From e64cf40f35f48984501be77825d3280ea3e13050 Mon Sep 17 00:00:00 2001
From: Yuriy Natarov
Date: Thu, 12 Sep 2024 23:02:10 +0200
Subject: [PATCH 1/2] Add missing permissions

---
 iam.tf | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/iam.tf b/iam.tf
index 6097596..96a518e 100644
--- a/iam.tf
+++ b/iam.tf
@@ -655,6 +655,7 @@ data "aws_iam_policy_document" "doublecloud_airflow" {
 "rds:CreateDBInstance",
 "rds:CreateDBCluster",
 "rds:CreateDBParameterGroup",
+ "rds:ModifyDBParameterGroup",
 ]
 resources = [
 "arn:aws:rds:${local.region}:${local.account_id}:*:airflow-afc*",
@@ -672,6 +673,12 @@ data "aws_iam_policy_document" "doublecloud_airflow" {
 "arn:aws:s3:::airflow-remote-logging-*/*",
 ]
 }
+
+ statement {
+ effect = "Allow"
+ actions = ["kms:CreateAlias"]
+ resources = ["arn:aws:kms:${local.region}:${local.account_id}:alias/airflow-afc*"]
+ }
 }
 
 # AWS IAM returns AccessDenied error right after Role creation.

From ada3f5248507c60ef09b9a7b742b50a84afc730c Mon Sep 17 00:00:00 2001
From: Yuriy Natarov
Date: Fri, 13 Sep 2024 09:35:59 +0200
Subject: [PATCH 2/2] move kms block

---
 iam.tf | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/iam.tf b/iam.tf
index 96a518e..3c8ec99 100644
--- a/iam.tf
+++ b/iam.tf
@@ -648,6 +648,12 @@ data "aws_iam_policy_document" "doublecloud_airflow" {
 ]
 }
 
+ statement {
+ effect = "Allow"
+ actions = ["kms:CreateAlias"]
+ resources = ["arn:aws:kms:${local.region}:${local.account_id}:alias/airflow-afc*"]
+ }
+
 statement {
 effect = "Allow"
 actions = [
@@ -673,12 +679,6 @@ data "aws_iam_policy_document" "doublecloud_airflow" {
 "arn:aws:s3:::airflow-remote-logging-*/*",
 ]
 }
-
- statement {
- effect = "Allow"
- actions = ["kms:CreateAlias"]
- resources = ["arn:aws:kms:${local.region}:${local.account_id}:alias/airflow-afc*"]
- }
 }
 
 # AWS IAM returns AccessDenied error right after Role creation.
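Review bot: The new `"rds:ModifyDBParameterGroup"` entry in the first hunk of PATCH 1/2 carries no note on why it is needed, and the commit message only says "missing permissions", so the next least-privilege review has nothing to check it against; a short inline comment would fix that, e.g. `"rds:ModifyDBParameterGroup", # TODO(review): record which engine parameters are set on the airflow-afc* groups`. The resource pattern at the end of the hunk, `arn:aws:rds:${local.region}:${local.account_id}:*:airflow-afc*`, uses `*` in the resource-type slot, so it does cover the parameter-group ARNs this action operates on, but it equally covers every other RDS resource type with that name prefix; if the parameter-group actions are the only ones needing that type, a separate statement scoped to `pg:airflow-afc*` would be tighter. Parameter-group edits can change security-relevant engine settings (logging and transport-encryption parameters, for instance), which is why the scope is worth documenting. The actions list and the enclosing `data "aws_iam_policy_document" "doublecloud_airflow"` block both start outside the hunk.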
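Review bot: `kms:CreateAlias` is authorised against two resources, the alias ARN and the KMS key the alias is attached to, and the new statement in the second hunk of PATCH 1/2 only names the alias (`alias/airflow-afc*`), so the call will still be denied unless the key policy or another statement allows `kms:CreateAlias` on the key itself; nothing in the hunk shows such a grant. When the key-side allow is added it should name the specific key ARN(s) rather than `*`, otherwise the alias-name prefix here becomes the only limit and the role could attach a conforming alias to any key in the account. A one-line comment on the statement would spare the next reader the lookup, e.g. `# kms:CreateAlias also needs an allow on the target key ARN (key policy or a statement naming the key)`. The same statement is carried unchanged into the first hunk of PATCH 2/2 ("move kms block"), so the point applies there too. The enclosing `data "aws_iam_policy_document" "doublecloud_airflow"` block starts outside the hunk.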