#fleet

Stephen Nelson

04/07/2022, 7:11 PM
Hi all! I’m trying to follow @Benjamin Edwards’ article on setting up Fleet on AWS with Terraform. When I do “terraform init”, I get:
Error refreshing state: AccessDenied: Access Denied
	status code: 403, request id: 4739C470TC1FJYWN, host id: <snip>
This is my first time using terraform, so I am probably missing something… any suggestions?

Linda Zhou

04/07/2022, 7:36 PM
I wonder if you have to set AWS credentials to admin access --- have you tried that?

Stephen Nelson

04/07/2022, 7:50 PM
I was wondering the same thing, but I’m using the credentials for a user with admin access.

Stephen Nelson

04/07/2022, 7:53 PM
I’ll try that. Thanks!
Benjamin Edwards

04/07/2022, 7:53 PM
hey Stephen, do you have the AWS cli set up? if so you should have a file in ~/.aws/credentials
7:54 PM
if you have more than one profile set up you might need to prepend
AWS_PROFILE=foo terraform init

Stephen Nelson

04/07/2022, 7:56 PM
Yes, I’ve got aws cli set up. ‘aws sts get-caller-identity’ returns expected results. The account should have admin access, but I’m triple-checking that.
8:00 PM
Seems like I have access.
8:04 PM
One thing to verify: Should it be querying fleet-terraform-remote-state.s3.us-east-2.amazonaws.com? Here’s the debug output:
---[ REQUEST POST-SIGN ]-----------------------------
GET /fleet/ HTTP/1.1
Host: fleet-terraform-remote-state.s3.us-east-2.amazonaws.com
User-Agent: APN/1.0 HashiCorp/1.0 Terraform/1.1.7 aws-sdk-go/1.42.35 (go1.17.6; darwin; amd64)
Authorization: AWS4-HMAC-SHA256 Credential=<my admin credential>, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=<snip>
X-Amz-Content-Sha256: <snip>
X-Amz-Date: 20220407T195935Z
Accept-Encoding: gzip


-----------------------------------------------------
2022-04-07T12:59:36.110-0700 [DEBUG] [aws-sdk-go] DEBUG: Response s3/GetObject Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 403 Forbidden
Connection: close
Transfer-Encoding: chunked
Content-Type: application/xml
Date: Thu, 07 Apr 2022 19:59:36 GMT
Server: AmazonS3
X-Amz-Id-2: <snip>
X-Amz-Request-Id: <snip>
8:05 PM
I have more than one profile, but I have AWS_PROFILE set.
Benjamin Edwards

04/07/2022, 8:18 PM
ohh, I think you need to choose a different bucket name, S3 bucket names are globally unique. You are probably trying to access my bucket =P

Linda Zhou

04/07/2022, 9:07 PM
Interesting...didn't know those bucket names are globally unique.

Stephen Nelson

04/07/2022, 9:09 PM
@Benjamin Edwards Makes sense. So I should edit the file? I tried setting -prefix, but terraform init didn’t like that.
9:21 PM
Anyway, I got init to work by changing the name of the bucket in main.tf. For some reason I had to create the bucket in the web interface.
9:22 PM
I also had to take out the version number in “required_providers” for aws. It didn’t like 3.57.0.
9:32 PM
Hmm, now it doesn’t like the lock s3 bucket. I tried creating a lockable s3 bucket in the web console, but it’s still unhappy:
{"ConsistentRead":true,"Key":{"LockID":{"S":"magritte-fleet-terraform-remote-state/env:/prod/fleet"}},"ProjectionExpression":"LockID, Info","TableName":"magritte-fleet-terraform-state-lock"}
-----------------------------------------------------
2022-04-07T14:27:39.904-0700 [DEBUG] [aws-sdk-go] DEBUG: Response dynamodb/GetItem Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 400 Bad Request
Connection: close
Content-Length: 112
Content-Type: application/x-amz-json-1.0
Date: Thu, 07 Apr 2022 21:27:39 GMT
Server: Server
X-Amz-Crc32: 3737639027
X-Amzn-Requestid: CAPT9R5M63GSE6GVOBM0UHSPFJVV4KQNSO5AEMVJF66Q9ASUAAJG


-----------------------------------------------------
2022-04-07T14:27:39.904-0700 [DEBUG] [aws-sdk-go] {"__type":"com.amazonaws.dynamodb.v20120810#ResourceNotFoundException","message":"Requested resource not found"}
2022-04-07T14:27:39.904-0700 [DEBUG] [aws-sdk-go] DEBUG: Validate Response dynamodb/GetItem failed, attempt 0/5, error ResourceNotFoundException: Requested resource not found
failed to lock s3 state: 2 errors occurred:
	* ResourceNotFoundException: Requested resource not found
	* ResourceNotFoundException: Requested resource not found
Benjamin Edwards

04/07/2022, 9:42 PM
Right so this is the dynamodb table used for state locking. What I would recommend is just to comment out all remote state management until you get a little more experience using terraform. You can always come back and add remote state management once the system is setup

Stephen Nelson

04/07/2022, 9:45 PM
Sounds good.
Benjamin Edwards

04/07/2022, 9:46 PM
9:47 PM
basically that just removes remote state, and terraform will use local state by default

Stephen Nelson

04/07/2022, 9:52 PM
Well, commented those out, and now “terraform apply” bombs out with:
9:52 PM
│ Error: Value for unconfigurable attribute
│
│   with aws_s3_bucket.osquery-results,
│   on firehose.tf line 7, in resource "aws_s3_bucket" "osquery-results":
│    7: resource "aws_s3_bucket" "osquery-results" { #tfsec:ignore:aws-s3-encryption-customer-key:exp:2022-07-01  #tfsec:ignore:aws-s3-enable-versioning #tfsec:ignore:aws-s3-enable-bucket-logging:exp:2022-06-15
│
│ Can't configure a value for "server_side_encryption_configuration": its value will be decided automatically based on the result of applying this configuration.
╵
9:58 PM
I suspect this might be a bit advanced for my first time using terraform. 🙂
Benjamin Edwards

04/07/2022, 11:56 PM
Hmm I don't recognize that error.

Linda Zhou

04/08/2022, 12:42 AM
This may be an eyeroll-inducing question, but are your Terraform CLI and Terraform AWS Provider compatible versions?

Stephen Nelson

04/08/2022, 3:09 AM
Anything is possible. I’ll have a look tomorrow. In the meantime I have Fleet running via Render.