#help

numerous-plastic-31859

11/02/2022, 3:40 PM
Just tried running the new CUR setup for TF. However, I got this error when trying to apply it:
```
│ Error: error creating Cost And Usage Report Definition (InfracostReport1b781fbc-674a-43d6-b7b3-e0d28400be6c): ValidationException: Failed to verify customer bucket permission. accountId= xxxxxxxxxxxx, bucket name: infracost-cur-1b781fbc-674a-43d6-b7b3-e0d28400be6c, bucket region: eu-central-1
│ 
│   with module.aws.module.aws_euc1.module.infrastructure.module.infracost_cost_and_usage_report.aws_cur_report_definition.costand_usage_report,
│   on .terraform/modules/aws.aws_euc1.infrastructure.infracost_cost_and_usage_report/main.tf line 413, in resource "aws_cur_report_definition" "costand_usage_report":
│  413: resource "aws_cur_report_definition" "costand_usage_report" {
```

white-airport-8778

11/02/2022, 3:42 PM
@mysterious-teacher-68276 can you possibly take a look?

mysterious-teacher-68276

11/02/2022, 3:43 PM
Hey @numerous-plastic-31859, I believe I ran into this problem myself. I believe this is because an AWS profile is getting in the way. Are you running this from your machine or the pipeline?

numerous-plastic-31859

11/02/2022, 3:43 PM
Via github actions

mysterious-teacher-68276

11/02/2022, 3:44 PM
ok nice, how are you configuring the `AWS_PROFILE` to run with?

numerous-plastic-31859

11/02/2022, 3:45 PM
We’re just providing `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` to terraform

mysterious-teacher-68276

11/02/2022, 3:46 PM
👍 - ok one sec
ok I think I’ve found the problem, give me a bit to put out a fix
ok @numerous-plastic-31859 I’ve made a fix to the module which you can pull in, but before we do that, can you rerun the action again and see if it successfully applies this time? There were two potential issues with the validation and you might just be hitting the fact that the CUR definition was missing a dependent link on the CUR bucket policy. If this is your issue, a rerun will fix it. If not we’ll progress to pulling the new module and rejigging how you call it

numerous-plastic-31859

11/02/2022, 4:25 PM
I’ll try to run it twice tomorrow, I reckon I’ll need to pin it to the sha now `HEAD` has changed 🙂 Otherwise I’ll try the new version, I’ll let you know tomorrow!

mysterious-teacher-68276

11/02/2022, 4:27 PM
ok cool, if you pull in the new module, you’ll have to define an aliased provider outside the module and pass it in:
```
provider "aws" {
  region  = "eu-central-1"
}

# new provider alias to define. Add any tags/config that you normally have on providers here.
provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"
}

module "infracost" {
  source = "github.com/infracost/cross-account-link"
  infracost_external_id = "INFRACOST_ORGANIZATION_ID"
  # add the new provider here with the `us_east_1` alias
  providers = {
    aws.us_east_1 = aws.us_east_1
  }
}
...
```

white-airport-8778

11/02/2022, 5:00 PM
Thanks @mysterious-teacher-68276! I pushed this commit to clarify why two provider blocks are needed.

numerous-plastic-31859

11/03/2022, 7:57 AM
Ok, just ran apply twice and it went through the second time 🙂
Do you want the output from the pre-apply plan or should I go ahead and use `HEAD`?
I noticed another thing, this should probably be templated out as `"arn:aws:iam::${var.infracost_account}:root"` as it keeps reporting changes with just `var.infracost_account` 🙂

mysterious-teacher-68276

11/03/2022, 9:45 AM
Ah, nice spot, I’ll update. I think the outputs from the pre-apply stage should be fine.
although I see you’ve opened a cheeky pr :infraheart:

numerous-plastic-31859

11/03/2022, 10:27 AM
Alright now it went through on the first try 🙌

mysterious-teacher-68276

11/03/2022, 10:27 AM
:dance:

numerous-plastic-31859

11/09/2022, 3:15 PM
@mysterious-teacher-68276 I keep getting changes on TF plans for the cross account module:
```
Terraform plan Succeeded for Workspace: default
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
!   update in-place

Terraform will perform the following actions:

  # module.aws.more.paths.here.module.infracost_cost_and_usage_report.aws_iam_role.cross_account_role will be updated in-place
!   resource "aws_iam_role" "cross_account_role" {
!       assume_role_policy    = jsonencode(
!           {
!               Statement = [
!                   {
!                       Action    = "sts:AssumeRole" -> [
+                           "sts:AssumeRole",
                        ]
                        # (3 unchanged elements hidden)
                    },
                ]
-               Version   = "2008-10-17" -> null
            }
        )
        id                    = "terraform-20221103102406234000000001"
!       managed_policy_arns   = [
-           "arn:aws:iam::xxxxxxxxxxx:policy/ObjectGetCostandUsageReports",
            # (1 unchanged element hidden)
        ]
        name                  = "terraform-20221103102406234000000001"
        tags                  = {}
        # (8 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
```
I think the sts diff could be fixed by changing it to `Action : "sts:assumeRole"`. Not sure about the `managed_policy_arns` though 🤔

mysterious-teacher-68276

11/09/2022, 3:31 PM
hmm I think the managed policy arns might be solved by using an `aws_iam_policy_attachment` instead
let me try and push an update and see if that solves your issue
@numerous-plastic-31859 I’ve opened a PR here https://github.com/infracost/cross-account-link/pull/2 with changes. Could you test this out by pointing your module source to the branch, i.e. adding suffix `?ref=fix/iam-role-fixes` to the `source` url
I think it might barf the first time with the removal of `managed_policy_arns`, but let’s see

numerous-plastic-31859

11/10/2022, 7:05 AM
Ran through fine, only thing left is the `Version` on `aws_iam_role.cross_account_role` 🙂

mysterious-teacher-68276

11/10/2022, 10:11 AM
👀
@numerous-plastic-31859 just pushed a commit to fix the version - give it a try, if that’s - i’ll get some 👀 on the PR and merge into master

numerous-plastic-31859

11/10/2022, 10:46 AM
Looks good! ❤️

mysterious-teacher-68276

11/10/2022, 6:21 PM
this has been merged into master so the base ref should now work

numerous-plastic-31859

11/11/2022, 7:11 AM
excellent, thanks!