This repository has been archived by the owner on Sep 15, 2021. It is now read-only.

Error with aws_iam_policy #10

Open
Webgardener opened this issue Jun 17, 2021 · 1 comment

Webgardener commented Jun 17, 2021

│ Error: error creating Synthetics Canary: ValidationException: 1 validation error detected: Value 'arn:aws:iam:::policy/service-role/synthetic_policy_development' at 'executionRoleArn' failed to satisfy constraint: Member must satisfy regular expression pattern: arn:(aws[a-zA-Z-]*)?:iam::\d{12}:role/?[a-zA-Z_0-9+=,.@\-_/]+
│ 
│   with synthetics_canary.api,
│   on monitoring.tf line 111, in resource "synthetics_canary" "api":
│  111: resource "synthetics_canary" "api" {
│ 

How to reproduce?

resource "aws_iam_policy" "synthetic" {
  name        = "synthetic_policy_${var.environment}"
  path        = "/service-role/"
  description = "CloudWatch Synthetics lambda execution role for running canaries"
  policy      = [..]
}

resource "synthetics_canary" "api" {
  name                 = "api-${var.environment}"
  runtime_version      = var.synthetic_runtime_version
  execution_role_arn   = aws_iam_policy.synthetic.arn
  artifact_s3_location = "s3://${aws_s3_bucket.synthetic.id}/canary/${var.region}/${var.environment}"
  zip_file             = data.archive_file.synthetic.output_path
  handler              = "apiCanaryBlueprint.handler"
  run_config {
    memory_in_mb       = 1024
    timeout_in_seconds = 60
  }
  schedule {
    expression = "rate(60 minutes)"
  }
}
@Webgardener
Author

I actually made it work:

resource "aws_iam_role" "synthetic" {
  name = "synthetic_role_${var.environment}"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}


resource "aws_iam_role_policy_attachment" "synthetic-attach" {
  role       = aws_iam_role.synthetic.name
  policy_arn = aws_iam_policy.synthetic.arn
}


resource "synthetics_canary" "api" {
  name                 = "api-${var.environment}"
  runtime_version      = var.synthetic_runtime_version
  execution_role_arn   = aws_iam_role.synthetic.arn
  artifact_s3_location = "s3://${aws_s3_bucket.synthetic.id}/canary/${var.region}/${var.environment}"
  zip_file             = data.archive_file.synthetic.output_path
  handler              = "apiCanaryBlueprint.handler"
  run_config {
    memory_in_mb       = 1024
    timeout_in_seconds = 60
  }
  schedule {
    expression = "rate(60 minutes)"
  }
}
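
A pre-apply check for the mistake in this issue, added here as an example (it is not code from the issue author or the provider): it validates a candidate `execution_role_arn` against the pattern quoted in the ValidationException and reports why a value fails. The function name and the account ID `123456789012` are constructed for illustration.

```python
import re

# Pattern copied verbatim from the ValidationException text in the issue.
EXECUTION_ROLE_ARN = re.compile(
    r"arn:(aws[a-zA-Z-]*)?:iam::\d{12}:role/?[a-zA-Z_0-9+=,.@\-_/]+"
)


def check_execution_role_arn(arn):
    """Return a list of problems; an empty list means the ARN is acceptable."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        return ["not an ARN (expected arn:partition:service:region:account:resource)"]
    _, _partition, service, region, account, resource = parts

    problems = []
    if service != "iam":
        problems.append(f"service is {service!r}, expected 'iam'")
    if region:
        problems.append("IAM ARNs have an empty region field")
    if not re.fullmatch(r"\d{12}", account):
        problems.append("account id must be 12 digits")
    kind = resource.split("/", 1)[0]
    if kind != "role":
        problems.append(f"resource type is {kind!r}; the canary needs an IAM role")
    # Catch anything the field checks above did not explain.
    if not problems and not EXECUTION_ROLE_ARN.fullmatch(arn):
        problems.append("does not match the executionRoleArn pattern")
    return problems


if __name__ == "__main__":
    samples = [
        # Value from the error message in the issue.
        "arn:aws:iam:::policy/service-role/synthetic_policy_development",
        # Constructed role ARN of the shape aws_iam_role.synthetic.arn produces.
        "arn:aws:iam::123456789012:role/synthetic_role_development",
    ]
    for arn in samples:
        result = check_execution_role_arn(arn)
        print(arn, "->", "ok" if not result else "; ".join(result))
```

For the ARN in the error message the check reports two problems: the resource is a `policy` rather than a `role`, and the account ID field is empty.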
