
I have the below Terraform script, which works fine when I use it on the terminal.

provider "aws" {
  region = "${var.aws_region}"
}

resource "aws_instance" "jenkins-poc" {
  count = "2"
  ami           = "${var.aws_ami}"
  instance_type = "${var.instance_type}"
  key_name      = "${var.key_name}"
  availability_zone = "${var.aws_region}${element(split(",",var.zones),count.index)}"
  vpc_security_group_ids = ["${aws_security_group.jenkins-poc.id}"]
  subnet_id = "${element(split(",",var.subnet_id),count.index)}"
  user_data = "${file("userdata.sh")}"
  tags {
    Name = "jenkins-poc${count.index + 1}"
    Owner = "Shailesh"
  }
}

resource "aws_security_group" "jenkins-poc" {
  vpc_id = "${var.vpc_id}"
  name = "${var.security_group_name}"
  description = "Allow http,httpd and SSH"

  ingress {
      from_port = 443
      to_port = 443
      protocol = "tcp"
      cidr_blocks = ["10.0.0.0/8"]
  }
  ingress {
      from_port = 22
      to_port = 22
      protocol = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
      from_port = 80
      to_port = 80
      protocol = "tcp"
      cidr_blocks = ["10.0.0.0/8"]
  }
  egress {
      from_port = "0"
      to_port = "0"
      protocol = "-1"
      cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_elb" "jenkins-poc-elb" {
  name = "jenkins-poc-elb"
  subnets = ["subnet-","subnet-"]

  listener {
    instance_port = 80
    instance_protocol = "http"
    lb_port = "80"
    lb_protocol = "http"
  }

  health_check {
    healthy_threshold = "2"
    unhealthy_threshold = "3"
    timeout = "3"
    target = "tcp:80"
    interval = 30
  }

  instances = ["${aws_instance.jenkins-poc.*.id}"]
}

and the variables file is as given below.

variable "aws_ami" {
  default = "ami-"
}

variable "zones"{
  default = "a,b"
}

variable "aws_region" {
    default = "us-east-1"
}

variable "key_name" {
    default = "test-key"
}

variable "instance_type" {
    default = "t2.micro"
}

variable "count" {
    default = "2"
}

variable "security_group_name" {
    default = "jenkins-poc"
}

variable "vpc_id" {
    default = "vpc-"
}

variable "subnet_id" {
    default = "subnet-,subnet"
}

Everything works fine when I run it through the terminal using terraform apply. But the same code gives me the below error when I run it through Jenkins.

aws_security_group.jenkins-poc: Error creating Security Group: UnauthorizedOperation: You are not authorized to perform this operation

Note: this is a non-default VPC in which I am performing this operation.

I would highly appreciate any comments. I didn't mention sensitive values.

Shailesh Sutar
  • The IAM user used might not have the required permissions; you can refer to the similar discussion at https://github.com/hashicorp/terraform/issues/2834 – Jayendra Jul 20 '16 at 12:19
  • This is an issue with the policy attached to your Jenkins user. – Piyush Patil Jul 20 '16 at 12:22
  • Initially I thought it might be an issue with the IAM policy. But then I found this article, which says part of the Terraform definition could cause this. https://github.com/hashicorp/terraform/issues/2875 – Shailesh Sutar Jul 20 '16 at 12:23
  • I am using Jenkins just for git clone and not for any AWS operations; it actually fetches all the Terraform config files from the repo for me. I believe it has nothing to do with this. Correct me if I am wrong. – Shailesh Sutar Jul 20 '16 at 12:25
  • Do you use a remote state file? Otherwise, when run through another user on another system, Terraform won't know that you already created the resources. – Karen B Jul 20 '16 at 20:38
  • Are there separate credentials for the Jenkins user? – darthShadow Jul 22 '16 at 17:15
  • @DarthShadow There is now separate user for Jenkins. All I am doing is cloning the git repo, which will have the Terraform config files, and using the Terraform plugin to just terraform apply to get the infrastructure ready. – Shailesh Sutar Jul 23 '16 at 17:48
  • @KarenB Are you talking about tfstate files? Can you please tell me how to define the remote state file? If you're talking in terms of Jenkins master-slave config, I am not sure how it works. – Shailesh Sutar Jul 23 '16 at 17:51
  • @ShaileshSutar Have you checked the IAM policy permissions as mentioned above? – darthShadow Jul 23 '16 at 18:42
  • @DarthShadow I am able to terraform apply on my Linux terminal but just can't do that in the Jenkins job. So I believe it's not an IAM policy permissions issue. Any other direction I can dig into? – Shailesh Sutar Jul 23 '16 at 19:32
  • Are you using the same credentials in both places? – darthShadow Jul 23 '16 at 19:39
  • @DarthShadow Yes, I am using the same credentials in both places. I am passing my AWS credentials to Terraform from a resource variable in Jenkins, and for Stash (git) there is an SSH user already configured. – Shailesh Sutar Jul 23 '16 at 19:51
  • If you have multiple users working against the same Terraform configuration files but they aren't sharing the up-to-date terraform.tfstate file, you are going to have serious issues with unintentionally changed, destroyed or duplicated resources. https://www.terraform.io/docs/commands/remote-config.html – Karen B Jul 23 '16 at 22:48

1 Answer

Just make sure you are in the right AWS profile; the default AWS profile could restrict you from creating the instance.

provider "aws" {
  region = "${var.aws_region}"
  shared_credentials_file = "~/.aws/credentials"
  profile = "xxxxxxx"
}
Prashanth Sams
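To tell an identity mix-up (which profile Jenkins actually resolves to) from a genuinely missing permission, it helps to check the Jenkins principal's policy document offline against the API actions this particular config needs. The following is an added example, not code from the question or the answer; the action list is constructed from the resource types on the page (security group with rules, two instances, a classic ELB) and is illustrative rather than exhaustive, the sample policy is constructed, and the evaluator looks only at Effect/Action/NotAction, ignoring Resource and Condition elements.

```python
import fnmatch
import json

# Actions the AWS provider issues for the resources in the question's config.
# Constructed for this example; real runs may need a few more (e.g. Describe* calls).
REQUIRED_ACTIONS = [
    "ec2:DescribeSecurityGroups",
    "ec2:CreateSecurityGroup",
    "ec2:AuthorizeSecurityGroupIngress",
    "ec2:AuthorizeSecurityGroupEgress",
    "ec2:RevokeSecurityGroupEgress",      # provider drops the default egress rule
    "ec2:RunInstances",
    "ec2:DescribeInstances",
    "ec2:CreateTags",
    "elasticloadbalancing:CreateLoadBalancer",
    "elasticloadbalancing:ConfigureHealthCheck",
    "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
]

# Constructed sample: a policy a CI user might have been handed. It can run
# instances and touch ELBs but cannot create a security group, which reproduces
# the "UnauthorizedOperation" seen in the question.
JENKINS_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:Describe*", "ec2:RunInstances", "ec2:CreateTags",
                "ec2:AuthorizeSecurityGroup*", "elasticloadbalancing:*"]}
  ]
}""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(pattern, action):
    # IAM action names match case-insensitively with * and ? wildcards
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def action_allowed(policy, action):
    """Default deny; an explicit Deny wins over any Allow.
    Resource/Condition are ignored, so True is necessary, not sufficient."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        if "Action" in stmt:
            hit = any(_matches(p, action) for p in _as_list(stmt["Action"]))
        else:  # NotAction: the statement covers everything *not* listed
            hit = not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
        if not hit:
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed

def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Actions in `required` that the policy does not allow."""
    return [a for a in required if not action_allowed(policy, a)]

if __name__ == "__main__":
    print("missing:", missing_actions(JENKINS_POLICY))
```

Run `aws sts get-caller-identity` from inside the Jenkins job first to see which principal the credentials resolve to there, then fetch that principal's policy document (for a managed policy, `aws iam get-policy-version`) and pass it to `missing_actions`; if the list is empty, the failure is more likely a Resource or Condition restriction, or a different profile than the one used on the terminal.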