#help
Kasper Jacobsen

11/02/2022, 3:40 PM
Just tried running the new CUR setup for TF. However, I got this error when trying to apply it:
│ Error: error creating Cost And Usage Report Definition (InfracostReport1b781fbc-674a-43d6-b7b3-e0d28400be6c): ValidationException: Failed to verify customer bucket permission. accountId= xxxxxxxxxxxx, bucket name: infracost-cur-1b781fbc-674a-43d6-b7b3-e0d28400be6c, bucket region: eu-central-1
│ 
│   with module.aws.module.aws_euc1.module.infrastructure.module.infracost_cost_and_usage_report.aws_cur_report_definition.costand_usage_report,
│   on .terraform/modules/aws.aws_euc1.infrastructure.infracost_cost_and_usage_report/main.tf line 413, in resource "aws_cur_report_definition" "costand_usage_report":
│  413: resource "aws_cur_report_definition" "costand_usage_report" {
Ali (Infracost)

11/02/2022, 3:42 PM
@Hugo (Infracost) can you possibly take a look?
Hugo (Infracost)

11/02/2022, 3:43 PM
Hey @Kasper Jacobsen, I believe I ran into this problem myself. I believe this is because an AWS profile is getting in the way. Are you running this from your machine or the pipeline?
Kasper Jacobsen

11/02/2022, 3:43 PM
Via github actions
Hugo (Infracost)

11/02/2022, 3:44 PM
ok nice, how are you configuring the AWS_PROFILE to run with?
Kasper Jacobsen

11/02/2022, 3:45 PM
We’re just providing AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to terraform
Hugo (Infracost)

11/02/2022, 3:46 PM
👍 - ok one sec
3:58 PM
ok I think i’ve found the problem, give me a bit to put out a fix
4:23 PM
ok @Kasper Jacobsen I’ve made a fix to the module which you can pull in, but before we do that, can you rerun the action again and see if it successfully applies this time? There were two potential issues with the validation and you might just be hitting the fact that the CUR definition was missing a dependent link on the CUR bucket policy. If this is your issue, a rerun will fix it. If not, we’ll progress to pulling the new module and rejigging how you call it.
Kasper Jacobsen

11/02/2022, 4:25 PM
I’ll try to run it twice tomorrow, I reckon I’ll need to pin it to the sha now HEAD has changed 🙂 Otherwise I’ll try the new version, I’ll let you know tomorrow!
Hugo (Infracost)

11/02/2022, 4:27 PM
ok cool, if you pull in the new module, you’ll have to define an aliased provider outside the module and pass it in:
provider "aws" {
  region  = "eu-central-1"
}

# new provider alias to define. Add any tags/config that you normally have on providers here.
provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"
}

module "infracost" {
  source = "github.com/infracost/cross-account-link"
  infracost_external_id = "INFRACOST_ORGANIZATION_ID"
  # add the new provider here with the `us_east_1` alias
  providers = {
    aws.us_east_1 = aws.us_east_1
  }
}
...
Ali (Infracost)

11/02/2022, 5:00 PM
Thanks @Hugo (Infracost)! I pushed this commit to clarify why two provider blocks are needed.
Kasper Jacobsen

11/03/2022, 7:57 AM
Ok, just ran apply twice and it went through the second time 🙂
7:58 AM
Do you want the output from the pre-apply plan or should I go ahead and use HEAD?
9:08 AM
I noticed another thing, this should probably be templated out as "arn:aws:iam::${var.infracost_account}:root" as it keeps reporting changes with just var.infracost_account 🙂
9:09 AM
Hugo (Infracost)

11/03/2022, 9:45 AM
Ah, nice spot, I’ll update. I think the outputs from the pre-apply stage should be fine.
9:46 AM
although I see you’ve opened a cheeky pr :infraheart:
Kasper Jacobsen

11/03/2022, 10:27 AM
Alright now it went through on the first try 🙌
Hugo (Infracost)

11/03/2022, 10:27 AM
dance
Kasper Jacobsen

11/09/2022, 3:15 PM
@Hugo (Infracost) I keep getting changes on TF plans for the cross account module:
Terraform plan Succeeded for Workspace: default
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
!   update in-place

Terraform will perform the following actions:

  # module.aws.more.paths.here.module.infracost_cost_and_usage_report.aws_iam_role.cross_account_role will be updated in-place
!   resource "aws_iam_role" "cross_account_role" {
!       assume_role_policy    = jsonencode(
!           {
!               Statement = [
!                   {
!                       Action    = "sts:AssumeRole" -> [
+                           "sts:AssumeRole",
                        ]
                        # (3 unchanged elements hidden)
                    },
                ]
-               Version   = "2008-10-17" -> null
            }
        )
        id                    = "terraform-20221103102406234000000001"
!       managed_policy_arns   = [
-           "arn:aws:iam::xxxxxxxxxxx:policy/ObjectGetCostandUsageReports",
            # (1 unchanged element hidden)
        ]
        name                  = "terraform-20221103102406234000000001"
        tags                  = {}
        # (8 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
I think the sts diff could be fixed by changing it to Action : "sts:assumeRole". Not sure about the managed_policy_arns though 🤔
Hugo (Infracost)

11/09/2022, 3:31 PM
hmm I think the managed policy arns might be solved by using an aws_iam_policy_attachment instead
3:32 PM
let me try and push an update and see if that solves your issue
3:41 PM
@Kasper Jacobsen I’ve opened a PR here https://github.com/infracost/cross-account-link/pull/2 with changes. Could you test this out by pointing your module source to the branch, i.e. adding suffix ?ref=fix/iam-role-fixes to the source url
3:41 PM
I think it might barf the first time with the removal of managed_policy_arns, but let’s see
Kasper Jacobsen

11/10/2022, 7:05 AM
Ran through fine, only thing left is the Version on aws_iam_role.cross_account_role 🙂
Hugo (Infracost)

11/10/2022, 10:11 AM
👀
10:23 AM
@Kasper Jacobsen just pushed a commit to fix the version - give it a try, if that’s - i’ll get some 👀 on the PR and merge into master
Kasper Jacobsen

11/10/2022, 10:46 AM
Looks good! ❤️
Hugo (Infracost)

11/10/2022, 6:21 PM
this has been merged into master so the base ref should now work
Kasper Jacobsen

11/11/2022, 7:11 AM
excellent, thanks!