
I am using Jenkins to automate Terraform to create my AWS environment. Although Jenkins has permissions to CreateSecurityGroup, I get this error when Jenkins runs my Terraform main file:

* aws_security_group.lambda_security_group: aws_security_group.lambda_security_group: UnauthorizedOperation: You are not authorized to perform this operation.status code: 403, request id: 08c21dbe-5b86-4ad1-8ff3-13611bdb178c

With the CreateSecurityGroup permission in place, I am curious why I am unable to perform the operation.

I have ensured these permissions are assigned to the Jenkins role creating the security group:

        {
            "Sid": "AllowEC2Control",
            "Action": [
                "ec2:CreateSecurityGroup"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        }

This is the code within my Terraform file:

Creating the security group:

resource "aws_security_group" "lambda_security_group" {
  name = "security group"
  description = "Security group for data ingestion lambda"
  vpc_id = "${var.vpc_id}"

  egress {
    from_port = 0
    to_port = 0
    protocol = "-1"
    cidr_blocks = [
      "0.0.0.0/0"
    ]
  }

  tags {
    Service = "${var.tags_service_name}"
    environment = "${var.environment}"
  }
}

Creating the lambda:

resource "aws_lambda_function" "some_lambda" {
  function_name = "my_lambda"
  s3_bucket = "${aws_s3_bucket.my_data.bucket}"
  s3_key = "lambda.zip"
  role    = "${aws_iam_role.my_iam_role.arn}"
  handler = "lambda_function.lambda_handler"
  runtime = "python3.6"
  timeout = 900
  memory_size = 128
  source_code_hash = "${var.GIT_SHA}"
  vpc_config {
    security_group_ids = [
      "${aws_security_group.lambda_security_group.id}"
    ]
    subnet_ids = "${var.subnets}"
  }
}

Unfortunately I get the error posted at the top when Jenkins executes the Terraform script. I am expecting to have the proper permissions to create this security group.

Shabina Rayan
  • How does Jenkins receive the credentials? Is it via an EC2 instance role, or have you manually provisioned the access keys? – Datise Mar 29 '19 at 18:44
  • The IAM that the Jenkins user is assuming with Terraform may need more than just "create" to create the security group. There may also be a "read" permission necessary since Terraform does CRUD-style operations. – Matthew Schuchard Mar 29 '19 at 19:15
  • I would give your Jenkins Role all ec2:* permissions to test it and then try to create more granular permissions. You need a few permissions to make that code run properly. – victor m Mar 30 '19 at 02:51

1 Answer

You only authorized your Jenkins to create a security group, but in your Terraform code you want to add an egress rule too.

You have to grant the egress permission too. Here is a reference: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#security-group

To be able to add/update/delete, you can change your IAM rule to:

        {
            "Sid": "AllowEC2Control",
            "Action": [
                "ec2:CreateSecurityGroup",
                "ec2:*SecurityGroupEgress",
                "ec2:*SecurityGroupIngress"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        }
Darkjeff
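The following is an added example, not code from the question or the answer: a small offline checker that evaluates an IAM policy document's `Action` patterns (IAM wildcard semantics, `*` and `?`, case-insensitive, explicit Deny wins, default deny) against the EC2 actions a Terraform `aws_security_group` resource exercises over its lifecycle. The two policies embedded below are the question's original statement and the answer's corrected statement; the required-action list is constructed for this example (create, the egress rule calls named in the answer, the read-back the comments mention, and delete for `terraform destroy`), and is an assumption about Terraform's behaviour rather than something the page states.

```python
import re

# Constructed for this example: the ec2 actions a Terraform aws_security_group
# with an egress block needs across plan/apply/destroy (assumption, not from the page).
REQUIRED_ACTIONS = [
    "ec2:CreateSecurityGroup",           # create the group
    "ec2:DescribeSecurityGroups",        # read it back into state
    "ec2:RevokeSecurityGroupEgress",     # drop the default allow-all egress rule
    "ec2:AuthorizeSecurityGroupEgress",  # add the declared egress block
    "ec2:DeleteSecurityGroup",           # terraform destroy
]

# The question's policy statement, verbatim.
ORIGINAL_POLICY = {
    "Statement": [
        {"Sid": "AllowEC2Control", "Effect": "Allow",
         "Action": ["ec2:CreateSecurityGroup"], "Resource": ["*"]}
    ]
}

# The answer's corrected policy statement, verbatim.
FIXED_POLICY = {
    "Statement": [
        {"Sid": "AllowEC2Control", "Effect": "Allow",
         "Action": ["ec2:CreateSecurityGroup",
                    "ec2:*SecurityGroupEgress",
                    "ec2:*SecurityGroupIngress"],
         "Resource": ["*"]}
    ]
}


def _pattern_to_regex(pattern: str) -> str:
    """Translate an IAM action pattern ('*' and '?' wildcards) into a regex."""
    return re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")


def action_matches(pattern: str, action: str) -> bool:
    """IAM action matching: whole-string, wildcard-aware, case-insensitive."""
    return re.fullmatch(_pattern_to_regex(pattern), action, re.IGNORECASE) is not None


def _listify(value):
    # IAM allows "Action": "x" as well as "Action": ["x", "y"].
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str) -> bool:
    """Simplified IAM evaluation for Resource "*": an explicit Deny that matches
    the action overrides everything; otherwise any matching Allow grants it;
    otherwise the implicit default is deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(action_matches(p, action) for p in _listify(stmt.get("Action", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_actions(policy: dict, required=REQUIRED_ACTIONS) -> list:
    """Return the required actions the policy does not allow, in order."""
    return [a for a in required if not is_allowed(policy, a)]


if __name__ == "__main__":
    for label, policy in (("original", ORIGINAL_POLICY), ("answer", FIXED_POLICY)):
        gaps = missing_actions(policy)
        print(f"{label}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
```

Run against the question's policy, the checker reports that `ec2:AuthorizeSecurityGroupEgress` (the call behind the 403 once the egress block is applied) is not allowed; against the answer's policy it shows the `ec2:*SecurityGroupEgress` wildcard covering both the Authorize and Revoke calls, while `ec2:DescribeSecurityGroups` and `ec2:DeleteSecurityGroup` are still outside the statement, so a plan refresh or destroy would hit the same UnauthorizedOperation error. The same function can be pointed at any policy JSON loaded with `json.load` to check a role before handing it to a CI runner.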