grahamgilbert / terraform-aws-munki-repo

A Terraform module to set up a Munki repo

Issue defining AWS region

gregneagle opened this issue · comments

How do I define my desired aws region to avoid this? I can successfully run terraform plan:

$ terraform plan -out saved_plan
provider.aws.region
  The region where AWS operations will take place. Examples
  are us-east-1, us-west-2, etc.

  Default: us-east-1
  Enter a value: us-west-1

and the plan completes OK, but it fails on terraform apply:

$ terraform apply "saved_plan"

Error: Error applying plan:

1 error occurred:
	* provider.aws: Invalid AWS Region: 

AWS_REGION="us-west-1" terraform apply "saved_plan" lets me get further along, but then it fails with:

Error: Error applying plan:

1 error occurred:
	* module.munki-repo.aws_lambda_function.basic_auth_lambda: 1 error occurred:
	* aws_lambda_function.basic_auth_lambda: Error creating Lambda function: ValidationException: 
	status code: 400, request id: d9c94fb7-d9a7-40d5-b6f9-91ca0586d2f6

A little more context:

module.munki-repo.aws_lambda_function.basic_auth_lambda: Creating...
  arn:                            "" => "<computed>"
  filename:                       "" => "basic_auth_lambda.zip"
  function_name:                  "" => "com.mac.gregneagle._basic_auth"
  handler:                        "" => "basic_auth.handler"
  invoke_arn:                     "" => "<computed>"
  last_modified:                  "" => "<computed>"
  memory_size:                    "" => "128"
  publish:                        "" => "true"
  qualified_arn:                  "" => "<computed>"
  reserved_concurrent_executions: "" => "-1"
  role:                           "" => "arn:aws:iam::495021859466:role/com.mac.gregneagle._iam_for_lambda"
  runtime:                        "" => "nodejs10.x"
  source_code_hash:               "" => "JSC4L5qLMAC4o0hfyxFFMSyqWDBxHG5p/xNn7VKjXLU="
  source_code_size:               "" => "<computed>"
  timeout:                        "" => "3"
  tracing_config.#:               "" => "<computed>"
  version:                        "" => "<computed>"

Error: Error applying plan:

1 error occurred:
	* module.munki-repo.aws_lambda_function.basic_auth_lambda: 1 error occurred:
	* aws_lambda_function.basic_auth_lambda: Error creating Lambda function: ValidationException: 
	status code: 400, request id: 6cf0f9ca-0c9f-4af1-9948-6d5732176be3

You must run Lambda@Edge in us-east-1. The region is irrelevant here since it is replicated to every CloudFront POP.

Perhaps that could be documented here? We discussed setting the region yesterday; I showed I was choosing us-west-1, and nothing was said.

If the region choice cannot be anything other than us-east-1, it seems odd for there to be a choice at all.

All that aside, if I want the S3 storage bucket to be created in us-west-1, is there anything different I should be doing?

Yes, it probably could. You have not posted your code, so it is hard to say. Mine runs in us-east-1, so this has not been extensively tested running elsewhere (i.e. not at all). You will not see any performance gain running it there, since your content will be delivered via the local CloudFront POP.

What code would I post? My main.tf is precisely as you document, merely changing the values for s3_bucket, name, password, and prefix.

I had the same issue, not using Graham's modules, but because I have "everything" in eu-west I didn't know why CloudFront was failing; it was due to not having that part in us-east-1. I don't remember where I got the info.

If you don't have the AWS provider configured, then you will certainly run into problems like these. I suggest looking at https://github.com/grahamgilbert/macdevops_2019/blob/master/main.tf for an example that assumes no prior Terraform knowledge.

So, main.tf now looks like this:

provider "aws" {
  region  = "us-east-1"
}

module "munki-repo" {
  source  = "grahamgilbert/munki-repo/aws"
  version = "0.1.11"
  munki_s3_bucket = "munki-s3-bucket"
  username        = "${var.username}"
  password        = "${var.password}"
  prefix          = "com.mac.gregneagle."
  # price_class is one of PriceClass_All, PriceClass_200, PriceClass_100
  price_class = "PriceClass_100"
}

variable "username" {
  default = "<redacted>"
}

variable "password" {
  default = "<redacted>"
}

output "cloudfront_url" {
  value = "${module.munki-repo.cloudfront_url}"
}

output "munki_bucket_id" {
  value = "${module.munki-repo.munki_bucket_id}"
}

output "username" {
  value = "${var.username}"
}

output "password" {
  value = "${var.password}"
}

I also reconfigured the AWS CLI:

$ aws configure
AWS Access Key ID [********************]: 
AWS Secret Access Key [********************]: 
Default region name [us-west-1]: us-east-1
Default output format [None]: 

But after terraform init, terraform get and terraform plan, terraform apply errors like so:

module.munki-repo.aws_cloudfront_origin_access_identity.origin_access_identity: Creation complete after 2s (ID: E1WMSDH8PYYXJJ)

Error: Error applying plan:

2 errors occurred:
	* module.munki-repo.aws_s3_bucket.log_bucket: 1 error occurred:
	* aws_s3_bucket.log_bucket: Error creating S3 bucket: AuthorizationHeaderMalformed: The authorization header is malformed; the region 'us-east-1' is wrong; expecting 'us-west-1'
	status code: 400, request id: 37A3DA70E643855D, host id: twlJ2pQSRrgI/loIt/lEEK9PMy3T7RfQUgmpwJs9Pcl4/EELs7iJPjJcljHibFsoVJHZM/FjNCc=


	* module.munki-repo.aws_lambda_function.basic_auth_lambda: 1 error occurred:
	* aws_lambda_function.basic_auth_lambda: Error creating Lambda function: ValidationException: 
	status code: 400, request id: 1d298fb2-de62-46b2-9b05-76cca98eb8fe

Was there any infrastructure provisioned in us-west-1? Things like S3 bucket names need to be globally unique, so I would destroy any infra stood up in us-west-1 before switching to us-east-1.

I’ll double-check. I thought I had destroyed/deleted/removed everything that had been created in us-west-1.

You can have your S3 bucket in us-west, but in that case you have to create a secondary provider for AWS pointing to us-east-1 only for your CloudFront.

"You can have your S3 bucket in us-west, but in that case you have to create a secondary provider for AWS pointing to us-east-1 only for your CloudFront." How do I do that in the main.tf?

The AWS console for my account shows no deployed/active resources for S3, CloudFront, and Lambda.

I started over in a new directory and have made some additional progress... will update more later.

Now stuck with yet another error:

module.munki-repo.aws_s3_bucket_policy.www: Creation complete after 1s (ID: munki-s3-bucket)

Error: Error applying plan:

1 error occurred:
	* module.munki-repo.aws_lambda_function.basic_auth_lambda: 1 error occurred:
	* aws_lambda_function.basic_auth_lambda: Error creating Lambda function: ValidationException: 
	status code: 400, request id: dcbd9367-69d5-4cd2-bc58-99f41b3d82a1

Post the full output, please. The error suggests it is trying to create a Node 8 Lambda, but the latest version of the module fixes that.

Hope I'm not leaking anything confidential here:

$ terraform apply "saved_plan"
module.munki-repo.aws_cloudfront_origin_access_identity.origin_access_identity: Creating...
  caller_reference:                "" => "<computed>"
  cloudfront_access_identity_path: "" => "<computed>"
  comment:                         "" => "Some comment"
  etag:                            "" => "<computed>"
  iam_arn:                         "" => "<computed>"
  s3_canonical_user_id:            "" => "<computed>"
module.munki-repo.aws_s3_bucket.log_bucket: Creating...
  acceleration_status:                                  "" => "<computed>"
  acl:                                                  "" => "log-delivery-write"
  arn:                                                  "" => "<computed>"
  bucket:                                               "" => "munki-s3-bucket-logs"
  bucket_domain_name:                                   "" => "<computed>"
  bucket_regional_domain_name:                          "" => "<computed>"
  force_destroy:                                        "" => "false"
  hosted_zone_id:                                       "" => "<computed>"
  lifecycle_rule.#:                                     "" => "1"
  lifecycle_rule.0.enabled:                             "" => "true"
  lifecycle_rule.0.id:                                  "" => "<computed>"
  lifecycle_rule.0.transition.#:                        "" => "1"
  lifecycle_rule.0.transition.2000431762.date:          "" => ""
  lifecycle_rule.0.transition.2000431762.days:          "" => "30"
  lifecycle_rule.0.transition.2000431762.storage_class: "" => "STANDARD_IA"
  region:                                               "" => "<computed>"
  request_payer:                                        "" => "<computed>"
  versioning.#:                                         "" => "<computed>"
  website_domain:                                       "" => "<computed>"
  website_endpoint:                                     "" => "<computed>"
module.munki-repo.aws_iam_role.iam_for_lambda: Creating...
  arn:                   "" => "<computed>"
  assume_role_policy:    "" => "{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Action\": \"sts:AssumeRole\",\n      \"Principal\": {\n        \"Service\": [\n          \"lambda.amazonaws.com\",\n          \"edgelambda.amazonaws.com\"\n        ]\n      },\n      \"Effect\": \"Allow\",\n      \"Sid\": \"\"\n    }\n  ]\n}\n"
  create_date:           "" => "<computed>"
  force_detach_policies: "" => "false"
  max_session_duration:  "" => "3600"
  name:                  "" => "com.mac.gregneagle._iam_for_lambda"
  path:                  "" => "/"
  unique_id:             "" => "<computed>"
module.munki-repo.aws_iam_role.iam_for_lambda: Creation complete after 2s (ID: com.mac.gregneagle._iam_for_lambda)
module.munki-repo.aws_lambda_function.basic_auth_lambda: Creating...
  arn:                            "" => "<computed>"
  filename:                       "" => "basic_auth_lambda.zip"
  function_name:                  "" => "com.mac.gregneagle._basic_auth"
  handler:                        "" => "basic_auth.handler"
  invoke_arn:                     "" => "<computed>"
  last_modified:                  "" => "<computed>"
  memory_size:                    "" => "128"
  publish:                        "" => "true"
  qualified_arn:                  "" => "<computed>"
  reserved_concurrent_executions: "" => "-1"
  role:                           "" => "arn:aws:iam::495021859466:role/com.mac.gregneagle._iam_for_lambda"
  runtime:                        "" => "nodejs10.x"
  source_code_hash:               "" => "JGDAYS8FN3vy4HfP1MR30e4qMVxYwwFcP314N2rygCk="
  source_code_size:               "" => "<computed>"
  timeout:                        "" => "3"
  tracing_config.#:               "" => "<computed>"
  version:                        "" => "<computed>"
module.munki-repo.aws_cloudfront_origin_access_identity.origin_access_identity: Creation complete after 2s (ID: E2AR9PRF37PMCY)
module.munki-repo.aws_s3_bucket.log_bucket: Creation complete after 8s (ID: munki-s3-bucket-logs)
module.munki-repo.aws_s3_bucket.www: Creating...
  acceleration_status:                                                                                   "" => "<computed>"
  acl:                                                                                                   "" => "private"
  arn:                                                                                                   "" => "<computed>"
  bucket:                                                                                                "" => "munki-s3-bucket"
  bucket_domain_name:                                                                                    "" => "<computed>"
  bucket_regional_domain_name:                                                                           "" => "<computed>"
  force_destroy:                                                                                         "" => "false"
  hosted_zone_id:                                                                                        "" => "<computed>"
  logging.#:                                                                                             "" => "1"
  logging.227607726.target_bucket:                                                                       "" => "munki-s3-bucket-logs"
  logging.227607726.target_prefix:                                                                       "" => "logs/"
  region:                                                                                                "" => "<computed>"
  request_payer:                                                                                         "" => "<computed>"
  server_side_encryption_configuration.#:                                                                "" => "1"
  server_side_encryption_configuration.0.rule.#:                                                         "" => "1"
  server_side_encryption_configuration.0.rule.0.apply_server_side_encryption_by_default.#:               "" => "1"
  server_side_encryption_configuration.0.rule.0.apply_server_side_encryption_by_default.0.sse_algorithm: "" => "AES256"
  versioning.#:                                                                                          "" => "<computed>"
  website_domain:                                                                                        "" => "<computed>"
  website_endpoint:                                                                                      "" => "<computed>"
module.munki-repo.aws_s3_bucket.www: Creation complete after 8s (ID: munki-s3-bucket)
module.munki-repo.data.aws_iam_policy_document.s3_policy: Refreshing state...
module.munki-repo.aws_s3_bucket_policy.www: Creating...
  bucket: "" => "munki-s3-bucket"
  policy: "" => "{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Sid\": \"\",\n      \"Effect\": \"Allow\",\n      \"Action\": \"s3:GetObject\",\n      \"Resource\": \"arn:aws:s3:::munki-s3-bucket/*\",\n      \"Principal\": {\n        \"AWS\": \"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <redacted>\"\n      }\n    },\n    {\n      \"Sid\": \"\",\n      \"Effect\": \"Allow\",\n      \"Action\": \"s3:ListBucket\",\n      \"Resource\": \"arn:aws:s3:::munki-s3-bucket\",\n      \"Principal\": {\n        \"AWS\": \"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <redacted>\"\n      }\n    }\n  ]\n}"
module.munki-repo.aws_s3_bucket_policy.www: Creation complete after 1s (ID: munki-s3-bucket)

Error: Error applying plan:

1 error occurred:
	* module.munki-repo.aws_lambda_function.basic_auth_lambda: 1 error occurred:
	* aws_lambda_function.basic_auth_lambda: Error creating Lambda function: ValidationException: 
	status code: 400, request id: dcbd9367-69d5-4cd2-bc58-99f41b3d82a1

function_name: "" => "com.mac.gregneagle._basic_auth"

I wonder if the trailing dot in your prefix is the problem. I don't see anything else immediately obvious. If it's not that, I'll have to try it out tomorrow.

After changing the prefix to com_mac_gregneagle, terraform apply finally completed successfully.

I would definitely take a PR for the docs to preserve all this for posterity.

I don't know what characters are legal or illegal in the prefix: I only know that I was finally successful with a prefix that contained only lower-case letters and underscores.

I also don't know enough to say anything about the region other than "this module currently works only for the us-east-1 region; specifying any other region will fail".

I'll see what I can do, though, to increase odds of success for others.
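An added pre-flight check (example code, not part of this thread or of the munki-repo module) that applies the two lessons above before running terraform apply: the provider region must be us-east-1 because the basic-auth function is a Lambda@Edge function, and the function name the module builds from prefix (the plan output shows it as "<prefix>_basic_auth") must contain only the letters, digits, hyphens and underscores that the Lambda CreateFunction API accepts for a bare function name, which is why the trailing dot in "com.mac.gregneagle." produced the ValidationException. The constant names, the 64-character limit (the Lambda function-name maximum) and the sample inputs are this example's own; the "_basic_auth" suffix is taken from the plan output.

```python
"""Pre-flight check for munki-repo Terraform inputs (constructed example)."""
import re

# Lambda@Edge functions are created in us-east-1 and replicated to the
# CloudFront POPs; the module therefore only works with this provider region.
LAMBDA_EDGE_REGION = "us-east-1"

# Character class the Lambda API accepts for a bare function name:
# letters, digits, hyphens, underscores; at most 64 characters.
FUNCTION_NAME_RE = re.compile(r"^[a-zA-Z0-9_-]{1,64}$")
ALLOWED_CHAR_RE = re.compile(r"[a-zA-Z0-9_-]")

# Suffix the module appends to ``prefix``, as observed in the plan output
# ("com.mac.gregneagle." became "com.mac.gregneagle._basic_auth").
BASIC_AUTH_SUFFIX = "_basic_auth"


def lambda_function_name(prefix: str) -> str:
    """Reproduce the function_name the module derives from ``prefix``."""
    return f"{prefix}{BASIC_AUTH_SUFFIX}"


def check_inputs(region: str, prefix: str) -> list:
    """Return a list of problems; an empty list means the inputs look deployable."""
    problems = []
    if region != LAMBDA_EDGE_REGION:
        problems.append(
            f"provider region is {region!r}; Lambda@Edge requires {LAMBDA_EDGE_REGION!r}"
        )
    name = lambda_function_name(prefix)
    if not FUNCTION_NAME_RE.fullmatch(name):
        # Report exactly which characters the API would reject (e.g. the trailing dot).
        bad = sorted({c for c in name if not ALLOWED_CHAR_RE.fullmatch(c)})
        detail = f"contains characters Lambda rejects: {bad}" if bad else "is too long"
        problems.append(f"function name {name!r} {detail}")
    return problems


if __name__ == "__main__":
    # Constructed inputs mirroring the thread: the failing and the working combinations.
    for region, prefix in [("us-west-1", "com.mac.gregneagle."),
                           ("us-east-1", "com.mac.gregneagle."),
                           ("us-east-1", "com_mac_gregneagle")]:
        issues = check_inputs(region, prefix)
        print(f"{region:10s} {prefix!r:24s} -> {issues or 'OK'}")
```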