asur

Reputation: 1879

Error creating autoscaling scheduled action

I am trying to stop and start EC2 instances mapped to an ASG on a particular timeframe. I am getting access denied errors even after giving the role the appropriate permissions.

resource "aws_autoscaling_group" "asg" {
  availability_zones        = "${var.availability_zones}"
  name                      = "${var.environment}-airflow-asg"
  launch_configuration      = "${aws_launch_configuration.lc.name}"
  target_group_arns         = ["${aws_lb_target_group.lb_tg.arn}"]
  max_size                  = "${var.asg_max_size}"
  min_size                  = "${var.asg_min_size}"
  desired_capacity          = "${var.asg_desired_capacity}"
  health_check_grace_period = "300"
  health_check_type         = "EC2"
  vpc_zone_identifier       = ["${data.aws_subnet.app_subnet_0.id}", "${data.aws_subnet.app_subnet_1.id}"]
  force_delete              = true

  lifecycle {
    create_before_destroy = true
  }

  tags = [merge(
    var.common_tags,
    map("Classification", "private"),
    map("Name", "${var.environment}-airflow-asg"),
    map("key", "Name", "value", "${var.environment}-airflow", "propagate_at_launch", true)
  )]
}
# Stop instances each weekday at 6pm
resource "aws_autoscaling_schedule" "asg_stop" {
  scheduled_action_name  = "${var.environment}-asg_stop"
  min_size               = 0
  max_size               = 0
  desired_capacity       = 0
  recurrence             = "00 18 * * MON-FRI"
  autoscaling_group_name = "${aws_autoscaling_group.asg.name}"
}

# Start instances each weekday at 8am
resource "aws_autoscaling_schedule" "asg_start" {
  scheduled_action_name  = "${var.environment}-asg_start"
  min_size               = "${var.asg_min_size}"
  max_size               = "${var.asg_max_size}"
  desired_capacity       = "${var.asg_desired_capacity}"
  recurrence             = "00 08 * * MON-FRI"
  autoscaling_group_name = "${aws_autoscaling_group.asg.name}"
}

Error after executing terraform apply:

Error Creating Autoscaling Scheduled Action: AccessDenied: User: arn:aws:sts::12345678910:assumed-role/jenkins/AssumeRoleSessionOrchestration is not authorized to perform: autoscaling:PutScheduledUpdateGroupAction on resource: arn:aws:autoscaling:eu-central-1:12345678910:autoScalingGroup:bb231f2f-7336-471a-bba6-312969c65523:autoScalingGroupName/asg
    status code: 403, request id: dbc1da6e-ad34-11e9-8c30-bd488dac5c78

  on ../../modules/airflow/asg.tf line 51, in resource "aws_autoscaling_schedule" "asg_stop":
  51: resource "aws_autoscaling_schedule" "asg_stop"

My role has the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RDSPermissions",
            "Effect": "Allow",
            "Action": [
                "rds:*",
                "application-autoscaling:DeleteScalingPolicy",
                "application-autoscaling:DeleteScheduledAction",
                "application-autoscaling:DeregisterScalableTarget",
                "application-autoscaling:DescribeScalableTargets",
                "application-autoscaling:DescribeScalingActivities",
                "application-autoscaling:DescribeScalingPolicies",
                "application-autoscaling:PutScheduledUpdateGroupAction",
                "application-autoscaling:PutScalingPolicy",
                "application-autoscaling:RegisterScalableTarget",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:DeleteAlarms",
                "sns:ListSubscriptions",
                "sns:ListTopics",
                "sns:Publish",
                "logs:DescribeLogStreams",
                "logs:GetLogEvents"
            ],
            "Resource": "*"
        }
    ]
}

Upvotes: 0

Views: 1367

Answers (1)

ydaetskcoR

Reputation: 56877

You've confused the similarly named application-autoscaling and autoscaling IAM policies.

Application autoscaling is used for scaling ECS services and DynamoDB table read/write capacity among other things.

The other type, autoscaling, is the more standard EC2 autoscaling that scales out groups of instances and is what you need for autoscaling groups as you have there.

So to fix this just change the application-autoscaling:* actions to autoscaling:*:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RDSPermissions",
            "Effect": "Allow",
            "Action": [
                "rds:*",
                "autoscaling:DeleteScalingPolicy",
                "autoscaling:DeleteScheduledAction",
                "autoscaling:DeregisterScalableTarget",
                "autoscaling:DescribeScalableTargets",
                "autoscaling:DescribeScalingActivities",
                "autoscaling:DescribeScalingPolicies",
                "autoscaling:PutScheduledUpdateGroupAction",
                "autoscaling:PutScalingPolicy",
                "autoscaling:RegisterScalableTarget",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:DeleteAlarms",
                "sns:ListSubscriptions",
                "sns:ListTopics",
                "sns:Publish",
                "logs:DescribeLogStreams",
                "logs:GetLogEvents"
            ],
            "Resource": "*"
        }
    ]
}

Upvotes: 1
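To make the answer's diagnosis checkable rather than eyeballed, here is an added Python example (not from the question, the answer, or any AWS tool) that reads the AccessDenied text quoted above, checks a policy document for the refused action, flags granted actions that differ only in their service prefix, and applies the prefix rewrite the answer proposes. It evaluates Allow statements and action wildcards only; Resource and Condition are ignored, and the policy and error text are constructed from the post.

```python
import fnmatch
import json
import re

# Constructed sample input: the AccessDenied message Terraform surfaced in the question.
ERROR_TEXT = ("AccessDenied: User: arn:aws:sts::12345678910:assumed-role/jenkins/AssumeRoleSessionOrchestration"
              " is not authorized to perform: autoscaling:PutScheduledUpdateGroupAction on resource:"
              " arn:aws:autoscaling:eu-central-1:12345678910:autoScalingGroup:bb231f2f-7336-471a-bba6-312969c65523:autoScalingGroupName/asg")

# Constructed sample input: the relevant statement of the question's policy document.
QUESTION_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Sid": "RDSPermissions",
  "Effect": "Allow", "Resource": "*", "Action": ["rds:*", "cloudwatch:DescribeAlarms",
  "application-autoscaling:PutScheduledUpdateGroupAction", "application-autoscaling:PutScalingPolicy"]}]}""")

def denied_action(error_text):
    """Pull the 'service:Operation' the principal was refused out of an AccessDenied message."""
    m = re.search(r"is not authorized to perform: (\S+)", error_text)
    return m.group(1) if m else None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allowed_action_patterns(policy):
    """Action patterns from every Allow statement (Resource and Condition are not evaluated)."""
    return [a for s in _as_list(policy["Statement"]) if s.get("Effect") == "Allow"
            for a in _as_list(s.get("Action", []))]

def action_is_allowed(policy, action):
    """IAM action matching is case-insensitive and honours '*' and '?' wildcards."""
    return any(fnmatch.fnmatch(action.lower(), p.lower()) for p in allowed_action_patterns(policy))

def near_misses(policy, action):
    """Granted actions that name the same operation under a different service prefix."""
    op = action.split(":", 1)[1].lower()
    return [p for p in allowed_action_patterns(policy)
            if p.lower().endswith(":" + op) and p.lower() != action.lower()]

def with_service_prefix(policy, old, new):
    """Copy of the policy with actions under prefix `old` rewritten to `new` (the answer's fix)."""
    fixed = json.loads(json.dumps(policy))
    for s in _as_list(fixed["Statement"]):
        s["Action"] = [new + a[len(old):] if a.lower().startswith(old.lower()) else a
                       for a in _as_list(s.get("Action", []))]
    return fixed

def diagnose(policy, error_text):
    """Is the refused action granted, and if not, which grants look like a prefix mix-up?"""
    action = denied_action(error_text)
    return {"action": action, "allowed": action_is_allowed(policy, action), "near_misses": near_misses(policy, action)}
```

Running `diagnose(QUESTION_POLICY, ERROR_TEXT)` reports the action as not allowed with `application-autoscaling:PutScheduledUpdateGroupAction` as the near miss; after `with_service_prefix(QUESTION_POLICY, "application-autoscaling:", "autoscaling:")` the same action is allowed.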
