
MalformedPolicyDocumentException on creating KMS key #62

Open
Markchau opened this issue Sep 6, 2023 · 3 comments

Comments


Markchau commented Sep 6, 2023

Describe the bug
When I try to run terragrunt apply on openedx_devops/terraform/stacks/service/kubernetes, I encounter MalformedPolicyDocumentException when creating the KMS key. This is the error:

│ Error: creating KMS Key: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals.
│ 
│   with module.eks.module.kms.aws_kms_key.this[0],
│   on .terraform/modules/eks.kms/main.tf line 8, in resource "aws_kms_key" "this":
│    8: resource "aws_kms_key" "this" {
│ 

Workflow
This is the full workflow for running the terraform & terragrunt commands:

cd ./terraform/common/cookiecutter_meta
terraform init
terraform apply

cd ../../stacks/service
terragrunt run-all init

cd vpc
terragrunt apply -target module.cookiecutter_meta
terragrunt apply

cd ../kubernetes
terragrunt apply -target module.cookiecutter_meta
terragrunt apply

I'm getting the above error on the last step of the commands. On the first trial I didn't add any new IAM user as owner with admin permissions to the kms_key_owners list and map_users list in terraform/stacks/service/kubernetes/terragrunt.hcl, I just used the default setting of including the IAM user for the bastion server in these two lists. Then this error happened. On the second trial I tried adding a new IAM user with admin permissions, but the same error occurred again.

Expected behavior
The error above does not occur.

Additional context
I would be very grateful if you could help me resolve this issue. Thank you for your time working on this.

@cm-aulasneo
Contributor

Hi @Markchau, we are having the same issue!

Were you able to resolve it?

@cm-aulasneo
Contributor

Hi @Markchau and @lpm0073! I found a workaround for this: you need to create the bastion user first in order for the KMS policy to be well formed.

You can do this with the AWS CLI:

aws iam create-user --user-name ${local.namespace}-bastion --path /system/bastion-user/

Change ${local.namespace} to your real namespace.

After that, the bastion module will fail because the user already exists.

I'm working to solve it and will send a PR soon; this will solve both problems.
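Added example, not code from this issue or from the openedx_devops project: a pre-flight check for the failure mode the workaround above addresses. KMS validates the key policy at key-creation time, and an IAM user or role named as an "AWS" principal has to exist at that moment (account roots, bare account ids, service principals and "*" are not looked up). The script extracts the user/role ARNs a key policy names, reports those missing from a list of ARNs you know exist (in practice the output of aws iam list-users / list-roles for the account), and for a missing user builds the same aws iam create-user invocation, path included, that the comment above runs by hand. The policy document, account id 123456789012 and namespace "myns" are constructed for the example.

```python
import json
import re
from typing import Iterable

# Only IAM users and roles have to exist when KMS validates a key policy, so only
# those ARN forms are checked. Partition is left loose (aws, aws-cn, aws-us-gov).
IAM_ENTITY_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:(user|role)/.+$")

# Constructed sample (not the project's rendered policy): a key-owner statement
# that names the bastion user, plus a root and a service principal that KMS
# never looks up. Account id and namespace are made up.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Default", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "KeyOwner", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::123456789012:user/system/bastion-user/myns-bastion"]},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "ServiceUse", "Effect": "Allow",
         "Principal": {"Service": "logs.amazonaws.com"},
         "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"},
    ],
})


def iam_principals(policy_json: str) -> list[str]:
    """IAM user/role ARNs named as principals, in document order, without duplicates."""
    doc = json.loads(policy_json)
    stmts = doc.get("Statement", [])
    if isinstance(stmts, dict):          # IAM allows a single statement object
        stmts = [stmts]
    found: list[str] = []
    for stmt in stmts:
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):   # "*" or absent: nothing to look up
            continue
        aws = principal.get("AWS", [])
        for arn in ([aws] if isinstance(aws, str) else aws):
            if IAM_ENTITY_ARN.match(arn) and arn not in found:
                found.append(arn)
    return found


def missing_principals(policy_json: str, existing_arns: Iterable[str]) -> list[str]:
    """Principals KMS would reject because they are not in the set of known-existing ARNs."""
    existing = set(existing_arns)
    return [arn for arn in iam_principals(policy_json) if arn not in existing]


def create_user_command(user_arn: str) -> str:
    """aws iam create-user invocation for a user ARN; the IAM path is recovered from the ARN."""
    if ":user/" not in user_arn:
        raise ValueError(f"not an IAM user ARN: {user_arn}")
    path, _, name = user_arn.split(":user/", 1)[1].rpartition("/")
    cmd = f"aws iam create-user --user-name {name}"
    return f"{cmd} --path /{path}/" if path else cmd


if __name__ == "__main__":
    known: list[str] = []   # constructed: nothing exists yet, as on a first terragrunt apply
    for arn in missing_principals(SAMPLE_POLICY, known):
        print(f"missing principal: {arn}")
        if ":user/" in arn:
            print("  create it first with:", create_user_command(arn))
```

Run it against the key policy Terraform renders for aws_kms_key.this (visible in the plan output) before the apply. One caveat: IAM is eventually consistent, so a principal created seconds before the key can still be rejected as invalid; retrying the apply after a short wait is the usual remedy in that case.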

@lpm0073
Collaborator

lpm0073 commented Jun 25, 2024

great solution. thank you!
