Using Read-Only User 'planner' for Terraform Plans

[mtb-xt]

Hi guys,

We're trying to grant a user permission to run Terraform locally with atmos, but in planning only mode, without the ability to apply any changes. However, we're having trouble getting Terraform to use the 'planner' role correctly. How should our configs be configured?

At the moment, the user is encountering access errors related to the S3 backend. Here's the error message we're seeing:

│ IAM Role (arn:aws:iam::312368642835:role/nsp-data-gbl-prod-terraform) cannot be assumed.
│
│ There are a number of possible causes of this - the most common are:
│ * The credentials used in order to assume the role are invalid
│ * The credentials do not have appropriate permission to assume the role
│ * The role ARN is not valid
│
│ Error: operation error STS: AssumeRole, https response error StatusCode: 403, RequestID:
│ 94e58e32-b449-4f51-abe6-19e13ef93960, api error AccessDenied: User:
│ arn:aws:sts::767397854031:assumed-role/nsp-core-gbl-identity-developers/nsp-identity is not authorized to perform:
│ sts:AssumeRole on resource: arn:aws:iam::312368642835:role/nsp-data-gbl-prod-terraform
│

[milldr]

If I understand correctly, you have assumed the developers AWS Team (nsp-core-gbl-identity-developers) and are now trying to plan Terraform in some accounts using the planner AWS Team Role rather than the terraform team role. This is something we refer to as "dynamic" roles.

Dynamic roles will need to be configured in your account-map stack catalog. Double check the following and then reapply account-map if necessary

# stacks/catalog/account-map.yaml
components:
  terraform:
    account-map:
      settings:
        github:
          actions_enabled: false
      vars:
        enabled: true
        terraform_dynamic_role_enabled: true # <----- this line

[AleksandrMatveev]

Yes, dynamic roles are enabled.

We are trying to add a new "data" team to access data accounts. We have new accounts created in the organization (aws-sso.yaml):

          data-dev:
            groups: &data_nonprod_groups
              S_IAM_Platform_Team:
                permission_sets:
                  - AdministratorAccess
                  - PowerUserAccess
                  - ReadOnlyAccess
              S_IAM_Security_Team:
                permission_sets:
                  - ReadOnlyAccess
              S_IAM_Data:
                permission_sets:
                  - PowerUserAccess
          data-prod:
            groups:
              <<: *data_nonprod_groups
              S_IAM_Data:
                permission_sets:
                  - ReadOnlyAccess
                  - PowerUserAccess

And added them to aws-teams

          data:
            <<: *user-template
            role_description: "Team with view permissions in `identity` and limited access to all other accounts"
            aws_saml_login_enabled: true
            role_policy_arns:
              - "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"
              - team_role_access
            trusted_teams:
              - devops
              - managers
              - security
              - data
            trusted_permission_sets:
              - IdentityDevopsTeamAccess
              - IdentityManagersTeamAccess
              - IdentityDataTeamAccess

And aws-team-roles

          # The planner role allows use of `terraform plan` but does not allow any changes to be made
          planner:
            <<: *user-template
            enabled: true
            role_policy_arns:
              - "arn:aws:iam::aws:policy/ReadOnlyAccess"
              - "eks_viewer"
            role_description: "Role for Terraform administration of this account"
            trusted_teams:
              - "data"
              - "devops"
              - "managers"
              - "spacelift"
              - "gitops"

When our employee tried to plan, he got the following error:

√ . [org-identity] (HOST) platform ⨠ atmos terraform plan something -s data-apse2-prod
I get a different IAM error:
Error: error configuring S3 Backend: IAM Role (arn:aws:iam::xxx:role/org-core-gbl-root-tfstate) cannot be assumed.
Error: NoCredentialProviders: no valid providers in chain. Deprecated.

Did we add 'planners' to identity correctly? Are there any other steps that we need?

[milldr]

I see. Yes you added the the data team correctly to assume the planner team role, but you also need to grant the data permission to access Terraform State (arn:aws:iam::xxx:role/org-core-gbl-root-tfstate)

You'll need to add data to var.allowed_roles for your given terraform backend

# stacks/catalog/tfstate-backend.yaml
components:
  terraform:
    tfstate-backend:
...
      vars:
...
        access_roles:
          default: &access-template
            write_enabled: true
            allowed_roles:
              core-root:
                - "admin"
              core-identity:
                - "devops"
                - "developers"
                - "managers"
                - "planners"
                - "gitops"
                - "data" #<-------- this line will allow the "data" team in "core-identity" to access the tfstate access role
...

[AleksandrMatveev]

Thanks a lot! That fixes access to the Terraform state.

However, we didn't expect information about which role (terraform or planner) to use to be stored in this component's state.
I regenerated this information by running atmos terraform deploy account-map -s core-gbl-root.

Now everything works as expected.

[mtb-xt]

@milldr thanks a lot for helping us sort this out!

Did we miss something in the documentation about this? We think we read everything, but still missed this.

[milldr]

I'm glad it worked!

We have advanced documentation on this specifically here, along with thorough explanation on the identity architecture altogether:
https://docs.cloudposse.com/layers/identity/docs/aws-access-control-architecture/#access-to-the-terraform-state-backend