#refarch (Archived)
21 messages
Cloud Posse Reference Architecture
johncblandii, almost 3 years ago
We have the ECR repo set to allow full access from auto ...
read_write_account_role_map:
  core-identity:
    - admin
    - cicd
  core-auto:
    - "*"
...yet we're still getting this error:
Error pulling Docker image: Error response from daemon: pull access denied for 123456789.dkr.ecr.us-east-1.amazonaws.com/infrastructure, repository does not exist or may require 'docker login': denied: User: arn:aws:sts::654321987:assumed-role/xy-core-ue1-auto-spacelift-worker-pool/i-0f47ad8c786c60585 is not authorized to perform: ecr:BatchGetImage on resource: arn:aws:ecr:us-east-1:123456789:repository/infrastructure because no resource-based policy allows the ecr:BatchGetImage action
johncblandii, almost 3 years ago
DNS applies are failing over assume role. Other components work just fine. Is there any nuance to the dns-primary/dns-delegated components?
│ Error: configuring Terraform AWS Provider: IAM Role (arn:aws:iam::1234567890:role/sm-core-gbl-dns-terraform) cannot be assumed.
│
│ There are a number of possible causes of this - the most common are:
│ * The credentials used in order to assume the role are invalid
│ * The credentials do not have appropriate permission to assume the role
│ * The role ARN is not valid
│
│ Error: operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: a-b-c-d-e, api error AccessDenied: User: arn:aws:sts::1234567890:assumed-role/sm-core-gbl-dns-terraform/aws-go-sdk-1677817372266350530 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::1234567890:role/sm-core-gbl-dns-terraform
Slackbot, almost 3 years ago
This message was deleted.
Michael Dizon, almost 3 years ago
the stack is based on the examples/complete directory in the atmos repo
Slackbot, almost 3 years ago
This message was deleted.
Michael Dizon, almost 3 years ago
is https://github.com/cloudposse/terraform-aws-components/tree/master/modules/sso still being used? looks like i should be using https://github.com/cloudposse/terraform-aws-components/tree/master/modules/aws-sso and https://github.com/cloudposse/terraform-aws-components/tree/master/modules/aws-saml instead
Michael Dizon, almost 3 years ago
Following up on my question from yesterday, I previously used the now deprecated “iam-primary-roles” and “iam-delegated-roles” modules, as well as “sso,” which allowed me to use Google Workspace to authenticate into my environment with Leapp. At a glance, it seems that in order to replicate this setup, I need to use “aws-teams,” “aws-team-roles,” and “aws-saml.” Does this sound correct?
Michael Dizon, almost 3 years ago
has anyone encountered this error DenyEC2InstancesWithoutEncryptionInTransit when trying to deploy a cluster using terraform-aws-components/modules/eks/cluster/
Michael Dizon, almost 3 years ago
i am using the configuration in the example
johncblandii, almost 3 years ago
Once we've applied account-settings then adjusted the tfstate-backend, how do we apply updates to account-settings?
Error: operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: 51ea4cf5-95bc-4c8c-891c-3f06155fda5a, api error AccessDenied: User: arn:aws:sts::123456789:assumed-role/sm-core-gbl-artifacts-terraform/aws-go-sdk-1678477476576489221 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456789:role/OrganizationAccountAccessRole
Michael Dizon, almost 3 years ago
does anyone have an example of the values to provide for kubernetes_taints for this module? https://github.com/cloudposse/terraform-aws-components/tree/master/modules/eks/cluster
the example has it empty, but I get an error saying that a list of object is required
johncblandii, almost 3 years ago
dns-delegated uses a for_each based on the subdomain. because of this, if you have multiple domains with the same subdomain, the state gets jacked up (last one wins). is this the desired way to handle it?
Solution: I'm using a separate stack component to reference the private zone anyway (my mistake on putting it in the same dns-delegated instance).
johncblandii, almost 3 years ago
Any plans or active work to upgrade mq-broker in refarch and terraform-aws-mq-broker?
johncblandii, almost 3 years ago
Spacelift doc update: https://github.com/cloudposse/terraform-aws-components/pull/597
johncblandii, almost 3 years ago (edited)
Are there any patterns for using remote state references in stack configs?
Context:
I'm looking at some solutions for referencing outputs in a config so we can create SSM parameters in a file to reference all params in 1 place vs them littered in TF components
johncblandii, almost 3 years ago
In ssm-parameters, setting overwrite: false results in an error on the next run:
ParameterAlreadyExists: The parameter already exists. To overwrite this value, set the overwrite option in the request to true.
Sean Nguyen, almost 3 years ago
@RB @Andriy Knysh (Cloud Posse)
Question: New(-ish) Spacelift Dependencies feature
Are there any special considerations that have to be made if we were to migrate from the old deps: label method for declaring explicit component/stack dependencies to Spacelift’s new native stack dependency feature? I do see that y’all released support for it in v0.55.0 of your spacelift-cloud-infrastructure-automation module.
Luke, almost 3 years ago
Hi, has anyone run into the following error:
creating CloudTrail: InsufficientEncryptionPolicyException: Insufficient permissions to access S3 bucket or KMS key. (Service: AWSCloudTrail; Status Code: 400; Error Code: InsufficientEncryptionPolicyException)
The cloudtrail-bucket component has been deployed in the audit account, the account itself has been made a CloudTrail delegated administrator, and while I am trying to deploy the cloudtrail component I am getting the above error during creation of module.cloudtrail.aws_cloudtrail.default[0]. The CloudTrail trail can be successfully created in the console if I modify the KMS policy to allow kms:* for the cloudtrail.amazonaws.com principal.
Michael Dizon, almost 3 years ago
running into a weird error when trying to run a plan using the aws-team-roles component. i’m logged in using leapp with my iam user with admin privileges
Planning failed. Terraform encountered an error while generating this plan.
╷
│ Error: reading IAM Role (xxx-core-gbl-network-admin): InvalidClientTokenId: The security token included in the request is invalid
│ status code: 403, request id: 5a33f9f0-d0c3-465b-842f-de33f3cabfff
│
│ with aws_iam_role.default["admin"],
│ on main.tf line 71, in resource "aws_iam_role" "default":
│ 71: resource "aws_iam_role" "default" {
│
╵
╷
│ Error: reading IAM Role (xxx-core-gbl-network-terraform): InvalidClientTokenId: The security token included in the request is invalid
│ status code: 403, request id: aad87fdc-ac41-4276-8070-a39f70e8ac24
│
│ with aws_iam_role.default["terraform"],
│ on main.tf line 71, in resource "aws_iam_role" "default":
│ 71: resource "aws_iam_role" "default" {
│
sts: