[shaik005@catlab001 tco-ent-auth]$ tf-run apply 14
* running action=apply
* START: tf-run 1.10.2 start=1666816892 end= logfile=logs/run.apply.20221026.1666816892.log
* reading from tf-run.data
* read 31 entries from tf-run.data
>> START: start_time=1666816892 version=1.10.2 data.version=1.1.3 start=14 end=0 start_tag=
- profile=079788916859-do2-cat region=us-east-1 short_region=east-1
> [14] POLICY> (*.tf) aws_iam_policy.nlb-policy aws_iam_policy.cloudwatch-policy aws_iam_policy.cluster-admin-policy aws_iam_policy.cluster-admin_assume_policy
> [14] tf-apply -target=aws_iam_policy.nlb-policy -target=aws_iam_policy.cloudwatch-policy -target=aws_iam_policy.cluster-admin-policy -target=aws_iam_policy.cluster-admin_assume_policy
# starting v1.4.4 action apply file logs/apply.20221026.1666816893.log stamp 20221026.1666816893 time 1666816893
data.aws_caller_identity.current: Refreshing state...
data.aws_iam_policy_document.cloudwatch-policy: Refreshing state...
data.aws_iam_policy_document.nlb-policy: Refreshing state...
data.aws_region.current: Refreshing state...
aws_iam_policy.cloudwatch-policy: Refreshing state... [id=arn:aws:iam::079788916859:policy/p-eks-tco-ent-auth-cloudwatch]
aws_iam_policy.nlb-policy: Refreshing state... [id=arn:aws:iam::079788916859:policy/p-eks-tco-ent-auth-nlb]
data.aws_arn.current: Refreshing state...
data.aws_iam_policy_document.allow_sts: Refreshing state...
data.aws_iam_policy_document.cluster-admin-policy: Refreshing state...
module.role_cluster-admin.aws_iam_role.role[0]: Refreshing state... [id=r-eks-tco-ent-auth-cluster-admin]
data.aws_iam_policy_document.cluster-admin_assume_policy: Refreshing state...
aws_iam_policy.cluster-admin_assume_policy: Refreshing state... [id=arn:aws:iam::079788916859:policy/p-eks-tco-ent-auth-cluster-admin-assume]

