Assume role configuration doesn't seem to work #149

Closed
mrtnfchs opened this issue Mar 4, 2021 · 5 comments
mrtnfchs commented Mar 4, 2021

Hi all

I'm trying to configure this phillbaker/elasticsearch Terraform provider v1.5.3 to assume an instance role to get an AWS identity so I can launch Terraform via one of my build agents. Unfortunately I'm getting a health check timeout and request context canceled caused by: context deadline exceeded: no Elasticsearch node available regardless of what I try (e.g. explicitly providing region or not, ...).

When I run Terraform from a dedicated machine that has an AccessKey and SecretKey configured in $HOME/.aws/credentials or set by environment variables, everything runs fine, but when I try to use aws_assume_role_arn on one of my build agents, which don't have these keys set but do have an instance profile with admin privileges assigned, I'm getting the above connection failure.

This is my provider configuration:

provider "elasticsearch" {
  url = "https://${module.k8s-monitor.es_endpoint}"
  aws_assume_role_arn = var.aws_assume_role
}

The role specified is the same role as assigned to the build agent itself and has the following trust relationship:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Is there anything I'm missing?

Thank you! 🙏

@phillbaker
Owner

Hello, is this using Web Identity Tokens or EKS's IRSA? If so, please see #112.

Otherwise, this may be similar to #114, however, the fix for that may have been related to the regression in #124.

I don't have access to an AWS environment to test this, so it's a bit hard to debug 😀.

Can you try version 1.5.1 to see if that version of auth works for your situation?

@phillbaker
Owner

Hi @mrtnfchs following up on this, can you provide any further details on this?

@raids

raids commented Mar 29, 2021

Hey @phillbaker. I ran into the issue described with provider version 1.5.3:

Error: health check timeout: no Elasticsearch node available

Here's my provider config:

terraform {
...
  required_providers {
    elasticsearch = {
      source  = "registry.terraform.io/phillbaker/elasticsearch"
      version = ">= 1.5.3"
    }
  }
...
}

...

provider elasticsearch {
  url                 = "https://${data.containing_my_elasticsearch_endpoint}"
  sign_aws_requests   = true
  aws_assume_role_arn = data.containing_my_role_arn
}

Downgraded to =1.5.1 and my apply went through without error. Hopefully that's helpful without having an AWS environment.

Thanks for the provider 🥇

@michelzanini

Try version 1.5.0 and see if it works. If it does, it might be that #124 was never fixed.

@phillbaker
Owner

Hi @raids @mrtnfchs, I believe this is a dupe of #124; the fix for that issue is to pin to v1.5.0, as @michelzanini pointed out. I'm going to close this issue to focus on the additional information in that issue.

Please let me know if this is separate and downgrading does not work.
