Terraform provisioner local-exec - aws cli











up vote
1
down vote

favorite












Trying to use AWS cli to put-public-access-block on an s3 bucket but running into an issue and cannot work it out.



This is my code;



resource "aws_s3_bucket" "test" {
bucket = "blah-blah"

versioning {
enabled = false
}

server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}

tags {
Name = "blah-blah"
}
}

resource "null_resource" "s3publicpol" {
provisioner "local-exec" {
command = "aws s3api put-public-access-block --bucket blah-blah --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
}
}


When running this from terraform I am getting this message;




An error occurred (AccessDenied) when calling the PutPublicAccessBlock operation: Access Denied




But when I try and run AWS cli and run the command above myself it works perfectly fine, so I have the permissions within AWS.



Am I missing something I need to do locally for Terraform?



Cheers
Stephen










share|improve this question
























  • What account are you running the terraform under? Is it your account or a different one? If it is a different one, does it have the correct permissions?
    – Jamie
    Nov 19 at 13:25










  • I am running this from an EC2 instance, with a role which assumes administrator access in another account, unless it is something to do with that? But I have manually switched roles and done this via the management GUI, the provider for AWS specifies the role in the other account - bit lots as to what is causing this
    – user2086572
    Nov 19 at 13:29










  • your code worked for me running Terraform from my command line. I would look at the assume role.
    – kenlukas
    Nov 19 at 13:49












  • Thanks for having a look, wondering if there could be something not obvious on this like a canned ACL stopping cross account or something - I'll go back and have a look at my permissions least I know this should work!
    – user2086572
    Nov 19 at 13:52















up vote
1
down vote

favorite












Trying to use AWS cli to put-public-access-block on an s3 bucket but running into an issue and cannot work it out.



This is my code;



resource "aws_s3_bucket" "test" {
bucket = "blah-blah"

versioning {
enabled = false
}

server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}

tags {
Name = "blah-blah"
}
}

resource "null_resource" "s3publicpol" {
provisioner "local-exec" {
command = "aws s3api put-public-access-block --bucket blah-blah --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
}
}


When running this from terraform I am getting this message;




An error occurred (AccessDenied) when calling the PutPublicAccessBlock operation: Access Denied




But when I try and run AWS cli and run the command above myself it works perfectly fine, so I have the permissions within AWS.



Am I missing something I need to do locally for Terraform?



Cheers
Stephen










share|improve this question
























  • What account are you running the terraform under? Is it your account or a different one? If it is a different one, does it have the correct permissions?
    – Jamie
    Nov 19 at 13:25










  • I am running this from an EC2 instance, with a role which assumes administrator access in another account, unless it is something to do with that? But I have manually switched roles and done this via the management GUI, the provider for AWS specifies the role in the other account - bit lots as to what is causing this
    – user2086572
    Nov 19 at 13:29










  • your code worked for me running Terraform from my command line. I would look at the assume role.
    – kenlukas
    Nov 19 at 13:49












  • Thanks for having a look, wondering if there could be something not obvious on this like a canned ACL stopping cross account or something - I'll go back and have a look at my permissions least I know this should work!
    – user2086572
    Nov 19 at 13:52













up vote
1
down vote

favorite









up vote
1
down vote

favorite











Trying to use AWS cli to put-public-access-block on an s3 bucket but running into an issue and cannot work it out.



This is my code;



resource "aws_s3_bucket" "test" {
bucket = "blah-blah"

versioning {
enabled = false
}

server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}

tags {
Name = "blah-blah"
}
}

resource "null_resource" "s3publicpol" {
provisioner "local-exec" {
command = "aws s3api put-public-access-block --bucket blah-blah --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
}
}


When running this from terraform I am getting this message;




An error occurred (AccessDenied) when calling the PutPublicAccessBlock operation: Access Denied




But when I try and run AWS cli and run the command above myself it works perfectly fine, so I have the permissions within AWS.



Am I missing something I need to do locally for Terraform?



Cheers
Stephen










share|improve this question















Trying to use AWS cli to put-public-access-block on an s3 bucket but running into an issue and cannot work it out.



