EBS volume provisioning unauthorized with enforced tagging IAM policy #4428

Closed
kaussamy opened this issue May 2, 2018 · 3 comments · Fixed by #6396
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/ec2 Issues and PRs that pertain to the ec2 service.
Milestone

Comments

@kaussamy

kaussamy commented May 2, 2018

Hi there,

Thank you for opening an issue. Please note that we try to keep the Terraform issue tracker reserved for bug reports and feature requests. For general usage questions, please see: https://www.terraform.io/community.html.

I'm trying to enforce EBS volume creation if tags are missing or invalid in the terraform template; however it doesn't work and gives me an unauthorized exception. This works using the AWS CLI, and I'm curious if something needs to be fixed in Terraform or we have to change the way we are using tags for the EBS resource. Could you please look into this?

CLI command that works with the enforced policy: `aws ec2 create-volume --size 8 --region us-east-1 --availability-zone us-east-1a --volume-type gp2 --tag-specifications 'ResourceType=volume,Tags=[{Key=stackid,Value=lowercase}]'`

Terraform Version

Run terraform -v to show the version. If you are not running the latest version of Terraform, please upgrade because your issue may have already been fixed.
Terraform v0.11.7

  • provider.aws v1.16.0

Affected Resource(s)

Please list the resources as a list, for example:

  • EBS Volume

If this issue appears to affect multiple resources, it may be an issue with Terraform's core, so please mention this.
Yes, affects all users with an enforced IAM policy.

Terraform Configuration Files

```hcl
# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key.

resource "aws_ebs_volume" "my_Vol" {
  availability_zone = "us-east-1a"
  size              = 8

  tags {
    Stack = "test"
  }
}
```

Debug Output

Please provide a link to a GitHub Gist containing the complete debug output: https://www.terraform.io/docs/internals/debugging.html. Please do NOT paste the debug output in the issue; just paste a link to the Gist.
Unauthorized exception

Panic Output

If Terraform produced a panic, please provide a link to a GitHub Gist containing the output of the crash.log.

Expected Behavior

What should have happened?
The EBS volume should be created if the tags supplied in the request match what is enforced through the IAM policy.

Actual Behavior

What actually happened?
Unauthorized access

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform apply

  1. Set up an IAM policy for the role\user to enforce the tag and deny if tags in the terraform script are invalid or missing; here is the IAM policy:

     ```json
     {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Sid": "VisualEditor0",
                 "Effect": "Allow",
                 "Action": "ec2:*",
                 "Resource": "*"
             },
             {
                 "Sid": "AllowLaunchOnlyWithRequiredTags",
                 "Effect": "Deny",
                 "Action": "ec2:CreateVolume",
                 "Resource": "arn:aws:ec2:*:*:volume/*",
                 "Condition": {
                     "Null": {
                         "aws:RequestTag/Stack": "true"
                     }
                 }
             }
         ]
     }
     ```

  2. Make sure terraform uses the access keys which have the enforced policy applied. Set up the terraform template to provision the EBS volume as mentioned above in the configuration section and run terraform apply.

Important Factoids

Is there anything atypical about your accounts that we should know? For example: Running in EC2 Classic? Custom version of OpenStack? Tight ACLs? None; happens in all accounts.

References

Are there any other GitHub issues (open or closed) or Pull Requests that should be linked here? NA

@bflad bflad added question A question about existing functionality; most questions are re-routed to discuss.hashicorp.com. service/ec2 Issues and PRs that pertain to the ec2 service. labels May 12, 2018
@bflad bflad added enhancement Requests to existing resources that expand the functionality or scope. and removed question A question about existing functionality; most questions are re-routed to discuss.hashicorp.com. labels Nov 8, 2018
@bflad bflad added this to the v1.44.0 milestone Nov 12, 2018
@bflad
Contributor

bflad commented Nov 12, 2018

In version 1.44.0 of the AWS provider releasing later this week, the tagging has been switched from a call after the creation to a parameter during creation which should resolve this situation. 👍
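As an added illustration (not code from this issue, the provider, or the commenter), the following Python model evaluates the IAM policy posted above against the two request sequences described here: the pre-1.44.0 flow of CreateVolume followed by CreateTags, and the 1.44.0 flow that sends the tags on CreateVolume itself. The account id, the `evaluate` helper and the `fnmatchcase` wildcard matching are simplifications assumed for the example; the policy statements are the ones from the issue with the asterisks restored.

```python
from fnmatch import fnmatchcase

# The issue's policy with the markdown-stripped asterisks restored (constructed sample).
POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {
            "Effect": "Deny",
            "Action": "ec2:CreateVolume",
            "Resource": "arn:aws:ec2:*:*:volume/*",
            "Condition": {"Null": {"aws:RequestTag/Stack": "true"}},
        },
    ]
}
# Constructed account id; CreateVolume is checked against volume/* as no id exists yet.
VOLUME_ARN = "arn:aws:ec2:us-east-1:123456789012:volume/*"

def _null_condition_matches(condition, request_tags):
    """Evaluate the Null operator, the only one this policy uses."""
    for key, want_null in condition.get("Null", {}).items():
        # aws:RequestTag/<TagKey> is absent from the request context when the
        # API call itself carries no tag with that key.
        is_null = key.split("/", 1)[1] not in request_tags
        if is_null != (want_null == "true"):
            return False
    return True

def evaluate(action, resource, request_tags, policy=POLICY):
    """Return 'Allow' or 'Deny'; an explicit Deny always wins over Allow."""
    decision = "Deny"  # implicit deny until some Allow statement matches
    for stmt in policy["Statement"]:
        if not (fnmatchcase(action, stmt["Action"])
                and fnmatchcase(resource, stmt["Resource"])
                and _null_condition_matches(stmt.get("Condition", {}), request_tags)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

def provider_before_1_44(tags):
    """Old flow: CreateVolume with no tags, then CreateTags on the result."""
    return [evaluate("ec2:CreateVolume", VOLUME_ARN, {}),
            evaluate("ec2:CreateTags", VOLUME_ARN, tags)]

def provider_from_1_44(tags):
    """New flow: tags sent as TagSpecifications on CreateVolume itself."""
    return [evaluate("ec2:CreateVolume", VOLUME_ARN, tags)]
```

The old flow is denied on the first call because the CreateVolume request carries no `Stack` tag, so the Null condition fires regardless of the CreateTags call that would follow; a tag key that does not match the policy (such as `stackid`) is denied under either flow.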

@bflad
Contributor

bflad commented Nov 15, 2018

This has been released in version 1.44.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

@ghost

ghost commented Apr 2, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 2, 2020