Comments (11)
I'm also encountering this issue as well
from terraform-aws-emr.
I'm also encountering this error
from terraform-aws-emr.
After doing some debugging, I worked around the issue with the following amendment to the example...

```hcl
data "aws_iam_policy_document" "create_in_network" {
  statement {
    sid = "CreateInNetwork"
    actions = [
      "ec2:CreateNetworkInterface",
      "ec2:RunInstances",
      "ec2:CreateFleet",
      "ec2:CreateLaunchTemplate",
      "ec2:CreateLaunchTemplateVersion"
    ]
    resources = ["arn:aws:ec2:*:*:subnet/${PRIVATE_SUBNET_YOUR_EMR_CLUSTER_IS_USING}"]
  }
}

resource "aws_iam_policy" "emr_create_in_network" {
  name        = "emr_create_in_network"
  description = "extra policy for EMR cluster setup"
  policy      = data.aws_iam_policy_document.create_in_network.json
}

module "emr" {
  source  = "terraform-aws-modules/emr/aws"
  version = "1.0.0"

  # ...

  ec2_attributes = {
    # Instance groups only support one Subnet/AZ
    # Subnets should be private subnets and tagged with
    # { "for-use-with-amazon-emr-managed-policies" = true }
    subnet_id = PRIVATE_SUBNET_YOUR_EMR_CLUSTER_IS_USING
  }

  # ...

  service_iam_role_policies = {
    "AmazonEMRServicePolicy_v2" : "arn:aws:iam::aws:policy/service-role/AmazonEMRServicePolicy_v2", # THIS IS THE DEFAULT VALUE FOR THIS ATTRIBUTE
    "CreatInNetwork" : aws_iam_policy.emr_create_in_network.arn # THIS FIXES THE CLUSTER FAILURE
  }
}
```
from terraform-aws-emr.
I suspect this is related to the v2 managed policies - without a full reproduction it will be difficult to tell though.
Have you all enabled the appropriate tag on the subnets used/passed to EMR?
terraform-aws-emr/examples/private-cluster/main.tf
Lines 265 to 270 in d987b8d
See main README just before Usage.
from terraform-aws-emr.
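The subnet tagging described in the comment above, as an added example that is not code from the module or from anyone in this thread. It keeps the tag-scoped `AmazonEMRServicePolicy_v2` as the only service-role policy instead of attaching an extra untagged-subnet policy. The variable name `emr_subnet_id` and the resource label are assumptions; the `# ...` stands for the rest of the module inputs.

```hcl
# Assumption: the private subnet is created outside this configuration
# (for example by a shared networking stack), so only its ID is known here.
variable "emr_subnet_id" {
  description = "ID of the private subnet the EMR cluster launches into"
  type        = string
}

# Add the tag that the EMR v2 managed policy conditions its EC2
# permissions on. aws_ec2_tag manages a single tag on a resource that is
# otherwise owned elsewhere, so the subnet's other tags are left untouched.
resource "aws_ec2_tag" "emr_managed_policy" {
  resource_id = var.emr_subnet_id
  key         = "for-use-with-amazon-emr-managed-policies"
  value       = "true"
}

module "emr" {
  source  = "terraform-aws-modules/emr/aws"
  version = "1.0.0"

  # ...

  ec2_attributes = {
    # Referencing the tag resource (rather than the variable) makes
    # Terraform apply the tag before it tries to create the cluster.
    subnet_id = aws_ec2_tag.emr_managed_policy.resource_id
  }

  # No extra entry in service_iam_role_policies: the default
  # AmazonEMRServicePolicy_v2 is sufficient once the subnet is tagged.
}
```

If the subnet is defined in the same configuration, set the tag in that `aws_subnet` resource's `tags` argument instead, because managing one tag through both `aws_subnet` and `aws_ec2_tag` causes perpetual diffs.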
Anyone able to confirm if the above guidance solves their permission issues?
from terraform-aws-emr.
Hello @bryantbiggs, you are correct. After applying the tags to Private Subnet, I was able to solve the insufficient EC2 permissions issue.
Thanks.
from terraform-aws-emr.
Any suggestions on how to better surface this in the docs? I'm open to ideas
from terraform-aws-emr.
Yes, I finally put 2 and 2 together to see that it was that policy. I would question the merit of adding the tagging condition.
from terraform-aws-emr.
To be clear, this is coming from Amazon and how they have scoped permissions. In this module I have tagged all the relevant resources accordingly but I cannot ensure the appropriate networking resources are tagged based on the intended architecture since those are outside of this module
from terraform-aws-emr.
closing this for now - please feel free to provide feedback on how we can better improve the documentation to make this functionality more clear to users in the future
from terraform-aws-emr.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
from terraform-aws-emr.