loads of errors when permission to view org is missing

Question

loads of errors when permission to view org is missing

Closed this issue 4 months ago · 7 comments

there are loads of errors when i do not have permissions to view the org info

225-get-cvpn-endpoints.sh runtime 6 seconds
-------------------------------------------------------------------
. ../../scripts/227-get-vpn-connections.sh
Found Error: │ Error: listing AWS Organization (<redacted>) accounts: AccessDeniedException: You don't have permissions to access this resource. .... (pass for now)
import.log adjust
--> Validate Fixer
Success! The configuration is valid.

Answer 1 · 2023-06-12T16:04:30.000Z

committed change that should hopefully skip around these when you don't have access

Answer 2 · 2023-06-12T19:24:45.000Z

i see this now

skipping 030-get-iam-users.sh
skipping 034-get-iam-groups.sh
skipping 050-get-iam-roles.sh
skipping 051-get-iam-role-policies.sh
skipping 052-get-iam-attached-role-policies.sh
skipping 055-get-iam-policies.sh
skipping 056-get-iam-instance-profile.sh
skipping 057-get-iam-access-key.sh

perhaps i should explain, i am using AWS SSO and my permission set is the aws default admin role. so i do have access to IAM

i am also still seeing the issue

. ../../scripts/070-get-cw-log-grp.sh
ncpu=32
aws --profile addoptify --region eu-west-1 --output json logs describe-log-groups
Importing aws_cloudwatch_log_group /ecs/test-AgentTaskDefinition-P9GMBYE6H5RR2 _ecs_test-AgentTaskDefinition-P9GMBYE6H5RR2
Importing aws_cloudwatch_log_group RDSOSMetrics RDSOSMetrics
Waiting for 3 Terraform imports
Importing aws_cloudwatch_log_group test-ECSLogGroup-1IJZW5XQ6ZAKA test-ECSLogGroup-1IJZW5XQ6ZAKA
Wait completed ..... imported 2
aws_cloudwatch_log_group /ecs/test-AgentTaskDefinition-P9GMBYE6H5RR2 tf files
aws_cloudwatch_log_group RDSOSMetrics tf files
aws_cloudwatch_log_group test-ECSLogGroup-1IJZW5XQ6ZAKA tf files
Starting state mv for aws_cloudwatch_log_group
Consolidated state aws_cloudwatch_log_group.RDSOSMetrics
Consolidated state aws_cloudwatch_log_group._ecs_test-AgentTaskDefinition-P9GMBYE6H5RR2
Consolidated state aws_cloudwatch_log_group.test-ECSLogGroup-1IJZW5XQ6ZAKA
Found Error: │ Error: listing AWS Organization (o-org-id) accounts: AccessDeniedException: You don't have permissions to access this resource. .... (pass for now)
import.log adjust
--> Validate Fixer
Success! The configuration is valid.

Answer 3 · 2023-06-12T19:57:28.000Z

what was the corresponding aws2tf.sh command you used ?
when you saw the skipping 030-get-iam-users.sh
etc commands

skipping iam stuff can be by design - because when other resources are found the necessary iam is pulled in as a dependency

If you still want ALL the iam stuff you can always do a subsequent:
./aws2tf.sh -t iam -c yes -f yes

(committed another change to get more output on the skipping - as there's two reasons that can happen)

Answer 4 · 2023-06-12T20:01:04.000Z

corresponding command . just aws2tf with -v yes

Answer 5 · 2023-06-12T20:23:15.000Z

committed more changes to help track this down - also please run with debug on:

./aws2tf.sh -v yes -d yes

This will help me track down the "Found Error: │ Error: listing AWS Organization (o-4oizb4q5g1) accounts:"

as it will exit soon after the error occurs (-d yes)

Answer 6 · 2023-06-12T20:45:22.000Z

cmd: ./aws2tf.sh -d -v yes

t= pre=* i= exclude=iam
loop through providers
. ../../scripts/type-get-transitgw.sh
aws --profile profile --region region --output json ec2 describe-transit-gateways --transit-gateway-ids yes --filters "Name=state,Values=available"
aws --profile profile --region region --output json  ec2 describe-transit-gateways --transit-gateway-ids yes --filters "Name=state,Values=available" : You don't have access for this resource
Success! The configuration is valid.

type-get-transitgw.sh runtime 11 seconds
-------------------------------------------------------------------
. ../../scripts/010-get-organization.sh
aws --profile profile --region region --output json organizations describe-organization
aws_organizations_organization o-??? import
╷
│ Error: listing AWS Organization (o-???) accounts: AccessDeniedException: You don't have permissions to access this resource.
│
│
╵

aws_organizations_organization.o-???: Importing from ID "o-???"...
No state file was found!

State management commands require a state file. Run this command
in a directory where Terraform has been run or use the -state flag
to point the command to a specific state location.
Found Error: │ Error: listing AWS Organization (o-???) accounts: AccessDeniedException: You don't have permissions to access this resource.
debug flag is on so exiting ....

Answer 7 · 2024-08-22T20:31:57.000Z

Handled a lot better in python version , so closing, reopen if still an issue