
r/aws_iam_role - add retry for assume role policy update #12436

Closed

Conversation

beyondbill

@beyondbill beyondbill commented Mar 17, 2020

Since IAM is eventually consistent, new users (referenced in the Principal field of the assume role policy) can take ~30 seconds to propagate in AWS. Similar to role creation, the assume role policy update also needs retry logic in case a newly created user is still invisible.

In the example below (aws provider 2.53.0), AWS API call iam/UpdateAssumeRolePolicy got a 400 even though user bodebug had just been created in the same terraform apply.

```
......
module.engineers.module.users.aws_iam_user.engineers["bodebug"]: Creating...
module.engineers.module.users.aws_iam_user.engineers["bodebug"]: Creation complete after 1s [id=bodebug]
......
module.engineers.module.roles.data.aws_iam_policy_document.trust_relationships["DataReadOnlyRole"]: Refreshing state...
module.engineers.module.roles.aws_iam_role.engineering["DataReadOnlyRole"]: Modifying... [id=scoop-engineer-DataReadOnlyRole]
......
Error: Error Updating IAM Role (scoop-engineer-DataReadOnlyRole) Assume Role Policy: MalformedPolicyDocument: Invalid principal in policy: "AWS":"arn:aws:iam::123456789012:user/bodebug"
	status code: 400, request id: 92e918ed-6dec-42dd-99e8-37ca6be66040
```

I added a retry to fix it and successfully applied the same thing above using the aws provider built locally from this PR.

```
......
module.engineers.module.users.aws_iam_user.engineers["bodebug"]: Creating...
module.engineers.module.users.aws_iam_user.engineers["bodebug"]: Creation complete after 0s [id=bodebug]
......
module.engineers.module.roles.aws_iam_role.engineering["DataReadOnlyRole"]: Modifying... [id=scoop-engineer-DataReadOnlyRole]
......
module.engineers.module.roles.aws_iam_role.engineering["DataReadOnlyRole"]: Still modifying... [id=scoop-engineer-DataReadOnlyRole, 10s elapsed]
module.engineers.module.roles.aws_iam_role.engineering["DataReadOnlyRole"]: Modifications complete after 10s [id=scoop-engineer-DataReadOnlyRole]
```
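As an added example (not the provider's own code): a retry wrapper that retries only the exact transient error shown above, MalformedPolicyDocument with "Invalid principal in policy", and bounds the wait with a timeout, so a genuinely malformed trust policy still fails on the first attempt instead of spinning. IAMError, retryAssumeRolePolicyUpdate and the stub newEventuallyConsistentIAM are assumptions standing in for the AWS SDK error type and the real UpdateAssumeRolePolicy call.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// IAMError mimics the shape of an AWS API error: an error code plus a message.
type IAMError struct{ Code, Message string }

func (e *IAMError) Error() string { return e.Code + ": " + e.Message }

// isPropagationError matches only the narrow transient failure seen in the PR:
// MalformedPolicyDocument with "Invalid principal in policy". Any other
// MalformedPolicyDocument is a genuinely broken trust policy and is not retried.
func isPropagationError(err error) bool {
	var ae *IAMError
	return errors.As(err, &ae) && ae.Code == "MalformedPolicyDocument" &&
		strings.Contains(ae.Message, "Invalid principal in policy")
}

// retryAssumeRolePolicyUpdate calls update until it succeeds, fails with a
// non-retryable error, or the bounded timeout elapses; returns the attempt count.
func retryAssumeRolePolicyUpdate(update func() error, timeout, interval time.Duration) (int, error) {
	deadline := time.Now().Add(timeout)
	for attempts := 1; ; attempts++ {
		err := update()
		if err == nil || !isPropagationError(err) {
			return attempts, err
		}
		if time.Now().After(deadline) {
			return attempts, fmt.Errorf("gave up after %d attempts: %w", attempts, err)
		}
		time.Sleep(interval)
	}
}

// newEventuallyConsistentIAM is a constructed stand-in for IAM that rejects the
// freshly created principal for the first n calls and accepts it afterwards.
func newEventuallyConsistentIAM(n int) func() error {
	calls := 0
	return func() error {
		if calls++; calls <= n {
			return &IAMError{"MalformedPolicyDocument", `Invalid principal in policy: "AWS":"arn:aws:iam::123456789012:user/bodebug"`}
		}
		return nil
	}
}
```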

@beyondbill beyondbill requested a review from a team March 17, 2020 23:55
@ghost ghost added needs-triage Waiting for first response or review from a maintainer. size/XS Managed by automation to categorize the size of a PR. service/iam Issues and PRs that pertain to the iam service. labels Mar 17, 2020
Base automatically changed from master to main January 23, 2021 00:57
@breathingdust breathingdust requested a review from a team as a code owner January 23, 2021 00:57
@ewbankkit ewbankkit removed the needs-triage Waiting for first response or review from a maintainer. label Sep 10, 2021
@ewbankkit
Contributor

@beyondbill Thanks for the contribution 🎉 👏.
I included your changes in #20785.

@ewbankkit ewbankkit closed this Sep 10, 2021
@github-actions

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 22, 2022