
setting aws_account_id doesn't ensure all resources are created in that account #132

Closed
applike-ss opened this issue Sep 27, 2022 · 3 comments

Comments

@applike-ss
Contributor

applike-ss commented Sep 27, 2022

I am trying out this template for EKS cluster creation right now.

While doing the apply, I was wondering why my VPC endpoint resources did not show up in the new subaccount that I created.

Turns out they were created in the main account I was using, even though I set aws_account_id to the sub account.

That is not ideal or obvious to a new user, and I assume it also is a bug?

These resources I can see in my main account, which should be in the new sub account instead:

  • vpc
  • subnets
  • routing tables
  • igw
  • egress igw
  • eip
  • endpoints
  • nat gw

I see that it says in the requirements [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) configured with the account you want to deploy into; however, my assumption was that my profile should have the permissions needed to create the resources.

Why else would there be an aws_account_id variable?

It seems I will have to use the iam_role option then to enforce where to spawn the resources, will check that out.

When destroying the incorrectly created resources, I now get:

╷
│ Error: expected "url" url to not be empty, got 
│ 
│   with data.flux_sync.main[0],
│   on flux2.tf line 103, in data "flux_sync" "main":
│  103:   url         = local.flux2["github_url"]
│ 
╵
╷
│ Error: error reading EKS Cluster (cluster-name): couldn't find resource
│ 
│   with data.aws_eks_cluster.cluster,
│   on provider-local.tf line 33, in data "aws_eks_cluster" "cluster":
│   33: data "aws_eks_cluster" "cluster" {
│ 
╵

Not ideal, because we wanted to use flux2 without GitHub.
Will try that again with a demo URL set.

Setting a demo URL did actually not let me remove the resources, so I manually removed them.

@ArchiFleKs
Member

ArchiFleKs commented Sep 27, 2022

@applike-ss Hi, as you might have noticed in #133, to enable multi-account support, you need to use a dedicated assume role in the terragrunt.hcl in each environment.

For example, if using AWS Organization / SSO:

  • Always run Terragrunt commands from the root account
  • Set up cross-account access using an IAM assume role in terragrunt.hcl per env

More information here
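An added example (not the project's own code) of the per-environment assume-role setup described above, plus a guard that fails the plan when the credentials in use do not belong to the account named in aws_account_id, which is the mismatch the reporter hit. The role name, account id placeholders and the `account_guard` resource are assumptions; `aws_account_id` is the module variable mentioned in this issue.

```hcl
# terragrunt.hcl for one environment (e.g. the new sub account).
# Terragrunt assumes this role before every terraform/terragrunt command,
# so resources land in the target account even when the CLI profile
# belongs to the root/management account.
iam_role = "arn:aws:iam::<TARGET_ACCOUNT_ID>:role/<TERRAFORM_DEPLOY_ROLE>"  # placeholders

inputs = {
  aws_account_id = "<TARGET_ACCOUNT_ID>"  # placeholder, same account as the role above
}

# --- Terraform side (hypothetical guard added to the root module) ---
# aws_caller_identity reports the account the provider is actually
# authenticated against; the precondition stops plan/apply if it differs
# from the account the user declared, instead of silently creating the
# VPC, subnets, endpoints and NAT gateway in the wrong account.
data "aws_caller_identity" "current" {}

resource "terraform_data" "account_guard" {
  lifecycle {
    precondition {
      condition     = data.aws_caller_identity.current.account_id == var.aws_account_id
      error_message = "Authenticated account ${data.aws_caller_identity.current.account_id} does not match aws_account_id ${var.aws_account_id}; check the iam_role in terragrunt.hcl."
    }
  }
}
```

`terraform_data` and `precondition` need Terraform 1.4 or later; on older versions the same check can hang off a `null_resource` with the same `lifecycle` block.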

@applike-ss
Contributor Author

Thanks, that's what I'm trying right now.

Having some issues still, like #134; however, I am refactoring it a bit so I don't actually need the kms module.

@applike-ss
Contributor Author

I got my cluster up and running, though not with all the addons that it should have. Closing it and creating a new one for the current issue.
