Shabina Rayan

Reputation: 419

Unable to create AWS security group via Terraform

I am using Jenkins to automate Terraform to create my AWS environment. Although Jenkins has permissions to CreateSecurityGroup, I get this error when Jenkins runs my Terraform main file:

* aws_security_group.lambda_security_group: aws_security_group.lambda_security_group: UnauthorizedOperation: You are not authorized to perform this operation.status code: 403, request id: 08c21dbe-5b86-4ad1-8ff3-13611bdb178c

With the CreateSecurityGroup permission in place, I am curious as to why I am unable to perform the operation.

I have ensured these permissions are assigned to the Jenkins role creating the security group:

        {
            "Sid": "AllowEC2Control",
            "Action": [
                "ec2:CreateSecurityGroup"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        }

This is the code within my Terraform file:

Creating the security group:

resource "aws_security_group" "lambda_security_group" {
  name = "security group"
  description = "Security group for data ingestion lambda"
  vpc_id = "${var.vpc_id}"

  egress {
    from_port = 0
    to_port = 0
    protocol = "-1"
    cidr_blocks = [
      "0.0.0.0/0"
    ]
  }

  tags {
    Service = "${var.tags_service_name}"
    environment = "${var.environment}"
  }
}

Creating the lambda:

resource "aws_lambda_function" "some_lambda" {
  function_name = "my_lambda"
  s3_bucket = "${aws_s3_bucket.my_data.bucket}"
  s3_key = "lambda.zip"
  role    = "${aws_iam_role.my_iam_role.arn}"
  handler = "lambda_function.lambda_handler"
  runtime = "python3.6"
  timeout = 900
  memory_size = 128
  source_code_hash = "${var.GIT_SHA}"
  vpc_config {
    security_group_ids = [
      "${aws_security_group.lambda_security_group.id}"
    ]
    subnet_ids = "${var.subnets}"
  }
}

Unfortunately, I get the error posted on top when Jenkins executes the Terraform script. I am expecting to have the proper permissions to create this security group.

Upvotes: 2

Views: 2629

Answers (1)

Darkjeff

Reputation: 427

You just authorized your Jenkins to create a security group, but in your Terraform code you want to add an egress rule too.

You have to grant the egress permission too. Here is a reference: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#security-group

To be able to add/update/delete, you change your IAM rule to:

        {
            "Sid": "AllowEC2Control",
            "Action": [
                "ec2:CreateSecurityGroup",
                "ec2:*SecurityGroupEgress",
                "ec2:*SecurityGroupIngress"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        }

Upvotes: 3
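An added example, not code from the question or the answer: an offline pre-flight check of whether an IAM policy document covers the EC2 calls Terraform makes for a VPC security group declared with an explicit egress block. The required-action list is an assumption based on the Terraform AWS provider's documented behaviour (it revokes the default allow-all egress rule, authorizes the configured one, reads the group back, and applies tags); the two sample policies are constructed from the statement in the question and the one in the answer, so any other statements the Jenkins role carries are not seen here.

```python
"""Check an IAM policy document for the EC2 actions Terraform needs when it
creates an aws_security_group with an explicit egress block (offline, no AWS calls)."""
import json
from fnmatch import fnmatchcase

# Assumed minimal set for create + read + tag of a VPC security group with
# its own egress rule: Terraform revokes the default rule, then authorizes ours.
REQUIRED_ACTIONS = [
    "ec2:CreateSecurityGroup",
    "ec2:DescribeSecurityGroups",
    "ec2:RevokeSecurityGroupEgress",
    "ec2:AuthorizeSecurityGroupEgress",
    "ec2:CreateTags",
]

def action_matches(pattern: str, action: str) -> bool:
    # IAM action names are case-insensitive; "*" and "?" are wildcards,
    # so "ec2:*SecurityGroupEgress" covers both Authorize... and Revoke...
    return fnmatchcase(action.lower(), pattern.lower())

def missing_actions(policy_json: str, required=REQUIRED_ACTIONS) -> list:
    """Return required actions the policy does not Allow, or explicitly Denies."""
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    allowed, denied = set(), set()
    for stmt in statements:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for action in required:
            if any(action_matches(p, action) for p in actions):
                (allowed if stmt["Effect"] == "Allow" else denied).add(action)
    # An explicit Deny wins over any Allow, as in IAM policy evaluation.
    return [a for a in required if a not in allowed or a in denied]

# Constructed sample policies mirroring the question's and the answer's statement.
ORIGINAL_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowEC2Control", "Effect": "Allow", "Resource": ["*"],
    "Action": ["ec2:CreateSecurityGroup"]}]})
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowEC2Control", "Effect": "Allow", "Resource": ["*"],
    "Action": ["ec2:CreateSecurityGroup", "ec2:*SecurityGroupEgress",
               "ec2:*SecurityGroupIngress"]}]})

if __name__ == "__main__":
    for name, doc in (("original", ORIGINAL_POLICY), ("fixed", FIXED_POLICY)):
        print(name, "still missing:", missing_actions(doc))
```

Running it shows the original statement lacks both egress actions, while the answer's statement fixes those and leaves only the describe and tagging calls to be covered elsewhere in the role.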
