### Describe the Bug

When running with `enabled = false`, Terraform doesn't assume roles on account of the defined `assume_role` variable, as it is not `for_each`ed: [edit, garbled]

https://github.com/cloudposse/terraform-aws-vpc-peering-multi-account/blob/82ba0a4b1612aa7b5e93c188aeb799e1640601a5/requester.tf#L67C5-L67C88

terraform-aws-vpc-peering-multi-account/accepter.tf, line 9 in 82ba0a4

As a result, teardown is not possible if using either of:

- `requester_aws_assume_role_arn`
- `accepter_aws_assume_role_arn`

This causes:

```
Error: reading EC2 VPC Peering Connection (pcx-vpc_peering_id): UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::0123456789:assumed-role/some_role is not authorized to perform: ec2:DescribeVpcPeeringConnections because no identity-based policy allows the ec2:DescribeVpcPeeringConnections action
```

### Expected Behavior

Setting `enabled = false` should plan/teardown successfully when using `requester_aws_assume_role_arn` | `accepter_aws_assume_role_arn`.

### Steps to Reproduce

1. Start multi-account peering with `requester_aws_assume_role_arn` or `accepter_aws_assume_role_arn`
2. Apply
3. Set `enabled = false`
4. Plan -> permission denied (assuming the role Terraform is running as initially doesn't have permissions to either of the two accounts, and would depend on role chaining)

### Screenshots

No response

### Environment

No response

### Additional Context

I believe the provider should always be enabled, including the `role_arn` part, so removing the `enabled` ternary part:

```hcl
for_each = local.enabled && var.accepter_aws_assume_role_arn != "" ? ["true"] : []
```

to:

```
for_each = var.[accepter|requester]_aws_assume_role_arn
```

should fix the issue. Will likely draft a PR later.