Error deploying EMR due to `insufficient ec2 permissions about terraform-aws-emr HOT 11 CLOSED

I'm also encountering this issue as well

from terraform-aws-emr.

I'm also encountering this error

from terraform-aws-emr.

After doing some debugging worked around the issue with the following amendment to the example...

data "aws_iam_policy_document" "create_in_network" {
  statement {
    sid     = "CreateInNetwork"
    actions = [
                "ec2:CreateNetworkInterface",
                "ec2:RunInstances",
                "ec2:CreateFleet",
                "ec2:CreateLaunchTemplate",
                "ec2:CreateLaunchTemplateVersion"
              ]

    resources = ["arn:aws:ec2:*:*:subnet/${PRIVATE_SUBNET_YOUR_EMR_CLUSTER_IS_USING}"]
  }
}

resource "aws_iam_policy" "emr_create_in_network" {

  name        = "emr_create_in_network"
  description = "extra policy for EMR cluster setup"

  policy = data.aws_iam_policy_document.create_in_network.json
}

module "emr" {
  source = "terraform-aws-modules/emr/aws"
  version = "1.0.0"
  ...

  ec2_attributes = {
    # Instance groups only support one Subnet/AZ
    # Subnets should be private subnets and tagged with
    # { "for-use-with-amazon-emr-managed-policies" = true }
    subnet_id = PRIVATE_SUBNET_YOUR_EMR_CLUSTER_IS_USING
  }
  ...

 service_iam_role_policies = {
   "AmazonEMRServicePolicy_v2": "arn:aws:iam::aws:policy/service-role/AmazonEMRServicePolicy_v2", # THIS IS THE DEFAULT VALUE FOR THIS ATTRIBUTE
   "CreatInNetwork": aws_iam_policy.emr_create_in_network.arn # THIS FIXES THE CLUSTER FAILURE
  }
  

from terraform-aws-emr.

I suspect this is related to the v2 managed policies - without a full reproduction it will be difficult to tell though.

Have you all enabled the appropriate tag on the subnets used/passed to EMR?

See main README just before Usage:

from terraform-aws-emr.

anyone able to confirm if the above guidance solves their permission issues?

from terraform-aws-emr.

Hello @bryantbiggs, you are correct. After applying the tags to Private Subnet, I was able to solve the insufficient EC2 permissions issue.

Thanks.

from terraform-aws-emr.

Any suggestions on how to better surface this in the docs? I'm open to ideas

from terraform-aws-emr.

yes i finally put 2 and 2 together to see that it was that policy, I would question the merit of adding the tagging condition

from terraform-aws-emr.

To be clear, this is coming from Amazon and how they have scoped permissions. In this module I have tagged all the relevant resources accordingly but I cannot ensure the appropriate networking resources are tagged based on the intended architecture since those are outside of this module

from terraform-aws-emr.

closing this for now - please feel free to provide feedback on how we can better improve the documentation to make this functionality more clear to users in the future

from terraform-aws-emr.

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

from terraform-aws-emr.