[Bug]: elasticloadbalancing:ModifyLoadBalancerAttributes permission is required when creating a load balancer listener even when tcp_idle_timeout_seconds is not specified #40000

Closed
dlcc opened this issue Nov 4, 2024 · 6 comments · Fixed by #40039
Labels
bug Addresses a defect in current functionality. regression Pertains to a degraded workflow resulting from an upstream patch or internal enhancement. service/elbv2 Issues and PRs that pertain to the elbv2 service.

Comments


dlcc commented Nov 4, 2024

Terraform Core Version

1.5.6

AWS Provider Version

5.73.0

Affected Resource(s)

aws_lb_listener

Expected Behavior

If no tcp_idle_timeout_seconds is specified, I wouldn't expect to need to have the elasticloadbalancing:ModifyLoadBalancerAttributes permission.
If I don't have that permission, I would expect the creation not to fail.

Actual Behavior

Creation fails when you don't have permission to ModifyLoadBalancerAttributes, even if no LoadBalancerAttributes are specified.

Relevant Error/Panic Output Snippet

aws_vpc.example: Creating...
aws_vpc.example: Creation complete after 2s [id=vpc-072edeff9170414bf]
aws_internet_gateway.example: Creating...
aws_subnet.example: Creating...
aws_lb_target_group.example: Creating...
aws_internet_gateway.example: Creation complete after 0s [id=igw-05898eff8b81cc8b5]
aws_route_table.example: Creating...
aws_subnet.example: Creation complete after 0s [id=subnet-06c41cbed2129fb04]
aws_lb.example: Creating...
aws_lb_target_group.example: Creation complete after 1s [id=arn:aws:elasticloadbalancing:eu-west-1:413720706075:targetgroup/example-targets/151b5c32e24bc951]
aws_route_table.example: Creation complete after 1s [id=rtb-0a5d398f8d78dd2eb]
aws_route_table_association.example: Creating...
aws_route_table_association.example: Creation complete after 0s [id=rtbassoc-087551d40a46be943]
aws_lb.example: Still creating... [10s elapsed]
aws_lb.example: Still creating... [20s elapsed]
aws_lb.example: Still creating... [30s elapsed]
aws_lb.example: Still creating... [40s elapsed]
aws_lb.example: Still creating... [50s elapsed]
aws_lb.example: Still creating... [1m0s elapsed]
aws_lb.example: Still creating... [1m10s elapsed]
aws_lb.example: Still creating... [1m20s elapsed]
aws_lb.example: Still creating... [1m30s elapsed]
aws_lb.example: Still creating... [1m40s elapsed]
aws_lb.example: Still creating... [1m50s elapsed]
aws_lb.example: Still creating... [2m0s elapsed]
╷
│ Error: modifying ELBv2 Load Balancer (arn:aws:elasticloadbalancing:eu-west-1:413720706075:loadbalancer/net/example-nlb/1c808da6c16f1b84) attributes: operation error Elastic Load Balancing v2: ModifyLoadBalancerAttributes, https response error StatusCode: 403, RequestID: 861c8ba8-703e-4777-9639-3dc2fd9f80e6, api error AccessDenied: User: arn:aws:iam::413720706075:user/example-user is not authorized to perform: elasticloadbalancing:ModifyLoadBalancerAttributes on resource: arn:aws:elasticloadbalancing:eu-west-1:413720706075:loadbalancer/net/example-nlb/1c808da6c16f1b84 with an explicit deny in an identity-based policy
│
│   with aws_lb.example,
│   on nlb.tf line 40, in resource "aws_lb" "example":
│   40: resource "aws_lb" "example" {
│

Terraform Configuration Files

Documents.zip

Steps to Reproduce

Terraform a simple NLB with a listener (that has no custom TCP timeout specified) and it will fail if you don't have the elasticloadbalancing:ModifyLoadBalancerAttributes permission. This isn't necessary to create an NLB listener without a custom TCP timeout.

Debug Output

No response

Panic Output

No response

Important Factoids

When pinning the AWS provider to a version before 5.73.0 (5.70.0), the issue does not occur.

References

No response

Would you like to implement a fix?

No

@dlcc dlcc added the bug Addresses a defect in current functionality. label Nov 4, 2024
@github-actions github-actions bot added service/elbv2 Issues and PRs that pertain to the elbv2 service. needs-triage Waiting for first response or review from a maintainer. labels Nov 4, 2024
@justinretzolk justinretzolk added regression Pertains to a degraded workflow resulting from an upstream patch or internal enhancement. and removed needs-triage Waiting for first response or review from a maintainer. labels Nov 4, 2024
@terraform-aws-provider terraform-aws-provider bot added the prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. label Nov 4, 2024
Member

jar-b commented Nov 4, 2024

Relates #39585

Member

jar-b commented Nov 4, 2024

Hello - In the provided configuration there is a listener using the TCP protocol, which will automatically inherit the default tcp_idle_timeout_seconds value of 350 when unset. Because the value cannot be set during creation, the ModifyLoadBalancerAttributes API is called after creation completes, and does require additional IAM permissions.

# Add a listener for the Network Load Balancer
resource "aws_lb_listener" "example" {
  load_balancer_arn = aws_lb.example.arn
  port              = 80
  protocol          = "TCP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.example.arn
  }
}

I believe this is the expected behavior based on the implementation in #39585.

That said, we can investigate the possibility of removing the default value (this will now be a breaking change) or providing some mechanism to opt-out of sending the value.
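To see before an apply which of the calls described above an identity policy would reject, here is an added Python example (not code from the provider, the issue author or the maintainers). It models the call sequence jar-b describes (CreateLoadBalancer, CreateListener, and, for a TCP listener on provider 5.73.0, ModifyLoadBalancerAttributes after creation) and evaluates it against two constructed policies with a deliberately reduced IAM evaluator. The call list, both sample policies, and the assumption that the fixed provider only issues ModifyLoadBalancerAttributes when tcp_idle_timeout_seconds is set explicitly are all assumptions made for illustration, not taken from the provider source.

```python
"""Offline pre-apply check: does an IAM identity policy cover the ELBv2 calls
Terraform makes when creating an NLB plus a TCP listener?

Added example, not code from the AWS provider or the issue author. The call
list and the two sample policies are constructed for illustration. The
evaluator is a deliberately reduced model of IAM: it looks only at Action
patterns in an identity-based policy (explicit Deny beats Allow, no match
is an implicit deny) and ignores Resource ARNs, Condition blocks, SCPs,
permission boundaries and resource-based policies.
"""
import fnmatch
import json

ELBV2 = "elasticloadbalancing"
BASE_ACTIONS = [f"{ELBV2}:CreateLoadBalancer", f"{ELBV2}:CreateListener"]
ATTRIBUTE_ACTION = f"{ELBV2}:ModifyLoadBalancerAttributes"


def required_actions(tcp_listener, tcp_idle_timeout_set, provider_sends_default):
    """Actions an apply needs, in call order.

    provider_sends_default=True models provider 5.73.0 as described in the
    issue: a TCP listener inherits tcp_idle_timeout_seconds = 350 and the
    provider calls ModifyLoadBalancerAttributes after creation even though
    nothing was set. provider_sends_default=False models the reporter's
    expected behaviour (assumed here for the fixed provider): the call is
    made only when the attribute is set explicitly.
    """
    actions = list(BASE_ACTIONS)
    if tcp_listener and (tcp_idle_timeout_set or provider_sends_default):
        actions.append(ATTRIBUTE_ACTION)
    return actions


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action):
    """Reduced IAM decision for one action: Deny > Allow > implicit deny.

    Action matching is case-insensitive and honours IAM's '*' wildcard, so
    "elasticloadbalancing:Create*" matches CreateListener.
    """
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # an explicit deny wins over any Allow
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_permissions(policy, actions):
    """Actions, in call order, that the policy would reject with AccessDenied."""
    return [a for a in actions if not is_allowed(policy, a)]


# Constructed policy in the shape the error message implies: creation is
# allowed, but ModifyLoadBalancerAttributes carries an explicit Deny.
REPORTER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["elasticloadbalancing:Create*", "elasticloadbalancing:Describe*"],
     "Resource": "*"},
    {"Effect": "Deny",
     "Action": "elasticloadbalancing:ModifyLoadBalancerAttributes",
     "Resource": "*"}
  ]
}""")

# Constructed least-privilege policy that also grants the post-create call.
EXTENDED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["elasticloadbalancing:CreateLoadBalancer",
                "elasticloadbalancing:CreateListener",
                "elasticloadbalancing:ModifyLoadBalancerAttributes"],
     "Resource": "*"}
  ]
}""")


def report(policy, provider_sends_default):
    """One-line verdict for a TCP listener with no explicit idle timeout."""
    needed = required_actions(True, False, provider_sends_default)
    missing = missing_permissions(policy, needed)
    return "apply would fail on " + missing[0] if missing else "apply would succeed"


if __name__ == "__main__":
    print("5.73.0 behaviour, reporter's policy:", report(REPORTER_POLICY, True))
    print("expected behaviour, reporter's policy:", report(REPORTER_POLICY, False))
    print("5.73.0 behaviour, extended policy:", report(EXTENDED_POLICY, True))
```

For a check against the real policy chain rather than this toy model, `aws iam simulate-principal-policy --policy-source-arn <principal-arn> --action-names elasticloadbalancing:ModifyLoadBalancerAttributes` evaluates SCPs, permission boundaries and conditions as well, which is the quickest way to confirm whether a given principal will hit the 403 shown above.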

@jar-b jar-b self-assigned this Nov 4, 2024
Author

dlcc commented Nov 4, 2024

@jar-b Thank you for looking at this. I guessed this was what was happening.

Surely it would be better to not attempt to ModifyLoadBalancerAttributes if a custom TCP timeout has not been set in the terraform? The LB listener will still get the default for TCP timeout as part of the creation, anyway, as it always has.

For me, the current implementation is the breaking change, not the other way around. Unfortunately, an external team manages our IAM, so what would seem like a trivial task is actually extremely difficult. Last time we asked for an IAM change it took them 6 months, so we will have to pin the provider version for the foreseeable future.


@github-actions github-actions bot added this to the v5.75.0 milestone Nov 7, 2024
@github-actions github-actions bot removed the prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. label Nov 11, 2024

This functionality has been released in v5.75.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
