Firewall Manager does not allow deletion and creation from same role #19928

Open
Benbentwo opened this issue Jun 22, 2021 · 4 comments
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/fms Issues and PRs that pertain to the fms service.

Comments

@Benbentwo

When trying to apply and then destroy a Firewall Manager admin account, you must assume different roles in order to apply and destroy. This means the supporting modules must use workarounds to specify which role to assume, based on which Terraform command is being run.

Upon further investigation this does appear to be an issue with the AWS SDK, as the same issue arises with the CLI. See the Important Factoids section below.

Terraform CLI and Terraform AWS Provider Version

Terraform v0.13.7
AWS Provider 3.46.0

Affected Resource(s)

Terraform Configuration Files

This block must have the provider alias turned off to be deleted: it must assume Org Management to be created, but Firewall Manager (default) to be destroyed.

resource "aws_fms_admin_account" "default" {
  # Created with the management-account role; deletion only succeeds from the FMS admin account's role
  provider   = aws.organization_management
  account_id = var.admin_account_id
}

providers.tf

// Security Account
provider "aws" {
  region = var.region
  assume_role {
    role_arn = var.firewall_manager_administrator_arn
  }
}


// Root Account
provider "aws" {
  alias  = "organization_management"
  region = "us-east-1"
  assume_role {
    role_arn = var.organization_management_arn
  }
}

variables.tf

variable "admin_account_id" {
  type        = string
}

variable "organization_management_arn" {
  type        = string
  default     = null
}

variable "firewall_manager_administrator_arn" {
  type        = string
  default     = null
}

variable "region" {
  type        = string
  description = "AWS Region"
}

Expected Behavior

The Resource can be created and destroyed regularly.

Actual Behavior

The resource fails to delete with the error

An error occurred (AccessDeniedException) when calling the DisassociateAdminAccount operation: Operation: DisassociateAdminAccount is only available to Administration account in AWS Firewall Manager.

Steps to Reproduce

  1. terraform apply
  2. terraform destroy

Important Factoids

Running into the same issue with aws cli.

# Association works from the management account
AWS_PROFILE=organization_management_profile aws fms associate-admin-account --admin-account <firewall_manager_administrator_account> --region us-east-1

# This fails
AWS_PROFILE=organization_management_profile aws fms disassociate-admin-account --region us-east-1

# But this works
AWS_PROFILE=firewall_manager_profile aws fms disassociate-admin-account --region us-east-1

I realize this means it is not a Terraform AWS provider issue. But this will help add visibility perhaps and start a discussion.

@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. service/fms Issues and PRs that pertain to the fms service. labels Jun 22, 2021
@ewbankkit ewbankkit added enhancement Requests to existing resources that expand the functionality or scope. and removed needs-triage Waiting for first response or review from a maintainer. labels Jun 28, 2021
@dpowley
Contributor

dpowley commented Jun 28, 2021

Per an email from AWS (I can't find any documentation out yet), effective June 25, 2021 you will be able to register and deregister a delegated administrator account for Firewall Manager using the AWS Organizations API.

So to set up the admin account, you can use the following TF resource: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_delegated_administrator. Not sure how this will affect the above scenario, but figured I'd put that out there.

@haraldmeister

I'm trying to use this resource https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_delegated_administrator, but I cannot find the right service principal, since neither "wafv2.amazonaws.com" nor "waf.amazonaws.com" seems to be recognized as a principal.

@arekgoral

It is fms.amazonaws.com.

Only it is not working for me. Error: error creating Organizations DelegatedAdministrator (123456789012): AccountAlreadyRegisteredException: The provided account is already a delegated administrator for your organization.

@posquit0
Contributor

posquit0 commented Nov 9, 2022

I have the same issue with FMS API. Can I use the AWS Organizations API now?
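The Organizations-based registration that dpowley, haraldmeister and arekgoral discuss above, written out as an added example (this is not code from the issue, the reporter, or the provider's own test suite). It assumes the same `organization_management` provider alias and `admin_account_id` / `organization_management_arn` variables as the reporter's providers.tf and variables.tf; the `fms` resource name, the `fms_service_principal` local and the output are this example's own names.

```hcl
# Management (root) account of the organization. RegisterDelegatedAdministrator
# can only be called from here, so this is the only provider the resource needs.
provider "aws" {
  alias  = "organization_management"
  region = "us-east-1"
  assume_role {
    role_arn = var.organization_management_arn
  }
}

variable "admin_account_id" {
  type        = string
  description = "Account that will become the Firewall Manager administrator"
}

variable "organization_management_arn" {
  type        = string
  description = "Role ARN in the organization management account"
}

locals {
  # Service principal for Firewall Manager (assumption from the thread above:
  # "fms.amazonaws.com" is accepted, "waf.amazonaws.com" / "wafv2.amazonaws.com" are not).
  fms_service_principal = "fms.amazonaws.com"
}

# Registers (and on destroy, deregisters) the delegated administrator through
# the AWS Organizations API rather than the FMS AssociateAdminAccount API, so
# both apply and destroy run under the same management-account role.
resource "aws_organizations_delegated_administrator" "fms" {
  provider          = aws.organization_management
  account_id        = var.admin_account_id
  service_principal = local.fms_service_principal
}

# Same shape as the resource's import ID: <account_id>/<service_principal>
output "fms_delegated_administrator_id" {
  value = "${aws_organizations_delegated_administrator.fms.account_id}/${aws_organizations_delegated_administrator.fms.service_principal}"
}
```

Two checks before applying this. First, Organizations will only register a delegated administrator for a service whose trusted access is already enabled; if `aws organizations list-aws-service-access-for-organization` does not list `fms.amazonaws.com`, enable it first with `aws organizations enable-aws-service-access --service-principal fms.amazonaws.com` from the management account. Second, if the account was previously associated with `aws fms associate-admin-account`, Organizations already lists it as the delegated administrator and `terraform apply` fails with the `AccountAlreadyRegisteredException` arekgoral reports; confirm with `aws organizations list-delegated-administrators --service-principal fms.amazonaws.com`, then adopt the existing registration instead of recreating it: `terraform import aws_organizations_delegated_administrator.fms <admin_account_id>/fms.amazonaws.com`.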
