Terraform-provider-aws: dms-vpc-role not created before aws_dms_replication_instance

Created on 27 Feb 2019  ·  6 comments  ·  Source: hashicorp/terraform-provider-aws

_This issue was originally opened by @neovasili as hashicorp/terraform#20346. It was migrated here as a result of the provider split. The original body of the issue is below._


Terraform Version

Terraform v0.11.11

Terraform Configuration Files

resource "aws_dms_replication_instance" "dynamodb-import-instance" {
  engine_version             = "3.1.2"
  multi_az                   = "false"
  publicly_accessible        = "false"
  replication_instance_class = "${var.dms_replication_instance_type}"
  replication_instance_id    = "${var.replication_instance_id}"

  tags {
    description = "test"
  }
}

resource "aws_iam_role" "dms-vpc-role" {
  name = "dms-vpc-role"

  assume_role_policy = "${data.aws_iam_policy_document.dms-vpc-role-policy.json}"
}

data "aws_iam_policy_document" "dms-vpc-role-policy" {
  statement {
    actions = [ "sts:AssumeRole" ]

    principals {
      type        = "Service"
      identifiers = [ "dms.amazonaws.com" ]
    }
  }
}

Crash Output


Error: Error applying plan:

1 error(s) occurred:

  • aws_dms_replication_instance.dynamodb-import-instance: 1 error(s) occurred:

  • aws_dms_replication_instance.dynamodb-import-instance: error creating DMS Replication Instance: AccessDeniedFault: The IAM Role arn:aws:iam::xxxxxxxx:role/dms-vpc-role is not configured properly.
    status code: 400, request id: xxxxxxxxx

Expected Behavior


Apply complete! Resources: X added, 0 changed, 0 destroyed.

Actual Behavior


Fails to apply because the IAM role is created after the DMS replication instance.

Steps to Reproduce


terraform apply

Additional context

If you perform a second terraform apply, all changes are applied perfectly.

Labels: documentation, service/databasemigrationservice

All 6 comments

I get the same error when trying to create a replication instance with an additional aws_dms_replication_subnet_group.

Error:

module.datawarehouse.aws_dms_replication_subnet_group.dms: Creating...

Error: AccessDeniedFault: The IAM Role arn:aws:iam::123456789:role/dms-vpc-role is not configured properly.
    status code: 400, request id: 8cfa6491-8762-40a3-a1bb-31cc63a5a0f3

  on modules/datawarehouse/dms.tf line 4, in resource "aws_dms_replication_subnet_group" "dms":
   4: resource "aws_dms_replication_subnet_group" "dms" {

So the resource assumes that a Role already exists to create the resources. This isn't the case if you have never created a DMS resource in your account before.

A quick way to solve this is to go into your AWS console and create a temp DMS replication instance. Once it is created, delete it. AWS will provision the roles for you and the terraform script will use them from now on.

It would be nice if Terraform documented this somewhere or provided a useful error message. I had to look at the original pull request to find out that this was assumed functionality.

For a full solution, you'd have to create the roles manually and name them exactly as terraform/AWS expects them. I suspect this will be a bad idea and causes issues later on. The roles/policies are quite complex.

Thanks for the heads up, @phillycheeze 👍 This is indeed a documentation issue on our end and as such I am marking this issue accordingly.

The DMS service is where the specifically named IAM Role requirement comes from: https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.APIRole.html

Here is an example configuration that can accomplish the creation of these roles, using the available AWS managed service policies that automatically receive updates:

data "aws_iam_policy_document" "dms_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      identifiers = ["dms.amazonaws.com"]
      type        = "Service"
    }
  }
}

resource "aws_iam_role" "dms-access-for-endpoint" {
  assume_role_policy = "${data.aws_iam_policy_document.dms_assume_role.json}"
  name               = "dms-access-for-endpoint"
}

resource "aws_iam_role_policy_attachment" "dms-access-for-endpoint-AmazonDMSRedshiftS3Role" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonDMSRedshiftS3Role"
  role       = "${aws_iam_role.dms-access-for-endpoint.name}"
}

resource "aws_iam_role" "dms-cloudwatch-logs-role" {
  assume_role_policy = "${data.aws_iam_policy_document.dms_assume_role.json}"
  name               = "dms-cloudwatch-logs-role"
}

resource "aws_iam_role_policy_attachment" "dms-cloudwatch-logs-role-AmazonDMSCloudWatchLogsRole" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonDMSCloudWatchLogsRole"
  role       = "${aws_iam_role.dms-cloudwatch-logs-role.name}"
}

resource "aws_iam_role" "dms-vpc-role" {
  assume_role_policy = "${data.aws_iam_policy_document.dms_assume_role.json}"
  name               = "dms-vpc-role"
}

resource "aws_iam_role_policy_attachment" "dms-vpc-role-AmazonDMSVPCManagementRole" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonDMSVPCManagementRole"
  role       = "${aws_iam_role.dms-vpc-role.name}"
}

I have submitted a pull request to update the documentation here: #9173

Hope this helps.
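Defining the three roles as in the comment above still leaves Terraform unaware that the DMS resources depend on them: no argument of aws_dms_replication_instance or aws_dms_replication_subnet_group references the role, so Terraform is free to create the DMS resource in parallel with the role and its policy attachment, which reproduces the first-apply failure even when the roles are in the same configuration. The following added example (an editor's illustration, not code from the thread or from the provider) wires that dependency explicitly with depends_on on the policy attachment, which is the object DMS actually checks. It is written in Terraform 0.12+ syntax; var.subnet_ids, var.replication_instance_id, var.dms_replication_instance_type, the subnet-group name and the aws:SourceAccount condition are assumptions, the condition being a confused-deputy guard that is not part of the original discussion and can be dropped if you only want the thread's trust policy.

```hcl
# Added example: dms-vpc-role plus explicit ordering for the DMS resources that need it.
# Terraform 0.12+ syntax. Variable names and the subnet-group id are assumed, not from the thread.

data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "dms_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["dms.amazonaws.com"]
    }

    # Assumed addition (not in the thread): restrict the trust to DMS acting on behalf
    # of this account, so the service cannot be used as a confused deputy from elsewhere.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

# The name is fixed by the DMS service; any other name is ignored by DMS.
resource "aws_iam_role" "dms-vpc-role" {
  name               = "dms-vpc-role"
  assume_role_policy = data.aws_iam_policy_document.dms_assume_role.json
}

resource "aws_iam_role_policy_attachment" "dms-vpc-role-AmazonDMSVPCManagementRole" {
  role       = aws_iam_role.dms-vpc-role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonDMSVPCManagementRole"
}

# Both DMS resources below need the role *with its policy attached*, so the dependency
# targets the attachment, not the bare role.
resource "aws_dms_replication_subnet_group" "dms" {
  replication_subnet_group_id          = "example-dms-subnet-group" # assumed
  replication_subnet_group_description = "Subnets for the DMS replication instance"
  subnet_ids                           = var.subnet_ids # assumed variable

  depends_on = [aws_iam_role_policy_attachment.dms-vpc-role-AmazonDMSVPCManagementRole]
}

resource "aws_dms_replication_instance" "dynamodb-import-instance" {
  replication_instance_id     = var.replication_instance_id
  replication_instance_class  = var.dms_replication_instance_type
  engine_version              = "3.1.2"
  multi_az                    = false
  publicly_accessible         = false
  replication_subnet_group_id = aws_dms_replication_subnet_group.dms.id

  depends_on = [aws_iam_role_policy_attachment.dms-vpc-role-AmazonDMSVPCManagementRole]
}
```

Two practical notes. First, depends_on has to point at the aws_iam_role_policy_attachment rather than the role: a role that exists but carries no AmazonDMSVPCManagementRole policy is exactly what the API reports as "not configured properly". Second, IAM is eventually consistent, so a just-attached policy can take a short time to become visible to DMS; if a first apply still fails after adding the dependency, a retry is the expected remedy rather than a sign that the trust policy is wrong. If the console has already created the roles in the account, as the earlier comment describes, bringing them under management with terraform import (for example `terraform import aws_iam_role.dms-vpc-role dms-vpc-role`) avoids the delete-and-recreate step.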

Thanks @bflad ! This probably goes without saying, but if aws has already created the roles for you, that code sample won't work since it'll throw an error saying the roles already exist. In that case, it's probably better to go and delete the roles that aws created for you. Just a heads up if anyone runs into this problem.

I am still getting the error the first run, a second apply straight after and it does work.

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
