
CloudTrail resource creation failure when creating aws_iam_role and aws_iam_role_policy in single run #13631

Closed
tmclaugh opened this issue Apr 13, 2017 · 6 comments

Comments

@tmclaugh

There appears to be an issue with creating cloudtrails when the IAM role for CloudWatch Logs is created in the same run. Terraform says the resource creation has completed, but when creating the CloudTrail an InvalidCloudWatchLogsRoleArnException error occurs. A subsequent run completes just fine. This leads me to believe that the issue is with the IAM role policy change not being propagated across AWS fast enough for Terraform.

Terraform Version

Terraform v0.9.3

Affected Resource(s)

  • aws_cloudtrail
  • aws_iam_role_policy
  • aws_iam_role

Terraform Configuration Files

https://gist.github.com/0dd20ed6bc2a9dcd5c316c9d5193cdc2

Debug Output

https://gist.github.com/690acefc73b6509d89e53f389981cdd0

Expected Behavior

aws_cloudtrail is successfully created

Actual Behavior

It appears that the role policy is not properly propagated by AWS before attempting to create the cloudtrail resource. A second run successfully creates the aws_cloudtrail resource.

* aws_cloudtrail.ct: InvalidCloudWatchLogsRoleArnException: Access denied. Check the trust relationships for your role.
        status code: 400, request id: 4a209c1f-206b-11e7-bb0a-0d6cd06b0119

Steps to Reproduce

  1. terraform apply
@tmclaugh (Author)

I was able to confirm that this is a timing issue. I created another Terraform configuration that has more resources defined in it. At first it would encounter this error, but by using depends_on heavily I was able to draw the run out longer, and this error does not occur.

@tmclaugh (Author)

The issue is hit or miss in my new module. This holds us back from supporting Terraform based setup. :(

https://github.com/threatstack/tf_threatstack_aws_integration


willejs commented Apr 20, 2017

I can also confirm this, it's very easy to reproduce. I guess there needs to be a retry built into creating the cloudtrail...
I'm contemplating putting a sleep somewhere to fix this in the meantime 🙈 😿


gobbx commented Apr 26, 2017

I'm experiencing the same issue. The configuration file fails the first time but successfully completes when I run it again. CloudTrail needs to wait longer for the other resources to be created.

I can also confirm that this is a timing issue. I was able to get around this problem by adding the following code to my configuration file:

provisioner "local-exec" {
  command = "sleep 10"
}
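
A complete configuration that applies this sleep workaround, as an added example (it is not the reporter's gist, the tf_threatstack_aws_integration module, or gobbx's configuration), written in the interpolation syntax of the Terraform version on this issue. The null_resource sleep cannot start until aws_iam_role_policy exists, and the trail depends on the null_resource, so the delay sits exactly between the two resources that race. The "example" names, the S3 bucket and the 15-second delay are assumptions; the log-group ARN handling is an assumption explained in the comments.

```hcl
# Added example, not the configuration from the issue's gist. Terraform 0.9/0.11-era
# syntax. Placeholders: the "example" names, the S3 bucket, and the 15 s delay.

resource "aws_cloudwatch_log_group" "ct" {
  name = "cloudtrail-example"
}

# Trust policy: only the CloudTrail service principal may assume this role.
# A wrong principal here produces the same "Check the trust relationships"
# error as the propagation race, so verify it before adding more sleep.
resource "aws_iam_role" "ct" {
  name = "cloudtrail-to-cloudwatch-example"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": "cloudtrail.amazonaws.com" },
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Inline policy scoped to streams under the one log group, not "logs:*" on "*".
# Assumption: the provider of this era exported the log group ARN with a
# trailing ":*" (the log-stream wildcard). With provider versions that omit
# it, append ":*" here and in cloud_watch_logs_group_arn below.
resource "aws_iam_role_policy" "ct" {
  name = "cloudtrail-to-cloudwatch-example"
  role = "${aws_iam_role.ct.id}"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
    "Resource": "${aws_cloudwatch_log_group.ct.arn}"
  }]
}
EOF
}

# The delay is its own node in the dependency graph: it cannot start until
# the role policy has been created, and the trail cannot start until it ends.
resource "null_resource" "wait_for_iam" {
  depends_on = ["aws_iam_role_policy.ct"]

  provisioner "local-exec" {
    command = "sleep 15"
  }
}

resource "aws_cloudtrail" "ct" {
  name                       = "example-trail"
  s3_bucket_name             = "example-cloudtrail-bucket" # assumed to exist with a CloudTrail bucket policy
  cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.ct.arn}"
  cloud_watch_logs_role_arn  = "${aws_iam_role.ct.arn}"

  depends_on = ["null_resource.wait_for_iam"]
}
```

A fixed sleep is a heuristic for IAM's eventual consistency: it narrows the window in which CreateTrail runs before the new role and policy are visible to the CloudTrail service, but it does not close it, and a value that works in one region or account may not in another. The run-to-run flakiness the commenters describe is the signature of this race, which is why a retry on InvalidCloudWatchLogsRoleArnException inside the resource, as suggested above, is the real fix rather than a longer sleep.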


willejs commented Jun 6, 2017

I think this is an issue that is present in lambda as well, as cloudtrail is run on lambda?


ghost commented Mar 30, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Mar 30, 2020