jarrettj
Events

Use of different providers in custom modules.

Describe the outcome you'd like
I'd like the ability to pass a provider to a module.

A clear and concise description of what you want to happen.
The multiple region customisation shows how to do this using the updated provider jinja file in the root. But how would we do the same with a module instead of a resource that can reference the provider available in the root?

Is your feature request related to a problem you are currently experiencing? If so, please describe.
Reusing shared modules across Prod and Staging environments.

A clear and concise description of what the problem is.
In the structure below, I would like both app and staging-app to call the acm module to create a resource in the us-east-1 region, which is not the application's default region.

  • aft-account-customizations
    • app
      • terraform
        • main.tf
    • staging-app
      • terraform
        • main.tf
    • modules
      • acm
        • main.tf

Hope that is clear :). Thanks.

Regards, Jarrett

Created at 5 days ago
Create an account in a new OU

Found it, had to delete the item in DynamoDB table :)

Created at 1 week ago
Create an account in a new OU

Hi,

Good day.

Receiving the same error ConditionalCheckFailedException. Is there a process to restore a previous state file? The terraform apply phase failed. :(

This is in the aft-account-customizations repo. Not sure what I should update in the DynamoDB table. Thanks.

Regards, Jarrett

Created at 1 week ago
Documentation on how to terraform plan on your local

Thank you @balltrev.

Created at 1 week ago
How to trigger codepipeline on commit and from github?

I fully understand @balltrev. But for a user with a basic understanding of terraform, we are not really clued up on what to do to make it automatically run with the information provided. Or should I say, I am not at all following what should be done to automatically build from a push :).

Created at 2 weeks ago
Documentation on how to terraform plan on your local

Yup, that's correct. Thought I'd add it here in the event that it's been done already, and I missed it in the docs. I'll probably figure it out as I go along working through more terraform examples etc :)

Created at 2 weeks ago
Documentation on how to terraform plan on your local

Hey @v-rosa , good day. Would this cover working locally though? Looks more like approval gates added to the pipeline.

What I'm asking is simply being able to init and plan locally. Would be way faster, 5-8 mins than pushing to the pipeline.

Created at 2 weeks ago
Documentation on how to terraform plan on your local

Hi

Good day.

Describe the outcome you'd like
Documentation on how to "terraform plan" on your local. At the moment you are forced to push changes to the pipeline.

A clear and concise description of what you want to happen.
A way to set up terraform locally to run "terraform plan" against a provisioned account to view changes before pushing.

Is your feature request related to a problem you are currently experiencing? If so, please describe.
The problem is coding in the dark, basically. The lifecycle is made harder by not being able to plan locally.

A clear and concise description of what the problem is.

Additional context

Add any other context or screenshots about the feature request here.
We've managed to reference the provisioned account state file on the management account. But the "terraform plan" still shows all to update. It's better than nothing for now, but as the infrastructure increases it will become harder to read.

Regards. Jarrett

Created at 2 weeks ago
How to trigger codepipeline on commit and from github?

Hi

Good day @balltrev. Thanks for the link.

I followed it, but I'm still not sure what to do. Well not sure what the terraform code is that needs to be added to make this automatically trigger a build. Would assume most people would not know. Looked around in the terraform registry around step functions. But still a bit clueless. Thanks.

Regards. Jarrett

Created at 2 weeks ago
How to import existing accounts

@dignajar you don't need to import the management account. Following this doc https://controltower.aws-management.tools/automation/aft_setup/. Once bootstrap is done, you can simply push to aft-account-provisioning-customizations repo and it auto updates the management account.

Created at 2 weeks ago
Getting iam user passwords

Terraform Version & Prov: v1.2.8
AFT Version: (Can be found in the AFT Management Account in the SSM Parameter /aft/config/aft/version) 1.6.2

Bug Description Managed to get the account provisioning pipeline going. Created a new account. Next step is adding IAM users via terraform. The users are added but there's no way to get the user passwords though. The aws codebuild output logs do not show the output values as expected.

Not sure if anyone has a workaround for this? Also, this channel seems to be for bugs. Is there a place to ask questions instead? Thanks.

Regards. Jarrett

Created at 2 weeks ago
Getting iam user passwords

Hi good day.

My apologies I should have closed this. Using SSM to store the generated passwords. Thanks.

Regards. Jarrett

Created at 2 weeks ago
Create an AWS WAF resource in US-East-1

Terraform Version & Prov: v1.2.8
AFT Version: (Can be found in the AFT Management Account in the SSM Parameter /aft/config/aft/version) 1.6.2

Bug Description Attempting to create an AWS WAF resource in US-East-1 in a managed account using terraform.

On the initial run, we received the following error:

Error: Error creating WAFv2 WebACL: AccessDeniedException: User: arn:aws:sts::0358*******:assumed-role/AWSAFTAdmin/AWSAFT-Session is not authorized to perform: wafv2:CreateWebACL on resource: arn:aws:wafv2:us-east-1:03581*****88:global/webacl/hris/* because no identity-based policy allows the wafv2:CreateWebACL action

The AWSAFTAdmin role has root access, not sure why it is not allowed to create a WAF. Proceeded to add the AWSWAFFullAccess policy to the AWSAFTAdmin role.

On the next run, the WAF gets created. But we can't use it with CloudFront if it is in eu-west-1, our default region. We then change regions using provider below:

provider "aws" {
  region = "us-east-1"
  alias = "useast1"
}

On the next run, the WAF gets updated and moved to the US-East-1 region, but of the AFT Management account and not the account being provisioned.

Any ideas on how to terraform a different region when using AFT? This might be an edge case as most resources would live in your default region. Thanks.

Regards, Jarrett

Created at 2 weeks ago
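The two questions above (passing a provider into the shared acm module, and pinning the WAFv2 web ACL to us-east-1 in the account being provisioned) come down to the same Terraform pattern, shown here as an added example that is not code from the original posts, from AFT, or from its documentation. An aliased provider is declared once in the root configuration and handed to the module through its `providers` map; a single resource can reference the alias directly. The account id, role name, module path and domain name are placeholders. In AFT the default provider and its assume_role block are rendered from the aft-providers.jinja template the first post mentions; an alias declared without an assume_role block authenticates as the pipeline's own role, which is why the web ACL in the post ended up in the management account rather than the target account.

```hcl
# Added example (not from the original posts or the AFT project).
# Assumptions: the account id, role name, module path and domain name below are
# placeholders; in AFT the default provider and its assume_role block are
# rendered from aft-providers.jinja, so only the aliased provider is new here.

# ---- aft-account-customizations/app/terraform/providers.tf ----
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.9.0, < 5.0.0"
    }
  }
}

# Default provider: the account's home region (eu-west-1 in the post).
provider "aws" {
  region = "eu-west-1"
  assume_role {
    role_arn = "arn:aws:iam::111111111111:role/AWSAFTExecution" # placeholder
  }
}

# Aliased provider for global services (ACM for CloudFront, WAFv2 CLOUDFRONT scope).
# The assume_role block is what keeps the resource in the *target* account; an
# alias without it runs as the pipeline's own role in the AFT management account.
provider "aws" {
  region = "us-east-1"
  alias  = "useast1"
  assume_role {
    role_arn = "arn:aws:iam::111111111111:role/AWSAFTExecution" # same placeholder
  }
}

# ---- aft-account-customizations/app/terraform/main.tf ----
module "acm" {
  source = "../../modules/acm" # assumed relative path to the shared module

  # Map the module's "aws" provider requirement onto the root alias, so every
  # resource inside the module is created in us-east-1 of the target account.
  providers = {
    aws = aws.useast1
  }

  domain_name = "app.example.com" # placeholder
}

# A resource that must live in us-east-1 can reference the alias directly.
resource "aws_wafv2_web_acl" "cloudfront" {
  provider = aws.useast1
  name     = "app-cloudfront-acl"
  scope    = "CLOUDFRONT"

  default_action {
    allow {}
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "app-cloudfront-acl"
    sampled_requests_enabled   = true
  }
}

# ---- aft-account-customizations/modules/acm/main.tf ----
# The module only declares that it needs an "aws" provider; it never configures
# one, so the caller decides region and credentials (the same module serves
# app and staging-app).
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}

variable "domain_name" {
  type = string
}

resource "aws_acm_certificate" "this" {
  domain_name       = var.domain_name
  validation_method = "DNS"
}
```

If a module needs both regions at once, declare the extra configuration in the module with `configuration_aliases = [aws.useast1]` under its `required_providers` entry and pass `aws.useast1 = aws.useast1` in the `providers` map; the pattern above covers the common case where the whole module should run in the alternate region. Checking `terraform plan` output for the account id and region in each resource's ARN is the quickest way to confirm the alias is assuming the intended role before an apply.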
Getting iam user passwords

Terraform Version & Prov: v1.2.8
AFT Version: (Can be found in the AFT Management Account in the SSM Parameter /aft/config/aft/version) 1.6.2

Bug Description Managed to get the account provisioning pipeline going. Created a new account. Next step is adding IAM users via terraform. The users are added but there's no way to get the user passwords though. The aws codebuild output logs do not show the output values as expected.

Not sure if anyone has a workaround for this? Thanks.

Regards. Jarrett

Created at 3 weeks ago
Sam deploy error.

Updated error.

Created at 4 weeks ago
Same deploy error.

Hi,

Good day.

Get the following error when deploying:

Whether code signing is enabled or not. Thanks.

Regards, Jarrett

Created at 1 month ago
How to add regions?

Hi,

Good day.

How to add regions other than us-east-1? Thanks.

Regards, Jarrett

Created at 1 month ago
How to add regions?

Ran deploy :)

Created at 1 month ago
Does not work with the latest version of terraform 1.2.8

Hi,

Good day.

Followed the instructions up to "Run the setup script." step. When executing:

bash scripts/full-setup.sh, I get the following:

Creating the Delegated admin account role
╷
│ Error: Unsupported Terraform Core version
│ 
│   on versions.tf line 19, in terraform:
│   19:   required_version = "= 0.14.6"
│ 
│ This configuration does not support Terraform version 1.2.8. To proceed, either choose another supported Terraform version or update this version

Should we downgrade our terraform version? Thanks.

Regards, Jarrett

Created at 1 month ago
Does not work with the latest version of terraform 1.2.8

Awesome, thanks for the prompt response! Will do.

Created at 1 month ago
Help with Post-deployment steps

Found https://controltower.aws-management.tools/, following those steps instead of the blog post on aws. Thanks.

Created at 1 month ago
Help with Post-deployment steps

Terraform Version & Prov: terraform -v
Terraform v1.2.8

AFT Version: (Can be found in the AFT Management Account in the SSM Parameter /aft/config/aft/version) 1.6.2

Terraform Version & Provider Versions Please provide the outputs of terraform version and terraform providers from within your AFT environment

terraform version

Terraform v1.2.8

terraform providers

Providers required by configuration:
.
└── module.aft
    ├── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0, < 5.0.0
    ├── provider[registry.terraform.io/hashicorp/local]
    ├── module.aft_lambda_layer
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   ├── provider[registry.terraform.io/hashicorp/random]
    │   └── provider[registry.terraform.io/hashicorp/local]
    ├── module.packaging
    │   └── provider[registry.terraform.io/hashicorp/archive]
    ├── module.aft_customizations
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   └── provider[registry.terraform.io/hashicorp/local]
    ├── module.aft_ssm_parameters
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   └── provider[registry.terraform.io/hashicorp/random]
    ├── module.aft_feature_options
    │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    ├── module.aft_code_repositories
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   └── provider[registry.terraform.io/hashicorp/local]
    ├── module.aft_account_provisioning_framework
    │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    ├── module.aft_iam_roles
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   ├── module.aft_exec_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   ├── module.aft_service_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   ├── module.audit_exec_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   ├── module.audit_service_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   ├── module.ct_management_exec_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   ├── module.ct_management_service_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   ├── module.log_archive_exec_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   └── module.log_archive_service_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    ├── module.aft_account_request_framework
    │   ├── provider[registry.terraform.io/hashicorp/time]
    │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    └── module.aft_backend
        └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0

Providers required by state:

    provider[registry.terraform.io/hashicorp/aws]

    provider[registry.terraform.io/hashicorp/random]

    provider[registry.terraform.io/hashicorp/time]

    provider[registry.terraform.io/hashicorp/archive]

    provider[registry.terraform.io/hashicorp/local]

Bug Description

It is more of a guidance request, as I can't find anything in the documentation. After you run terraform apply and the AFT infrastructure deployment is complete, how do you access the empty AWS CodeCommit repos? The AFT account is a new account without any users created, as far as I can tell. How does one clone those? Do you have to manually create access? Thanks.

Regards, Jarrett

Created at 1 month ago