
Resource aws_iam_policy_attachment.ec2_ssm_attachment causes conflicts with other resources in IAM #162

Closed
JoeJasinski opened this issue Feb 24, 2024 · 2 comments

Comments

@JoeJasinski

JoeJasinski commented Feb 24, 2024

The following policy attachment was causing issues as it was trying to remove other attributes on the existing "ec2-ssm-attachment" (added somewhere else). Doing a "terraform plan" showed a lot of removals related to the "ec2-ssm-attachment".

resource "aws_iam_policy_attachment" "ec2_ssm_attachment" {
  name       = "ec2-ssm-attachment"
  # policy_arn is required; this is the AWS managed policy the module attaches
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
  roles      = [aws_iam_role.iam_role.name]
}

This change seemed to fix the issue, in my fork of this codebase, because it applies the policy to the role without involving the existing "ec2-ssm-attachment".

resource "aws_iam_role_policy_attachment" "ec2_ssm_attachment" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
  role       = aws_iam_role.iam_role.name
}

Here is the relevant place in the code:
https://github.com/weka/terraform-aws-weka/blob/46603015877427f092eedbe7d0871f9ac634ed5b/modules/iam/ec2.tf#L150C12-L150C57

@jrandall

jrandall commented Aug 7, 2024

This is a major issue with the Weka terraform module.

Please see the warning in the terraform AWS provider docs for aws_iam_policy_attachment (https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment):

WARNING:
The aws_iam_policy_attachment resource creates exclusive attachments of IAM policies. Across the entire AWS account, all of the users/roles/groups to which a single policy is attached must be declared by a single aws_iam_policy_attachment resource. This means that even any users/roles/groups that have the attached policy via any other mechanism (including other Terraform resources) will have that attached policy revoked by this resource. Consider aws_iam_role_policy_attachment, aws_iam_user_policy_attachment, or aws_iam_group_policy_attachment instead. These resources do not enforce exclusive attachment of an IAM policy.

It is not a problem (and could be considered good practice) to use aws_iam_policy_attachment on customer managed IAM policies that the module itself is managing (to prevent them from being (mis)used for other purposes), but it is a major problem that the weka terraform module uses aws_iam_policy_attachment on an AWS managed policy, arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM:

resource "aws_iam_policy_attachment" "ec2_ssm_attachment" {
  name       = "ec2-ssm-attachment"
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
  roles      = [aws_iam_role.iam_role.name]
}

After applying this module, the AmazonEC2RoleforSSM AWS managed policy has been removed from all other users, roles, and groups in our AWS account.
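As an added example (not code from the weka module or from this thread), here is a small pre-apply lint that flags exactly the distinction drawn above: an exclusive aws_iam_policy_attachment is tolerated when its policy_arn is an expression referencing a policy the configuration itself creates, but is reported when it names an AWS managed policy under arn:aws:iam::aws:policy/. The function name, the regexes and the SAMPLE_TF input are this example's own assumptions.

```python
"""Added example (not the weka module's code): lint Terraform HCL for
aws_iam_policy_attachment blocks that target an AWS-managed policy. Such
a block is exclusive, so it revokes the policy from every principal in the
account it does not list; a policy the module itself creates is accepted."""
import re

# One resource block: type, name, and a body without nested braces.
_BLOCK = re.compile(
    r'resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{(?P<body>[^{}]*)\}')
_POLICY_ARN = re.compile(r'policy_arn\s*=\s*"([^"]*)"')
AWS_MANAGED_PREFIX = "arn:aws:iam::aws:policy/"


def find_exclusive_managed_attachments(hcl: str) -> list[dict]:
    """Return one finding per exclusive attachment of an AWS-managed policy."""
    findings = []
    for m in _BLOCK.finditer(hcl):
        if m.group("type") != "aws_iam_policy_attachment":
            continue
        arn = _POLICY_ARN.search(m.group("body"))
        # No string literal: policy_arn is an expression such as
        # aws_iam_policy.x.arn, i.e. a policy this config owns. Acceptable.
        if arn is None or not arn.group(1).startswith(AWS_MANAGED_PREFIX):
            continue
        findings.append({
            "resource": f'aws_iam_policy_attachment.{m.group("name")}',
            "policy_arn": arn.group(1),
            "fix": f'aws_iam_role_policy_attachment.{m.group("name")} with role = <role>',
        })
    return findings


# Constructed sample: the first block is the pattern reported in this issue.
SAMPLE_TF = '''
resource "aws_iam_policy_attachment" "ec2_ssm_attachment" {
  name       = "ec2-ssm-attachment"
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
  roles      = [aws_iam_role.iam_role.name]
}
resource "aws_iam_policy_attachment" "module_policy" {
  name       = "module-policy"
  policy_arn = aws_iam_policy.module_policy.arn
  roles      = [aws_iam_role.iam_role.name]
}
'''

if __name__ == "__main__":
    for f in find_exclusive_managed_attachments(SAMPLE_TF):
        print(f"{f['resource']}: exclusive attachment of {f['policy_arn']}; use {f['fix']}")
```

Run it over a module's .tf files before `terraform apply`; only the AWS managed attachment is reported, the module-owned one is not.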

@assafgi
Collaborator

assafgi commented Aug 7, 2024
