Boundary terraform aws example not working

Hi, I’m having two kinds of problems with the Boundary Terraform example on AWS (https://github.com/hashicorp/boundary-reference-architecture/tree/main/deployment/aws).
First, the boundary module is unable to bring in the aws module’s information, and keeps saying that there is no module.aws.boundary_lb attribute.

I can bypass the above problem by bringing the actual LB DNS from AWS and giving it to the boundary provider. I tried to create a Boundary resource with the .tf file below, but I keep getting Error: {"status":404, "code":"NotFound", "message":"Resource not found."}.

provider "boundary" {
  addr                            = "http://<LB DNS>:9200"
  auth_method_id                  = "ampw_1234567890" # changeme
  password_auth_method_login_name = "username"        # changeme
  password_auth_method_password   = "password"        # changeme
}

resource "boundary_scope" "org" {
  name                     = "organization_one"
  description              = "My first scope!"
  scope_id                 = "global"
  auto_create_admin_role   = true
  auto_create_default_role = true
}

When I hit the LB DNS:9200, I get this result. From the page, it seems that Boundary is properly set, but the provider seems not to work. Is there anything I’m doing wrong? Thanks.

Hey there, you’re likely hitting that LB not found error because you’re not using the -target flag on your first run. Because the AWS LB needs to exist before running the deploy that configures Boundary, this is a two-step process as outlined here: https://github.com/hashicorp/boundary-reference-architecture/tree/main/deployment/aws#deploy

Once you deploy AWS, you can run an apply on the boundary module and that will provision the auth methods that are not found in that second issue you raised.

Given you have the LB deployed, I would just run terraform apply one more time and that will get Boundary set up with the configuration you need to log in with the password auth method.

Let me know if you have any further questions!

Hi malnick, unfortunately I have already done what you have suggested.

I installed only the aws module, but am getting the results as below.

So from the same directory, I checked with terraform console, which tells me the module is not present (although the module is properly installed).

Also, my second question was that although all AWS resources were properly installed (I have shown you the UI properly working), creating resource.boundary_scope.org fails.

Was this clear enough? Thanks!

I have this main.tf file as below, and hitting the LB address, which I wiped out, gives the Boundary UI from my first question (meaning that Boundary is properly set, I suppose?). However, when trying to create any Boundary resources with Terraform, I get a 404 resource not found error. I can’t figure out which resource Terraform is unable to find.

Any solutions?

terraform {
  required_providers {
    boundary = {
      source  = "hashicorp/boundary"
      version = "0.1.0"
    }
  }
}

provider "boundary" {
  addr                            = "http://boundary-controller-nlb-<MYHASH>.elb.ap-northeast-1.amazonaws.com:9200"
  auth_method_id                  = "ampw_1234567890"
  password_auth_method_login_name = "infra"
  password_auth_method_password   = "infra"
}

Can I see the complete main.tf that includes the module declaration for boundary and aws?

It’s clear that the AWS part of it was deployed properly because you can get to the LB. It appears the values for that LB are not getting injected into the boundary module declaration and that’s why it can’t find the KMS key or the LB values it’s expecting.
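To illustrate the bootstrap order the replies above describe, here is an added example (not code from this thread or from the reference repository): the provider authenticates with the recovery KMS key, so the password auth method and account can be created before any auth method ID exists on the controller. The variable names mirror the module inputs discussed in this thread; the resource names and the `infra_password` variable are assumptions.

```hcl
# Added example. Variable and resource names are illustrative assumptions.
variable "url" {}                 # e.g. "http://<LB DNS>:9200"
variable "kms_recovery_key_id" {} # AWS KMS key configured as the controller's recovery key
variable "infra_password" {}      # supply via TF_VAR_infra_password, not in the .tf file

# Bootstrap provider: no auth_method_id here. A freshly deployed controller
# has no password auth method yet, so the recovery KMS key is used instead.
provider "boundary" {
  addr             = var.url
  recovery_kms_hcl = <<EOT
kms "awskms" {
  purpose    = "recovery"
  key_id     = "global_root"
  kms_key_id = "${var.kms_recovery_key_id}"
}
EOT
}

resource "boundary_scope" "global" {
  global_scope = true
  name         = "global"
  scope_id     = "global"
}

resource "boundary_scope" "org" {
  name                     = "organization_one"
  scope_id                 = boundary_scope.global.id
  auto_create_admin_role   = true
  auto_create_default_role = true
}

# The auth method and account that a password-based provider block would need.
resource "boundary_auth_method" "password" {
  name     = "org_password_auth"
  type     = "password"
  scope_id = boundary_scope.org.id
}

resource "boundary_account" "infra" {
  name           = "infra"
  type           = "password"
  login_name     = "infra"
  password       = var.infra_password
  auth_method_id = boundary_auth_method.password.id
}

output "auth_method_id" {
  value = boundary_auth_method.password.id
}
```

Only after this apply does an auth method ID exist that a provider block using `auth_method_id` and the `password_auth_method_*` arguments can log in against; the output above is the value to use there.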

It’s the same as the GitHub example, is this what you meant?

module "aws" {
  source           = "./aws"
  boundary_bin     = var.boundary_bin
  pub_ssh_key_path = var.pub_ssh_key_path
}

module "boundary" {
  source              = "./boundary"
  url                 = "http://${module.aws.boundary_lb}:9200"
  target_ips          = module.aws.target_ips
  kms_recovery_key_id = module.aws.kms_recovery_key_id
}

After the AWS resources are all set, I tried the terraform code below, but it gives me the 404 error.

terraform {
  required_providers {
    boundary = {
      source  = "hashicorp/boundary"
      version = "0.1.0"
    }
  }
}

provider "boundary" {
  addr                            = "http://boundary-controller-nlb-<HASH>.elb.ap-northeast-1.amazonaws.com:9200"
  auth_method_id                  = "ampw_1234567890"
  password_auth_method_login_name = "infra"
  password_auth_method_password   = "infra"
}

resource "boundary_scope" "global" {
  global_scope = true
  name         = "global"
  scope_id     = "global"
}

Actually, I found that I mistakenly dropped the outputs.tf. Sorry for the confusion!

I’d like to receive support only for my second question, thanks!

Actually, specifying the output.tf and using the module provided, it worked!

But I’m still curious why the code below doesn’t work and gives a 404 error. Is there a sequence I should keep in mind while creating Boundary resources?

terraform {
  required_providers {
    boundary = {
      source  = "hashicorp/boundary"
      version = "0.1.0"
    }
  }
}

provider "boundary" {
  addr                            = "http://boundary-controller-nlb-<HASH>.elb.ap-northeast-1.amazonaws.com:9200"
  auth_method_id                  = "ampw_1234567890"
  password_auth_method_login_name = "infra"
  password_auth_method_password   = "infra"
}

resource "boundary_scope" "global" {
  global_scope = true
  name         = "global"
  scope_id     = "global"