Seemingly invalid error when using an assumed role, with a module, and a private AMI image.

[rquadling]

Recently upgraded tflint and enabled module validation.

Using

$ tflint --version
TFLint version 0.35.0
+ ruleset.aws (0.13.3)

 $ terraform --version
Terraform v1.1.8
on darwin_amd64
+ provider registry.terraform.io/cloudflare/cloudflare v3.13.0
+ provider registry.terraform.io/hashicorp/aws v3.75.1
+ provider registry.terraform.io/hashicorp/external v2.2.2
+ provider registry.terraform.io/hashicorp/local v2.2.2
+ provider registry.terraform.io/hashicorp/random v3.1.2
+ provider registry.terraform.io/hashicorp/time v0.7.2

Not sure what's needed to determine this error, but the error generated is invalid.

1 issue(s) found:

ec2-asg-wildcard.tf:106:31: Error - "ami-08d3692544bbeb612" is invalid image ID. (aws_launch_configuration_invalid_image_id)

The AMI is a private one in an account that Terraform (via an assumed role) has access to.

Removing module validation (by not having --module on the command-line and by not having module=true in the .tflint.hcl file) will not error (sort of obvious really).

The file in question (ec2-asg-wildcard.tf) contains the call to the module to instantiate a Classic Load Balancer, a Launch Configuration, and AutoScalingGroup (with scaling rules and alarms and relevant Cloudwatch logging).

The terraform setup is well established and has been working for several years. Only recently we have tried to get TFLint operational with modules.

I thought I'd be able to see the AMI retrieval request in the debug log, but the log entry in

tflint-ruleset-aws/rules/api/aws_launch_configuration_invalid_image_id.go

Line 80 in fc2b8fe

log.Printf("[DEBUG] Fetch AMI images: %s", ami)

is never output.

I'm happy to provide more information. In the meantime, we'll are going to back to NOT validating the modules.

[wata727]

One possibility is that the assume role is not configured correctly in TFLint. If you are making a request with a different access token, you will not be able to access your private AMI and you will get the issue. We recommend that you check it first.

[rquadling]

Terraform is very happy to plan and apply the changes. The TF code has been running without issue for several years. So as far as Terraform is concerned the AWS Provider is very happily assuming the role asked of it.

We are instantiating the provider this way:

provider "aws" {
  region = "eu-west-1"
  assume_role {
    role_arn = format("arn:aws:iam::%s:role/%s", var.account_id, var.deployment_role_name)
  }

  default_tags {
    tags = local.app_ids
  }
}

We have about 10 accounts and each one has a deployment role that controls what the deployment pipeline can do.

This is working fine for us. Just tflint being ... odd.