I am creating a step-function via Terraform that uses the Hashicorp AWS Step Function module. I have specified an existing role for the step-function to use as opposed to generating a role from the service integrations. However, I am getting the following error:
Error: creating Step Functions State Machine (<step func name>): AccessDeniedException: '<step func arn>' is not authorized to create managed-rule.
The role has the principal 'states.amazonaws.com'. The permissions that appear relevant (i.e., ignoring permissions to invoke lambda functions, glue jobs, etc.) are:
Actions: (I started with far more refined permissions)
Resources:
Actions:
Resources:
I did try using service integrations instead but for some reason I was getting an error saying that the keys I provided did not match the list of service integrations (they were exactly the same as far as I can tell).
I cannot find answers anywhere online so any help would be much appreciated! Thank you
EDIT - added code:
module "step-function-crawler-execution" {
  source = "git@github.com:Schroders-Personal-Wealth/terraform-shared-library.git//services/step-functions?ref=steps-func-0.1.0"

  name                             = local.state_machine_def.crawler_wrapper.name
  type                             = var.stepfunc_type
  definition                       = jsonencode(local.state_machine_def.crawler_wrapper.definition)
  publish                          = var.stepfunc_publish
  create_role                      = false
  use_existing_role                = true
  role_arn                         = module.stepfunc-iam-role.arn
  attach_policies_for_integrations = false
  tags                             = var.service_tags
}
IAM Role:
module "stepfunc-iam-role" {
  source  = "cloudposse/iam-role/aws"
  version = "0.16.2"

  enabled = true
  name    = "${var.env}-${var.stepfunc_role_name}"

  principals = {
    "Service" = ["states.eu-west-1.amazonaws.com"]
  }

  assume_role_actions = [
    "sts:AssumeRole", "sts:TagSession"
  ]

  managed_policy_arns = [
    "arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole"
  ]

  permissions_boundary  = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/permissions-boundary"
  policy_document_count = 7
  policy_documents = [
    data.aws_iam_policy_document.glue_perms.json,
    data.aws_iam_policy_document.glue_crawler_perms.json,
    data.aws_iam_policy_document.lambda_perms.json,
    data.aws_iam_policy_document.statemachine_perms.json,
    data.aws_iam_policy_document.ddb_perms.json,
    data.aws_iam_policy_document.log_perms.json,
    data.aws_iam_policy_document.event_perms.json,
  ]

  policy_description = var.stepfunc_policy_desc
  role_description   = var.stepfunc_role_desc
  tags               = var.service_tags
}
Permissions:
data "aws_iam_policy_document" "event_perms" {
  statement {
    sid    = "EB_perms"
    effect = "Allow"
    actions = [
      "events:*"
    ]
    resources = [
      "*"
    ]
  }
}

data "aws_iam_policy_document" "statemachine_perms" {
  statement {
    sid    = ""
    effect = "Allow"
    actions = [
      "states:Describe*",
      "states:Create*",
      "states:Update*",
      "states:List*",
      "states:Start*",
      "states:StopExecution"
    ]
    resources = [
      module.step-function-crawler-execution.state_machine_arn,
      module.step-function-schema-validation.state_machine_arn,
      module.step-function-cleanzone.state_machine_arn
    ]
  }
}

data "aws_iam_policy_document" "lambda_perms" {
  statement {
    sid    = ""
    effect = "Allow"
    actions = [
      "lambda:InvokeFunction"
    ]
    resources = [
      < arns >
    ]
  }
}

data "aws_iam_policy_document" "s3_perms" {
  statement {
    sid    = "rawzoneS3"
    effect = "Allow"
    resources = [
      < arns >
    ]
    actions = [
      "s3:GetObject",
      "s3:PutObject",
      "s3:ListBucket",
      "s3:DeleteObject",
    ]
  }
}

data "aws_iam_policy_document" "glue_perms" {
  statement {
    sid    = ""
    effect = "Allow"
    resources = [
      < arns >
    ]
    actions = [
      "glue:GetTableVersion",
      "glue:GetTableVersions",
      "glue:GetTable",
      "glue:GetTables",
      "glue:GetPartitions",
      "glue:GetCrawler",
      "glue:GetCrawlers",
      "glue:GetJob",
      "glue:GetJobs",
      "glue:GetJobRun",
      "glue:GetJobRuns",
      "glue:GetCrawlerMetrics",
      "glue:StartCrawler",
      "glue:StartJobRun",
      "glue:DeleteTable"
    ]
  }
}

data "aws_iam_policy_document" "ddb_perms" {
  statement {
    sid    = ""
    effect = "Allow"
    resources = [
      < arns >
    ]
    actions = [
      "dynamodb:PutItem",
      "dynamodb:UpdateItem",
      "dynamodb:BatchWriteItem",
      "dynamodb:DeleteItem",
      "dynamodb:Query",
      "dynamodb:UpdateTable",
      "dynamodb:GetItem",
    ]
  }
}

data "aws_iam_policy_document" "ssm_perms" {
  statement {
    sid    = ""
    effect = "Allow"
    resources = [
      "*"
    ]
    actions = [
      "ssm:GetParametersByPath",
      "ssm:GetParameters",
      "ssm:GetParameter"
    ]
  }
}

data "aws_iam_policy_document" "log_perms" {
  statement {
    sid    = ""
    effect = "Allow"
    resources = [
      "*"
    ]
    actions = [
      "cloudwatch:Put*",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
      "logs:CreateLogGroup",
    ]
  }
}

data "aws_iam_policy_document" "glue_crawler_perms" {
  statement {
    sid    = ""
    effect = "Allow"
    resources = [
      "arn:aws:glue:${var.region}:${var.deploy_account_id}:*"
    ]
    actions = [
      "glue:CreateDatabase",
      "glue:CreateTable",
      "glue:GetDatabase",
      "glue:GetTable",
      "glue:GetConnection",
      "glue:GetPartitions",
      "glue:UpdateTable"
    ]
  }
}
I eventually found that if I apply the IAM role before applying the step function it works.
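The configuration above has the role's `statemachine_perms` policy reference the state machine module's output while the state machine references the role's ARN, so the two resources depend on each other and the only way to get the role's policies in place first is the manual two-step apply the poster describes. The following is an added example, not the poster's or the module authors' configuration: it assumes the same variable, local and module names as the question, derives the state machine ARN from its name so the role no longer depends on the state machine module, declares the ordering with `depends_on`, and replaces `events:*` on `*` with the three EventBridge actions Step Functions needs to create its managed rule. The rule name shown is the one used for nested `startExecution.sync` calls; this is an assumption about which `.sync` integration produced the error, and other integrations use their own `StepFunctionsGetEventsFor...Rule` name.

```terraform
# Added example, not the poster's configuration. Assumes var.region,
# data.aws_caller_identity.current, local.state_machine_def, var.stepfunc_*,
# var.service_tags and module.stepfunc-iam-role exist as in the question.

locals {
  # Assumed: build the state machine ARN from its name instead of reading
  # module.step-function-crawler-execution.state_machine_arn, so the role's
  # policy no longer depends on the state machine that depends on the role.
  crawler_state_machine_arn = "arn:aws:states:${var.region}:${data.aws_caller_identity.current.account_id}:stateMachine:${local.state_machine_def.crawler_wrapper.name}"
}

# Replacement for the "events:*" on "*" statement: only what Step Functions
# calls when it creates the managed EventBridge rule behind a .sync task.
data "aws_iam_policy_document" "event_perms" {
  statement {
    sid    = "StepFunctionsManagedRule"
    effect = "Allow"
    actions = [
      "events:PutTargets",
      "events:PutRule",
      "events:DescribeRule",
    ]
    # Assumed: the managed rule for nested startExecution.sync calls. Scope this
    # to the rule name of the .sync integration the state machine actually uses.
    resources = [
      "arn:aws:events:${var.region}:${data.aws_caller_identity.current.account_id}:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule",
    ]
  }
}

# Same actions as the question's statement, but the resource is the derived
# ARN rather than a module output (only the crawler state machine is shown).
data "aws_iam_policy_document" "statemachine_perms" {
  statement {
    sid    = "NestedStateMachines"
    effect = "Allow"
    actions = [
      "states:Describe*",
      "states:Create*",
      "states:Update*",
      "states:List*",
      "states:Start*",
      "states:StopExecution",
    ]
    resources = [local.crawler_state_machine_arn]
  }
}

module "step-function-crawler-execution" {
  source = "git@github.com:Schroders-Personal-Wealth/terraform-shared-library.git//services/step-functions?ref=steps-func-0.1.0"

  name                             = local.state_machine_def.crawler_wrapper.name
  type                             = var.stepfunc_type
  definition                       = jsonencode(local.state_machine_def.crawler_wrapper.definition)
  publish                          = var.stepfunc_publish
  create_role                      = false
  use_existing_role                = true
  role_arn                         = module.stepfunc-iam-role.arn
  attach_policies_for_integrations = false
  tags                             = var.service_tags

  # Terraform 0.13+ allows depends_on on module blocks: the role and every
  # policy the module attaches are applied before the state machine is created,
  # which replaces the manual "apply the role first" step.
  depends_on = [module.stepfunc-iam-role]
}
```

With the derived ARN the graph has no cycle, so a single `terraform apply` creates the role and its policies before `CreateStateMachine` is called; if the error still appears on first apply, check that the `.sync` integration in the definition matches the managed rule name the policy is scoped to.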