# fleet
s
Hi all! I’m trying to follow @Benjamin Edwards’ article on setting up Fleet on AWS with Terraform. When I do “terraform init”, I get:
Error refreshing state: AccessDenied: Access Denied
	status code: 403, request id: 4739C470TC1FJYWN, host id: <snip>
This is my first time using terraform, so I am probably missing something… any suggestions?
l
I wonder if you have to set AWS credentials to admin access --- have you tried that?
s
I was wondering the same thing, but I’m using the credentials for a user with admin access.
s
I’ll try that. Thanks!
b
hey Stephen, do you have the AWS CLI set up? if so you should have a file in ~/.aws/credentials
if you have more than one profile setup you might need to prepend
AWS_PROFILE=foo terraform init
s
Yes, I’ve got aws cli set up. ‘aws sts get-caller-identity’ returns expected results. The account should have admin access, but I’m triple-checking that.
Seems like I have access.
One thing to verify: Should it be querying fleet-terraform-remote-state.s3.us-east-2.amazonaws.com? Here’s the debug output:
---[ REQUEST POST-SIGN ]-----------------------------
GET /fleet/ HTTP/1.1
Host: fleet-terraform-remote-state.s3.us-east-2.amazonaws.com
User-Agent: APN/1.0 HashiCorp/1.0 Terraform/1.1.7 aws-sdk-go/1.42.35 (go1.17.6; darwin; amd64)
Authorization: AWS4-HMAC-SHA256 Credential=<my admin credential>, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=<snip>
X-Amz-Content-Sha256: <snip>
X-Amz-Date: 20220407T195935Z
Accept-Encoding: gzip


-----------------------------------------------------
2022-04-07T12:59:36.110-0700 [DEBUG] [aws-sdk-go] DEBUG: Response s3/GetObject Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 403 Forbidden
Connection: close
Transfer-Encoding: chunked
Content-Type: application/xml
Date: Thu, 07 Apr 2022 19:59:36 GMT
Server: AmazonS3
X-Amz-Id-2: <snip>
X-Amz-Request-Id: <snip>
I have more than one profile, but I have AWS_PROFILE set.
b
ohh, I think you need to choose a different bucket name, S3 bucket names are globally unique. You are probably trying to access my bucket =P
l
Interesting... didn't know those bucket names are globally unique.
s
@Benjamin Edwards Makes sense. So I should edit the file? I tried setting -prefix, but terraform init didn’t like that.
Anyway, I got init to work by changing the name of the bucket in main.tf. For some reason I had to create the bucket in the web interface.
I also had to take out the version number in “required_providers” for aws. It didn’t like 3.57.0.
Hmm, now it doesn’t like the lock s3 bucket. I tried creating a lockable s3 bucket in the web console, but it’s still unhappy:
{"ConsistentRead":true,"Key":{"LockID":{"S":"magritte-fleet-terraform-remote-state/env:/prod/fleet"}},"ProjectionExpression":"LockID, Info","TableName":"magritte-fleet-terraform-state-lock"}
-----------------------------------------------------
2022-04-07T14:27:39.904-0700 [DEBUG] [aws-sdk-go] DEBUG: Response dynamodb/GetItem Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 400 Bad Request
Connection: close
Content-Length: 112
Content-Type: application/x-amz-json-1.0
Date: Thu, 07 Apr 2022 21:27:39 GMT
Server: Server
X-Amz-Crc32: 3737639027
X-Amzn-Requestid: CAPT9R5M63GSE6GVOBM0UHSPFJVV4KQNSO5AEMVJF66Q9ASUAAJG


-----------------------------------------------------
2022-04-07T14:27:39.904-0700 [DEBUG] [aws-sdk-go] {"__type":"com.amazonaws.dynamodb.v20120810#ResourceNotFoundException","message":"Requested resource not found"}
2022-04-07T14:27:39.904-0700 [DEBUG] [aws-sdk-go] DEBUG: Validate Response dynamodb/GetItem failed, attempt 0/5, error ResourceNotFoundException: Requested resource not found
failed to lock s3 state: 2 errors occurred:
	* ResourceNotFoundException: Requested resource not found
	* ResourceNotFoundException: Requested resource not found
b
Right, so this is the DynamoDB table used for state locking. What I would recommend is just to comment out all remote state management until you get a little more experience using terraform. You can always come back and add remote state management once the system is set up.
s
Sounds good.
b
basically that just removes remote state, and terraform will use local state by default
s
Well, commented those out, and now “terraform apply” bombs out with:
│ Error: Value for unconfigurable attribute
│
│   with aws_s3_bucket.osquery-results,
│   on firehose.tf line 7, in resource "aws_s3_bucket" "osquery-results":
│    7: resource "aws_s3_bucket" "osquery-results" { #tfsec:ignore:aws-s3-encryption-customer-key:exp:2022-07-01  #tfsec:ignore:aws-s3-enable-versioning #tfsec:ignore:aws-s3-enable-bucket-logging:exp:2022-06-15
│
│ Can't configure a value for "server_side_encryption_configuration": its value will be decided automatically based on the result of applying this configuration.
╵
I suspect this might be a bit advanced for my first time using terraform. 🙂
b
Hmm I don't recognize that error.
l
This may be an eyeroll-inducing question, but are your Terraform CLI and Terraform AWS Provider compatible versions?
s
Anything is possible. I’ll have a look tomorrow. In the meantime I have Fleet running via Render.