Using "iam_role" with S3 state bucket in another account
Hi. I'm having a heck of a time with something that I swear worked fine two days ago. Now I can't explain the failure. I'm trying to use the `iam_role` feature to have Terragrunt deploy resources into another AWS account and keep my remote state DRY.

My `terragrunt.hcl` at the root of my project (`my-state-bucket` is in account 111111111111):

```
remote_state {
  backend = "s3"
  generate = {
    path      = "backend.tf"
    if_exists = "overwrite_terragrunt"
  }
  config = {
    bucket         = "my-state-bucket"
    key            = "${path_relative_to_include()}/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "terraform-locks"
  }
}
```

My `terragrunt.hcl` in a subfolder:

```
include "parent" {
  path = find_in_parent_folders()
}

iam_role = "arn:aws:iam::222222222222:role/my-cross-account-role"

terraform {
  source = "tfr://registry.terraform.io/........"
}

inputs = {
  ....
}
```

`my-cross-account-role` has AdministratorAccess, and has a policy that allows `s3:*` access to `my-state-bucket` and `kms:*` to the CMK KMS. `my-state-bucket` also has a bucket policy that allows `s3:*` for the `arn:aws:iam::222222222222:role/my-cross-account-role` principal. The KMS key also has a policy that allows `kms:*` to the principal as well.

When I run `terragrunt plan --terragrunt-log-level debug`, I get this:

```
...
DEBU[0000] Assuming IAM role arn:aws:iam::222222222222:role/my-cross-account-role with a session duration of 0 seconds.
....
DEBU[0000] Initializing remote state for the s3 backend prefix=[.....]
DEBU[0000] Checking if SSE is enabled for AWS S3 bucket my-state-bucket prefix=[.....]
DEBU[0001] Checking if bucket my-state-bucket is have root access prefix=[.....]
DEBU[0001] Could not get policy for bucket my-state-bucket prefix=[.....]
DEBU[0001] Checking if bucket my-state-bucket is enforced with TLS prefix=[.....]
ERRO[0001] MethodNotAllowed: The specified method is not allowed against this resource.
	status code: 405, request id: EH84T2FY841KD420, host id: YSYFjAWjZ1mYp7C4L5h1v7VV6A38ff6mdK9MY05o1h424dGlUrl21Cif5vGugZlIl/OFhmQkCZY=
ERRO[0001] Unable to determine underlying exit code, so Terragrunt will exit with error code 1
```

I can assume the `my-cross-account-role` at the CLI, and can successfully access the bucket, list objects, put and get objects, and everything is good. However, if I try this, it fails, similar to the error above:

```
$ aws s3api get-bucket-policy --bucket my-state-bucket

An error occurred (MethodNotAllowed) when calling the GetBucketPolicy operation: The specified method is not allowed against this resource.
```

The only thing I can come up with is https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketPolicy.html, a 405 Method Not Allowed because the identity doesn't belong to the bucket owner's account.

As mentioned, I'm 99.9999% sure this was working two days ago, and after many changes and things moving around, now I can't figure out what's going on! Happy to provide more details if I'm missing some details above.

---

[Tracked in ticket #109144](https://support.gruntwork.io/hc/requests/109144)
Did you recently update `terragrunt` to the latest version? This may be an issue with the introduction of the bucket state syncing feature in Terragrunt. Can you try setting `disable_bucket_update = true` on the `remote_state` block and see if that avoids the issue? E.g.:

```hcl
remote_state {
  backend = "s3"
  generate = {
    path      = "backend.tf"
    if_exists = "overwrite_terragrunt"
  }
  config = {
    bucket         = "my-state-bucket"
    key            = "${path_relative_to_include()}/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "terraform-locks"
  }
  disable_bucket_update = true
}
```
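As an added example that is not part of this thread or of Terragrunt itself: once `disable_bucket_update = true` stops Terragrunt from inspecting and editing the bucket, the bucket-owning account 111111111111 has to keep versioning, SSE-KMS and the TLS-only rule under its own control, and the cross-account role only needs the calls the Terraform S3 backend actually makes, so the bucket policy can be narrowed from `s3:*` to the statements below. The `workloads/` key prefix is an assumption, and a matching identity policy on the role in 222222222222 is still required for cross-account access.

```hcl
# Bucket policy managed from the bucket-owning account (111111111111).
locals {
  state_bucket = "my-state-bucket"
  ci_role      = "arn:aws:iam::222222222222:role/my-cross-account-role"
}

resource "aws_s3_bucket_policy" "state" {
  bucket = local.state_bucket
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # HeadBucket (Terragrunt's existence check) and key listing both
        # evaluate s3:ListBucket; no s3:prefix condition here, because
        # HeadBucket carries no prefix and would be denied by one.
        Sid       = "CrossAccountBucketRead"
        Effect    = "Allow"
        Principal = { AWS = local.ci_role }
        Action    = ["s3:ListBucket", "s3:GetBucketVersioning"]
        Resource  = "arn:aws:s3:::${local.state_bucket}"
      },
      {
        # Only the object operations the S3 backend performs, and only
        # under this workload's state prefix (assumed: "workloads/").
        Sid       = "CrossAccountStateObjects"
        Effect    = "Allow"
        Principal = { AWS = local.ci_role }
        Action    = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
        Resource  = "arn:aws:s3:::${local.state_bucket}/workloads/*"
      },
      {
        # The TLS-only rule Terragrunt would otherwise try to apply itself
        # (and fail to, as the 405 in the log above shows).
        Sid       = "DenyInsecureTransport"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        Resource = [
          "arn:aws:s3:::${local.state_bucket}",
          "arn:aws:s3:::${local.state_bucket}/*",
        ]
        Condition = { Bool = { "aws:SecureTransport" = "false" } }
      },
    ]
  })
}
```

The CMK's key policy can be narrowed the same way: SSE-KMS reads and writes of state objects need `kms:Decrypt` and `kms:GenerateDataKey` for the role, not `kms:*`.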