Error creating SSO permission set TerraformUpdateAccess #97
When running, the creation of the permission sets gets stuck with the following error, trying to set an empty string for the dynamo permissions:

│ Error: putting SSO Permission Set (arn:aws:sso:::permissionSet/ssoins-xxx/ps-xxx) Inline Policy: operation error SSO Admin: PutInlinePolicyToPermissionSet, https response error StatusCode: 400, RequestID: xxx, ValidationException: Invalid PermissionsPolicy Document {"Statement":[{"Action":["s3:PutObject","s3:ListBucket","s3:GetObject"],"Effect":"Allow","Resource":["arn:aws:s3:::xxx-core-use1-root-tfstate/*","arn:aws:s3:::xxx-core-use1-root-tfstate"],"Sid":"TerraformStateBackendS3Bucket"},{"Action":["dynamodb:PutItem","dynamodb:GetItem","dynamodb:DeleteItem"],"Effect":"Allow","Resource":"","Sid":"TerraformStateBackendDynamoDbTable"}],"Version":"2012-10-17"}.

Given that we create the state backend with the lock in S3 instead of dynamo (
Thanks for catching that! You are correct - since we're using s3_state_lock_enabled: true, the DynamoDB table isn't being used for state locking and the associated IAM permissions should not be included in the permission set. I'm updating the policy now so that the DynamoDB permissions are omitted when S3 locking is enabled. I'll have a PR up shortly to address this.

Appreciate you pointing it out!
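One way to implement the fix the reply describes, as an added example that is not the project's own code: a Terraform policy document in which the DynamoDB statement is generated only when S3 state locking is disabled, so the inline policy sent to PutInlinePolicyToPermissionSet never carries an empty Resource. The Sid values and actions are taken from the error above; the variable names (s3_state_lock_enabled, tfstate_bucket_arn, tfstate_dynamodb_table_arn, sso_instance_arn) and the resource names are assumptions.

```hcl
# Added example, not the project's code. Variable and resource names are assumptions.
variable "s3_state_lock_enabled" {
  description = "Use S3 native state locking instead of a DynamoDB lock table"
  type        = bool
  default     = true
}

variable "tfstate_bucket_arn" {
  type = string
}

variable "tfstate_dynamodb_table_arn" {
  description = "Only required when s3_state_lock_enabled is false"
  type        = string
  default     = ""
}

variable "sso_instance_arn" {
  type = string
}

data "aws_iam_policy_document" "terraform_update_access" {
  statement {
    sid     = "TerraformStateBackendS3Bucket"
    effect  = "Allow"
    actions = ["s3:PutObject", "s3:ListBucket", "s3:GetObject"]
    resources = [
      var.tfstate_bucket_arn,
      "${var.tfstate_bucket_arn}/*",
    ]
  }

  # Emit the DynamoDB statement only when the lock table is actually in use.
  # With S3 locking enabled the for_each list is empty, so the statement is
  # dropped entirely instead of being rendered with "Resource": "".
  dynamic "statement" {
    for_each = var.s3_state_lock_enabled ? [] : [var.tfstate_dynamodb_table_arn]
    content {
      sid       = "TerraformStateBackendDynamoDbTable"
      effect    = "Allow"
      actions   = ["dynamodb:PutItem", "dynamodb:GetItem", "dynamodb:DeleteItem"]
      resources = [statement.value]
    }
  }

  # Fail at plan time if DynamoDB locking is selected but no table ARN was given,
  # rather than letting the SSO Admin API reject the document with a 400.
  lifecycle {
    precondition {
      condition     = var.s3_state_lock_enabled || var.tfstate_dynamodb_table_arn != ""
      error_message = "tfstate_dynamodb_table_arn must be set when s3_state_lock_enabled is false."
    }
  }
}

resource "aws_ssoadmin_permission_set" "terraform_update_access" {
  name         = "TerraformUpdateAccess"
  instance_arn = var.sso_instance_arn
}

resource "aws_ssoadmin_permission_set_inline_policy" "terraform_update_access" {
  instance_arn       = var.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.terraform_update_access.arn
  inline_policy      = data.aws_iam_policy_document.terraform_update_access.json
}
```

With s3_state_lock_enabled = true, terraform plan renders a policy containing only the S3 statement, which is also the least-privilege result: the permission set no longer carries a DynamoDB grant for a table it never touches. The precondition covers the other branch, where a missing table ARN would otherwise surface only as the same ValidationException at apply time.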