
S3 backend update/merge policy issue: (The remote state S3 bucket {BUCKET_NAME} needs to be updated)

Open apamildner opened this issue 2 years ago • 0 comments

tl;dr: Terragrunt does not marshal existing policies properly

Explanation

When terragrunt finds that the S3 bucket you use as a backend is missing TLS+Root Access in its policy, it asks if you want terragrunt to update it, i.e.:

WARN[0002] The remote state S3 bucket BUCKETNAME needs to be updated: 
WARN[0002]   - Bucket Root Access                       
WARN[0002]   - Bucket Enforced TLS                      
Remote state S3 bucket BUCKETNAME is out of date. Would you like Terragrunt to update it? (y/n) y

This is all good, but when we say y to this, terragrunt crashes.

After trying to understand why, I found this line in the source code. It turns out that a part of our policy is not properly marshalled when terragrunt tries to read it. This is because we have used NotPrincipal, i.e. like so:

{
   "Version": "2012-10-17",
   "Statement": [{
       "Effect": "Deny",
       "NotPrincipal": {"AWS": [
           "arn:aws:iam::444455556666:user/Bob",
           "arn:aws:iam::444455556666:root"
       ]},
       "Action": "s3:*",
       "Resource": [
           "arn:aws:s3:::BUCKETNAME",
           "arn:aws:s3:::BUCKETNAME/*"
       ]
   }]
}

This is not part of what terragrunt expects when marshalling the policy.

apamildner, Sep 21 '22 07:09
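As an added illustration (not Terragrunt's own code), the following Go program parses a bucket policy whose statements use either Principal or NotPrincipal without dropping the one it does not recognise, checks for the enforced-TLS deny statement that Terragrunt's warning refers to, and round-trips the policy back to JSON. The sample policy is constructed here: it is the issue's NotPrincipal statement plus an assumed enforced-TLS statement using the standard aws:SecureTransport condition key.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Principal-like fields can be the string "*" or an object such as
// {"AWS": "arn..."} or {"AWS": ["arn...", ...]}. json.RawMessage keeps
// whichever shape is present, so neither Principal nor NotPrincipal is lost.
type Statement struct {
	Sid          string          `json:"Sid,omitempty"`
	Effect       string          `json:"Effect"`
	Principal    json.RawMessage `json:"Principal,omitempty"`
	NotPrincipal json.RawMessage `json:"NotPrincipal,omitempty"`
	Action       json.RawMessage `json:"Action"`
	Resource     json.RawMessage `json:"Resource"`
	Condition    json.RawMessage `json:"Condition,omitempty"`
}

type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// Constructed sample: the issue's NotPrincipal deny plus an assumed
// enforced-TLS deny statement (aws:SecureTransport = false).
const samplePolicy = `{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Deny",
     "NotPrincipal": {"AWS": ["arn:aws:iam::444455556666:user/Bob", "arn:aws:iam::444455556666:root"]},
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::BUCKETNAME", "arn:aws:s3:::BUCKETNAME/*"]},
    {"Sid": "EnforcedTLS", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::BUCKETNAME", "arn:aws:s3:::BUCKETNAME/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}`

// ParsePolicy unmarshals a policy document into the lossless Statement shape.
func ParsePolicy(doc string) (Policy, error) {
	var p Policy
	err := json.Unmarshal([]byte(doc), &p)
	return p, err
}

// HasEnforcedTLS reports whether some Deny statement carries the
// aws:SecureTransport=false condition (accepts "false" or false).
func HasEnforcedTLS(p Policy) bool {
	for _, s := range p.Statement {
		if s.Effect != "Deny" || len(s.Condition) == 0 {
			continue
		}
		var cond map[string]map[string]interface{}
		if json.Unmarshal(s.Condition, &cond) != nil {
			continue
		}
		if v, ok := cond["Bool"]["aws:SecureTransport"]; ok && fmt.Sprint(v) == "false" {
			return true
		}
	}
	return false
}

// RoundTrip re-serialises the policy; NotPrincipal survives unchanged.
func RoundTrip(doc string) (string, error) {
	p, err := ParsePolicy(doc)
	if err != nil {
		return "", err
	}
	out, err := json.Marshal(p)
	return string(out), err
}

func main() {
	p, err := ParsePolicy(samplePolicy)
	if err != nil {
		panic(err)
	}
	fmt.Println("statements:", len(p.Statement), "enforced TLS:", HasEnforcedTLS(p))
}
```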