`aws_chatbot_slack_channel_configuration` has become available starting from AWS Provider v5.61.0

Yoshiyuki Watanabe
4 min read · Sep 23, 2024


In the project I am involved in, we manage infrastructure with Terraform and use Atlantis.

Atlantis is a very useful tool, but I would like to share an issue that occurred when creating a channel for AWS Chatbot.

The resources managed by Atlantis (such as ECS) are in AWS Account A, and I attempted to create AWS Chatbot in AWS Account B.

Here’s an example of the Terraform code to create an AWS Chatbot Slack channel configuration in AWS Account B.

# Resource from the AWS Cloud Control (awscc) provider
resource "awscc_chatbot_slack_channel_configuration" "this" {
  configuration_name = "test_channel"
  iam_role_arn       = aws_iam_role.this.arn
  slack_channel_id   = var.slack_channel_id
  slack_workspace_id = var.slack_workspace_id
  sns_topic_arns     = [aws_sns_topic.this.arn]
  guardrail_policies = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
}

I pushed the code to GitHub and created a Pull Request. The plan executed in the Pull Request detected the following changes.

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.chatbot_test.awscc_chatbot_slack_channel_configuration.this will be created
  + resource "awscc_chatbot_slack_channel_configuration" "this" {
      + arn                = (known after apply)
      + configuration_name = "test_channel"
      + guardrail_policies = [
          + "arn:aws:iam::aws:policy/ReadOnlyAccess",
        ]
      + iam_role_arn       = "arn:aws:iam::<AWS_ACCOUNT_B>:role/chatbot-test-role"
      + id                 = (known after apply)
      + logging_level      = "NONE"
      + slack_channel_id   = "Cxxxxxxxxxx"
      + slack_workspace_id = "Txxxxxxxxxx"
      + sns_topic_arns     = [
          + "arn:aws:sns:ap-northeast-1:<AWS_ACCOUNT_B>:test",
        ]
      + tags               = (known after apply)
      + user_role_required = false
    }

Plan: 1 to add, 0 to change, 0 to destroy.

However, when I ran atlantis apply, I encountered the following error.

running "/usr/local/bin/terraform apply -input=false \"/home/atlantis/.atlantis/repos/yowatanabe/chatbot-test/17/default/staging/staging-default.tfplan\"" in "/home/atlantis/.atlantis/repos/yowatanabe/chatbot-test/17/default/staging": exit status 1

module.chatbot_test.awscc_chatbot_slack_channel_configuration.this: Creating...

│ Error: AWS SDK Go Service Operation Unsuccessful
│
│   with module.chatbot_test.awscc_chatbot_slack_channel_configuration.this,
│   on ../modules/chatbot_test/main.tf line 6, in resource "awscc_chatbot_slack_channel_configuration" "this":
│    6: resource "awscc_chatbot_slack_channel_configuration" "this" {
│
│ Calling Cloud Control API service CreateResource operation returned:
│ operation error CloudControl: CreateResource, https response error
│ StatusCode: 400, RequestID: 7295e9f3-104e-46c0-89ca-a42a8cd0e081, api error
│ AccessDeniedException: User:
│ arn:aws:sts::<AWS_ACCOUNT_A>:assumed-role/atlantis-ecs-task-role/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
│ is not authorized to perform: cloudformation:CreateResource on resource:
│ arn:aws:cloudformation:ap-northeast-1:<AWS_ACCOUNT_A>:resource/* because no
│ identity-based policy allows the cloudformation:CreateResource action

When I ran terraform apply on my PC, I encountered the following error.

module.chatbot_test.awscc_chatbot_slack_channel_configuration.this: Creating...

│ Error: AWS SDK Go Service Operation Incomplete
│
│   with module.chatbot_test.awscc_chatbot_slack_channel_configuration.this,
│   on ../modules/chatbot_test/main.tf line 6, in resource "awscc_chatbot_slack_channel_configuration" "this":
│    6: resource "awscc_chatbot_slack_channel_configuration" "this" {
│
│ Waiting for Cloud Control API service CreateResource operation completion returned: waiter state transitioned to FAILED. StatusMessage: Cross-account pass role is not allowed. (Service: AWSChatbot; Status
│ Code: 403; Error Code: AccessDeniedException; Request ID: a2ac84e6-4d74-424b-8f81-d37ab574ec0d; Proxy: null). ErrorCode: GeneralServiceException

For now, I commented out the assume_role configuration. Then I retrieved an access key for AWS Account B and set it up on my PC. After that, running terraform apply was successful.

I was confused by the unexpected situation.

I noticed that awscc_chatbot_slack_channel_configuration is a resource of the AWS Cloud Control Provider.

Atlantis is built on ECS. When running Terraform on ECS with an IAM Task Role configured, Terraform will use the Task Role of the container.

The ECS IAM Task Role in Atlantis was configured to perform operations on multiple AWS accounts by assuming the IAM role created in each respective AWS account. I suspect this might have caused it to not work properly.
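A preflight check for exactly this failure mode, added here as an example (it is not code from the post, Atlantis or either Terraform provider): it compares the account of the credentials Terraform is actually running with (what `aws sts get-caller-identity` returns) against the account of the role in iam_role_arn, because "Cross-account pass role is not allowed" means those two accounts differ. The 12-digit account ids below are constructed stand-ins for the post's <AWS_ACCOUNT_A> and <AWS_ACCOUNT_B>.

```python
import re
from typing import List, Tuple

# Generic ARN layout: arn:partition:service:region:account:resource
ARN_RE = re.compile(
    r"^arn:(?P<partition>aws[\w-]*):(?P<service>[^:]+):(?P<region>[^:]*):"
    r"(?P<account>\d{12}|aws|):(?P<resource>.+)$"
)


def describe_caller(caller_arn: str) -> Tuple[str, str]:
    """Return (account, principal name) for an STS/IAM caller ARN.

    An ECS task role shows up as arn:aws:sts::ACCT:assumed-role/ROLE/SESSION,
    which is the identity the post's AccessDeniedException reported.
    """
    m = ARN_RE.match(caller_arn)
    if not m or m.group("service") not in ("sts", "iam"):
        raise ValueError(f"not a caller ARN: {caller_arn!r}")
    parts = m.group("resource").split("/")
    name = parts[1] if parts[0] in ("assumed-role", "user", "role") and len(parts) > 1 else parts[0]
    return m.group("account"), name


def pass_role_findings(caller_arn: str, iam_role_arn: str) -> List[str]:
    """Explain why creating the Chatbot channel would fail for this caller/role pair.

    iam:PassRole is same-account only, so the role handed to Chatbot must live in
    the account of the credentials that make the API call.
    """
    caller_acct, caller_name = describe_caller(caller_arn)
    role = ARN_RE.match(iam_role_arn)
    if role is None or role.group("service") != "iam" or not role.group("resource").startswith("role/"):
        return [f"iam_role_arn is not an IAM role ARN: {iam_role_arn}"]
    if role.group("account") != caller_acct:
        return [
            f"cross-account pass role: Terraform runs as {caller_name} in account "
            f"{caller_acct} but iam_role_arn is in account {role.group('account')}"
        ]
    return []


def caller_arn_from_sts() -> str:
    """Live lookup (needs boto3 and credentials); same as `aws sts get-caller-identity`."""
    import boto3  # imported lazily so the module stays importable offline
    return boto3.client("sts").get_caller_identity()["Arn"]


if __name__ == "__main__":
    # Constructed sample values mirroring the post: the Atlantis task role in
    # account A (111111111111) passing a role that lives in account B (222222222222).
    caller = "arn:aws:sts::111111111111:assumed-role/atlantis-ecs-task-role/atlantis"
    role_b = "arn:aws:iam::222222222222:role/chatbot-test-role"
    for finding in pass_role_findings(caller, role_b):
        print("preflight:", finding)
```

Run it from a pre-apply hook with `caller_arn_from_sts()` in place of the constructed caller; an empty list means the role can be passed from the current credentials.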

I thought that AWS Chatbot channels could only be created using awscc_chatbot_slack_channel_configuration. However, I learned that starting from AWS Provider v5.61.0, aws_chatbot_slack_channel_configuration is now available.

The version of the AWS provider used in the project was outdated, so I updated it to v5.61.0. As a result, atlantis apply succeeded, and I was able to successfully create an AWS Chatbot channel in AWS Account B. 🎊🎊🎊

module.chatbot_test.aws_chatbot_slack_channel_configuration.this: Creating...
module.chatbot_test.aws_chatbot_slack_channel_configuration.this: Still creating... [10s elapsed]
module.chatbot_test.aws_chatbot_slack_channel_configuration.this: Still creating... [20s elapsed]
module.chatbot_test.aws_chatbot_slack_channel_configuration.this: Still creating... [30s elapsed]
module.chatbot_test.aws_chatbot_slack_channel_configuration.this: Creation complete after 32s

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Here is the final Terraform code.

# Same channel, now via the AWS provider. Note the attribute names that differ
# from the awscc resource: slack_team_id (was slack_workspace_id) and
# guardrail_policy_arns (was guardrail_policies).
resource "aws_chatbot_slack_channel_configuration" "this" {
  configuration_name    = "test_channel"
  iam_role_arn          = aws_iam_role.this.arn
  slack_channel_id      = var.slack_channel_id
  slack_team_id         = var.slack_team_id
  sns_topic_arns        = [aws_sns_topic.this.arn]
  guardrail_policy_arns = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
}

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.61.0"
    }
  }
}


Yoshiyuki Watanabe

I work as an SRE at a SaaS company in Japan. To improve my English skills, I mainly write about the technologies and tools that interest me.