Cheers, I'm trying to figure out how I can define providers with role definitions explicitly when using external providers, as I believe this gives me errors when I try to make one role assume another, and specifically for modules I get errors.
When I use an SSO role which has the correct permission in the same account as where I try to execute terraform, it works. Basically, the goal is to make super platform roles that can apply to a broad range of environments.
Initial errors for modules, when using a role that does not have direct permissions and is dependent on assumption. (The assumable role has Administrator in the env to apply.)
staticAssets_foundations_dev │ Error: reading S3 Bucket (di-static-assets-dev-***): operation error S3: HeadBucket, https response error StatusCode: 403, RequestID: 0XWPD9AT06B2P7RS, HostID: eC6Qs4f8EjPo6QWCzloe9qdqyh+8nBu3dY9BHhgIL4MyZQ8ClD6Ta6qKRzyS0rSG2DH7SR0X8js=, api error Forbidden: Forbidden
│
│ with aws_s3_bucket.cloudfrontS3_cloudfrontS3Bucket_DB901A19 (cloudfrontS3/cloudfrontS3Bucket),
│ on cdk.tf.json line 325, in resource.aws_s3_bucket.cloudfrontS3_cloudfrontS3Bucket_DB901A19 (cloudfrontS3/cloudfrontS3Bucket):
│ 325: }
│
╵
staticAssets_foundations_dev ╷
│ Error: reading Amazon CloudFront Origin Access Identity (EC5UYRVYS0TS8): AccessDenied: Access Denied.
│ status code: 403, request id: 5dcbf0bd-1e6e-4174-9d27-3b2ab52006ee
│
│ with module.cloudfrontS3_407A5D96.aws_cloudfront_origin_access_identity.this["s3_bucket_one"],
│ on .terraform/modules/cloudfrontS3_407A5D96/main.tf line 6, in resource "aws_cloudfront_origin_access_identity" "this":
│ 6: resource "aws_cloudfront_origin_access_identity" "this" {
│
No errors when using a role that both has the permission directly and is allowed to assume the same role (an env-specific SSO role).
I wonder if I might need to pass the providers specifically to the module (cloudfront). But if so, I don't understand how.
import { Construct } from "constructs";
import { TerraformOutput } from "cdktf";
import { S3Bucket } from "@cdktf/provider-aws/lib/s3-bucket";
import { S3BucketPolicy } from "@cdktf/provider-aws/lib/s3-bucket-policy";
import { AcmCertificate } from "@cdktf/provider-aws/lib/acm-certificate";
import { AwsProvider } from "@cdktf/provider-aws/lib/provider";
import { TerraformProvider } from "cdktf/lib/terraform-provider";
// ---- the Cloudfront module class and CloudfrontS3Props are defined elsewhere in the library and not shown here
export class CloudfrontS3Construct extends Construct {
  public distribution: Cloudfront;
  public certificate: AcmCertificate;

  constructor(scope: Construct, name: string, props: CloudfrontS3Props) {
    super(scope, name);

    // Second provider configuration: CloudFront certificates must live in us-east-1
    const usEastProvider = new AwsProvider(this, "usEastProvider", {
      region: "us-east-1",
      roleToAssume: "some-fancy-role",
    });

    const cloudfrontS3Bucket = new S3Bucket(this, "cloudfrontS3Bucket", {
      bucket: props.s3OverrideName ?? `di-${props.tags.Application}-${props.env}-${props.accountNumber}`,
      tags: props.tags,
    });

    let domainName = props.hostedZoneName;
    if (props.recordName !== props.hostedZoneName) {
      domainName = `${props.recordName}.${props.hostedZoneName}`;
    }

    this.certificate = new AcmCertificate(this, "certificate", {
      domainName: domainName,
      validationMethod: "DNS",
      tags: props.tags,
      //provider: usEastProvider,
      subjectAlternativeNames: [domainName],
    });

    const CLOUDFRONT_ORGIN_ACCESS_COMMENT = "Terraform managed origin s3 bucket";

    this.distribution = new Cloudfront(this, name, {
      providers: [
        usEastProvider as TerraformProvider, // where the error shows up
      ],
      // remaining Cloudfront module arguments omitted in the post
    });
  }
}
This gives an error when trying to define the provider:
Type 'TerraformProvider' is not assignable to type 'TerraformProvider | TerraformModuleProvider'.
Type 'import("/Users//di-cdktf-ts-lib/src/node_modules/cdktf/lib/terraform-provider").TerraformProvider' is not assignable to type 'import("/Users//git/com.github/**/di-cdktf-ts-lib/node_modules/cdktf/lib/terraform-provider").TerraformProvider'.
Property 'synthesizeAttributes' is protected but type 'TerraformProvider' is not a class derived from 'TerraformProvider'.ts(2322)
Deploying the cloudfront module with terraform using a role in another account, using assume-role logic in the module. What happens is that I get denial errors, when the assumable role should have all accesses. I have tried adding the provider explicitly for modules, but I don't understand how to do that in CDKTF.
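The 403s above come from resources and modules that are not bound to the aliased provider and therefore run under whatever credentials `terraform` itself holds. The following is an added example, not code from the post or from cdktf: it audits a synthesized `cdk.tf.json` (the file the first error points at) and lists, for every resource and module, which provider configuration and which `assume_role` it will use, so the wiring can be checked before `terraform apply`. It relies only on Terraform's JSON syntax (aliased `provider` blocks, the `provider` attribute on a resource, the `providers` map on a module). The `sampleStack` input is constructed to mimic the stack in the question, the role ARNs and module sources are placeholders, and the audit assumes an AWS-only stack.

```typescript
// Added example: audit which provider (and which assumed role) each address
// in a synthesized cdk.tf.json will use. Not part of the original post.

type AssumeRole = { role_arn?: string };
type ProviderConfig = {
  alias?: string;
  region?: string;
  assume_role?: AssumeRole | AssumeRole[]; // Terraform JSON accepts a block as object or array
};

export interface TerraformJson {
  provider?: Record<string, ProviderConfig | ProviderConfig[]>;
  resource?: Record<string, Record<string, Record<string, unknown>>>;
  module?: Record<string, Record<string, unknown>>;
}

export interface ProviderUse {
  address: string;        // "aws_s3_bucket.cloudfrontS3Bucket" or "module.cloudfrontS3 (aws)"
  providerRef: string;    // "aws" (default) or "aws.usEastProvider" (aliased)
  explicit: boolean;      // false when the address silently inherited the default provider
  configured: boolean;    // false when no provider block matches providerRef
  roleArn: string | null; // assume_role.role_arn of that provider block, if any
}

function asArray<T>(v: T | T[] | undefined): T[] {
  if (v === undefined) return [];
  return Array.isArray(v) ? (v as T[]) : [v as T];
}

/** Resolve "aws" or "aws.alias" to its provider block and the role it assumes. */
function resolveProvider(json: TerraformJson, providerRef: string): { configured: boolean; roleArn: string | null } {
  const [type, alias] = providerRef.split(".", 2);
  const block = asArray(json.provider?.[type]).find((p) => (alias ? p.alias === alias : !p.alias));
  if (!block) return { configured: false, roleArn: null };
  return { configured: true, roleArn: asArray(block.assume_role)[0]?.role_arn ?? null };
}

/** Every resource and module together with the provider configuration it will run under. */
export function auditProviders(json: TerraformJson): ProviderUse[] {
  const uses: ProviderUse[] = [];

  for (const [resType, instances] of Object.entries(json.resource ?? {})) {
    for (const [name, body] of Object.entries(instances)) {
      const explicitRef = typeof body.provider === "string" ? body.provider : undefined;
      // No "provider" attribute: Terraform uses the default provider named by the type prefix.
      const providerRef = explicitRef ?? resType.split("_")[0];
      uses.push({ address: `${resType}.${name}`, providerRef, explicit: explicitRef !== undefined, ...resolveProvider(json, providerRef) });
    }
  }

  for (const [name, body] of Object.entries(json.module ?? {})) {
    const mapping = (body.providers ?? {}) as Record<string, string>;
    if (Object.keys(mapping).length === 0) {
      // A module without a "providers" map inherits the caller's default provider (assumed AWS-only here).
      uses.push({ address: `module.${name}`, providerRef: "aws", explicit: false, ...resolveProvider(json, "aws") });
      continue;
    }
    for (const [localName, providerRef] of Object.entries(mapping)) {
      uses.push({ address: `module.${name} (${localName})`, providerRef, explicit: true, ...resolveProvider(json, providerRef) });
    }
  }
  return uses;
}

/** Addresses that will run on a provider with no assume_role, i.e. on the caller's own credentials. */
export function runningOnCallerCredentials(uses: ProviderUse[]): string[] {
  return uses.filter((u) => u.roleArn === null).map((u) => u.address);
}

// Constructed sample mimicking CDKTF output for a stack like the one in the question (placeholders, not real values).
export const sampleStack: TerraformJson = {
  provider: {
    aws: [
      { region: "eu-west-1" },
      { alias: "usEastProvider", region: "us-east-1", assume_role: [{ role_arn: "arn:aws:iam::111111111111:role/PLACEHOLDER-platform-role" }] },
    ],
  },
  resource: {
    aws_s3_bucket: { cloudfrontS3Bucket: { bucket: "di-static-assets-dev-EXAMPLE" } },
    aws_acm_certificate: { certificate: { domain_name: "example.invalid", validation_method: "DNS", provider: "aws.usEastProvider" } },
  },
  module: {
    cloudfrontS3: { source: "PLACEHOLDER-module-source", providers: { aws: "aws.usEastProvider" } },
    unscoped: { source: "PLACEHOLDER-module-source" },
  },
};

for (const u of auditProviders(sampleStack)) {
  console.log(`${u.address.padEnd(40)} -> ${u.providerRef}${u.explicit ? "" : " (inherited)"} role=${u.roleArn ?? "none"}`);
}
console.log("running on caller credentials:", runningOnCallerCredentials(auditProviders(sampleStack)));
```

Run it against the real `cdk.tf.json` by reading the file with `JSON.parse` instead of `sampleStack`; any address the second function reports is one that will hit the HeadBucket/AccessDenied path as soon as the runner's own credentials lack rights in the target account. On the CDKTF side, a `TerraformModule`'s `providers` entry is either a `TerraformProvider` or a `TerraformModuleProvider` object (`{ provider, moduleAlias }`), and a second `AwsProvider` in the same stack needs an `alias` and an `assumeRole` entry with `roleArn` to produce the aliased block the audit looks for. The TS2322 message itself shows two different `node_modules/cdktf` paths, which is why the two `TerraformProvider` types are treated as unrelated classes; the audit above only covers the synthesized output, not that packaging issue.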