loads of errors when permission to view org is missing #51


Comments

@marafa-sugarcrm

There are loads of errors when I do not have permissions to view the org info.

225-get-cvpn-endpoints.sh runtime 6 seconds
-------------------------------------------------------------------
. ../../scripts/227-get-vpn-connections.sh
Found Error: │ Error: listing AWS Organization (<redacted>) accounts: AccessDeniedException: You don't have permissions to access this resource. .... (pass for now)
import.log adjust
--> Validate Fixer
Success! The configuration is valid.
@awsandy

awsandy commented Jun 12, 2023

Committed a change that should hopefully skip around these when you don't have access.

@marafa-sugarcrm

marafa-sugarcrm commented Jun 12, 2023

I see this now:

skipping 030-get-iam-users.sh
skipping 034-get-iam-groups.sh
skipping 050-get-iam-roles.sh
skipping 051-get-iam-role-policies.sh
skipping 052-get-iam-attached-role-policies.sh
skipping 055-get-iam-policies.sh
skipping 056-get-iam-instance-profile.sh
skipping 057-get-iam-access-key.sh

Perhaps I should explain: I am using AWS SSO and my permission set is the AWS default admin role, so I do have access to IAM.

I am also still seeing the issue:

. ../../scripts/070-get-cw-log-grp.sh
ncpu=32
aws --profile addoptify --region eu-west-1 --output json logs describe-log-groups
Importing aws_cloudwatch_log_group /ecs/test-AgentTaskDefinition-P9GMBYE6H5RR2 _ecs_test-AgentTaskDefinition-P9GMBYE6H5RR2
Importing aws_cloudwatch_log_group RDSOSMetrics RDSOSMetrics
Waiting for 3 Terraform imports
Importing aws_cloudwatch_log_group test-ECSLogGroup-1IJZW5XQ6ZAKA test-ECSLogGroup-1IJZW5XQ6ZAKA
Wait completed ..... imported 2
aws_cloudwatch_log_group /ecs/test-AgentTaskDefinition-P9GMBYE6H5RR2 tf files
aws_cloudwatch_log_group RDSOSMetrics tf files
aws_cloudwatch_log_group test-ECSLogGroup-1IJZW5XQ6ZAKA tf files
Starting state mv for aws_cloudwatch_log_group
Consolidated state aws_cloudwatch_log_group.RDSOSMetrics
Consolidated state aws_cloudwatch_log_group._ecs_test-AgentTaskDefinition-P9GMBYE6H5RR2
Consolidated state aws_cloudwatch_log_group.test-ECSLogGroup-1IJZW5XQ6ZAKA
Found Error: │ Error: listing AWS Organization (o-org-id) accounts: AccessDeniedException: You don't have permissions to access this resource. .... (pass for now)
import.log adjust
--> Validate Fixer
Success! The configuration is valid.

@awsandy

awsandy commented Jun 12, 2023

What was the corresponding aws2tf.sh command you used when you saw the "skipping 030-get-iam-users.sh" etc. lines?

Skipping IAM stuff can be by design, because when other resources are found the necessary IAM is pulled in as a dependency.

If you still want ALL the IAM stuff you can always do a subsequent:
./aws2tf.sh -t iam -c yes -f yes

(Committed another change to get more output on the skipping, as there are two reasons that can happen.)

@marafa-sugarcrm

Corresponding command: just aws2tf with -v yes.

@awsandy

awsandy commented Jun 12, 2023

Committed more changes to help track this down. Also, please run with debug on:

./aws2tf.sh -v yes -d yes

This will help me track down the "Found Error: │ Error: listing AWS Organization (o-4oizb4q5g1) accounts:", as it will exit soon after the error occurs (-d yes).

@marafa-sugarcrm

cmd: ./aws2tf.sh -d -v yes

t= pre=* i= exclude=iam
loop through providers
. ../../scripts/type-get-transitgw.sh
aws --profile profile --region region --output json ec2 describe-transit-gateways --transit-gateway-ids yes --filters "Name=state,Values=available"
aws --profile profile --region region --output json  ec2 describe-transit-gateways --transit-gateway-ids yes --filters "Name=state,Values=available" : You don't have access for this resource
Success! The configuration is valid.

type-get-transitgw.sh runtime 11 seconds
-------------------------------------------------------------------
. ../../scripts/010-get-organization.sh
aws --profile profile --region region --output json organizations describe-organization
aws_organizations_organization o-??? import

│ Error: listing AWS Organization (o-???) accounts: AccessDeniedException: You don't have permissions to access this resource.
│
│
╵

aws_organizations_organization.o-???: Importing from ID "o-???"...
No state file was found!

State management commands require a state file. Run this command
in a directory where Terraform has been run or use the -state flag
to point the command to a specific state location.
Found Error: │ Error: listing AWS Organization (o-???) accounts: AccessDeniedException: You don't have permissions to access this resource.
debug flag is on so exiting ....
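The thread asks for the Organizations calls to be skipped when the caller lacks access rather than aborting the whole run. The following is an added example of that pattern, not code from aws2tf: a POSIX sh wrapper that classifies the CLI's stderr and treats an AccessDeniedException as a skip while still failing on other errors. The `classify_aws_error` and `run_optional` names and the sample error line are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not part of aws2tf): wrap an AWS CLI call so that an
# AccessDeniedException is logged and skipped instead of aborting the run,
# while other failures (missing credentials, bad arguments) still fail.
# organizations:ListAccounts only succeeds from the management account or a
# delegated administrator, so an admin permission set used in a member
# account produces exactly the error quoted in this thread.

# classify_aws_error ERRTEXT: prints "skip", "retry" or "fail".
classify_aws_error() {
  case "$1" in
    *AccessDenied*|*"You don't have access"*) echo skip ;;
    *Throttling*|*TooManyRequests*)          echo retry ;;
    *)                                       echo fail ;;
  esac
}

# run_optional DESCRIPTION CMD [ARGS...]: run CMD, passing its stdout
# through. Returns 0 on success or on an access-denied skip, 1 otherwise.
run_optional() {
  desc="$1"; shift
  errfile="$(mktemp)" || return 1
  if "$@" 2>"$errfile"; then
    rm -f "$errfile"
    return 0
  fi
  err="$(cat "$errfile")"
  rm -f "$errfile"
  case "$(classify_aws_error "$err")" in
    skip)  echo "skipping $desc: access denied (pass for now)" >&2; return 0 ;;
    retry) echo "$desc throttled, rerun later: $err" >&2; return 1 ;;
    *)     echo "$desc failed: $err" >&2; return 1 ;;
  esac
}

# Constructed sample of the stderr quoted in this thread (no live call made):
SAMPLE_DENIED="An error occurred (AccessDeniedException) when calling the ListAccounts operation: You don't have permissions to access this resource."
echo "sample classified as: $(classify_aws_error "$SAMPLE_DENIED")"   # prints: sample classified as: skip

# Live usage in an aws2tf-style script would look like:
#   run_optional "organizations list-accounts" \
#     aws --profile "$profile" --region "$region" --output json organizations list-accounts
```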
