I'm trying to enable IAM Access Analyzer at the org level via a delegated admin in a security account (all in Terraform).
In the root of the org account I have:
- updated the aws_service_access_principals to include "access-analyzer.amazonaws.com"
```hcl
resource "aws_organizations_organization" "org" {
  feature_set = "ALL"
  aws_service_access_principals = [
    ...
    "access-analyzer.amazonaws.com"
  ]
  enabled_policy_types = [
    "SERVICE_CONTROL_POLICY"
  ]
}
```
- Created an aws_organizations_delegated_administrator for the security account and the Access Analyzer service principal
```hcl
resource "aws_organizations_delegated_administrator" "example" {
  account_id        = var.security_account
  service_principal = "access-analyzer.amazonaws.com"
}
```
In the security account I enabled Access Analyzer with type set to organization:
```hcl
resource "aws_accessanalyzer_analyzer" "accessanalyzer" {
  analyzer_name = "test"
  type          = "ORGANIZATION"
}
```
When this runs I get the error:
```text
Error: error creating Access Analyzer Analyzer (openc): ConflictException: Access Analyzer Service Linked Role is not in the organizational management account
│ {
│   RespMetadata: {
│     StatusCode: 409,
│     RequestID: "1c597ce0-4c59-4115-89aa-437cdc8156d5"
│   },
│   Message_: "Access Analyzer Service Linked Role is not in the organizational management account"
│ }
│
│   with aws_accessanalyzer_analyzer.accessanalyzer,
│   on access-analyzer.tf line 1, in resource "aws_accessanalyzer_analyzer" "accessanalyzer":
│    1: resource "aws_accessanalyzer_analyzer" "accessanalyzer" {
│
╵
```
Any idea why this is erroring? I was expecting the delegated admin to resolve this.
You are missing, and need to create, the "AWSServiceRoleForAccessAnalyzer" role on the master ("Organization") account. The easiest way is to create an analyzer on the master account, and the role will then be created automatically:
https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html
Then try to apply your Terraform code.
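Added example, not part of the original question or answer: instead of creating a throwaway analyzer in the management account to get the service-linked role created as a side effect, the role can be declared explicitly with the `aws_iam_service_linked_role` resource so the dependency is visible in the plan. This assumes a single root module with two provider aliases (`aws.management` and `aws.security`), the variables `var.management_account`, `var.security_account` and a cross-account role name, all of which are placeholders; the organization, delegated-administrator and analyzer resources are the ones from the question.

```hcl
# Assumed provider aliases. The role name and region are placeholders to
# adjust for your organization.
provider "aws" {
  alias  = "management"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::${var.management_account}:role/PLACEHOLDER_MANAGEMENT_ROLE"
  }
}

provider "aws" {
  alias  = "security"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::${var.security_account}:role/PLACEHOLDER_SECURITY_ROLE"
  }
}

# Management account: Organizations trusts Access Analyzer and the security
# account is registered as its delegated administrator (as in the question).
resource "aws_organizations_organization" "org" {
  provider                      = aws.management
  feature_set                   = "ALL"
  aws_service_access_principals = ["access-analyzer.amazonaws.com"]
  enabled_policy_types          = ["SERVICE_CONTROL_POLICY"]
}

resource "aws_organizations_delegated_administrator" "access_analyzer" {
  provider          = aws.management
  account_id        = var.security_account
  service_principal = "access-analyzer.amazonaws.com"
  depends_on        = [aws_organizations_organization.org]
}

# The role named in the ConflictException. Access Analyzer uses it in the
# management account to enumerate the organization, so it must exist there
# before an ORGANIZATION analyzer is created anywhere.
resource "aws_iam_service_linked_role" "access_analyzer" {
  provider         = aws.management
  aws_service_name = "access-analyzer.amazonaws.com"
}

# Security (delegated administrator) account: the organization-wide analyzer.
resource "aws_accessanalyzer_analyzer" "org" {
  provider      = aws.security
  analyzer_name = "org-external-access"
  type          = "ORGANIZATION"

  # Ordering only: both the service-linked role and the delegation must be in
  # place, otherwise the create call fails with the 409 seen in the question.
  depends_on = [
    aws_iam_service_linked_role.access_analyzer,
    aws_organizations_delegated_administrator.access_analyzer,
  ]
}
```

If the accounts must stay in separate root modules, apply the management-account module first; the presence of the role can be confirmed with management-account credentials via `aws iam get-role --role-name AWSServiceRoleForAccessAnalyzer` before applying the security-account module.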