This is my code;



resource "aws_s3_bucket" "test" {
bucket = "blah-blah"

versioning {
enabled = false
}

server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}

tags {
Name = "blah-blah"
}
}

resource "null_resource" "s3publicpol" {
provisioner "local-exec" {
command = "aws s3api put-public-access-block --bucket blah-blah --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
}
}


When running this from terraform I am getting this message;




An error occurred (AccessDenied) when calling the PutPublicAccessBlock operation: Access Denied




But when I try and run AWS cli and run the command above myself it works perfectly fine, so I have the permissions within AWS.



Am I missing something I need to do locally for Terraform?



Cheers
Stephen







terraform aws-cli






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 19 at 13:44









kenlukas

1,24431217




1,24431217










asked Nov 19 at 13:05









user2086572

6129




6129












  • What account are you running the terraform under? Is it your account or a different one? If it is a different one, does it have the correct permissions?
    – Jamie
    Nov 19 at 13:25










  • I am running this from an EC2 instance, with a role which assumes administrator access in another account, unless it is something to do with that? But I have manually switched roles and done this via the management GUI, the provider for AWS specifies the role in the other account - bit lots as to what is causing this
    – user2086572
    Nov 19 at 13:29










  • your code worked for me running Terraform from my command line. I would look at the assume role.
    – kenlukas
    Nov 19 at 13:49












  • Thanks for having a look, wondering if there could be something not obvious on this like a canned ACL stopping cross account or something - I'll go back and have a look at my permissions least I know this should work!
    – user2086572
    Nov 19 at 13:52


















  • What account are you running the terraform under? Is it your account or a different one? If it is a different one, does it have the correct permissions?
    – Jamie
    Nov 19 at 13:25










  • I am running this from an EC2 instance, with a role which assumes administrator access in another account, unless it is something to do with that? But I have manually switched roles and done this via the management GUI, the provider for AWS specifies the role in the other account - bit lots as to what is causing this
    – user2086572
    Nov 19 at 13:29










  • your code worked for me running Terraform from my command line. I would look at the assume role.
    – kenlukas
    Nov 19 at 13:49












  • Thanks for having a look, wondering if there could be something not obvious on this like a canned ACL stopping cross account or something - I'll go back and have a look at my permissions least I know this should work!
    – user2086572
    Nov 19 at 13:52
















What account are you running the terraform under? Is it your account or a different one? If it is a different one, does it have the correct permissions?
– Jamie
Nov 19 at 13:25




What account are you running the terraform under? Is it your account or a different one? If it is a different one, does it have the correct permissions?
– Jamie
Nov 19 at 13:25












I am running this from an EC2 instance, with a role which assumes administrator access in another account, unless it is something to do with that? But I have manually switched roles and done this via the management GUI, the provider for AWS specifies the role in the other account - bit lots as to what is causing this
– user2086572
Nov 19 at 13:29




I am running this from an EC2 instance, with a role which assumes administrator access in another account, unless it is something to do with that? But I have manually switched roles and done this via the management GUI, the provider for AWS specifies the role in the other account - bit lots as to what is causing this
– user2086572
Nov 19 at 13:29












your code worked for me running Terraform from my command line. I would look at the assume role.
– kenlukas
Nov 19 at 13:49






your code worked for me running Terraform from my command line. I would look at the assume role.
– kenlukas
Nov 19 at 13:49














Thanks for having a look, wondering if there could be something not obvious on this like a canned ACL stopping cross account or something - I'll go back and have a look at my permissions least I know this should work!
– user2086572
Nov 19 at 13:52




Thanks for having a look, wondering if there could be something not obvious on this like a canned ACL stopping cross account or something - I'll go back and have a look at my permissions least I know this should work!
– user2086572
Nov 19 at 13:52

















active

oldest

votes











Your Answer






StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53375295%2fterraform-provisioner-local-exec-aws-cli%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown






























active

oldest

votes













active

oldest

votes









active

oldest

votes






active

oldest

votes
















draft saved

draft discarded




















































Thanks for contributing an answer to Stack Overflow!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.





Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


Please pay close attention to the following guidance:


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53375295%2fterraform-provisioner-local-exec-aws-cli%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

"Incorrect syntax near the keyword 'ON'. (on update cascade, on delete cascade,)

Alcedinidae

RAC Tourist Trophy