Terraform generates AccessDenied events

[lapkritinis]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v0.12.29

• provider.archive v2.0.0
• provider.aws v3.10.0
• provider.null v3.0.0
• provider.random v3.0.0

Affected Resource(s)

• S3 in generic sense

Terraform Configuration Files

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp

Debug Output

Panic Output

Expected Behavior

It should run without generating AccessDenied events

Actual Behavior

Terraform while running does multiple queries against S3 bucket. Just be clear - I am running with full Administrator rights.
Among all the other requests to same S3 bucket where it presents authorization headers there is one request which seems goes "anonymous"

Here is log snippet:
2020-10-15T17:10:56.606+0300 [DEBUG] plugin.terraform-provider-aws_v3.10.0_x5: 2020/10/15 17:10:56 [DEBUG] [aws-sdk-go] DEBUG: Request s3/HeadBucket Details:
2020-10-15T17:10:56.606+0300 [DEBUG] plugin.terraform-provider-aws_v3.10.0_x5: ---[ REQUEST POST-SIGN ]-----------------------------
2020-10-15T17:10:56.606+0300 [DEBUG] plugin.terraform-provider-aws_v3.10.0_x5: HEAD /com.example.prod.temp HTTP/1.1
2020-10-15T17:10:56.606+0300 [DEBUG] plugin.terraform-provider-aws_v3.10.0_x5: Host: s3.eu-central-1.amazonaws.com
2020-10-15T17:10:56.606+0300 [DEBUG] plugin.terraform-provider-aws_v3.10.0_x5: User-Agent: aws-sdk-go/1.35.2 (go1.14.5; darwin; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.12.29 (+https://www.terraform.io)
2020-10-15T17:10:56.606+0300 [DEBUG] plugin.terraform-provider-aws_v3.10.0_x5:
2020-10-15T17:10:56.606+0300 [DEBUG] plugin.terraform-provider-aws_v3.10.0_x5:

Here is snippet from CloudTrail AccessDenied event:

"eventVersion": "1.07",
"userIdentity": {
"type": "AWSAccount",
"principalId": "",
"accountId": "ANONYMOUS_PRINCIPAL"
},
"eventTime": "2020-10-15T14:10:56Z",
"eventSource": "s3.amazonaws.com",
"eventName": "HeadBucket",
"awsRegion": "eu-central-1",
"sourceIPAddress": "89.xxx.xxx.xxx",
"userAgent": "[aws-sdk-go/1.35.2 (go1.14.5; darwin; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.12.29 (+https://www.terraform.io)]",
"errorCode": "AccessDenied",
"errorMessage": "Access Denied",
"requestParameters": {
"bucketName": "com.example.prod.temp",
"Host": "s3.eu-central-1.amazonaws.com"
},

Steps to Reproduce

I guess run terraform apply in account which has S3 buckets.

Important Factoids

References

• #0000

[lapkritinis]

p.s. it generates such event for each S3 bucket in region. As we are watching logs for AccessDenied events - its annoying to get spammed every time we do something with terraform :)

[ecktom]

Just stumbled about this issue after updating https://github.com/nozaq/terraform-aws-secure-baseline (0.20.0->0.21.0) to comply with CIS Amazon Web Services Foundations v1.3.0

Can confirm the issue occurs, even during terraform plan

Terraform v0.13.4
AWS Provider v3.12.0

{
    "eventVersion": "1.07",
    "userIdentity": {
        "type": "AWSAccount",
        "principalId": "",
        "accountId": "ANONYMOUS_PRINCIPAL"
    },
    "eventTime": "2020-10-27T14:24:27Z",
    "eventSource": "s3.amazonaws.com",
    "eventName": "HeadBucket",
    "awsRegion": "eu-central-1",
    "sourceIPAddress": "**redacted**",
    "userAgent": "[aws-sdk-go/1.35.9 (go1.14.5; linux; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.13.4 (+https://www.terraform.io)]",
    "errorCode": "AccessDenied",
    "errorMessage": "Access Denied",
    "requestParameters": {
        "bucketName": "**redacted**",
        "Host": "**redacted**.s3.eu-central-1.amazonaws.com"
    },
    "responseElements": null,
    "additionalEventData": {
        "CipherSuite": "**redacted**",
        "bytesTransferredIn": 0,
        "x-amz-id-2": "**redacted**",
        "bytesTransferredOut": 243
    },
    "requestID": "**redacted**",
    "eventID": "**redacted**",
    "readOnly": true,
    "resources": [
        {
            "type": "AWS::S3::Object",
            "ARNPrefix": "**redacted**/"
        },
        {
            "accountId": "**redacted**",
            "type": "AWS::S3::Bucket",
            "ARN": "**redacted**"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": false,
    "recipientAccountId": "**redacted**",
    "sharedEventID": "**redacted**",
    "eventCategory": "Data"
}

[lapkritinis]

I am glad - I am not alone 👍

[ebabani]

This PR should help with the Headbucket requests: #15481

[bflad]

The fix for this has been merged and will release with version 3.16.0 of the Terraform AWS Provider, later this week. Thank you to @ebabani for the implementation. 👍

[ghost]

This has been released in version 3.16.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!