dms-vpc-role not created before aws_dms_replication_instance #7748

Closed
ghost opened this issue Feb 27, 2019 · 6 comments · Fixed by #9173
Labels: documentation (Introduces or discusses updates to documentation.)

Comments

ghost commented Feb 27, 2019

This issue was originally opened by @neovasili as hashicorp/terraform#20346. It was migrated here as a result of the provider split. The original body of the issue is below.


Terraform Version

Terraform v0.11.11

Terraform Configuration Files

resource "aws_dms_replication_instance" "dynamodb-import-instance" {
  engine_version             = "3.1.2"
  multi_az                   = "false"
  publicly_accessible        = "false"
  replication_instance_class = "${ var.dms_replication_instance_type }"
  replication_instance_id    = "${ var.replication_instance_id }"

  tags {
    description = "test"
  }
}

resource "aws_iam_role" "dms-vpc-role" {
  name = "dms-vpc-role"

  assume_role_policy = "${ data.aws_iam_policy_document.dms-vpc-role-policy.json }"
}

data "aws_iam_policy_document" "dms-vpc-role-policy" {
  statement {
    actions = [ "sts:AssumeRole" ]

    principals {
      type        = "Service"
      identifiers = [ "dms.amazonaws.com" ]
    }
  }
}

Crash Output

Error: Error applying plan:

1 error(s) occurred:

  • aws_dms_replication_instance.dynamodb-import-instance: 1 error(s) occurred:

  • aws_dms_replication_instance.dynamodb-import-instance: error creating DMS Replication Instance: AccessDeniedFault: The IAM Role arn:aws:iam::xxxxxxxx:role/dms-vpc-role is not configured properly.
    status code: 400, request id: xxxxxxxxx

Expected Behavior

Apply complete! Resources: X added, 0 changed, 0 destroyed.

Actual Behavior

Fails to apply because the IAM role is created after the DMS replication instance.

Steps to Reproduce

terraform apply

Additional context

If you perform a second terraform apply, all changes are applied perfectly.

@phillycheeze

I get the same error when trying to create a replication instance with an additional aws_dms_replication_subnet_group.

Error:

module.datawarehouse.aws_dms_replication_subnet_group.dms: Creating...

Error: AccessDeniedFault: The IAM Role arn:aws:iam::123456789:role/dms-vpc-role is not configured properly.
	status code: 400, request id: 8cfa6491-8762-40a3-a1bb-31cc63a5a0f3

  on modules/datawarehouse/dms.tf line 4, in resource "aws_dms_replication_subnet_group" "dms":
   4: resource "aws_dms_replication_subnet_group" "dms" {

@phillycheeze

So the resource assumes that a Role already exists to create the resources. This isn't the case if you have never created a DMS resource in your account before.

A quick way to solve this is to go into your AWS console and create a temp DMS replication instance. Once it is created, delete it. AWS will provision the roles for you and the terraform script will use them from now on.

It would be nice if Terraform documented this somewhere or provided a useful error message. I had to look at the original pull request to find out that this was assumed functionality.

For a full solution, you'd have to create the roles manually and name them exactly as terraform/AWS expects them. I suspect this will be a bad idea and causes issues later on. The roles/policies are quite complex.

@bflad (Contributor)

bflad commented Jun 27, 2019

Thanks for the heads up, @phillycheeze 👍 This is indeed a documentation issue on our end, and as such I am marking this issue accordingly.

The DMS service is where the specifically named IAM Role requirement comes from: https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.APIRole.html

Here is an example configuration that can accomplish the creation of these roles, using the available AWS managed service policies that automatically receive updates:

data "aws_iam_policy_document" "dms_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      identifiers = ["dms.amazonaws.com"]
      type        = "Service"
    }
  }
}

resource "aws_iam_role" "dms-access-for-endpoint" {
  assume_role_policy = "${data.aws_iam_policy_document.dms_assume_role.json}"
  name               = "dms-access-for-endpoint"
}

resource "aws_iam_role_policy_attachment" "dms-access-for-endpoint-AmazonDMSRedshiftS3Role" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonDMSRedshiftS3Role"
  role       = "${aws_iam_role.dms-access-for-endpoint.name}"
}

resource "aws_iam_role" "dms-cloudwatch-logs-role" {
  assume_role_policy = "${data.aws_iam_policy_document.dms_assume_role.json}"
  name               = "dms-cloudwatch-logs-role"
}

resource "aws_iam_role_policy_attachment" "dms-cloudwatch-logs-role-AmazonDMSCloudWatchLogsRole" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonDMSCloudWatchLogsRole"
  role       = "${aws_iam_role.dms-cloudwatch-logs-role.name}"
}

resource "aws_iam_role" "dms-vpc-role" {
  assume_role_policy = "${data.aws_iam_policy_document.dms_assume_role.json}"
  name               = "dms-vpc-role"
}

resource "aws_iam_role_policy_attachment" "dms-vpc-role-AmazonDMSVPCManagementRole" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonDMSVPCManagementRole"
  role       = "${aws_iam_role.dms-vpc-role.name}"
}

I have submitted a pull request to update the documentation here: #9173

Hope this helps.

@bflad bflad added documentation Introduces or discusses updates to documentation. and removed needs-triage Waiting for first response or review from a maintainer. labels Jun 27, 2019
@bflad bflad self-assigned this Jun 27, 2019
@bflad bflad added this to the v2.17.0 milestone Jun 27, 2019
@phillycheeze

Thanks @bflad! This probably goes without saying, but if AWS has already created the roles for you, that code sample won't work, since it'll throw an error saying the roles already exist. In that case, it's probably better to go and delete the roles that AWS created for you. Just a heads up if anyone runs into this problem.

@leeuw471

leeuw471 commented Jul 3, 2019

I am still getting the error on the first run; a second apply straight after does work.
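The configuration in bflad's comment creates the roles, but nothing in aws_dms_replication_instance or aws_dms_replication_subnet_group references them, so Terraform has no dependency edge and may still call DMS before the role and its policy attachment exist. That is consistent with the "still fails on the first run" report above. The following is an added example, not code from the issue or from the provider documentation, written in Terraform 0.12+ syntax. It wires the ordering in explicitly with depends_on. The resource names, the subnet_ids variable, the replication instance class and the identifiers are assumptions chosen for illustration; the role name dms-vpc-role and the AmazonDMSVPCManagementRole policy ARN are the ones DMS requires.

```hcl
# Added example (not part of the original issue). Terraform 0.12+ syntax.
# Assumes a configured AWS provider and that no dms-vpc-role exists yet in
# the account (see the import note below if AWS already created one).

variable "subnet_ids" {
  description = "Subnets for the DMS replication subnet group (assumed input)"
  type        = list(string)
}

data "aws_iam_policy_document" "dms_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["dms.amazonaws.com"]
    }
  }
}

# DMS looks this role up by its fixed name, so the name is not optional.
resource "aws_iam_role" "dms_vpc_role" {
  name               = "dms-vpc-role"
  assume_role_policy = data.aws_iam_policy_document.dms_assume_role.json
}

# The AWS managed policy grants the EC2 network-interface permissions DMS
# needs to place the replication instance in the VPC.
resource "aws_iam_role_policy_attachment" "dms_vpc_role" {
  role       = aws_iam_role.dms_vpc_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonDMSVPCManagementRole"
}

resource "aws_dms_replication_subnet_group" "example" {
  replication_subnet_group_id          = "example-dms-subnet-group" # assumed
  replication_subnet_group_description = "example"
  subnet_ids                           = var.subnet_ids

  # No attribute here references the role, so Terraform cannot infer the
  # ordering on its own. Without this, the DMS call can run before the role
  # and its attachment exist, which is the AccessDeniedFault in this issue.
  depends_on = [aws_iam_role_policy_attachment.dms_vpc_role]
}

resource "aws_dms_replication_instance" "example" {
  replication_instance_id     = "example-dms-instance" # assumed
  replication_instance_class  = "dms.t2.micro"         # assumed
  allocated_storage           = 20
  publicly_accessible         = false
  multi_az                    = false
  replication_subnet_group_id = aws_dms_replication_subnet_group.example.id

  # Same reasoning: depend on the attachment, not just the role, so the
  # instance is created only after the role actually carries its policy.
  depends_on = [aws_iam_role_policy_attachment.dms_vpc_role]
}
```

Two caveats. First, if the console has already provisioned dms-vpc-role (the situation phillycheeze describes), creating it again fails with an "already exists" error; rather than deleting the role, bring it under management with `terraform import aws_iam_role.dms_vpc_role dms-vpc-role` and `terraform import aws_iam_role_policy_attachment.dms_vpc_role dms-vpc-role/arn:aws:iam::aws:policy/service-role/AmazonDMSVPCManagementRole`, then plan to confirm no diff. Second, depends_on orders the API calls but does not wait for IAM propagation; a freshly created role can be invisible to DMS for a few seconds, so a first apply may still hit the same AccessDeniedFault and succeed on retry. If that happens in practice, a short delay between the attachment and the DMS resources (for example a time_sleep resource from the hashicorp/time provider) is the usual workaround.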

@ghost (Author)

ghost commented Nov 3, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Nov 3, 2019