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_iam_policy.cluster-admin-policy will be created
  + resource "aws_iam_policy" "cluster-admin-policy" {
      + arn = (known after apply)
      + description = "Allow for administration of the cluster tco-ent-auth using AWS resources"
      + id = (known after apply)
      + name = "p-eks-tco-ent-auth-cluster-admin"
      + path = "/"
      + policy = jsonencode(
            {
              + Statement = [
                  + {
                      + Action = [
                          + "ecr:ListImages",
                          + "ecr:GetDownloadUrlForLayer",
                          + "ecr:Get*",
                          + "ecr:Describe*",
                          + "ecr:BatchGetImage",
                          + "ecr:BatchCheckLayerAvailability",
                        ]
                      + Effect = "Allow"
                      + Resource = "*"
                      + Sid = "AllowECRReadAccess"
                    },
                  + {
                      + Action = [
                          + "ecr:UploadLayerPart",
                          + "ecr:PutImage",
                          + "ecr:InitiateLayerUpload",
                          + "ecr:DeleteRepository",
                          + "ecr:CreateRepository",
                          + "ecr:CompleteLayerUpload",
                          + "ecr:BatchDeleteImage",
                        ]
                      + Effect = "Allow"
                      + Resource = "arn:aws:ecr:us-east-1:079788916859:repository/eks/tco-ent-auth/*"
                      + Sid = "AllowECRWriteAccess"
                    },
                  + {
                      + Action = [
                          + "eks:ListNodegroups",
                          + "eks:ListClusters",
                          + "eks:ListAddons",
                          + "eks:DescribeNodegroup",
                          + "eks:DescribeCluster",
                          + "eks:DescribeAddon*",
                        ]
                      + Effect = "Allow"
                      + Resource = [
                          + "arn:aws:eks:us-east-1:079788916859:nodegroup/*",
                          + "arn:aws:eks:us-east-1:079788916859:cluster/*",
                          + "arn:aws:eks:us-east-1:079788916859:addons/*",
                          + "arn:aws:eks:us-east-1:079788916859:addon/*",
                          + "arn:aws:eks:us-east-1:079788916859:/addons/*",
                        ]
                      + Sid = "AllowEKSReadAccess"
                    },
                  + {
                      + Action = [
                          + "eks:Read*",
                          + "eks:List*",
                          + "eks:Describe*",
                          + "eks:AccessKubernetesApi",
                        ]
                      + Effect = "Allow"
                      + Sid = "AllowEKSReadMyClustersAccess"
                    },
                  + {
                      + Action = "iam:ListRoles"
                      + Effect = "Allow"
                      + Resource = "*"
                      + Sid = "AllowIAMReadAccess"
                    },
                  + {
                      + Action = "ssm:GetParameter"
                      + Effect = "Allow"
                      + Resource = "arn:aws:ssm:us-east-1::parameter/aws/service/eks/*"
                      + Sid = "AllowSSMGetAccess"
                    },
                ]
              + Version = "2012-10-17"
            }
        )
      + policy_id = (known after apply)
      + tags = {
          + "CostAllocation" = "cat-TCO-ent-auth PoC"
          + "Environment" = "cat-sandbox env"
          + "Project Name" = "cat-tco-ent-auth-eks"
          + "boc:created_by" = "terraform"
          + "boc:tf_module_version" = "0.9.0"
          + "eks-cluster-name" = "tco-ent-auth"
        }
      + tags_all = {
          + "CostAllocation" = "cat-TCO-ent-auth PoC"
          + "Environment" = "cat-sandbox env"
          + "Project Name" = "cat-tco-ent-auth-eks"
          + "boc:created_by" = "terraform"
          + "boc:tf_module_version" = "0.9.0"
          + "eks-cluster-name" = "tco-ent-auth"
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Warning: Resource targeting is in effect

You are creating a plan with the -target option, which means that the result
of this plan may not represent all of the changes requested by the current
configuration.

The -target option is not for routine use, and is provided only for
exceptional situations such as recovering from errors or mistakes, or when
Terraform specifically suggests to use it as part of an error message.

Warning: Provider source not supported in Terraform v0.12

  on .terraform/modules/group_cluster-admin/versions.tf line 3, in terraform:
   3: aws = {
   4: source = "hashicorp/aws"
   5: version = ">= 3.66.0"
   6: }

A source was declared for provider aws. Terraform v0.12 does not support the
provider source attribute. It will be ignored.

(and 6 more similar warnings elsewhere)

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_iam_policy.cluster-admin-policy: Creating...

Warning: Applied changes may be incomplete

The plan was created with the -target option in effect, so some changes
requested in the configuration may have been ignored and the output values may
not be fully updated. Run the following command to verify that no other
changes are pending:
    terraform plan

Note that the -target option is not suitable for routine use, and is provided
only for exceptional situations such as recovering from errors or mistakes, or
when Terraform specifically suggests to use it as part of an error message.

Error: error creating IAM Policy p-eks-tco-ent-auth-cluster-admin: MalformedPolicyDocument: Policy statement must contain resources.
	status code: 400, request id: e3b6ee7c-340b-4610-964a-45d9743b2ac5

  on policy.tf line 57, in resource "aws_iam_policy" "cluster-admin-policy":
  57: resource "aws_iam_policy" "cluster-admin-policy" {

# ending v1.4.4 action apply file logs/apply.20221026.1666816893.log stamp 20221026.1666816893 start 1666816893 end 1666816934 elapsed 41
# results in file logs/apply.20221026.1666816893.log stamp 20221026.1666816893 status=0
= Complete: 14 POLICY> | status=0 }
Next: 15, continue [y|n: default=y]? n
<< INCOMPLETE 14/30 last_item=14
<< END: start_time=1666816892 end_time=1666816936 elapsed=44 logfile=logs/run.apply.20221026.1666816892.log status=0
[shaik005@catlab001 tco-ent-auth]$