EBS volume creation does not honor aws:RequestTag #6179

Closed
uasalian opened this issue Oct 17, 2018 · 3 comments
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/ec2 Issues and PRs that pertain to the ec2 service.

@uasalian

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.8
+ provider.aws v1.37.0

Affected Resource(s)

aws_ebs_volume

Terraform Configuration Files

resource "aws_ebs_volume" "myVolume" {
  availability_zone = "us-east-1a"
  size              = "80"
  type              = "gp2"

  tags = {
    Name            = "alpha-Test"
  }
}

Expected Behavior

Should create EBS volume

Actual Behavior

Error: Error applying plan:

1 error(s) occurred:

* aws_ebs_volume.my_volume: 1 error(s) occurred:

* aws_ebs_volume.my_volume: Error creating EC2 volume: UnauthorizedOperation: You are not authorized to perform this operation. Encoded authorization failure message:

Steps to Reproduce

  1. Attach AWS managed policy PowerUserAccess to the IAM user/role executing terraform
  2. Also add the following policy (set the right account id):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ec2:CreateVolume",
        "ec2:RunInstances"
      ],
      "Resource": [
          "arn:aws:ec2:us-east-1:123456789012:instance/*",
          "arn:aws:ec2:us-east-1:123456789012:volume/*"
      ],
      "Condition": {
         "StringNotLike": {
             "aws:RequestTag/Name": "alpha-*"
          }
       }
    }
  ]
}
  3. terraform apply

Important Factoids

The idea is to enforce setting a tag in the form Name=alpha-* while creating EC2 instance and EBS volume. The policy can be tested in AWS CLI (or Console) using:

aws ec2 create-volume --availability-zone us-east-1a --volume-type gp2 --size 80 \
 --tag-specifications 'ResourceType=volume,Tags=[{Key=Name,Value=alpha-Test}]'

But, terraform errors out while creating EBS volume.

@nywilken nywilken added enhancement Requests to existing resources that expand the functionality or scope. service/ec2 Issues and PRs that pertain to the ec2 service. labels Feb 5, 2019
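
Added example (not part of the issue and not the provider's code): a simplified model of how the Deny statement above evaluates `StringNotLike` on `aws:RequestTag/Name`, showing that the statement applies both when the tag value is wrong and when the `CreateVolume` request carries no tags at all. Assumptions: the volume ARN and request contexts are constructed, and the "no tags" case assumes a client that tags the volume in a separate call after creation, which the issue does not state explicitly.

```python
import re

# Deny statement from "Steps to Reproduce", copied as a Python dict.
DENY = {
    "Effect": "Deny",
    "Action": ["ec2:CreateVolume", "ec2:RunInstances"],
    "Resource": [
        "arn:aws:ec2:us-east-1:123456789012:instance/*",
        "arn:aws:ec2:us-east-1:123456789012:volume/*",
    ],
    "Condition": {"StringNotLike": {"aws:RequestTag/Name": "alpha-*"}},
}

def like(pattern, value):
    """IAM-style wildcard match: '*' is any run of characters, '?' exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.DOTALL) is not None

def string_not_like(context, key, pattern):
    # IAM treats a negated operator as true when the condition key is
    # absent from the request context, so a missing tag triggers the Deny.
    if key not in context:
        return True
    return not like(pattern, context[key])

def denied(stmt, action, resource, context):
    """True if the Deny statement applies to this request (simplified model)."""
    if not any(like(a, action) for a in stmt["Action"]):
        return False
    if not any(like(r, resource) for r in stmt["Resource"]):
        return False
    return all(string_not_like(context, k, p)
               for k, p in stmt["Condition"]["StringNotLike"].items())

# Constructed ARN and request contexts (not captured from AWS).
VOLUME = "arn:aws:ec2:us-east-1:123456789012:volume/vol-0example"
REQUESTS = {
    "tags sent in CreateVolume": {"aws:RequestTag/Name": "alpha-Test"},
    "wrong tag value in CreateVolume": {"aws:RequestTag/Name": "beta-Test"},
    "no tags in CreateVolume": {},
}

def evaluate_all():
    return {label: denied(DENY, "ec2:CreateVolume", VOLUME, ctx)
            for label, ctx in REQUESTS.items()}

if __name__ == "__main__":
    for label, is_denied in evaluate_all().items():
        print(f"{'DENY ' if is_denied else 'allow'}  {label}")
```

Only the first request passes the Deny statement, which matches the CLI call with `--tag-specifications` succeeding under the same policy.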
@wedge-jarrad
Contributor

This looks like a duplicate of #1533 and #4428 which were fixed by #6396.

@bflad bflad added this to the v1.44.0 milestone Jul 7, 2020
@bflad
Contributor

bflad commented Jul 7, 2020

I believe @wedge-jarrad is correct above, closing this issue as it should have been resolved in version 1.44.0 of the Terraform AWS Provider.

@bflad bflad closed this as completed Jul 7, 2020
@ghost

ghost commented Aug 6, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Aug 6, 2020