State bucket access for ops-admin
It appears in the Ref Arch the ops-admin assumed roles don't have access to the state bucket, so they aren't able to do a `terragrunt plan` to review changes before pushing them up to GitHub. This makes module development a bit of a headache. Is there something special that needs to be done to allow ops-admins to do this?

---

<ins datetime="2022-05-02T13:38:45Z"> <p><a href="https://gruntwork.zendesk.com/agent/tickets/108532">Tracked in ticket #108532</a></p> </ins>
The `ops-admin` role does have access to the state buckets. If you look at [the IAM policy that is assigned to the role](https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/blob/master/examples/for-production/infrastructure-live/dev/_global/ops-admin-role/terragrunt.hcl#L58), you will see that it is using the exact same permissions as the ECS Deploy Runner, which has the following [IAM policy statements](https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/blob/master/examples/for-production/infrastructure-live/_envcommon/mgmt/deploy_permissions.yml#L189-L201).

Note that the role only has permissions to access and manipulate the state bucket of the account in which the role resides. E.g., the `ops-admin` role for the Dev account can only access the state bucket of resources in the Dev account. Given that, typically state bucket access issues are a sign that either:

- The state bucket was incorrectly created in the wrong account.
- You are assuming the `ops-admin` role in the wrong account.
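The following shell script is an added diagnostic for the two causes listed in the answer; it is example code written for this page, not part of the Gruntwork Reference Architecture. It assumes AWS CLI v2 is on `PATH` and that the current credentials (for instance an `AWS_PROFILE` that assumes `ops-admin`) are the ones you run `terragrunt plan` with. It reads the `bucket` from a `terragrunt.hcl` `remote_state` block, works out which account the credentials belong to from the STS ARN, and then uses `head-bucket --expected-bucket-owner` so that S3 itself reports whether the bucket lives in that account. The profile, role session and bucket names in the constructed sample are hypothetical.

```shell
#!/usr/bin/env sh
# Added diagnostic for "ops-admin cannot reach the Terraform state bucket".
# Not Gruntwork code. Requires AWS CLI v2; account/bucket names below are made up.

# Field 5 of an IAM or STS ARN is the account ID, e.g.
#   arn:aws:sts::123456789012:assumed-role/ops-admin/alice  ->  123456789012
account_from_arn() {
  printf '%s\n' "$1" | cut -d: -f5
}

# Pull the first `bucket = "..."` line out of a terragrunt.hcl read from stdin.
# This is enough for the remote_state { config = { bucket = "..." } } block
# the Reference Architecture generates; it does not parse HCL in general.
state_bucket_from_hcl() {
  sed -n 's/^[[:space:]]*bucket[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Ask S3 whether the bucket is owned by the account we are calling from.
# With --expected-bucket-owner, S3 returns 403 when the owner differs, which
# separates "bucket in the wrong account" from "role has no permissions".
check_bucket_owner() {
  bucket="$1"
  account="$2"
  if aws s3api head-bucket --bucket "$bucket" --expected-bucket-owner "$account" >/dev/null 2>&1; then
    echo "ok: $bucket is owned by account $account and the current role can reach it"
    return 0
  fi
  if aws s3api head-bucket --bucket "$bucket" >/dev/null 2>&1; then
    echo "fail: $bucket is reachable but not owned by $account (state bucket created in the wrong account?)"
  else
    echo "fail: $bucket is not reachable from account $account (assuming ops-admin in the wrong account, or bucket missing?)"
  fi
  return 1
}

# Constructed sample of the block this script expects; used only for --demo.
SAMPLE_HCL='remote_state {
  backend = "s3"
  config = {
    bucket         = "acme-dev-terraform-state"
    key            = "${path_relative_to_include()}/terraform.tfstate"
    region         = "us-east-1"
    dynamodb_table = "terraform-locks"
  }
}'

main() {
  case "${1:-}" in
    --demo)
      # Offline walk-through on the constructed sample; no AWS calls.
      printf '%s\n' "$SAMPLE_HCL" | state_bucket_from_hcl
      account_from_arn 'arn:aws:sts::123456789012:assumed-role/ops-admin/alice'
      ;;
    *)
      hcl="${1:-terragrunt.hcl}"
      caller_arn=$(aws sts get-caller-identity --query Arn --output text)
      account=$(account_from_arn "$caller_arn")
      bucket=$(state_bucket_from_hcl < "$hcl")
      [ -n "$bucket" ] || { echo "no bucket = \"...\" line found in $hcl" >&2; exit 2; }
      echo "caller: $caller_arn"
      echo "state bucket from $hcl: $bucket"
      check_bucket_owner "$bucket" "$account"
      ;;
  esac
}

# Only run when invoked as a script with arguments, so the functions can be sourced.
if [ $# -gt 0 ]; then
  main "$@"
fi
```

Run it as `sh check-state-bucket.sh path/to/terragrunt.hcl` from the profile you use for `terragrunt plan`. If the caller ARN shows an account other than the one whose `infrastructure-live` folder you are working in, you are assuming `ops-admin` in the wrong account; if the account is right but the owner check fails, the bucket itself was created elsewhere.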