1

I have picked up a piece of work started by a contractor who has since left, and I was told the pipeline was working, but when I run it I get this error:

╷
│ Error: updating Auto Scaling Group (XXX): AccessDenied: You are not authorized to use launch template: XXX
│   status code: 403, request id: f7f48427-6c5a-4154-ab70-5a5226929e9f
│ 
│   with aws_autoscaling_group.autoscale_group,
│   on main.tf line 243, in resource "aws_autoscaling_group" "autoscale_group":
│  243: resource "aws_autoscaling_group" "autoscale_group" {
│ 

I cannot track down where the permissions issue is; the role that runs terraform has a policy that allows everything:

{
    "Statement": [
        {
            "Action": [
                "*"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "AllowAllPermissions"
        }
    ],
    "Version": "2012-10-17"
}

It also seems like the AMI ID is ok and I am able to launch an instance myself using my admin role, from the console using the launch template.

Has anyone had this issue and can maybe point me in the direction of where to look for the permissions error?

berimbolo

3 Answers

0

Since you are able to perform the task manually via your Admin credentials via the AWS console, I would check your terraform aws provider config to ensure that no other profile/credentials are being set there.

gmdne
  • I have added allow all permissions to the code pipeline, codebuild and the terraform assume role just to check. And still the error persists, even after destroying everything and trying to rebuild the account it fails at this point. – berimbolo Oct 04 '22 at 07:50
  • For my use case this was probably too specific. I will leave the question here, but the answer is in fact quite simple; it's just that the error was not specific enough to pinpoint the issue. This code DID work as I was told, but an SCP has been enacted at organisation level enforcing that all root volumes are encrypted. This information was not passed down to development teams. – berimbolo Oct 07 '22 at 08:12
0

Same here for a couple of days. Created a Launch template via Terraform but cannot create an ASG with it. :(

  • You might check to see if an SCP is enforcing that all root volumes are encrypted. – berimbolo Oct 07 '22 at 08:12
  • As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Oct 14 '22 at 17:12
0

In my case it was because, unknown to anyone, an SCP had very recently been deployed restricting the creation of instances without an encrypted root device, which led to this error.

I fixed it by updating the terraform launch template resource to include the following:

block_device_mappings {
  device_name = "/dev/sda1"
  ebs {
    encrypted = true
  }
}

I will leave this question here and answered because it might be helpful to somebody in future.

berimbolo
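The failure described in this thread, as an added example that is not part of the original posts: an explicit Deny in an SCP overrides the role's Allow "*", and a launch template with no encrypted root mapping inherits the AMI's unencrypted one. The SCP statement, the AMI mappings, `ami-EXAMPLE` and all function names are constructed assumptions, since the page does not show the real policy.

```python
from fnmatch import fnmatchcase

# Constructed SCP (the page does not show the real one): deny ec2:RunInstances
# for any volume where the ec2:Encrypted condition key evaluates to false.
SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyUnencryptedVolumes", "Effect": "Deny",
    "Action": "ec2:RunInstances",
    "Resource": "arn:aws:ec2:*:*:volume/*",
    "Condition": {"Bool": {"ec2:Encrypted": "false"}}}]}

# Constructed inputs shaped like describe-images and
# describe-launch-template-versions output; "ami-EXAMPLE" is a placeholder.
AMI_MAPPINGS = [{"DeviceName": "/dev/sda1", "Ebs": {"Encrypted": False}},
                {"DeviceName": "/dev/sdb", "VirtualName": "ephemeral0"}]
TEMPLATE_BEFORE = {"ImageId": "ami-EXAMPLE"}
TEMPLATE_AFTER = {"ImageId": "ami-EXAMPLE", "BlockDeviceMappings": [
    {"DeviceName": "/dev/sda1", "Ebs": {"Encrypted": True}}]}

def effective_volumes(template, ami_mappings):
    """Map each EBS device to its Encrypted flag; template entries override the AMI's."""
    ebs = {}
    for mapping in list(ami_mappings) + template.get("BlockDeviceMappings", []):
        if "Ebs" in mapping:  # instance-store (ephemeral) entries are not EBS volumes
            ebs.setdefault(mapping["DeviceName"], {}).update(mapping["Ebs"])
    return {dev: bool(cfg.get("Encrypted", False)) for dev, cfg in ebs.items()}

def scp_denied_devices(scp, volumes):
    """Devices matched by a Deny on ec2:RunInstances conditioned on ec2:Encrypted."""
    denied = set()
    for st in scp["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        hit = any(fnmatchcase("ec2:runinstances", a.lower()) for a in actions)
        want = st.get("Condition", {}).get("Bool", {}).get("ec2:Encrypted")
        if st["Effect"] == "Deny" and hit and want is not None:
            denied |= {d for d, enc in volumes.items()
                       if str(enc).lower() == str(want).lower()}
    return sorted(denied)

def launch_allowed(scp, template, ami_mappings):
    # An explicit Deny in an SCP overrides every Allow, including the role's
    # Allow "*", so the identity policy is never the deciding factor here.
    return not scp_denied_devices(scp, effective_volumes(template, ami_mappings))

if __name__ == "__main__":
    for name, tpl in (("before", TEMPLATE_BEFORE), ("after", TEMPLATE_AFTER)):
        vols = effective_volumes(tpl, AMI_MAPPINGS)
        print(name, vols, "denied:", scp_denied_devices(SCP, vols))
```

To use it on a real account, replace the constructed inputs with the JSON from your own launch template version, the AMI's block device mappings, and the SCPs attached to the account or its organizational unit.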