then created the IAM Group with Terraform. I then created a new deploy user, added it to the group, and ran ./manage.py deploy.
The first deployment returned two "…not authorized to perform kms:TagResource" errors. I saw the comment about adding the generated KMS keys to the IAM Group Terraform file but it seemed a little strange to need to go back and modify that file after the fact with any hard-coded values so I added the kms:TagResource action to the relevant statement and updated the IAM Group's policy with Terraform. Deploying again returned a "MalformedPolicyDocumentException" error which appears to be a known issue with this Terraform provider? Running the deploy step again got past that error but then returned a "…not authorized to perform lambda:CreateEventSourceMapping" error at which point I ended up giving up and deploying with an admin account.
Desired Change
The least-privilege permissions Terraform file creates a working policy for deploy users.
Same here!
OK, I think I found the culprit, in terraform/kms.tf:
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.aws_account_id}:root"]
    }
the root is simply assumed as a default, while in my case the user ARN is "arn:aws:iam::${var.aws_account_id}:user/foobar"
So I changed it to:
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.aws_account_id}:${var.aws_account_name}"]
    }
and defined aws_account_name in terraform/variables.tf and terraform/terraform.tfvars accordingly. Will push a PR soon with this and lots of other mods ;-) stay tuned!
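As an added example (not the project's code), a small offline check for the two things this thread turns on: whether a group policy document grants the actions the deploy user was denied, and whether a KMS key policy still names the account root principal. The sample policy documents and the account id are constructed placeholders, not values from the project.

```python
import fnmatch

# The actions the deploy user was denied in the issue above.
REQUIRED_ACTIONS = ("kms:TagResource", "lambda:CreateEventSourceMapping")

def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]

def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Required actions that no Allow statement's Action pattern matches.
    Case-insensitive, honours IAM's '*' and '?' wildcards. Deny statements,
    Condition blocks and Resource ARNs are not evaluated, so [] means
    "not obviously missing", not "proven allowed"."""
    patterns = [a.lower() for s in _allow_statements(policy)
                for a in _as_list(s.get("Action"))]
    return [a for a in required
            if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]

def key_policy_trusts_account_root(key_policy, account_id):
    """True if an Allow statement names the account root as a principal.
    Per the AWS KMS developer guide that principal is what lets IAM policies
    (such as this project's group policy) grant key access; a key policy that
    only names individual users can leave the key unmanageable."""
    root = f"arn:aws:iam::{account_id}:root"
    for stmt in _allow_statements(key_policy):
        principal = stmt.get("Principal")
        if isinstance(principal, dict) and root in _as_list(principal.get("AWS")):
            return True
    return False

# Constructed sample documents (not the project's files); the account id is a placeholder.
ACCOUNT_ID = "123456789012"
GROUP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:Create*", "kms:Describe*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "lambda:CreateFunction", "Resource": "*"}]}
USER_ONLY_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:user/foobar"},
     "Action": "kms:*", "Resource": "*"}]}

if __name__ == "__main__":
    print("missing from group policy:", missing_actions(GROUP_POLICY))
    print("key policy trusts account root:", key_policy_trusts_account_root(USER_ONLY_KEY_POLICY, ACCOUNT_ID))
```

Running the file shows both checks on the constructed documents; pointing the functions at the JSON rendered from the real Terraform plan checks the actual policies before the next deploy attempt.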