I ran into this error when deploying to AWS using ...
# fleet
k
I ran into this error when deploying to AWS using Terraform. Anyone know what I need to enter (and where) to enable this permission? Found quite a bit online during my search, but nothing that was explicit enough for someone with limited knowledge of the platform.
r
Hi Jayson, let me see if I can rope in someone who has some insight
b
what permissions does the IAM role you are using to run terraform deploy have? FWIW this is what we needed in our github actions runner: https://github.com/fleetdm/fleet/blob/b8ccebcbcaaa68cdd478031e9c9cae13cde34e37/infrastructure/dogfood/terraform/aws-tf-module/github.tf#L64
k
@Rachel Perkins I am not. For full disclosure, I started off following Deploy Fleet on AWS with Terraform but without success. I then copied this main.tf and this variables.tf to a local directory and followed these instructions to get as far as I have, troubleshooting permission and region issues as they cropped up. That's what brought me to where I am. I guess on a more fundamental level, being someone who has limited knowledge of standing up cloud infrastructure in general, which example files should I be using to stand up a fully functional Fleet instance while bringing nothing to the table?
b
Kish, I don’t think this is necessarily an issue with the terraform, as the error you provided looks to be an issue with the IAM user you are using. There are many resources provisioned during the apply process, and it seems one of those necessary resources is being denied by some policy. There is an alternative deployment strategy like https://fleetdm.com/docs/deploy/deploy-on-render that is a much simpler method.
k
@Benjamin Edwards No, I totally understand that this error is a permissions issue. I just can't seem to find an obvious way to resolve it using the IAM Identity Center. The long term goal is to quickly stand up new, distinct, Fleet instances that will ultimately report back to a centralized SIEM. For this particular need, in your opinion, what would be the best (and most supported) deployment method to explore?
b
Do you own your AWS account you are deploying into? Do you use IAM guardrails? Unfortunately there isn’t an easy way for us to debug your AWS environment, but I’ve seen accounts that have organization level policies and restrictions cause issues and it’s hard to determine.
k
I do own the account.
b
Do you have other workloads on AWS already? Is AWS a requirement? Quickly standing up Fleet servers to report into a centralized SIEM could be as simple as running a binary on a VPS and sending stdout to your SIEM. Really depends on your requirements for the system.
k
I don't. This is my first foray. More or less, I need to get Fleet deployed into a cloud-native environment with TLS, but don't have to use any provider in particular. It just needs to be fairly easy, repeatable and supported.
Think "Easy Button" for a 1 person IT department who wants to utilize the tool without having to know everything about how the tool works under the hood. 😁
b
Personally I think terraform and AWS is definitely not the easy button.
k
Would Render be more appropriate in this case?
b
Render is a platform as a service and it distills away a ton of complexity and configuration.
k
I may give that one a go this weekend, especially if it would allow me to learn without needing to become an expert right out of the gate. Greatly appreciate your help!
b
Feel free to give me a shout. I haven’t deployed on Render in a few months, but it was fairly painless the last time I did.
k
Deploy Fleet on Render was definitely the way to go. Thank you again for your recommendation! I do have two follow-up questions though:
• What is the proper way to upgrade Fleet when a new version is released?
• How do I enter my Fleet Premium key?
Aside from those, I think I'm up and running. 😎
r
@kish.jayson here's a guide to upgrade fleet. https://fleetdm.com/docs/deploy/upgrading-fleet
To use your license key, you can set it as an environment variable https://fleetdm.com/docs/configuration/fleet-server-configuration#license