Hi all, I had some more time to work on our account conversion today. I got to the
dns-primary component, but I seem to be missing something now. What is the expectation for how to run non-bootstrap terraform plan / apply for the non-bootstrap components using the terraform profiles, rather than the org role ARNs (I am looking at the
all-new-components branch)? For example, it was easy for the
iam-delegated-roles, as that component’s provider performs an
assume_role into the destination account. Is there a short blurb that gives a high level view of how things are to fit together?
Specifically, I kind of blindly configured the stack and started a run, then was surprised to see the zones appearing in the root account. That’s when I noticed that the component was using the named terraform profile (or named terraform role ARN on master)
@Joe Hosteny the current status of assume_role vs profile is a bit in flux. I know Cloud Posse folks are moving towards using profiles for everything since that covers some issue that they were having that I’m not 100% up-to-speed on.
I personally had issues with this so I created a potential abstract aws-provider.tf> proposal which is up on PR: <https://github.com/cloudposse/terraform-aws-components/pull/322
Does that possibly help you if it were used more widespread through out the components?
what Proposes a new pattern for abstractly defining the aws provider via a common providers.tf why This enables usage of the following types of AWS auth for components: Environment credentials …
Thanks @Matt Gowie. I will take a look at this.
Are you just using an IAM user that is able to assume the *-terraform role in the identity account?
@Matt Gowie FYI, I was able to finally get this to work (deployed DNS primary stack in the
dns account using the proper
terraform role). It was death by a thousand papercuts, but I think I have it all down now.
And by papercuts, I mean my mistakes
This was done via a login for a user, not system account, provisioned via GSuite and using SAML SSO. I did use the
terraform_profile_name too, not the dynamic assume role. It fell into place once I was able to figure out how to get the
iam-delegated-roles to deploy in root
Ah sorry I didn’t see your other reply Joe. Glad you got it figured. Sorry I can’t be of much help — I’m not utilizing this 100% yet, just piecemeal so I don’t use the IAM roles stuff unfortunately.
No worries! I realize I am working on it probably a little too early anyway.
RE: Atmos – kudos to you @Joe Hosteny for your advice today in getting my Atmos compiles going. Everything works now. Cheers –