Unable to create service linked role #3695

Closed
jinnko opened this issue Mar 9, 2018 · 4 comments


jinnko commented Mar 9, 2018

Terraform Version

Terraform v0.11.3
+ provider.aws v1.10.0

Affected Resource(s)

Please list the resources as a list, for example:

  • aws_iam_role

Terraform Configuration Files

resource "aws_iam_role" "AWSServiceRoleForECS" {
  name = "AWSServiceRoleForECS"

  path        = "/aws-service-role/ecs.amazonaws.com/"
  description = "ECS Service Linked Role"

  assume_role_policy = "${data.aws_iam_policy_document.ecs_arp.json}"
}

data "aws_iam_policy_document" "ecs_arp" {
  statement = {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals = {
      type        = "Service"
      identifiers = ["ecs.amazonaws.com"]
    }
  }
}

resource "aws_iam_role_policy_attachment" "AWSServiceRoleForECS" {
  role       = "${aws_iam_role.AWSServiceRoleForECS.name}"
  policy_arn = "arn:aws:iam::aws:policy/aws-service-role/AmazonECSServiceRolePolicy"
}

Debug Output

aws_iam_role.AWSServiceRoleForECS: Creating...
  arn:                   "" => "<computed>"
  assume_role_policy:    "" => "{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Sid\": \"\",\n      \"Effect\": \"Allow\",\n      \"Action\": \"sts:AssumeRole\",\n      \"Principal\": {\n        \"Service\": \"ecs.amazonaws.com\"\n      }\n    }\n  ]\n}"
  create_date:           "" => "<computed>"
  description:           "" => "ECS Service Linked Role"
  force_detach_policies: "" => "false"
  name:                  "" => "AWSServiceRoleForECS"
  path:                  "" => "/aws-service-role/ecs.amazonaws.com/"
  unique_id:             "" => "<computed>"

Error: Error applying plan:

1 error(s) occurred:

* aws_iam_role.AWSServiceRoleForECS: 1 error(s) occurred:

* aws_iam_role.AWSServiceRoleForECS: Error creating IAM Role AWSServiceRoleForECS: InvalidInput: Path prefix '/aws-service-role/' can only be used for AWS Service linked Roles
	status code: 400, request id: d1cbb0ea-23b5-11e8-a956-bd410b5cb362

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

Panic Output

None

Expected Behavior

Some way to create Service Linked Roles.

Actual Behavior

Failed to create the role - see debug output.

Steps to Reproduce

  1. terraform apply

Important Factoids

None

References

No other obvious issues I could find.


jinnko commented Mar 9, 2018

Creating the role via the CLI as follows works:

aws iam create-service-linked-role --aws-service-name ecs.amazonaws.com

Then importing into the state with the definition as above works:

$ terraform import aws_iam_role.AWSServiceRoleForECS AWSServiceRoleForECS  
aws_iam_role.AWSServiceRoleForECS: Importing from ID "AWSServiceRoleForECS"...
aws_iam_role.AWSServiceRoleForECS: Import complete!
  Imported aws_iam_role (ID: AWSServiceRoleForECS)
aws_iam_role.AWSServiceRoleForECS: Refreshing state... (ID: AWSServiceRoleForECS)

Import successful!

The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.

However when this is done the state file doesn't contain the policy reference to the AmazonECSServiceRolePolicy while the IAM console does contain the link. Additionally when attempting to apply the aws_iam_role_policy_attachment there is an error as follows:

aws_iam_role_policy_attachment.AWSServiceRoleForECS: Creating...
  policy_arn: "" => "arn:aws:iam::aws:policy/aws-service-role/AmazonECSServiceRolePolicy"
  role:       "" => "AWSServiceRoleForECS"

Error: Error applying plan:

1 error(s) occurred:

* aws_iam_role_policy_attachment.AWSServiceRoleForECS: 1 error(s) occurred:

* aws_iam_role_policy_attachment.AWSServiceRoleForECS: [WARN] Error attaching policy arn:aws:iam::aws:policy/aws-service-role/AmazonECSServiceRolePolicy to IAM Role AWSServiceRoleForECS: UnmodifiableEntity: Cannot perform the operation on the protected role 'AWSServiceRoleForECS' - this role is only modifiable by AWS
	status code: 400, request id: 5a44bd46-23bf-11e8-bb20-27965214ee31

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.
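The two failures in this thread, the rejected CreateRole for the /aws-service-role/ path in the first post and the UnmodifiableEntity on policy attachment in this comment, follow from one rule: a service-linked role can only be created through iam:CreateServiceLinkedRole, which names the role and attaches its AWS-managed policy itself, and afterwards the role is owned by AWS. The following is an added example, not code from this issue or from the Terraform AWS provider: a small Python helper that picks the right IAM call from the role's path, refuses policy attachments on service-linked roles up front, and maps the two error lines quoted above to a remediation hint. It assumes boto3's IAM method names (create_service_linked_role, create_role, attach_role_policy) and runs offline against a constructed FakeIAM recorder; the ECS_SLR dict is built from the Terraform definition in the first post.

```python
"""Constructed example (not from the issue or the Terraform AWS provider):
choose the right IAM API call for a role based on its path.

A path starting with /aws-service-role/ marks a service-linked role (SLR).
The issue's debug output shows AWS rejecting iam:CreateRole for that prefix
(InvalidInput) and rejecting iam:AttachRolePolicy on the resulting role
(UnmodifiableEntity). The only valid call is iam:CreateServiceLinkedRole,
which names the role and attaches the AWS-managed policy itself. The helpers
accept any object exposing boto3's IAM method names, so they run offline
against the FakeIAM recorder at the bottom.
"""
import json
import re

SLR_PATH_PREFIX = "/aws-service-role/"


def service_name_from_path(path):
    """Return the service principal encoded in an SLR path, else None.

    "/aws-service-role/ecs.amazonaws.com/" -> "ecs.amazonaws.com"
    """
    if not path.startswith(SLR_PATH_PREFIX):
        return None
    return path[len(SLR_PATH_PREFIX):].strip("/") or None


def create_role(iam, role):
    """Create `role` (a dict mirroring the Terraform fields in the issue:
    name, path, description, assume_role_policy, policy_arns) and return the
    name of the IAM operation used."""
    service = service_name_from_path(role.get("path", "/"))
    if service is not None:
        # SLRs are owned by AWS: their trust policy is fixed and any
        # attach_role_policy would fail with UnmodifiableEntity, so refuse
        # up front instead of leaving a half-applied state behind.
        if role.get("policy_arns"):
            raise ValueError("%s is a service-linked role; drop policy_arns, "
                             "AWS attaches its policy" % role["name"])
        iam.create_service_linked_role(AWSServiceName=service,
                                       Description=role.get("description", ""))
        return "CreateServiceLinkedRole"

    iam.create_role(RoleName=role["name"],
                    Path=role.get("path", "/"),
                    AssumeRolePolicyDocument=json.dumps(role["assume_role_policy"]),
                    Description=role.get("description", ""))
    for arn in role.get("policy_arns", []):
        iam.attach_role_policy(RoleName=role["name"], PolicyArn=arn)
    return "CreateRole"


# Error fragments quoted from the issue's debug output, paired with the fix.
_ERROR_HINTS = [
    (re.compile(r"InvalidInput: Path prefix '/aws-service-role/'"),
     "create the role with iam:CreateServiceLinkedRole, then import it"),
    (re.compile(r"UnmodifiableEntity: .*only modifiable by AWS"),
     "remove the aws_iam_role_policy_attachment; AWS manages the policy"),
]


def classify_iam_error(message):
    """Map an IAM error line from a failed apply to a remediation hint."""
    for pattern, hint in _ERROR_HINTS:
        if pattern.search(message):
            return hint
    return "unrecognised IAM error"


class FakeIAM:
    """Records calls instead of talking to AWS, so the module runs offline."""

    def __init__(self):
        self.calls = []

    def create_service_linked_role(self, **kw):
        self.calls.append(("CreateServiceLinkedRole", kw))

    def create_role(self, **kw):
        self.calls.append(("CreateRole", kw))

    def attach_role_policy(self, **kw):
        self.calls.append(("AttachRolePolicy", kw))


# Constructed from the issue's Terraform definition.
ECS_SLR = {
    "name": "AWSServiceRoleForECS",
    "path": "/aws-service-role/ecs.amazonaws.com/",
    "description": "ECS Service Linked Role",
    "assume_role_policy": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Principal": {"Service": "ecs.amazonaws.com"}}],
    },
}
ECS_POLICY_ARN = "arn:aws:iam::aws:policy/aws-service-role/AmazonECSServiceRolePolicy"

if __name__ == "__main__":
    iam = FakeIAM()
    print(create_role(iam, ECS_SLR), iam.calls)
```

Replacing FakeIAM with `boto3.client("iam")` gives the real behaviour; the path check is the same one AWS applies server-side, so doing it client-side just fails earlier and without a partially updated state.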

@swestcott

Is this a duplicate of #921?


catsby commented Apr 5, 2018

I believe so! Thanks, closing in favor of #921

@catsby catsby closed this as completed Apr 5, 2018

ghost commented Apr 6, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 6, 2020