When configuring resource-tags for aws provider, the tags are created after the resource is created
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Canonical Juju | Fix Released | High | Thomas Miller |
Bug Description
For AWS provider, you can configure resource-tags as model-config, and as a result the following resources will get the specific tags configured.
- instances
- security groups
- volumes
However, it looks like the tags are created after the resource is created, not while it is created.
Therefore the following IAM policy, based on this policy [0] with conditions added to restrict creation of resources to those carrying the specific tag, will fail to bootstrap.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Allow_
],
}
}
},
{
"Sid": "Allow_
],
}
}
},
{
"Sid": "JujuEC2Actions",
}
}
},
{
},
{
"Sid": "JujuIAMActions",
],
},
{
"Sid": "JujuSSMActions",
],
}
]
}
As far as I have checked from the behaviour, juju creates an instance with the following flow:
1. CreateSecurityGroup
2. CreateTags
3. AuthorizeSecuri
4. CreateVolume
5. CreateTags
6. RunInstances
7. CreateTags
Due to the customer's security policy, the IAM policy only allows launching an instance with the specific tag attached, as you can see in the above IAM policy.
So the expected behaviour is to have the "CreateTags" action run inside each action, not after.
[0] https:/
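Added example, not code from Juju or from the reporter: a toy Python model of the IAM evaluation described above, run offline against the two call orders. The policy and the tag key name (`juju-model-uuid`) are constructed assumptions standing in for the truncated policy in the report; the evaluator only understands `StringEquals` conditions on `aws:RequestTag/<key>`, ignores the `ResourceType` in `TagSpecifications`, and does not model the per-resource evaluation that the real `RunInstances` performs. `TagSpecifications` itself is the real EC2 request parameter that lets `RunInstances`, `CreateVolume` and `CreateSecurityGroup` carry tags in the create call.

```python
"""Toy IAM evaluator showing why tag-after-create fails under an aws:RequestTag
condition while tag-at-create passes. Constructed example, not Juju code."""

# Assumed tag key/value; the bug report does not name the required tag.
TAG_KEY = "juju-model-uuid"
TAG_VALUE = "example-model"

# Constructed policy: creates are allowed only when the request itself carries the tag.
POLICY = [
    {
        "Sid": "CreateWithRequiredTag",
        "Effect": "Allow",
        "Action": ["ec2:RunInstances", "ec2:CreateVolume", "ec2:CreateSecurityGroup"],
        "Condition": {"StringEquals": {f"aws:RequestTag/{TAG_KEY}": TAG_VALUE}},
    },
    {
        "Sid": "OtherEc2Actions",
        "Effect": "Allow",
        "Action": ["ec2:CreateTags", "ec2:AuthorizeSecurityGroupIngress"],
    },
]


def request_tags(params):
    """Collect the tags a request would carry via the EC2 TagSpecifications parameter."""
    tags = {}
    for spec in params.get("TagSpecifications", []):
        for tag in spec.get("Tags", []):
            tags[tag["Key"]] = tag["Value"]
    return tags


def condition_holds(condition, params):
    """Evaluate StringEquals on aws:RequestTag/<key>; a missing key fails the condition."""
    tags = request_tags(params)
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            prefix = "aws:RequestTag/"
            if not key.startswith(prefix):
                raise NotImplementedError(key)
            if tags.get(key[len(prefix):]) != expected:
                return False
    return True


def is_allowed(action, params):
    """IAM default deny: allowed only if some Allow statement matches action and condition."""
    for stmt in POLICY:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        if condition_holds(stmt.get("Condition", {}), params):
            return True
    return False


def evaluate_flow(calls):
    """Return (action, decision) per call, stopping at the first deny as bootstrap would."""
    decisions = []
    for action, params in calls:
        decision = "allow" if is_allowed(action, params) else "deny"
        decisions.append((action, decision))
        if decision == "deny":
            break
    return decisions


def tag_spec(resource_type):
    return [{"ResourceType": resource_type,
             "Tags": [{"Key": TAG_KEY, "Value": TAG_VALUE}]}]


# Call order observed in the bug report: resources created bare, then tagged.
TAG_AFTER_CREATE = [
    ("ec2:CreateSecurityGroup", {}),
    ("ec2:CreateTags", {}),
    ("ec2:AuthorizeSecurityGroupIngress", {}),
    ("ec2:CreateVolume", {}),
    ("ec2:CreateTags", {}),
    ("ec2:RunInstances", {}),
    ("ec2:CreateTags", {}),
]

# Same resources created with tags carried in the create request itself.
TAG_AT_CREATE = [
    ("ec2:CreateSecurityGroup", {"TagSpecifications": tag_spec("security-group")}),
    ("ec2:AuthorizeSecurityGroupIngress", {}),
    ("ec2:CreateVolume", {"TagSpecifications": tag_spec("volume")}),
    ("ec2:RunInstances", {"TagSpecifications": tag_spec("instance")}),
]

if __name__ == "__main__":
    print("tag after create:", evaluate_flow(TAG_AFTER_CREATE))
    print("tag at create:   ", evaluate_flow(TAG_AT_CREATE))
```

The first flow is denied on the very first call, before any `CreateTags` is reached, because `StringEquals` on an absent request tag evaluates false; the second flow passes every call. A practitioner checking a provider against such a policy should look at the create requests themselves, not at the tags that end up on the resource.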
Changed in juju:
milestone: none → 3.1.1
status: New → Triaged
importance: Undecided → High
tags: added: bitesize ec2-provider
Changed in juju:
milestone: 3.1.1 → 3.1.2
Changed in juju:
status: Fix Committed → Fix Released
https://github.com/juju/juju/pull/15197