streamalert
iam role creation fails with longer prefix + cluster names
Background
During infrastructure creation, if the length of the prefix + the length of the cluster + "streamalert_rule_processor_role" is > 64 chars, the terraform build will fail due to the character limit on IAM roles.
This exists because of the way everything is joined upon creation in the terraform vars:

streamalert/terraform/modules/tf_stream_alert/iam.tf

```hcl
// IAM Role: Rule Processor Execution Role
resource "aws_iam_role" "streamalert_rule_processor_role" {
  name               = "${var.prefix}_${var.cluster}_streamalert_rule_processor_role"
  assume_role_policy = "${data.aws_iam_policy_document.lambda_assume_role_policy.json}"
}
```
Desired Change
There are several ways around this. However, I think the best option would be to add a check upon creation of the prefix as well as on initial run of the init scripts. Because this fails a good way through the infrastructure creation, rollback can be rather frustrating when terraform errors out. Rather than getting through 80% of the deploy and then finding the error, I think it would be good to perform a "pre-flight" length check on the described variables.
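One way to implement the pre-flight length check proposed above, written as an added example rather than StreamAlert's own code. It reuses the role-name template from the iam.tf snippet (`${prefix}_${cluster}_streamalert_rule_processor_role`) and the 64-character IAM limit; the function names, the tuple of suffixes, and the sample prefix/cluster values are assumptions made for the example.

```python
"""Pre-flight check: will a StreamAlert prefix + cluster combination produce an
IAM role name longer than AWS allows?

Added example, not StreamAlert's own code. The role-name template comes from
the iam.tf snippet in the issue; everything else here is an assumption.
"""
import re
import sys

# AWS limits IAM role names to 64 characters.
IAM_ROLE_NAME_MAX_LEN = 64

# Role-name suffixes generated by the terraform modules. Constructed list:
# only the suffix shown in the issue is included; a real check would list
# every suffix the modules generate.
ROLE_SUFFIXES = ("streamalert_rule_processor_role",)

# Character set the IAM CreateRole API accepts for RoleName.
_IAM_ROLE_NAME_RE = re.compile(r"^[\w+=,.@-]+$")


def build_role_name(prefix, cluster, suffix):
    """Join the parts exactly the way iam.tf does: prefix_cluster_suffix."""
    return "{}_{}_{}".format(prefix, cluster, suffix)


def check_role_names(prefix, cluster, suffixes=ROLE_SUFFIXES):
    """Return a list of human-readable problems; empty means every generated
    role name fits the IAM length limit and character set."""
    problems = []
    for suffix in suffixes:
        name = build_role_name(prefix, cluster, suffix)
        if len(name) > IAM_ROLE_NAME_MAX_LEN:
            problems.append(
                "{!r} is {} chars, {} over the {}-char IAM role name limit".format(
                    name, len(name), len(name) - IAM_ROLE_NAME_MAX_LEN,
                    IAM_ROLE_NAME_MAX_LEN))
        elif not _IAM_ROLE_NAME_RE.match(name):
            problems.append(
                "{!r} contains characters IAM does not allow in a role name".format(name))
    return problems


def max_prefix_cluster_length(suffixes=ROLE_SUFFIXES):
    """Longest len(prefix) + len(cluster) that still fits, accounting for the
    two '_' separators and the longest suffix. Useful for the docs warning."""
    longest_suffix = max(len(s) for s in suffixes)
    return IAM_ROLE_NAME_MAX_LEN - longest_suffix - 2


def main(argv):
    """Usage: preflight.py <prefix> <cluster>; exits 1 if any name is invalid,
    so it can gate `terraform apply` before 80% of the deploy has run."""
    if len(argv) != 3:
        print("usage: {} <prefix> <cluster>".format(argv[0]))
        return 2
    problems = check_role_names(argv[1], argv[2])
    for problem in problems:
        print("ERROR: " + problem)
    if problems:
        print("prefix + cluster may be at most {} characters combined".format(
            max_prefix_cluster_length()))
        return 1
    print("ok: generated IAM role names fit within {} characters".format(
        IAM_ROLE_NAME_MAX_LEN))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running it as `python preflight.py acme-security-engineering production-us-west-2` reports that the generated name is 78 characters, 14 over the limit, before terraform is ever invoked; with the suffix from the issue, prefix and cluster together may total at most 31 characters. Keeping the suffix list in one place is what makes the check cheap to extend when more role names are added to the modules.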
hey @securityclippy thanks for filing this issue! We've run into this a few times as well and haven't decided on the best approach for fixing. Thanks for the thoughts, we'll try to prioritize soon. You're also welcome to submit a PR to address this :)
Thanks @ryandeivert. I get that it's probably not simple to just add a check, as it's used in multiple places. Perhaps a large warning in the docs when setting the prefix/clusters? Curious what other solutions people have come up with?
I'll take a stab at this one at some point. If someone could assign to me, that would be greatly appreciated so I don't lose track of it.