0 votes

I have a policy document as below, with a resource tag and a StringEquals condition.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:*"
            ],
            "Resource": [
                "arn:aws:ec2:ap-south-1::image/ami-*",
                "arn:aws:ec2:ap-south-1:736855795947:key-pair/test-webserver",
                "arn:aws:ec2:ap-south-1:736855795947:network-interface/*",
                "arn:aws:ec2:ap-south-1:736855795947:security-group/sg-01bec6381887b636d",
                "arn:aws:ec2:ap-south-1:736855795947:subnet/subnet-0f7b9499f8a8817",
                "arn:aws:ec2:ap-south-1:736855795947:volume/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:*"
            ],
            "Resource": [
                "arn:aws:ec2:ap-south-1:736855XXXXXX:instance/*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/Environment": "dev"
                }
            }
        }
    ]
}

I have tagged my EC2 instances with the same tags as mentioned above. When I create instances with Terraform I get the error below:

{
"DecodedMessage":"{"allowed":false,"explicitDeny":false,"matchedStatements":{"items":[]},"failures":{"items":[]},"context":{"principal":{"id":"AIDA2XEAHFDV6BNRDDIX6","name":"clixtream_deploy_user","arn":"arn:aws:iam::736855795947:user/clixtream_deploy_user"},"action":"ec2:RunInstances","resource":"arn:aws:ec2:ap-south-1:736855795947:instance/*","conditions":{"items":[{"key":"ec2:InstanceMarketType","values":{"items":[{"value":"on-demand"}]}},{"key":"aws:Resource","values":{"items":[{"value":"instance/*"}]}},{"key":"aws:Account","values":{"items":[{"value":"736855795947"}]}},{"key":"ec2:AvailabilityZone","values":{"items":[{"value":"ap-south-1b"}]}},{"key":"ec2:ebsOptimized","values":{"items":[{"value":"false"}]}},{"key":"ec2:IsLaunchTemplateResource","values":{"items":[{"value":"false"}]}},{"key":"ec2:InstanceType","values":{"items":[{"value":"t3.medium"}]}},{"key":"ec2:RootDeviceType","values":{"items":[{"value":"ebs"}]}},{"key":"ec2:InstanceProfile","values":{"items":[{"value":"arn:aws:iam::736855795947:instance-profile/clixtream_profile"}]}},{"key":"aws:Region","values":{"items":[{"value":"ap-south-1"}]}},{"key":"aws:Service","values":{"items":[{"value":"ec2"}]}},{"key":"ec2:InstanceID","values":{"items":[{"value":"*"}]}},{"key":"aws:Type","values":{"items":[{"value":"instance"}]}},{"key":"ec2:Tenancy","values":{"items":[{"value":"default"}]}},{"key":"ec2:Region","values":{"items":[{"value":"ap-south-1"}]}},{"key":"aws:ARN","values":{"items":[{"value":"arn:aws:ec2:ap-south-1:736855795947:instance/*"}]}}]}}}"
}

But when I remove the StringEquals condition from the policy document, I can create the instance successfully without any error from Terraform.

My Terraform code for aws_instance looks like this:

resource "aws_instance" "test_collector_instance" {
  ami                         = data.aws_ami.ubuntu.id
  instance_type               = var.instance_machine_type
  key_name                    = var.key_name
  iam_instance_profile        = aws_iam_instance_profile.test_profile.name
  subnet_id                   = var.subnet_id_1
  vpc_security_group_ids      = [var.security_group_id]
  associate_public_ip_address = true

  tags = {
    Name        = "test-collector"
    Environment = "dev"
    owningTeam  = "test"
  }

  lifecycle {
    create_before_destroy = true
  }

  connection {
    type        = "ssh"
    user        = "ubuntu"
    private_key = file("./test-webserver.pem")
    host        = self.public_ip
  }

  provisioner "file" {
    source      = "run-collector.sh"
    destination = "/home/ubuntu/run-collector.sh"
  }

  provisioner "file" {
    source      = "../collector/log_agent_config.json"
    destination = "/home/ubuntu/log_agent_config.json"
  }

  provisioner "remote-exec" {
    inline = [
      "chmod +x /home/ubuntu/run-collector.sh",
      "sudo /home/ubuntu/run-collector.sh ${var.aws_region} ${var.aws_account_id}",
    ]
  }

  provisioner "remote-exec" {
    inline = [
      "curl -O https://s3.amazonaws.com/amazoncloudwatch-agent/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb",
      "sudo dpkg -i -E ./amazon-cloudwatch-agent.deb",
      "sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -c file:/home/ubuntu/log_agent_config.json -s",
      "sleep 5",
      "sudo cat /opt/aws/amazon-cloudwatch-agent/logs/amazon-cloudwatch-agent.log"
    ]
  }
}

My Terraform version is v1.0.1 and the AWS provider version is v3.49.0. Other than the instance, I have created an aws_ami_from_instance Terraform resource which creates an AMI from this instance, then a launch group with the created AMI, and ASGs which use the created launch group, where I have tagged the ASGs with the environment name as well.

What is your tf code? – Marcin
What version of Terraform and provider are you using? – tomarv2
@Marcin I have updated the post with the tf code – Vikas Shaw
@tomarv2 Terraform version is v1.0.1 and AWS provider version is v3.49.0 – Vikas Shaw
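The decoded authorization message above is the most useful piece of evidence in the question: its `context.conditions` list is the full set of condition keys the request carried, and `ec2:ResourceTag/Environment` is not among them, so the `StringEquals` clause in the second statement can never match and `matchedStatements` comes back empty. The script below is an added example, not code from the original post and not AWS's evaluator; it models only the parts of IAM evaluation the question exercises (Action/Resource wildcard matching, `StringEquals`, no explicit Deny), so a reader can replay the question's policy against a context of the decoded message's shape. The account id, region constant and the trimmed sample message are constructed placeholders, not the poster's values.

```python
"""Simplified IAM evaluation for the question's policy against a decoded
authorization message. Added example: not the poster's code and not AWS's
evaluator. Only Action/Resource wildcards and StringEquals are modelled;
explicit Deny and case-insensitive action matching are left out.
"""
import fnmatch
import json

ACCOUNT = "111122223333"   # constructed placeholder account id
REGION = "ap-south-1"
INSTANCE_ARN = f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/*"
VOLUME_ARN = f"arn:aws:ec2:{REGION}:{ACCOUNT}:volume/*"

# Constructed policy mirroring the two statements in the question.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:*"],
            "Resource": [
                f"arn:aws:ec2:{REGION}::image/ami-*",
                f"arn:aws:ec2:{REGION}:{ACCOUNT}:network-interface/*",
                VOLUME_ARN,
            ],
        },
        {
            "Effect": "Allow",
            "Action": ["ec2:*"],
            "Resource": [INSTANCE_ARN],
            "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "dev"}},
        },
    ],
}

# Constructed decoded message in the shape of the one in the question,
# trimmed to three context keys. Note: no ec2:ResourceTag/* key is present.
DECODED_SAMPLE = json.dumps({
    "allowed": False,
    "matchedStatements": {"items": []},
    "context": {
        "action": "ec2:RunInstances",
        "resource": INSTANCE_ARN,
        "conditions": {"items": [
            {"key": "ec2:InstanceType", "values": {"items": [{"value": "t3.medium"}]}},
            {"key": "aws:Region", "values": {"items": [{"value": REGION}]}},
            {"key": "aws:ARN", "values": {"items": [{"value": INSTANCE_ARN}]}},
        ]},
    },
})


def _as_list(v):
    return v if isinstance(v, list) else [v]


def context_from_decoded(decoded_message):
    """Flatten context.conditions of a decoded message into {key: first value}."""
    items = json.loads(decoded_message)["context"]["conditions"]["items"]
    return {it["key"]: it["values"]["items"][0]["value"] for it in items}


def condition_holds(condition, context):
    """True when every StringEquals clause matches the context. A key the
    context does not carry fails its clause, which is what the empty
    matchedStatements list in the question reflects."""
    for operator, clauses in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} is not modelled here")
        for key, expected in clauses.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def matched_statements(policy, action, resource, context):
    """Indices of statements whose Action, Resource and Condition all match."""
    hits = []
    for i, stmt in enumerate(policy["Statement"]):
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if condition_holds(stmt.get("Condition", {}), context):
            hits.append(i)
    return hits


def is_allowed(policy, action, resource, context):
    """Allow if any matched statement is an Allow (explicit Deny not modelled)."""
    return any(policy["Statement"][i]["Effect"] == "Allow"
               for i in matched_statements(policy, action, resource, context))


def missing_condition_keys(policy, context):
    """Condition keys the policy references that the request context lacks."""
    missing = set()
    for stmt in policy["Statement"]:
        for clauses in stmt.get("Condition", {}).values():
            missing.update(k for k in clauses if k not in context)
    return sorted(missing)


if __name__ == "__main__":
    ctx = context_from_decoded(DECODED_SAMPLE)
    print("instance allowed:", is_allowed(POLICY, "ec2:RunInstances", INSTANCE_ARN, ctx))
    print("missing keys:", missing_condition_keys(POLICY, ctx))
    tagged = {**ctx, "ec2:ResourceTag/Environment": "dev"}
    print("instance allowed with tag:", is_allowed(POLICY, "ec2:RunInstances", INSTANCE_ARN, tagged))
    print("volume allowed:", is_allowed(POLICY, "ec2:RunInstances", VOLUME_ARN, ctx))
```

Running `missing_condition_keys` over the real decoded message (paste its `DecodedMessage` JSON in place of `DECODED_SAMPLE`) is the quick check to make before touching the Terraform: it lists exactly which condition keys the policy relies on but the request never supplied. The last call also shows that each resource ARN a RunInstances call touches is authorised on its own, so the unconditional first statement covers the volume while the instance statement stands or falls with its tag condition.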

1 Answer

0 votes

The problem was that I needed to tag the EBS volume created along with the instance as well in Terraform; then I was able to create the instance with the policy with match conditions. So the new Terraform code for aws_instance looks like below:

resource "aws_instance" "test_collector_instance" {
  ami                         = data.aws_ami.ubuntu.id
  instance_type               = var.instance_machine_type
  key_name                    = var.key_name
  iam_instance_profile        = aws_iam_instance_profile.test_profile.name
  subnet_id                   = var.subnet_id_1
  vpc_security_group_ids      = [var.security_group_id]
  associate_public_ip_address = true

  volume_tags = {
    Environment = "dev"
    owningTeam  = "test"
  }

  tags = {
    Name        = "test-collector"
    Environment = "dev"
    owningTeam  = "test"
  }

  lifecycle {
    create_before_destroy = true
  }

  connection {
    type        = "ssh"
    user        = "ubuntu"
    private_key = file("./test-webserver.pem")
    host        = self.public_ip
  }

  provisioner "file" {
    source      = "run-collector.sh"
    destination = "/home/ubuntu/run-collector.sh"
  }

  provisioner "file" {
    source      = "../collector/log_agent_config.json"
    destination = "/home/ubuntu/log_agent_config.json"
  }