<Just tried running the new CUR setup for TF> Howe...
# help
n
Just tried running the new CUR setup for TF. However, I got this error when trying to apply it:
```
│ Error: error creating Cost And Usage Report Definition (InfracostReport1b781fbc-674a-43d6-b7b3-e0d28400be6c): ValidationException: Failed to verify customer bucket permission. accountId= xxxxxxxxxxxx, bucket name: infracost-cur-1b781fbc-674a-43d6-b7b3-e0d28400be6c, bucket region: eu-central-1
│ 
│   with module.aws.module.aws_euc1.module.infrastructure.module.infracost_cost_and_usage_report.aws_cur_report_definition.costand_usage_report,
│   on .terraform/modules/aws.aws_euc1.infrastructure.infracost_cost_and_usage_report/main.tf line 413, in resource "aws_cur_report_definition" "costand_usage_report":
│  413: resource "aws_cur_report_definition" "costand_usage_report" {
```
w
@mysterious-teacher-68276 can you possibly take a look?
m
Hey @numerous-plastic-31859, I believe I ran into this problem myself. I believe this is because an AWS profile is getting in the way. Are you running this from your machine or the pipeline?
n
Via github actions
m
ok nice, how are you configuring the `AWS_PROFILE` to run with?
n
We’re just providing `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` to terraform
m
👍 - ok one sec
ok I think i’ve found the problem, give me a bit to put out a fix
ok @numerous-plastic-31859 I’ve made a fix to the module which you can pull in, but before we do that, can you rerun the action again and see if it successfully applies this time. There were two potential issues with the validation and you might just be hitting the fact that the CUR definition was missing a dependent link on the CUR bucket policy. If this is your issue a rerun will fix. If not we’ll progress to pulling the new module and rejigging how you call it
n
I’ll try to run it twice tomorrow, I reckon I’ll need to pin it to the sha now `HEAD` has changed 🙂 Otherwise I’ll try the new version, I’ll let you know tomorrow!
m
ok cool, if you pull in the new module, you’ll have to define an aliased provider outside the module and pass it in:
```hcl
provider "aws" {
  region  = "eu-central-1"
}

# new provider alias to define. Add any tags/config that you normally have on providers here.
provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"
}

module "infracost" {
  source = "github.com/infracost/cross-account-link"
  infracost_external_id = "INFRACOST_ORGANIZATION_ID"
  # add the new provider here with the `us_east_1` alias
  providers = {
    aws.us_east_1 = aws.us_east_1
  }
}
```
...
w
Thanks @mysterious-teacher-68276! I pushed this commit to clarify why two provider blocks are needed.
n
Ok, just ran apply twice and it went through the second time 🙂
Do you want the output from the pre-apply plan or should I go ahead and use `HEAD`?
I noticed another thing, this should probably be templated out as `"arn:aws:iam::${var.infracost_account}:root"` as it keeps reporting changes with just `var.infracost_account` 🙂
m
Ah, nice spot, I’ll update. I think the outputs from the pre-apply stage should be fine.
although I see you’ve opened a cheeky pr :infraheart:
n
Alright now it went through on the first try 🙌
m
:dance:
n
@mysterious-teacher-68276 I keep getting changes on TF plans for the cross account module:
```
Terraform plan Succeeded for Workspace: default
Show Output
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
!   update in-place

Terraform will perform the following actions:

  # module.aws.more.paths.here.module.infracost_cost_and_usage_report.aws_iam_role.cross_account_role will be updated in-place
!   resource "aws_iam_role" "cross_account_role" {
!       assume_role_policy    = jsonencode(
!           {
!               Statement = [
!                   {
!                       Action    = "sts:AssumeRole" -> [
+                           "sts:AssumeRole",
                        ]
                        # (3 unchanged elements hidden)
                    },
                ]
-               Version   = "2008-10-17" -> null
            }
        )
        id                    = "terraform-20221103102406234000000001"
!       managed_policy_arns   = [
-           "arn:aws:iam::xxxxxxxxxxx:policy/ObjectGetCostandUsageReports",
            # (1 unchanged element hidden)
        ]
        name                  = "terraform-20221103102406234000000001"
        tags                  = {}
        # (8 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
```
I think the sts diff could be fixed by changing it to `Action : "sts:assumeRole"`. Not sure about the `managed_policy_arns` though 🤔
m
hmm i think the managed policy arns might be solved by using a `aws_iam_policy_attachment` instead
let me try and push an update and see if that solves your issue
@numerous-plastic-31859 I’ve opened a PR here https://github.com/infracost/cross-account-link/pull/2 with changes. Could you test this out by pointing your module source to the branch, i.e. adding suffix `?ref=fix/iam-role-fixes` to the `source` url
I think it might barf the first time with the removal of `managed_policy_arns`, but let’s see
n
Ran through fine, only thing left is the `Version` on `aws_iam_role.cross_account_role` 🙂
m
👀
@numerous-plastic-31859 just pushed a commit to fix the version - give it a try, if that’s - i’ll get some 👀 on the PR and merge into master
n
Looks good! ❤️
m
this has been merged into master so the base ref should now work
n
excellent, thanks!