Error: error reading Macie ClassificationJob

[zackproser]

A customer asked:

Had a question regarding updating users in the users.yml file under our security account. When I ran terragrunt plan locally, it was able to complete without issue, however in the plan phase of our pipeline it is failing with this error:

[ecs-deploy-runner][2022-01-04T20:12:14+0000] module.security_baseline.module.kms_grants.aws_kms_grant.grants_for_us_west_2["ami_encryption_key"]: Refreshing state... [id=arn:aws:kms:us-west-2:[REDACTED]:key/KEY:KEY]
[ecs-deploy-runner][2022-01-04T20:12:15+0000] ╷
[ecs-deploy-runner][2022-01-04T20:12:15+0000] │ Error: error reading Macie ClassificationJob (9e9c0f2494cf219ec6c1f967c4bd5273): AccessDeniedException: User: arn:aws:sts::[REDACTED]:assumed-role/ecs-deploy-runner-terraform-planner/7ceec9c9348b40b1814a7fe3f6323153 is not authorized to perform: macie2:DescribeClassificationJob on resource: arn:aws:macie2:us-west-2:[REDACTED]:classification-job/9e9c0f2494cf219ec6c1f967c4bd5273
[ecs-deploy-runner][2022-01-04T20:12:15+0000] │ 
[ecs-deploy-runner][2022-01-04T20:12:15+0000] │   with module.macie.aws_macie2_classification_job.macie_job_us_west_2[0],
[ecs-deploy-runner][2022-01-04T20:12:15+0000] │   on ../../security/macie/main.tf line 1157, in resource "aws_macie2_classification_job" "macie_job_us_west_2":
[ecs-deploy-runner][2022-01-04T20:12:15+0000] │ 1157: resource "aws_macie2_classification_job" "macie_job_us_west_2" {
[ecs-deploy-runner][2022-01-04T20:12:15+0000] │ 
[ecs-deploy-runner][2022-01-04T20:12:15+0000] ╵
[ecs-deploy-runner][2022-01-04T20:12:15+0000] time=2022-01-04T20:12:15Z level=error msg=1 error occurred:
[ecs-deploy-runner][2022-01-04T20:12:15+0000] 	* exit status 1
[ecs-deploy-runner][2022-01-04T20:12:15+0000] [INFO] [infrastructure-deploy-script] 2022-01-04 20:12:15  "terragrunt plan" exited with code 1
[ecs-deploy-runner][2022-01-04T20:12:15+0000] Error: Could not run "terragrunt plan"

[zackproser]

One thing to check would be your deploy_permissions.yml file - which could be in various places (but probably next to your mgmt/ecs-deploy-runner directory, depending on when your Ref Arch was deployed).

The idea is that ECS deploy runner permissions are defined here and used to generate the actual IAM policies that allow pipelines to manage infrastructure for you.

You also have a read_only_permissions.yml file which should look like this (if you're running a CIS-compliant Ref Arch):

MacieReadOnlyAccess:
  effect: "Allow"
  actions:
  - "macie2:Get*"
  - "macie2:List*"
  - "macie2:Describe*"
  resources:
  - "*"

You should also have an entry for ECSReadOnlyAccess if your Ref Arch uses ECS as a backing compute cluster, as defined here: https://github.com/gruntwork-io/terraform-aws-service-catalog/blob/master/examples/for-production/infrastructure-live/_envcommon/mgmt/read_only_permissions.yml#L208

Finally - once you you have updated your permissions yaml file with the correct permissions, you will need to re apply your ECS deploy runner / pipelines configuration for the new permission set to be reflected.

[zackproser]

Credit for this solution goes to @yorinasub17