[AWS] aws_opsworks_permission: Setting 'level' has no effect, allow_ssh keeps reapplying #9104

Closed
solinv opened this issue Sep 28, 2016 · 8 comments · Fixed by #10394

@solinv

solinv commented Sep 28, 2016

Hi there,

thanks for introducing the aws_opsworks_permission resource, it's been a great help already.

We encountered two issues with it that I'd like to report. Please have a look at the following resource configuration:

resource aws_opsworks_permission deploy_user {
  allow_ssh = true
  allow_sudo = false
  level = "deploy"
  user_arn = "${var.user_arn}"
  stack_id = "${var.stack_id}"
}

The issues we've encountered:

  1. Setting the level to anything has no effect in OpsWorks, i.e. after terraform apply, Terraform saves the new level in its state file, but the OpsWorks permission level stays iam_only, always.
  2. When setting allow_ssh = true and allow_sudo = false, Terraform keeps re-planning and -applying allow_ssh = true. Note: This does not happen if allow_sudo is set to true also.

We're using Terraform v0.7.4.

Thanks in advance and looking forward to hearing from you!

@stack72
Contributor

stack72 commented Sep 28, 2016

Hi @solinv

apologies this is causing you issues, can you try and help us diagnose this a little bit more for you? If possible, please can you run the following command:

TF_LOG=1 terraform apply 2>~/tf.log

This will put terraform into verbose mode and give us a debug output. When you get that file, can you have a look in the ~/tf.log file and search for:

[ERROR] OpsWorks error:

And if you find it, can you drop the details here?

Thanks

Paul

@stack72 stack72 added the bug, waiting-response and provider/aws labels Sep 28, 2016
@stack72 stack72 self-assigned this Sep 28, 2016
@solinv
Author

solinv commented Sep 29, 2016

Hi @stack72

thanks for the quick answer!

I just ran terraform plan, terraform apply several times, both when creating the permission resource, as well as when the repeating updates happen. The logs showed no error.

When running terraform plan, to me it looks like the AWS SDK's response when terraform asks for the current state yields the correct state for Allow* properties as they show up in OpsWorks, but terraform still wants to reapply. The Level property is just wrong, as far as I can tell terraform doesn't set this property when creating or updating the permission resource.

{"Permissions":[{"AllowSsh":true,"AllowSudo":false,"IamUserArn":"%arn%","Level":"iam_only","StackId":"%stackId%"}]}

I thought about a permission problem with the AWS account I configure for the provider (using an AWS CLI profile), but using the same account credentials in AWS Console OpsWorks allows me to change permissions.

Is there anything more I can provide you with to identify the cause, maybe more complete portions of the log or any other details about our setup?

Thanks again :)
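
An added example, not part of the original thread or of Terraform's code: because the state file recorded `level = "deploy"` while OpsWorks still reported `iam_only`, the effective permission has to be read from the API response rather than from state. The sketch below compares the intended arguments with a response of the shape quoted above; the ARN, stack id, and function name are constructed placeholders.

```python
import json

# Constructed sample in the shape of the response quoted in the comment above.
SAMPLE_RESPONSE = json.dumps({
    "Permissions": [{
        "AllowSsh": True,
        "AllowSudo": False,
        "IamUserArn": "arn:aws:iam::000000000000:user/example",  # placeholder
        "Level": "iam_only",
        "StackId": "00000000-0000-0000-0000-000000000000",       # placeholder
    }]
})

# Intended settings, mirroring the resource block from the issue.
DESIRED = {
    "allow_ssh": True,
    "allow_sudo": False,
    "level": "deploy",
    "user_arn": "arn:aws:iam::000000000000:user/example",
    "stack_id": "00000000-0000-0000-0000-000000000000",
}

# Terraform argument -> key in the OpsWorks permissions response.
ATTR_TO_API = {"allow_ssh": "AllowSsh", "allow_sudo": "AllowSudo", "level": "Level"}


def permission_drift(desired, response_json):
    """Return {argument: (desired, actual)} for each argument that differs."""
    perms = json.loads(response_json).get("Permissions", [])
    match = [p for p in perms
             if p.get("IamUserArn") == desired["user_arn"]
             and p.get("StackId") == desired["stack_id"]]
    if not match:
        # No record for this user/stack pair: report every argument as unset.
        return {a: (desired[a], None) for a in ATTR_TO_API if a in desired}
    actual = match[0]
    return {a: (desired[a], actual.get(k))
            for a, k in ATTR_TO_API.items()
            if a in desired and desired[a] != actual.get(k)}


if __name__ == "__main__":
    for attr, (want, got) in permission_drift(DESIRED, SAMPLE_RESPONSE).items():
        print(f"DRIFT {attr}: configured={want!r} effective={got!r}")
```

A live response in this shape can be obtained with `aws opsworks describe-permissions --iam-user-arn <arn> --stack-id <id>` and passed in place of the sample.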

@stack72
Contributor

stack72 commented Sep 30, 2016

Hi @solinv

Thanks for getting back to me - can you post a small config (minus any secrets) that can help us try and recreate this error?

Thanks

Paul

@solinv
Author

solinv commented Sep 30, 2016

Hi @stack72

Sure thing, please see the config (stripped of account-specific stuff) attached. I've been using it to reproduce the behaviour described.

Thanks once more! :)
stack.tf.txt

@stack72 stack72 removed the waiting-response label Oct 24, 2016
@stack72 stack72 removed their assignment Oct 24, 2016
@janschumann
Contributor

Hi, is anyone working on this?

I am currently working on another feature for OpsWorks (RDS DB instance registration), so if nobody is working on this, I would like to help.

@stack72
Contributor

stack72 commented Nov 23, 2016

Hi @janschumann

I've not gotten around to it I'm afraid - would love for you to help with it

P.

@janschumann
Contributor

janschumann commented Dec 1, 2016

@solinv @stack72 this should now be fixed in #10394

@ghost

ghost commented Apr 19, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 19, 2020