#refarch (archived)
Cloud Posse Reference Architecture
Matthew Clark, about 1 year ago (edited)
Hi folks. We're trying to swap transit gateway with vpc peering.
We pulled the vpc-peering component: github.com/cloudposse/terraform-aws-components.git//modules/vpc-peering
We're getting this error:
╷
│ Error: Cannot assume IAM Role
│
│ with module.vpc_peering.provider["registry.terraform.io/hashicorp/aws"].accepter,
│ on .terraform/modules/vpc_peering/accepter.tf line 2, in provider "aws":
│ 2: provider "aws" {
│
│ IAM Role (arn:aws:iam::216989127967:role/inno-plat-gbl-dev-terraform) cannot be assumed.
│
│ There are a number of possible causes of this - the most common are:
│ * The credentials used in order to assume the role are invalid
│ * The credentials do not have appropriate permission to assume the role
│ * The role ARN is not valid
│
│ Error: operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: 896f3d54-01de-48e6-9abb-5181b3fa6cd7, api error AccessDenied: User:
│ arn:aws:iam::182399693862:user/SuperAdmin is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::216989127967:role/inno-plat-gbl-dev-terraform
216989127967 refers to a plat account. The role in question exists, but only records core-identity as a trusted entity, while this VPC peering request is coming from core-network. I'm struggling 1) to understand if this would be considered bad practice to enable this additional trusted entity between two non-identity accounts, and 2) the best way to handle this specifically for cross-account VPC peering (as a TGW alternative). It appears we need to explicitly create new roles in each of the requester/accepter accounts (seems that's not abstracted).
Christopher Mayora, about 1 year ago
Hey folks, we are trying to deploy an EC2 instance and have access to it, but it needs a key pair. We are using this module: https://github.com/cloudposse/terraform-aws-components/tree/main/modules/ec2-instance
But I don't see the option or a variable to do it. Does this have to be done separately?
Christopher Mayora, about 1 year ago
Hey team, I'm trying to get the EFS and storage class running on k8s using, but I'm getting this timeout error. When I telnet to that addr it is reached, so the connection is good; maybe it is auth? Do I need to have the cluster config in my .kube?
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the
following symbols:
+ create
Terraform planned the following actions, but then encountered a problem:
# kubernetes_storage_class_v1.ebs["gp3"] will be created
+ resource "kubernetes_storage_class_v1" "ebs" {
+ allow_volume_expansion = true
+ id = (known after apply)
+ parameters = {
+ "csi.storage.k8s.io/fstype" = "ext4"
+ "encrypted" = "true"
+ "tagSpecification_1" = "Environment=use1"
+ "tagSpecification_2" = "Name=inno-core-use1-auto-eks-cluster"
+ "tagSpecification_3" = "Namespace=inno"
+ "tagSpecification_4" = "Stage=auto"
+ "tagSpecification_5" = "Tenant=core"
+ "type" = "gp3"
}
+ reclaim_policy = "Delete"
+ storage_provisioner = "ebs.csi.aws.com"
+ volume_binding_mode = "WaitForFirstConsumer"
+ metadata {
+ annotations = {
+ "storageclass.kubernetes.io/is-default-class" = "true"
}
+ generation = (known after apply)
+ name = "gp3"
+ resource_version = (known after apply)
+ uid = (known after apply)
}
}
# kubernetes_storage_class_v1.ebs["io2"] will be created
+ resource "kubernetes_storage_class_v1" "ebs" {
+ allow_volume_expansion = true
+ id = (known after apply)
+ parameters = {
+ "csi.storage.k8s.io/fstype" = "ext4"
+ "encrypted" = "true"
+ "iopsPerGB" = "10"
+ "tagSpecification_1" = "Environment=use1"
+ "tagSpecification_2" = "Name=inno-core-use1-auto-eks-cluster"
+ "tagSpecification_3" = "Namespace=inno"
+ "tagSpecification_4" = "Stage=auto"
+ "tagSpecification_5" = "Tenant=core"
+ "type" = "io2"
}
+ reclaim_policy = "Delete"
+ storage_provisioner = "ebs.csi.aws.com"
+ volume_binding_mode = "WaitForFirstConsumer"
+ metadata {
+ annotations = {
+ "storageclass.kubernetes.io/is-default-class" = "false"
}
+ generation = (known after apply)
+ name = "io2"
+ resource_version = (known after apply)
+ uid = (known after apply)
}
}
# kubernetes_storage_class_v1.efs["efs"] will be created
+ resource "kubernetes_storage_class_v1" "efs" {
+ allow_volume_expansion = true
+ id = (known after apply)
+ parameters = {
+ "basePath" = "/efs_controller"
+ "directoryPerms" = "700"
+ "fileSystemId" = "fs-067c7e065d9487d35"
+ "provisioningMode" = "efs-ap"
}
+ reclaim_policy = "Delete"
+ storage_provisioner = "efs.csi.aws.com"
+ volume_binding_mode = "Immediate"
+ metadata {
+ annotations = {
+ "storageclass.kubernetes.io/is-default-class" = "false"
}
+ generation = (known after apply)
+ name = "efs"
+ resource_version = (known after apply)
+ uid = (known after apply)
}
}
Plan: 3 to add, 0 to change, 0 to destroy.
╷
│ Error: Get "https://0652A3BDF1CD1452BD5E6A105A4FC989.gr7.us-east-1.eks.amazonaws.com/apis/storage.k8s.io/v1/storageclasses/gp2": net/http: TLS handshake timeout