CUDOS Dashboard - Terraform Module Deployment Error

0

Has anyone gotten an S3 bucket permission denied error when deploying the CUDOS Terraform Module via a pipeline? If yes, how did you resolve it? I have not modified anything in the module on GitHub; I am using the GitHub location as the module source and deploying via a pipeline. But I am getting the error below:

| The following resource(s) failed to create: [CidExecRole, QuickSightDataSourceRole, CidResourceLambdaLayer, ProcessPathLambdaExecutionRole, InitLambdaExecutionRole]. Rollback requested by user." "Resource creation cancelled" "Resource creation cancelled" "Resource creation cancelled" "Resource creation cancelled" "Resource handler returned message: "Your access has been denied by S3, please make sure your request credentials have permission to GetObject for aws-managed-cost-intelligence-dashboards-us-east-1/cid-resource-lambda-layer/cid-0.2.46.zip. S3 Error Code: AccessDenied. S3 Error Message: Access Denied (Service: AWSLambdaInternal; Status Code: 403; Error Code: AccessDeniedException |

module "cid_dashboards" {
  source          = "github.com/aws-samples/aws-cudos-framework-deployment//terraform-modules/cid-dashboards"
  stack_name      = "Cloud-Intelligence-Dashboards"
  template_bucket = "****************************"

  # Parameters passed through to the CloudFormation stack (values masked by the poster)
  stack_parameters = {
    "PrerequisitesQuickSight"              = "yes"
    "PrerequisitesQuickSightPermissions"   = "yes"
    "QuickSightUser"                       = "***************************"
    "CURBucketPath"                        = "s3://****************************************************/"
    "OptimizationDataCollectionBucketPath" = "s3://***********************************/"
    "AthenaQueryResultsBucket"             = "*************************"
    "AthenaWorkgroup"                      = "***********************"
    "DatabaseName"                         = "******************"
    "CURTableName"                         = "********************"
    "DeployCUDOSDashboard"                 = "yes"
    "DeployCostIntelligenceDashboard"      = "yes"
    "DeployKPIDashboard"                   = "yes"
    "DeployComputeOptimizerDashboard"      = "yes"
    "DeployTAODashboard"                   = "yes"
  }
}
Bijal
asked 3 months ago, 206 views
2 Answers
0
Accepted Answer

The user or role your pipeline is using to deploy the module must have s3:GetObject permissions on the Lambda layer object in S3. For deployment to us-east-1, you can do so by adding the below IAM policy statement to your deployment user/role's IAM policies. For other regions, replace the us-east-1 in the bucket name with the correct region.

{
  "Sid": "ReadLambdaLayerS3",
  "Effect": "Allow",
  "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::aws-managed-cost-intelligence-dashboards-us-east-1/cid-resource-lambda-layer/*"
}

You can review the full set of minimal permissions necessary to deploy CUDOS dashboards, as well as a CloudFormation template to deploy a role with those permissions, on the Cloud Intelligence Dashboard Alternate Deployment Methods page.

AWS
answered 3 months ago
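A pre-flight check for the permission described in the answer above, added here as an example (it is not part of the original answers or of the CUDOS project): it evaluates a deployment role's identity policy documents offline against the Lambda layer object ARN for a given region. The function names, the `PIPELINE_POLICY` sample and the `eu-west-1` test region are assumptions made for illustration; the bucket pattern, key prefix and `cid-0.2.46.zip` come from the error message and policy statement on this page.

```python
import re

# Bucket pattern and key prefix come from the policy statement and error on this page.
BUCKET = "aws-managed-cost-intelligence-dashboards-{region}"
PREFIX = "cid-resource-lambda-layer/"

def layer_object_arn(region, filename):
    return f"arn:aws:s3:::{BUCKET.format(region=region)}/{PREFIX}{filename}"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def can_read_layer(policies, region, filename):
    """Return 'allow', 'explicit-deny', 'implicit-deny' or 'needs-review'."""
    arn = layer_object_arn(region, filename)
    verdict, unsure = "implicit-deny", False
    for doc in policies:
        for stmt in _as_list(doc.get("Statement", [])):
            if {"Condition", "NotAction", "NotResource"} & stmt.keys():
                unsure = True  # not modelled by this simplified check
                continue
            hit = (any(_matches(a, "s3:GetObject", True) for a in _as_list(stmt.get("Action", [])))
                   and any(_matches(r, arn) for r in _as_list(stmt.get("Resource", []))))
            if hit and stmt.get("Effect") == "Deny":
                return "explicit-deny"  # an unconditional Deny always wins
            if hit and stmt.get("Effect") == "Allow":
                verdict = "allow"
    return "needs-review" if unsure else verdict

# Constructed sample: a pipeline role policy holding only the us-east-1 statement.
PIPELINE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "ReadLambdaLayerS3", "Effect": "Allow", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::aws-managed-cost-intelligence-dashboards-us-east-1/"
                "cid-resource-lambda-layer/*"}]}

if __name__ == "__main__":
    for region in ("us-east-1", "eu-west-1"):
        print(region, can_read_layer([PIPELINE_POLICY], region, "cid-0.2.46.zip"))
```

The check covers only the identity policies passed to it; service control policies, permission boundaries and the bucket's own access settings are not modelled.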
0

Thank you for your response! I found out that there was a new release right at the time when I was deploying the dashboard. As per our AWS TAM, the bucket may not have been public yet due to the release, causing the error. I tried again the next day and was past this error.

Bijal
answered 3 months ago
