I think this is related to the AWS provider and not Terraform itself, so hopefully it is okay to post here.
I’m running into a strange issue getting AccessDenied errors when creating load balancer rules.
My Terraform role has a policy following ABAC principles that expects a certain tag to be passed to Create and a certain tag on the resource for Modify/Delete actions. A very trimmed down version (including only LB stuff) of what that looks like would be like:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Create",
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:*Tags",
        "elasticloadbalancing:Create*"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": [
            "Team"
          ]
        },
        "StringEqualsIfExists": {
          "aws:RequestTag/Team": "MyTeam"
        }
      }
    },
    {
      "Sid": "ModifyDelete",
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:Delete*",
        "elasticloadbalancing:Modify*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Team": "MyTeam"
        }
      }
    },
    {
      "Sid": "Read",
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:Describe*"
      ],
      "Resource": "*"
    }
  ]
}
For the Terraform resources I am creating:
- aws_lb - supports tags
- aws_lb_listener - does not support tags
- aws_lb_listener_rule - does not support tags
For the corresponding IAM Actions:
- CreateLoadBalancer - supports aws:RequestTags & aws:Tags
- CreateListener - supports aws:RequestTags & aws:Tags
- CreateRule - supports aws:RequestTags & aws:Tags
AWS CLI manual supports this documentation as well
Now when my Terraform runs:
- aws_lb - creates resource successfully, with tags passed in
- aws_lb_listener - creates resource successfully, with no tags passed in
- aws_lb_listener_rule - resource creation fails, with no tags passed in
LB Listener Rule error:
Error: Error creating LB Listener Rule: AccessDenied: User: arn:aws:sts::ACCOUNTID:assumed-role/MYROLE/MYSESSION is not authorized to perform: elasticloadbalancing:CreateRule on resource:
arn:aws:elasticloadbalancing:MYREGION:ACCOUNTID:listener/app/MYLB/MYLISTENER/MYLISTENERID
status code: 403, request id: REQUESTID
I validated this error manually via CLI assuming the same role.
aws elbv2 create-rule --listener-arn 'arn:aws:elasticloadbalancing:MYREGION:ACCOUNTID:listener/app/MYLB/MYLISTENER/MYLISTENERID' --conditions 'Field=path-pattern,Values=/api/*' --priority 99 --actions 'Type=fixed-response,FixedResponseConfig={StatusCode=500}' --tags Key=Team,Value=MyTeam
Result = success
aws elbv2 create-rule --listener-arn 'arn:aws:elasticloadbalancing:MYREGION:ACCOUNTID:listener/app/MYLB/MYLISTENER/MYLISTENERID' --conditions 'Field=path-pattern,Values=/api/*' --priority 99 --actions 'Type=fixed-response,FixedResponseConfig={StatusCode=500}'
Result = failure, same error as Terraform
Sorry, I know this is a lot of text.
I would be expecting the Terraform aws_lb_listener resource creation to fail, in the same manner the aws_lb_listener_rule resource fails, since neither have tags passed to them. My guess is the aws_lb_listener resource is getting the tags from the aws_lb resource, but the aws_lb_listener_rule is NOT getting the tags from the aws_lb_listener.
Does anyone have any ideas? Any help would be appreciated!
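Added example, not code from the original post: a small offline evaluator of the three Allow statements in the policy above. It shows why, under ForAnyValue:StringEquals on aws:TagKeys, a Create* call that sends no tags is denied (the CreateRule 403 reproduced with the CLI) while the same call with Team=MyTeam is allowed. It models only the Allow statements shown, with no explicit Deny or resource-ARN matching; the function names and the create_context helper are assumptions.

```python
import fnmatch

# The poster's trimmed policy, as written above (Effect/Resource omitted: all Allow on "*").
POLICY = {"Statement": [
    {"Sid": "Create", "Action": ["elasticloadbalancing:*Tags", "elasticloadbalancing:Create*"],
     "Condition": {"ForAnyValue:StringEquals": {"aws:TagKeys": ["Team"]},
                   "StringEqualsIfExists": {"aws:RequestTag/Team": "MyTeam"}}},
    {"Sid": "ModifyDelete", "Action": ["elasticloadbalancing:Delete*", "elasticloadbalancing:Modify*"],
     "Condition": {"StringEquals": {"aws:ResourceTag/Team": "MyTeam"}}},
    {"Sid": "Read", "Action": ["elasticloadbalancing:Describe*"]},
]}

def action_matches(pattern: str, action: str) -> bool:
    # IAM action matching is case-insensitive and supports '*' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def condition_holds(cond: dict, ctx: dict) -> bool:
    for op, tests in cond.items():
        for key, expected in tests.items():
            actual = ctx.get(key)
            if op == "ForAnyValue:StringEquals":
                # Set operator: when the request carries no aws:TagKeys at all the
                # condition is false, so an untagged create call is denied.
                if not actual or not set(actual) & set(expected):
                    return False
            elif op == "StringEqualsIfExists":
                # Only enforced when the key is present in the request context.
                if actual is not None and actual != expected:
                    return False
            elif op == "StringEquals":
                if actual != expected:
                    return False
            else:
                raise ValueError(f"operator not modelled: {op}")
    return True

def is_allowed(action: str, ctx: dict, policy: dict = POLICY) -> bool:
    # Only Allow statements exist in this policy; explicit Deny is not modelled.
    return any(
        any(action_matches(p, action) for p in st["Action"])
        and condition_holds(st.get("Condition", {}), ctx)
        for st in policy["Statement"])

def create_context(tags: dict) -> dict:
    # Request context an ELBv2 Create* call produces from its --tags argument (assumed helper).
    ctx = {}
    if tags:
        ctx["aws:TagKeys"] = list(tags)
        ctx.update({f"aws:RequestTag/{k}": v for k, v in tags.items()})
    return ctx
```

Calling is_allowed("elasticloadbalancing:CreateRule", create_context({})) returns False and the same call with {"Team": "MyTeam"} returns True, matching the two CLI runs above.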