Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
s
Stephen Nelson
04/07/2022, 7:11 PMHi all! I’m trying to follow @Benjamin Edwards article on setting up Fleet on AWS with Terraform. When I do “terraform init”, I get:
Error refreshing state: AccessDenied: Access Denied
status code: 403, request id: 4739C470TC1FJYWN, host id: <snip>l
Linda Zhou
04/07/2022, 7:36 PMI wonder if you have to set AWS credentials to admin access --- have you tried that?
s
Stephen Nelson
04/07/2022, 7:50 PMI was wondering the same thing, but I’m using the credentials for a user with admin access.
l
Linda Zhou
04/07/2022, 7:52 PMWhat about the keys you're using?
ref: https://stackoverflow.com/questions/61851903/how-to-solve-error-loading-state-accessdenied-access-denied-status-code-403-w
s
Stephen Nelson
04/07/2022, 7:53 PMI’ll try that. Thanks!
b
Benjamin Edwards
04/07/2022, 7:53 PMhey Stephen, do you have the AWS cli setup? if so you should have a file in ~/.aws/credentials
if you have more than one profile setup you might need to prepend
AWS_PROFILE=foo terraform inits
Stephen Nelson
04/07/2022, 7:56 PMYes, I’ve got aws cli set up. ‘aws sts get-caller-identity’ returns expected results. The account should have admin access, but I’m triple-checking that.
Seems like I have access.
One thing to verify: Should it be querying fleet-terraform-remote-state.s3.us-east-2.amazonaws.com? Here’s the debug output:
---[ REQUEST POST-SIGN ]-----------------------------
GET /fleet/ HTTP/1.1
Host: <http://fleet-terraform-remote-state.s3.us-east-2.amazonaws.com|fleet-terraform-remote-state.s3.us-east-2.amazonaws.com>
User-Agent: APN/1.0 HashiCorp/1.0 Terraform/1.1.7 aws-sdk-go/1.42.35 (go1.17.6; darwin; amd64)
Authorization: AWS4-HMAC-SHA256 Credential=<my admin credential>, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=<snip>
X-Amz-Content-Sha256: <snip>
X-Amz-Date: 20220407T195935Z
Accept-Encoding: gzip
-----------------------------------------------------
2022-04-07T12:59:36.110-0700 [DEBUG] [aws-sdk-go] DEBUG: Response s3/GetObject Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 403 Forbidden
Connection: close
Transfer-Encoding: chunked
Content-Type: application/xml
Date: Thu, 07 Apr 2022 19:59:36 GMT
Server: AmazonS3
X-Amz-Id-2: <snip>
X-Amz-Request-Id: <snip>I have more than one profile, but I have AWS_PROFILE set.
b
Benjamin Edwards
04/07/2022, 8:18 PMohh, I think you need to choose a different bucket name, S3 bucket names are globally unique. You are probably trying to access my bucket =P
👍 2
l
Linda Zhou
04/07/2022, 9:07 PMInteresting...didn't know those bucket names are globally unique.
s
Stephen Nelson
04/07/2022, 9:09 PM@Benjamin Edwards Makes sense. So I should edit the file? I tried setting -prefix, but terraform init didn’t like that.
Anyway, I got init to work by changing the name of the bucket in main.tf. For some reason I had to create the bucket in the web interface.
I also had to take out the version number in “required_providers” for aws. It didn’t like 3.57.0.
Hmm, now it doesn’t like the lock s3 bucket. I tried creating a lockable s3 bucket in the web console, but it’s still unhappy:
{"ConsistentRead":true,"Key":{"LockID":{"S":"magritte-fleet-terraform-remote-state/env:/prod/fleet"}},"ProjectionExpression":"LockID, Info","TableName":"magritte-fleet-terraform-state-lock"}
-----------------------------------------------------
2022-04-07T14:27:39.904-0700 [DEBUG] [aws-sdk-go] DEBUG: Response dynamodb/GetItem Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 400 Bad Request
Connection: close
Content-Length: 112
Content-Type: application/x-amz-json-1.0
Date: Thu, 07 Apr 2022 21:27:39 GMT
Server: Server
X-Amz-Crc32: 3737639027
X-Amzn-Requestid: CAPT9R5M63GSE6GVOBM0UHSPFJVV4KQNSO5AEMVJF66Q9ASUAAJG
-----------------------------------------------------
2022-04-07T14:27:39.904-0700 [DEBUG] [aws-sdk-go] {"__type":"com.amazonaws.dynamodb.v20120810#ResourceNotFoundException","message":"Requested resource not found"}
2022-04-07T14:27:39.904-0700 [DEBUG] [aws-sdk-go] DEBUG: Validate Response dynamodb/GetItem failed, attempt 0/5, error ResourceNotFoundException: Requested resource not found
failed to lock s3 state: 2 errors occurred:
* ResourceNotFoundException: Requested resource not found
* ResourceNotFoundException: Requested resource not foundb
Benjamin Edwards
04/07/2022, 9:42 PMRight so this is the dynamodb table used for state locking. What I would recommend is just to comment out all remote state management until you get a little more experience using terraform.
you can always come back and add remote state management once the system is setup
s
Stephen Nelson
04/07/2022, 9:45 PMSounds good.
b
Benjamin Edwards
04/07/2022, 9:46 PMlines 11-16 could be commented out https://github.com/fleetdm/fleet/blob/297cfe7263a147f2962185e80548e1d8540efa55/tools/terraform/main.tf#L9
basically that just removes remote state, and terraform will use local state by default
s
Stephen Nelson
04/07/2022, 9:52 PMWell, commented those out, and now “terraform apply” bombs out with:
│ Error: Value for unconfigurable attribute
│
│ with aws_s3_bucket.osquery-results,
│ on <http://firehose.tf|firehose.tf> line 7, in resource "aws_s3_bucket" "osquery-results":
│ 7: resource "aws_s3_bucket" "osquery-results" { #tfsec:ignore:aws-s3-encryption-customer-key:exp:2022-07-01 #tfsec:ignore:aws-s3-enable-versioning #tfsec:ignore:aws-s3-enable-bucket-logging:exp:2022-06-15
│
│ Can't configure a value for "server_side_encryption_configuration": its value will be decided automatically based on the result of applying this configuration.
╵I suspect this might be a bit advanced for my first time using terraform. 🙂
b
Benjamin Edwards
04/07/2022, 11:56 PMHmm I don't recognize that error.
l
Linda Zhou
04/08/2022, 12:42 AMThis may be an eyeroll-inducing question, but are your Terraform CLI and Terraform AWS Provider compatible versions?
s
Stephen Nelson
04/08/2022, 3:09 AMAnything is possible. I’ll have a look tomorrow. In the meantime I have Fleet running via Render.