enabled = false doesn't work with [requester|accepter]_aws_assume_role_arn because of enabled ternary on the provider definition #81
Labels
bug
🐛 An issue with the system
Comments
tommij
added a commit
to tommij/terraform-aws-vpc-peering-multi-account
that referenced
this issue
Dec 4, 2023
aknysh
pushed a commit
that referenced
this issue
Jan 25, 2024
* remove enabled flags to fix #81 * requested make init/readme * another make readme commit
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the Bug
when running enabled = false, terraform doesn't assume roles on account of the defined assume_role variable as it is not for_eached: [edit, garbled]
https://github.com/cloudposse/terraform-aws-vpc-peering-multi-account/blob/82ba0a4b1612aa7b5e93c188aeb799e1640601a5/requester.tf#L67C5-L67C88
terraform-aws-vpc-peering-multi-account/accepter.tf
Line 9 in 82ba0a4
as a result, teardown is not possible if using either of:
this causes: Error: reading EC2 VPC Peering Connection (pcx-vpc_peering_id): UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::0123456789:assumed-role/some_role is not authorized to perform: ec2:DescribeVpcPeeringConnections because no identity-based policy allows the ec2:DescribeVpcPeeringConnections action
Expected Behavior
setting enabled = false should plan/teardown successfully when using requester_aws_assume_role_arn | accepter_aws_assume_role_arn
Steps to Reproduce
Screenshots
No response
Environment
No response
Additional Context
I believe the provider should always be enabled, including the role_arn part, so removing the enabled ternary part:
for_each = local.enabled && var.accepter_aws_assume_role_arn != "" ? ["true"] : []to ->
for_each = var.[accepter|requester]_aws_assume_role_arnshould fix the issue. will likely draft a pr later.
The text was updated successfully, but these errors were encountered: