Title
n
numerous-plastic-31859
11/02/2022, 3:40 PMJust tried running the new CUR setup for TF
However I got this error when running trying to apply it
│ Error: error creating Cost And Usage Report Definition (InfracostReport1b781fbc-674a-43d6-b7b3-e0d28400be6c): ValidationException: Failed to verify customer bucket permission. accountId= xxxxxxxxxxxx, bucket name: infracost-cur-1b781fbc-674a-43d6-b7b3-e0d28400be6c, bucket region: eu-central-1
│
│ with module.aws.module.aws_euc1.module.infrastructure.module.infracost_cost_and_usage_report.aws_cur_report_definition.costand_usage_report,
│ on .terraform/modules/aws.aws_euc1.infrastructure.infracost_cost_and_usage_report/main.tf line 413, in resource "aws_cur_report_definition" "costand_usage_report":
│ 413: resource "aws_cur_report_definition" "costand_usage_report" {w
white-airport-8778
11/02/2022, 3:42 PM@mysterious-teacher-68276 can you possibly take a look?
m
mysterious-teacher-68276
11/02/2022, 3:43 PMHey @numerous-plastic-31859, I believe I ran into this problem myself. I believe this is because an AWS profile is getting in the way. Are you running this from your machine or the pipeline?
n
numerous-plastic-31859
11/02/2022, 3:43 PMVia github actions
m
mysterious-teacher-68276
11/02/2022, 3:44 PMok nice, how are you configuring the
AWS_PROFILEn
numerous-plastic-31859
11/02/2022, 3:45 PMWe’re just providing
AWS_ACCESS_KEY_IDAWS_SECRET_ACCESS_KEYm
mysterious-teacher-68276
11/02/2022, 3:46 PM👍 - ok one sec
ok I think i’ve found the problem, give me a bit to put out a fix
ok @numerous-plastic-31859 I’ve made a fix to the module which you can pull in, but before we do that, can you rerun the action again and see if it successfully applies this time. There were two potential issues with the validation and you might just be hitting the fact that the CUR definition was missing a dependant link on the CUR bucket policy. If this is your issue a rerun will fix. If not we’ll progress to pulling the new module and rejigging how you call it
n
numerous-plastic-31859
11/02/2022, 4:25 PMI’ll try to run it twice tomorrow, I reckon I’ll need to pin it to the sha now
HEADm
mysterious-teacher-68276
11/02/2022, 4:27 PMok cool, if you pull in the new module, you’ll have to define an aliased provider outside the module and pass it in:
provider "aws" {
region = "eu-central-1"
}
# new provider alias to define. Add any tags/config that you normally have on providers here.
provider "aws" {
alias = "us_east_1"
region = "us-east-1"
}
module "infracost" {
source = "<http://github.com/infracost/cross-account-link|github.com/infracost/cross-account-link>"
infracost_external_id = "INFRACOST_ORGANIZATION_ID"
# add the new provider here with the `us_east_1` alias
providers = {
aws.us_east_1 = aws.us_east_1
}
}
...w
white-airport-8778
11/02/2022, 5:00 PMThanks @mysterious-teacher-68276! I pushed this commit to clarify why two provider blocks are needed.
n
numerous-plastic-31859
11/03/2022, 7:57 AMOk, just ran apply twice and it went through the second time 🙂
Do you want the output from the pre-apply plan or should I go ahead and use
HEADI noticed another thing, this should probably be templated out as
"arn:aws:iam::${var.infracost_account}:root"var.infracost_accountm
mysterious-teacher-68276
11/03/2022, 9:45 AMAh, nice spot, I’ll update. I think the outputs from the pre-apply stage should be fine.
although I see you’ve opened a cheeky pr :infraheart:
n
numerous-plastic-31859
11/03/2022, 10:27 AMAlright now it went through on the first try 🙌
m
mysterious-teacher-68276
11/03/2022, 10:27 AMdance
n
numerous-plastic-31859
11/09/2022, 3:15 PM@mysterious-teacher-68276 I keep getting changes on TF plans for the cross account module:
Terraform plan Succeeded for Workspace: default
Show Output
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
! update in-place
Terraform will perform the following actions:
# module.aws.more.paths.here.module.infracost_cost_and_usage_report.aws_iam_role.cross_account_role will be updated in-place
! resource "aws_iam_role" "cross_account_role" {
! assume_role_policy = jsonencode(
! {
! Statement = [
! {
! Action = "sts:AssumeRole" -> [
+ "sts:AssumeRole",
]
# (3 unchanged elements hidden)
},
]
- Version = "2008-10-17" -> null
}
)
id = "terraform-20221103102406234000000001"
! managed_policy_arns = [
- "arn:aws:iam::xxxxxxxxxxx:policy/ObjectGetCostandUsageReports",
# (1 unchanged element hidden)
]
name = "terraform-20221103102406234000000001"
tags = {}
# (8 unchanged attributes hidden)
# (3 unchanged blocks hidden)
}
Plan: 0 to add, 1 to change, 0 to destroy.managed_policy_arnsm
mysterious-teacher-68276
11/09/2022, 3:31 PMhmm i think the managed policy arns might be solved by using a
aws_iam_policy_attachmentlet me try and push an update and see if that solves your issue
@numerous-plastic-31859 I’ve opened a PR here https://github.com/infracost/cross-account-link/pull/2 with changes. Could you test this out by pointing your module source to the branch, i.e. adding suffix
?ref=fix/iam-role-fixessourceI think it might barf the first time with the removal of
managed_policy_arnsn
numerous-plastic-31859
11/10/2022, 7:05 AMRan through fine, only thing left is the
Versionaws_iam_role.cross_account_rolem
mysterious-teacher-68276
11/10/2022, 10:11 AM👀
@numerous-plastic-31859 just pushed a commit to fix the version - give it a try, if that’s ✅ - i’ll get some 👀 on the PR and merge into master
n
numerous-plastic-31859
11/10/2022, 10:46 AMLooks good! ❤️
m
mysterious-teacher-68276
11/10/2022, 6:21 PMthis has been merged into master so the base ref should now work
n
numerous-plastic-31859
11/11/2022, 7:11 AMexcellent, thanks!