ecs-deploy-runner is not authorized (RA)

[drafie]

We are having an issue deploying an RDS instance in our RA. When using the for-production example in the service catalog, we are able to terragrunt apply locally, but when committing the changes to the repo Github actions returns an error: access denied because no identify-based policy allows rds:DescribeDBSSubnetGroups action.

We have added RDS permissions to the deploy_permissions.yml and read_only_permissions.yml

RDSDeployAccess:
effect: "Allow"
actions:

• "rds:*"
  resources:
• "*"
  RDSReadOnlyAccess:
  effect: "Allow"
  actions:
• "rds:Describe*"
• "rds:List*"
• "rds:Download*"
  resources:
• "*"

But still, we get this error:

Error: AccessDenied: User: arn:aws:sts::xxxxxxxx:assumed-role/ecs-deploy-runner-terraform-planner/xxxxxx is not authorized to perform: rds:DescribeDBSubnetGroups on resource: arn:aws:rds:us-east-1:xxxxxxxxx:subgrp:rds-xxxxx because no identity-based policy allows the rds:DescribeDBSubnetGroups action
status code: 403, request id: f179d814-1dd7-4f5e-97db-c136883ae1db
with module.database.aws_db_subnet_group.db[0],
on .terraform/modules/database/modules/rds/main.tf line 397, in resource "aws_db_subnet_group" "db":
397: resource "aws_db_subnet_group" "db" {

We copied these two files from the service catalog:

https://github.com/gruntwork-io/terraform-aws-service-catalog/blob/master/examples/for-production/infrastructure-live/_envcommon/data-stores/rds.hcl

https://github.com/gruntwork-io/terraform-aws-service-catalog/blob/master/examples/for-production/infrastructure-live/dev/us-west-2/dev/data-stores/rds/terragrunt.hcl

Are we overlooking something obvious?

---

Tracked in ticket #109862

[Etiene]

Hi @drafie, I wonder if github has the permission to assume the role that has those permissions. When setting up the account baseline with the landingzone module, have you enabled var.enable_github_actions_access?

If you haven't yet, here are some varibles you might find useful from
https://github.com/gruntwork-io/terraform-aws-service-catalog/blob/master/modules/landingzone/account-baseline-app/variables.tf :

# ---------------------------------------------------------------------------------------------------------------------
# OPTIONAL EXTERNAL IAM ACCESS PARAMETERS
# These variables have defaults, but may be overridden by the operator.
# ---------------------------------------------------------------------------------------------------------------------

variable "enable_github_actions_access" {
  description = "When true, create an Open ID Connect Provider that GitHub actions can use to assume IAM roles in the account. Refer to https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services for more information."
  type        = bool
  default     = false
}

variable "github_actions_openid_connect_provider_thumbprint_list" {
  description = "When set, use the statically provided hardcoded list of thumbprints rather than looking it up dynamically. This is useful if you want to trade reliability of the OpenID Connect Provider across certificate renewals with a static list that is obtained using a trustworthy mechanism, to mitigate potential damage from a domain hijacking attack on GitHub domains."
  type        = list(string)
  default     = null
}
variable "allow_auto_deploy_from_github_actions_for_sources" {
  description = "Map of github repositories to the list of branches that are allowed to assume the IAM role. The repository should be encoded as org/repo-name (e.g., gruntwork-io/terrraform-aws-ci). Allows GitHub Actions to assume the auto deploy IAM role using an OpenID Connect Provider for the given repositories. Refer to the docs for github-actions-iam-role for more information. Note that this is mutually exclusive with var.allow_auto_deploy_from_other_account_arns. Only used if var.enable_github_actions_access is true. "
  type        = map(list(string))
  default     = {}
  # Example:
  # default = {
  #   "gruntwork-io/terraform-aws-security" = ["main", "dev"]
  # }
}

You might want to use them as input here if you want to enable it for all environments (
https://github.com/gruntwork-io/terraform-aws-service-catalog/blob/master/examples/for-production/infrastructure-live/_envcommon/landingzone/account-baseline-app-base.hcl) or use it somewhere else depending how you want to configure this. You can also find more information about enabling github actions on our github-actions-iam-role module.