
awscc_databrew_job - fails to create the job in a multi account setup. "Cross-account pass role is not allowed"

Open Venkat2512 opened this issue 1 year ago • 7 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
  • The resources and data sources in this provider are generated from the CloudFormation schema, so they can only support the actions that the underlying schema supports. For this reason submitted bugs should be limited to defects in the generation and runtime code of the provider. Customizing behavior of the resource, or noting a gap in behavior are not valid bugs and should be submitted as enhancements to AWS via the CloudFormation Open Coverage Roadmap.

Description:

We have a multi-account setup wherein the source account assumes a role in the destination account to create resources. Both the user in the source account and the assumed role in the destination account have full permissions on all the resources.

The aws provider is able to create cross-account resources without any issues, but awscc fails to do so.

Terraform CLI and Terraform AWS Cloud Control Provider Version

Terraform v1.0.9 on darwin_arm64

  • provider registry.terraform.io/hashicorp/archive v2.4.0
  • provider registry.terraform.io/hashicorp/aws v5.8.0
  • provider registry.terraform.io/hashicorp/awscc v0.56.0
  • provider registry.terraform.io/hashicorp/random v3.5.1

Affected Resource(s)

awscc_databrew_job

Terraform Configuration Files

Root module:

provider.tf

provider "aws" {
  region = var.region
}

provider "awscc" {
  region = var.region
}

provider "awscc" {
  region = var.region
  alias  = "modeling"
  # awscc exposes assume_role as a nested attribute, so it is assigned with "=",
  # unlike the aws provider's assume_role block.
  assume_role = {
    role_arn = "Destination assumed role ARN"
  }
}

versions.tf

terraform {
  required_version = ">= 0.15"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.9.0"
    }
    awscc = {
      source  = "hashicorp/awscc"
      version = ">= 0.55.0"
    }
  }

  backend "s3" {

  }
}

Main.tf

resource "awscc_databrew_job" "databrew" {
  name     = "brewjob"
  # aws_iam_role.databrew_role is declared without count below,
  # so it is referenced directly rather than by index.
  role_arn = aws_iam_role.databrew_role.arn
  type     = "PROFILE"
}


data "aws_iam_policy_document" "databrew_assume_role_document" {
  version = "2012-10-17"
  statement {
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = ["databrew.amazonaws.com"]
    }
    actions = [
      "sts:AssumeRole"
    ]
  }
}

resource "aws_iam_role" "databrew_role" {
  name               =  "testrole"
  assume_role_policy = data.aws_iam_policy_document.databrew_assume_role_document.json
}

resource "aws_iam_role_policy" "databrew_role_policy" {
  name   = "testpolicy"
  role   = aws_iam_role.databrew_role.id
  policy = data.aws_iam_policy_document.databrew_policy.json
}

data "aws_iam_policy_document" "databrew_policy" {
  version = "2012-10-17"
  statement {
    sid    = "ToUseCloudWatchLogs"
    effect = "Allow"
    actions = [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents"
    ]
    resources = ["*"]
  }
}

Debug Output

Panic Output

Expected Behavior

Actual Behavior


│ Error: AWS SDK Go Service Operation Incomplete
│ 
│   with module.modeling.awscc_databrew_job.databrew[0],
│   on module/modeling/main.tf line 1, in resource "awscc_databrew_job" "databrew":
│    1: resource "awscc_databrew_job" "databrew" {
│ 
│ Waiting for Cloud Control API service CreateResource operation completion returned: waiter state transitioned to FAILED. StatusMessage: Cross-account pass role is not allowed. (Service: DataBrew,
│ Status Code: 403, Request ID: 21cad71c-c45f-43c7-bb14-4f62811496cf, Extended Request ID: null). ErrorCode: ServiceInternalError

Steps to Reproduce

terraform apply with the above configuration.

Important Factoids

References

  • #0000

Venkat2512 avatar Jul 21 '23 19:07 Venkat2512

I am having the same issue. Is there any workaround for this, @Venkat2512?

7adityaraj avatar Aug 02 '23 11:08 7adityaraj

Unfortunately, no. Any luck on your side?

Venkat2512 avatar Aug 14 '23 15:08 Venkat2512

Hi @ewbankkit, any suggestions for this one, please?

7adityaraj avatar Aug 14 '23 17:08 7adityaraj

Similar issue here on an AWS account under Control Tower; works fine on a non-Control Tower AWS account.

│ Error: AWS SDK Go Service Operation Incomplete
│ 
│   with module.cloud_watch_alarms.awscc_chatbot_slack_channel_configuration.slack_integration[0],
│   on ../../../cloudwatchalarm/main.tf line 31, in resource "awscc_chatbot_slack_channel_configuration" "slack_integration":
│   31: resource "awscc_chatbot_slack_channel_configuration" "slack_integration" {
│ 
│ Waiting for Cloud Control API service CreateResource operation completion returned: waiter state transitioned to
│ FAILED. StatusMessage: Cross-account pass role is not allowed. (Service: AWSChatbot; Status Code: 403; Error
│ Code: AccessDeniedException; Request ID: c84dc7eb-7e1f-41ef-8216-d43e57ebdd53; Proxy: null). ErrorCode:
│ GeneralServiceException provider = terraform-provider-aws_v5.14.0_x5: on darwin_arm64

Turns out to be an AWS IAM cross-account configuration issue rather than TF; resolved by adding a provider stanza for awscc with profile and region settings.

corrigac avatar Aug 31 '23 10:08 corrigac

Thanks @corrigac

For clarity, this is the stanza I added successfully:

provider "awscc" {
  # As we use some resources not yet in the aws terraform provider
  # see https://registry.terraform.io/providers/hashicorp/awscc/latest/docs
  region = "us-east-1"
  assume_role = {
    role_arn = local.aws_provider_iam_role_arn
  }
}

where the role ARN is based on which Control Tower account we are deploying into.

tobywan avatar Sep 11 '23 09:09 tobywan
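Reading the posted configuration, the un-aliased aws provider creates the IAM role in the source account while the aliased awscc provider creates the job in the destination account, so the destination principal is asked to pass a role that lives in another account, which IAM refuses regardless of how broad the policies are. The following is an added example, not code from the issue or from the provider project, that keeps the role and the job in one account by pointing both providers at the same destination role; it assumes us-east-1, a constructed placeholder role ARN, and Terraform >= 1.2 for the precondition.

```hcl
provider "aws" {
  region = "us-east-1"
  alias  = "modeling"
  assume_role {
    # Constructed placeholder; replace with the destination account's role ARN.
    role_arn = "arn:aws:iam::111122223333:role/DESTINATION_ROLE_PLACEHOLDER"
  }
}

provider "awscc" {
  region = "us-east-1"
  alias  = "modeling"
  assume_role = {
    role_arn = "arn:aws:iam::111122223333:role/DESTINATION_ROLE_PLACEHOLDER"
  }
}

data "aws_caller_identity" "destination" {
  provider = aws.modeling
}

resource "aws_iam_role" "databrew_role" {
  provider = aws.modeling
  name     = "testrole"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "databrew.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "awscc_databrew_job" "databrew" {
  provider = awscc.modeling
  name     = "brewjob"
  type     = "PROFILE"
  role_arn = aws_iam_role.databrew_role.arn

  lifecycle {
    # Guard (Terraform >= 1.2): the role being passed must belong to the
    # account in which the assumed-role identity is creating the job.
    precondition {
      condition     = split(":", aws_iam_role.databrew_role.arn)[4] == data.aws_caller_identity.destination.account_id
      error_message = "DataBrew job and its role must be in the same account; cross-account PassRole is denied."
    }
  }
}
```

The precondition turns the 403 seen at apply time into a clear plan-time failure whenever the role and the job would end up in different accounts.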

@Venkat2512 are you able to incorporate the suggested fix above?

wellsiau-aws avatar Sep 12 '23 01:09 wellsiau-aws