Multi Account Access 0.13.1

I have been handed over a project that has been deployed, but the previous maintainers have left without any instructions.

I have been given the project files and the state files. However, I am not getting it to even run a successful plan. The problem seems to be that it needs to access resources in more than one account.

The main file has an S3 backend specified where the state file is located, and then it has the profile specified. The plan runs for a while and then I eventually get an error “Error: InvalidParameterException: Identifier is for BBBBBBBB. Your accountId is AAAAAAAAA”. When I go through this error, it seems to require access to another account’s S3 bucket, ALB, and SQS. I have gone and checked that account and I can’t find any role or policy that allows the primary account to assume permissions there.

There is also just the one provider in the entire project.

Is there any way that I can specify another profile for it to use if it can’t access something with the default one, then use this one?

I know there is an option where you can specify another provider with an alias; however, I don’t know which modules I would specifically need to set to use the other alias.

I am also stuck on version 0.13.1 as I cannot do an update until I have been able to run a plan.

Thanks

Hi @bobk81,

I think we’re going to need some examples, and the specific output you are seeing in order to try and sort out what could be going on here.

If it helps, the backend configuration is entirely unrelated to provider configuration, so you cannot assume that configuring one has any effect on configuring the other. If terraform_remote_state is used anywhere, that also has its own, independent configuration. You can use the terraform providers command to see what providers are required by the configuration, and where in the config they might be located.
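The independence described in this reply, written out as an added example (not from the thread or the project's own code): the S3 backend, each `provider` block, and any `terraform_remote_state` data source each carry their own credentials, and an aliased provider reaches a module or resource only when it is passed explicitly. Profile names, bucket names, the 12-digit account IDs, the module path and the resource names are placeholders.

```hcl
# Terraform 0.13 syntax. All names and IDs below are placeholders.

terraform {
  backend "s3" {
    # Credentials used ONLY to read/write the state object and lock.
    bucket  = "example-tfstate-bucket"
    key     = "dev/terraform.tfstate"
    region  = "eu-west-1"
    profile = "state-account" # has no effect on any provider block
  }
}

# Default (unaliased) provider: every resource and module that does not
# name a provider explicitly uses this one.
provider "aws" {
  region  = "eu-west-1"
  profile = "account-a"

  # Refuse to run if the credentials resolve to any other account, so a
  # wrong profile fails up front instead of partway through the refresh.
  allowed_account_ids = ["111111111111"]
}

# Second configuration of the same provider, selected by alias.
provider "aws" {
  alias   = "account_b"
  region  = "eu-west-1"
  profile = "account-b"

  allowed_account_ids = ["222222222222"]

  # Alternative to a separate profile: assume a role in the other account.
  # The role must exist there and trust the calling principal.
  # assume_role {
  #   role_arn = "arn:aws:iam::222222222222:role/example-terraform"
  # }
}

# A module receives an aliased provider through the providers map.
# Inside the module it is still referred to as plain "aws".
module "example_in_account_b" {
  source = "./modules/example"

  providers = {
    aws = aws.account_b
  }
}

# A single resource in the root module selects the alias directly.
resource "aws_sqs_queue" "example_dead_letter" {
  provider = aws.account_b
  name     = "example_dead_letter"
}

# terraform_remote_state has its own, third set of settings.
data "terraform_remote_state" "example_network" {
  backend = "s3"

  config = {
    bucket  = "example-other-tfstate-bucket"
    key     = "network/terraform.tfstate"
    region  = "eu-west-1"
    profile = "state-account"
  }
}
```

Terraform does not fall back from one provider configuration to another when a call is denied; each resource is bound to exactly one configuration, recorded alongside it in the state.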

Here is the output from terraform providers; in the next post I’ll put the plan output.

terraform providers

Providers required by configuration:
.
├── provider[registry.terraform.io/hashicorp/aws]
├── provider[registry.terraform.io/hashicorp/random]
├── provider[registry.terraform.io/hashicorp/template]
├── module.excmgmtprod_cloudtrail_transfer
│   └── provider[registry.terraform.io/hashicorp/aws]
├── module.iam_user_alessandro
│   └── provider[registry.terraform.io/hashicorp/aws]
├── module.vpc
│   └── provider[registry.terraform.io/hashicorp/aws] >= 2.70.*
├── module.vpn_gateway
│   └── provider[registry.terraform.io/hashicorp/aws] >= 3.43.*
├── module.ecs_cluster_db_import
│   └── provider[registry.terraform.io/hashicorp/aws] >= 2.48.*
├── module.ecs_cluster_ingress_api
│   ├── provider[registry.terraform.io/hashicorp/aws]
│   ├── provider[registry.terraform.io/hashicorp/template]
│   ├── module.autoscaling_group
│       ├── provider[registry.terraform.io/hashicorp/null] >= 2.0.*
│       ├── provider[registry.terraform.io/hashicorp/aws] >= 2.41.*
│       └── provider[registry.terraform.io/hashicorp/random] >= 2.0.*
│   ├── module.cluster
│       └── provider[registry.terraform.io/hashicorp/aws] >= 2.48.*
│   └── module.ec2-profile
│       └── provider[registry.terraform.io/hashicorp/aws]
├── module.ecs_cluster_risk_api
│   ├── provider[registry.terraform.io/hashicorp/aws]
│   ├── provider[registry.terraform.io/hashicorp/template]
│   ├── module.cluster
│       └── provider[registry.terraform.io/hashicorp/aws] >= 2.48.*
│   ├── module.ec2-profile
│       └── provider[registry.terraform.io/hashicorp/aws]
│   └── module.autoscaling_group
│       ├── provider[registry.terraform.io/hashicorp/random] >= 2.0.*
│       ├── provider[registry.terraform.io/hashicorp/null] >= 2.0.*
│       └── provider[registry.terraform.io/hashicorp/aws] >= 2.41.*
└── module.ecs_cluster_shap_api
    ├── provider[registry.terraform.io/hashicorp/aws]
    ├── provider[registry.terraform.io/hashicorp/template]
    ├── module.ec2-profile
        └── provider[registry.terraform.io/hashicorp/aws]
    ├── module.autoscaling_group
        ├── provider[registry.terraform.io/hashicorp/null] >= 2.0.*
        ├── provider[registry.terraform.io/hashicorp/aws] >= 2.41.*
        └── provider[registry.terraform.io/hashicorp/random] >= 2.0.*
    └── module.cluster
        └── provider[registry.terraform.io/hashicorp/aws] >= 2.48.*

Providers required by state:

    provider[registry.terraform.io/-/template]

    provider[registry.terraform.io/-/aws]

    provider[registry.terraform.io/-/null]

    provider[registry.terraform.io/-/random]

And then this is the output of the plan. I just changed the account IDs to BBBBBB and AAAAAAA.

Acquiring state lock. This may take a few moments...

Refreshing Terraform state in-memory prior to plan...

The refreshed state will be used to calculate this plan, but will not be

persisted to local or remote state storage.

module.ecs_cluster_shap_api.data.template_file.stack_user_data: Refreshing state... [id=789c19a05b42ecffcafa92f086e849504169f7f677400e6a5b7e73723da7e51e]

module.ecs_cluster_ingress_api.data.template_file.stack_user_data: Refreshing state... [id=f68779d8a1e4226c9359e62bdb64e5c6f81ac155f0875316e4221b0ef440d030]

module.ecs_cluster_risk_api.data.template_file.stack_user_data: Refreshing state... [id=7dfa3bf688c3caa65cf42df50b94a749c8791bdd9756d9d33feded223f41e5c9]

data.template_file.bucket_policy: Refreshing state... [id=83946c5c251741a9aef6789c507850050c2e68942fbd64b890f9c35b94f95158]

random_password.rds_password: Refreshing state... [id=none]

aws_cloudwatch_log_group.ecs_risk_api: Refreshing state... [id=dev_ml/ecs/risk_api]

module.iam_user_alessandro.aws_iam_group.iam_group: Refreshing state... [id=DevOps]

aws_customer_gateway.main: Refreshing state... [id=cgw-060a36000acac7f1a]

aws_s3_bucket.s3_datasets: Refreshing state... [id=dev-excmgmtprod-datasets]

module.ecs_cluster_shap_api.module.cluster.aws_ecs_cluster.this[0]: Refreshing state... [id=arn:aws:ecs:eu-west-1:BBBBBBBB:cluster/dev-shap-api]

module.iam_user_alessandro.aws_iam_user.iam_user: Refreshing state... [id=alessandro@cortexlogic.com.excmgmtprod]

aws_appmesh_mesh.main: Refreshing state... [id=dev_ml]

module.ecs_cluster_risk_api.module.cluster.aws_ecs_cluster.this[0]: Refreshing state... [id=arn:aws:ecs:eu-west-1:BBBBBBBB:cluster/dev-risk-api]

aws_cloudwatch_log_group.ecs_ingress_api: Refreshing state... [id=dev_ml/ecs/ingress_api]

module.ecs_cluster_risk_api.module.ec2-profile.aws_iam_role.this: Refreshing state... [id=dev-risk-api_ecs_instance_role]

aws_cloudwatch_log_group.ecs_shap_api: Refreshing state... [id=dev_ml/ecs/shap_api]

aws_sqs_queue.shap_queue_deadletter: Refreshing state... [id=https://sqs.eu-west-1.amazonaws.com/BBBBBBBB/dev_dead_letter]

module.iam_user_alessandro.aws_iam_policy.IAMUserChangePassword: Refreshing state... [id=arn:aws:iam::BBBBBBBB:policy/dev_IAMUserChangePassword]

module.ecs_cluster_ingress_api.data.aws_ami.amazon_linux_ecs: Refreshing state... [id=ami-09a0d4ff25d4c04cd]

aws_iam_role.ecsTaskExecutionRole: Refreshing state... [id=dev_ecsTaskExecutionRole]

data.aws_iam_policy.ecs_task_execution: Refreshing state... [id=arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy]

module.ecs_cluster_shap_api.data.aws_ami.amazon_linux_ecs: Refreshing state... [id=ami-09a0d4ff25d4c04cd]

aws_cloudwatch_log_group.ecs_shap_api_sidecar: Refreshing state... [id=dev_ml/ecs/shap_api_sidecar]

module.ecs_cluster_risk_api.data.aws_ami.amazon_linux_ecs: Refreshing state... [id=ami-09a0d4ff25d4c04cd]

aws_cloudwatch_log_group.ecs_ingress_api_sidecar: Refreshing state... [id=dev_ml/ecs/ingress_api/sidecar]

module.vpc.aws_vpc.this[0]: Refreshing state... [id=vpc-06a3249eb56e2adef]

module.ecs_cluster_ingress_api.module.ec2-profile.aws_iam_role.this: Refreshing state... [id=dev-ingress-api_ecs_instance_role]

aws_ecr_repository.risk_score_api[0]: Refreshing state... [id=ml_risk_score_api]

module.vpc.aws_eip.nat[0]: Refreshing state... [id=eipalloc-0416ecc394c969eba]

aws_ssm_parameter.rds_username[0]: Refreshing state... [id=/dev/rds/username]

aws_ecr_repository.ingress_api[0]: Refreshing state... [id=ml_ingress_api]

aws_ecr_repository.shap_api[0]: Refreshing state... [id=ml_shap_api]

aws_ssm_parameter.rds_password[0]: Refreshing state... [id=/dev/rds/password]

aws_cloudwatch_log_group.ecs_db_import: Refreshing state... [id=dev_ml/ecs/db_import]

module.iam_user_alessandro.aws_iam_policy.AdministratorAccess: Refreshing state... [id=arn:aws:iam::BBBBBBBB:policy/dev_AdministratorAccess]

aws_s3_bucket.data_file_bucket: Refreshing state... [id=dev-medscheme-data]

module.ecs_cluster_db_import.aws_ecs_cluster.this[0]: Refreshing state... [id=arn:aws:ecs:eu-west-1:BBBBBBBB:cluster/dev-db-import]

aws_dynamodb_table.ECI_DATA: Refreshing state... [id=dev-excmgmtprod-ECI-DATA]

module.ecs_cluster_shap_api.aws_cloudwatch_log_group.cluster_logs: Refreshing state... [id=/dev/ecs/shap-api]

module.ecs_cluster_ingress_api.aws_cloudwatch_log_group.cluster_logs: Refreshing state... [id=/dev/ecs/ingress-api]

module.excmgmtprod_cloudtrail_transfer.aws_cloudtrail.this: Refreshing state... [id=excmgmtprod_cloudtrail_logs]

aws_cloudwatch_log_group.ecs_risk_api_sidecar: Refreshing state... [id=dev_ml/ecs/risk_api_sidecar]

module.ecs_cluster_risk_api.aws_cloudwatch_log_group.cluster_logs: Refreshing state... [id=/dev/ecs/risk-api]

data.aws_acm_certificate.lb_certificate[0]: Refreshing state... [id=2020-08-25 13:22:24.207261 +0000 UTC]

aws_ecr_repository.db_import[0]: Refreshing state... [id=db_import]

module.ecs_cluster_ingress_api.module.cluster.aws_ecs_cluster.this[0]: Refreshing state... [id=arn:aws:ecs:eu-west-1:BBBBBBBB:cluster/dev-ingress-api]

module.ecs_cluster_shap_api.module.ec2-profile.aws_iam_role.this: Refreshing state... [id=dev-shap-api_ecs_instance_role]

aws_appmesh_virtual_router.risk_api: Refreshing state... [id=4c15128b-6ea4-4d8a-bca2-06659a360390]

aws_appmesh_virtual_router.shap_api: Refreshing state... [id=7547e73d-602b-493b-8156-535440e86dc3]

module.ecs_cluster_risk_api.module.ec2-profile.aws_iam_role_policy_attachment.ecs_ec2_role: Refreshing state... [id=dev-risk-api_ecs_instance_role-20200205151254612300000002]

module.ecs_cluster_risk_api.module.ec2-profile.aws_iam_instance_profile.this: Refreshing state... [id=dev-risk-api_ecs_instance_profile]

module.ecs_cluster_risk_api.module.ec2-profile.aws_iam_role_policy_attachment.ecs_ec2_cloudwatch_role: Refreshing state... [id=dev-risk-api_ecs_instance_role-20200205151254595600000001]

module.iam_user_alessandro.aws_iam_group_membership.iam_group: Refreshing state... [id=DevOps]

module.iam_user_alessandro.aws_iam_user_login_profile.iam_user: Refreshing state... [id=alessandro@cortexlogic.com.excmgmtprod]

module.iam_user_alessandro.aws_iam_access_key.iam_user: Refreshing state... [id=AKIASQ63LTWVCXAJIBVS]

module.iam_user_alessandro.aws_iam_group_policy_attachment.change-password-access-attach: Refreshing state... [id=DevOps-20200429201103807400000001]

module.ecs_cluster_ingress_api.module.ec2-profile.aws_iam_instance_profile.this: Refreshing state... [id=dev-ingress-api_ecs_instance_profile]

module.ecs_cluster_ingress_api.module.ec2-profile.aws_iam_role_policy_attachment.ecs_ec2_role: Refreshing state... [id=dev-ingress-api_ecs_instance_role-20200117115709708000000003]

module.ecs_cluster_ingress_api.module.ec2-profile.aws_iam_role_policy_attachment.ecs_ec2_cloudwatch_role: Refreshing state... [id=dev-ingress-api_ecs_instance_role-20200117115709190500000002]

data.aws_ecr_repository.risk_api: Refreshing state... [id=ml_risk_score_api]

data.aws_ecr_repository.ingress_api: Refreshing state... [id=ml_ingress_api]

data.aws_ecr_repository.shap_api: Refreshing state... [id=ml_shap_api]

module.iam_user_alessandro.aws_iam_group_policy_attachment.admin-access-attach: Refreshing state... [id=DevOps-20200429201701963700000001]

aws_iam_role_policy.ecsTaskExecutionRole_xray: Refreshing state... [id=dev_ecsTaskExecutionRole:test_policy]

module.ecs_cluster_shap_api.module.ec2-profile.aws_iam_role_policy_attachment.ecs_ec2_cloudwatch_role: Refreshing state... [id=dev-shap-api_ecs_instance_role-20200206161152863000000002]

module.ecs_cluster_shap_api.module.ec2-profile.aws_iam_role_policy_attachment.ecs_ec2_role: Refreshing state... [id=dev-shap-api_ecs_instance_role-20200206161152860400000001]

module.ecs_cluster_shap_api.module.ec2-profile.aws_iam_instance_profile.this: Refreshing state... [id=dev-shap-api_ecs_instance_profile]

aws_security_group.lb_sg: Refreshing state... [id=sg-04aa1a5759a73fc31]

aws_service_discovery_private_dns_namespace.main: Refreshing state... [id=ns-ztnllt7p24xemi7x]

module.vpc.aws_subnet.private[1]: Refreshing state... [id=subnet-022aac25943879ef6]

module.vpc.aws_subnet.private[2]: Refreshing state... [id=subnet-0ff6bc7280503f10c]

module.vpc.aws_subnet.private[0]: Refreshing state... [id=subnet-0ec768449868fa4d1]

module.vpc.aws_subnet.public[1]: Refreshing state... [id=subnet-0836197cf281dc997]

module.vpc.aws_subnet.public[0]: Refreshing state... [id=subnet-0f18eb51afdc08b46]

module.vpc.aws_subnet.public[2]: Refreshing state... [id=subnet-0c4eafaee809354d4]

module.vpc.aws_vpn_gateway.this[0]: Refreshing state... [id=vgw-0190a2e5cfb6d816d]

module.vpc.aws_internet_gateway.this[0]: Refreshing state... [id=igw-0349b1eb71363cdff]

module.vpc.aws_subnet.database[1]: Refreshing state... [id=subnet-01b359d50e3da0f52]

module.vpc.aws_subnet.database[0]: Refreshing state... [id=subnet-0e337be4ce2bea3f1]

module.vpc.aws_subnet.database[2]: Refreshing state... [id=subnet-0a33e9e0ccba1dd23]

module.vpc.aws_route_table.public[0]: Refreshing state... [id=rtb-07651ed2a630e257b]

module.vpc.aws_route_table.private[0]: Refreshing state... [id=rtb-07abb17d21c8c4ccb]

data.aws_ecr_repository.db_import: Refreshing state... [id=db_import]

aws_ecs_task_definition.db_import: Refreshing state... [id=dev-db-import]

aws_security_group.ingress_api: Refreshing state... [id=sg-0b18f6976b95b234d]

aws_service_discovery_service.ingress_api: Refreshing state... [id=srv-vjwbzhno67p2ntmn]

aws_service_discovery_service.risk_api: Refreshing state... [id=srv-vnkl5rvoemv3cqyo]

aws_service_discovery_service.shap_api: Refreshing state... [id=srv-6k65574rfmx7x67r]

module.vpc.aws_nat_gateway.this[0]: Refreshing state... [id=nat-063d166765d4ab62f]

module.vpc.aws_route_table_association.public[1]: Refreshing state... [id=rtbassoc-024e24cc01fa11d32]

module.vpc.aws_route_table_association.public[2]: Refreshing state... [id=rtbassoc-0e7b1a0269e12ec69]

module.vpc.aws_route_table_association.public[0]: Refreshing state... [id=rtbassoc-03965f0514cd8e930]

module.vpc.aws_route.public_internet_gateway[0]: Refreshing state... [id=r-rtb-07651ed2a630e257b1080289494]

module.vpc.aws_db_subnet_group.database[0]: Refreshing state... [id=dev]

module.vpc.aws_route_table_association.private[2]: Refreshing state... [id=rtbassoc-0f03659c5637e4050]

module.vpc.aws_route_table_association.private[0]: Refreshing state... [id=rtbassoc-01a27df5561005412]

module.vpc.aws_route_table_association.private[1]: Refreshing state... [id=rtbassoc-06aedb9f95677c4fb]

module.vpc.aws_route_table_association.database[2]: Refreshing state... [id=rtbassoc-0ca3e38c985427eb9]

module.vpc.aws_route_table_association.database[1]: Refreshing state... [id=rtbassoc-07e6340d32f72080b]

module.vpc.aws_route_table_association.database[0]: Refreshing state... [id=rtbassoc-01dd02724b6dd1575]

aws_lb.test[0]: Refreshing state... [id=arn:aws:elasticloadbalancing:eu-west-1:BBBBBBBB:loadbalancer/app/dev-api/6dc84583dc0943f7]

aws_security_group.rds: Refreshing state... [id=sg-07f348afe66f58d44]

aws_security_group.shap_api: Refreshing state... [id=sg-00f9e040b70efb44a]

aws_security_group.risk_api: Refreshing state... [id=sg-0d99178f4d97a9233]

aws_db_subnet_group.default[0]: Refreshing state... [id=dev-medscheme-cluster]

module.vpc.aws_route.private_nat_gateway[0]: Refreshing state... [id=r-rtb-07abb17d21c8c4ccb1080289494]

aws_appmesh_virtual_node.shap_api: Refreshing state... [id=64c5b3de-ace1-4dbc-b1ee-7c3aeb69b725]

aws_appmesh_virtual_node.risk_api: Refreshing state... [id=a65a920d-2e71-43bf-ac22-39d10cf7e950]

module.vpn_gateway.aws_vpn_gateway_attachment.default[0]: Refreshing state... [id=vpn-attachment-9e8127a8]

module.vpn_gateway.aws_vpn_gateway_route_propagation.private_subnets_vpn_routing[1]: Refreshing state... [id=vgw-0190a2e5cfb6d816d_rtb-07651ed2a630e257b]

module.vpn_gateway.aws_vpn_gateway_route_propagation.private_subnets_vpn_routing[0]: Refreshing state... [id=vgw-0190a2e5cfb6d816d_rtb-07651ed2a630e257b]

module.vpn_gateway.aws_vpn_gateway_route_propagation.private_subnets_vpn_routing[2]: Refreshing state... [id=vgw-0190a2e5cfb6d816d_rtb-07651ed2a630e257b]

aws_appmesh_virtual_service.shap_api: Refreshing state... [id=2c726302-d21e-4d03-9ffc-02c02edf2d4e]

aws_appmesh_virtual_service.risk_api: Refreshing state... [id=3505a5c3-86eb-4347-8a4e-b6a1cdbaaf61]

module.ecs_cluster_ingress_api.module.autoscaling_group.aws_launch_configuration.this[0]: Refreshing state... [id=dev-ingress-api-20200825115401145200000002]

aws_rds_cluster.default[0]: Refreshing state... [id=dev-medscheme-cluster]

aws_appmesh_route.shap_api: Refreshing state... [id=98b42f01-fd8e-4c3a-8e7e-4180cd2878b1]

aws_appmesh_route.risk_api: Refreshing state... [id=3a1f492a-86d7-46c7-9111-1b76ce3626ab]

module.ecs_cluster_shap_api.module.autoscaling_group.aws_launch_configuration.this[0]: Refreshing state... [id=dev-shap-api-20200825115401149700000003]

aws_ecs_task_definition.shap_api: Refreshing state... [id=ml_shap_api]

module.ecs_cluster_risk_api.module.autoscaling_group.aws_launch_configuration.this[0]: Refreshing state... [id=dev-risk-api-20200825115401139900000001]

aws_ecs_task_definition.risk_api: Refreshing state... [id=ml_risk_score_api]

aws_appmesh_virtual_node.ingress_api: Refreshing state... [id=3a18a351-c65a-48d2-bab5-ad10ecdc3847]

aws_ssm_parameter.rds_port[0]: Refreshing state... [id=/dev/rds/port]

aws_ssm_parameter.rds_endpoint[0]: Refreshing state... [id=/dev/rds/host]

module.ecs_cluster_ingress_api.module.autoscaling_group.aws_autoscaling_group.this[0]: Refreshing state... [id=dev-ingress-api-20200206071552457600000002]

module.ecs_cluster_shap_api.module.autoscaling_group.aws_autoscaling_group.this[0]: Refreshing state... [id=dev-shap-api-20200206161215901800000004]

module.ecs_cluster_risk_api.module.autoscaling_group.aws_autoscaling_group.this[0]: Refreshing state... [id=dev-risk-api-20200206071552457400000001]

aws_appmesh_virtual_service.ingress_api: Refreshing state... [id=857930b9-ee39-4566-95d6-85a6277d9b42]

aws_ecs_task_definition.ingress_api: Refreshing state... [id=ml_ingress_api]

aws_iam_role_policy_attachment.ecs_task_execution: Refreshing state... [id=dev_ecsTaskExecutionRole-20200117090628182200000003]

module.ecs_cluster_ingress_api.aws_autoscaling_policy.cluster[0]: Refreshing state... [id=dev-ingress-api]

module.ecs_cluster_shap_api.aws_autoscaling_policy.cluster[0]: Refreshing state... [id=dev-shap-api]

module.ecs_cluster_risk_api.aws_autoscaling_policy.cluster[0]: Refreshing state... [id=dev-risk-api]

Error: error getting S3 Bucket (dev-excmgmtprod-datasets) ACL: AccessDenied: Access Denied

status code: 403, request id: 8QT2YSYX71836S3X, host id: twdaYiJVI3X4r9u6OatQXRJhs5mngW6Gq7IpH49TTvszl302AcWgScIjs7WrbY75Vm0CtoS7RoE=

Error: error reading SQS Queue (https://sqs.eu-west-1.amazonaws.com/BBBBBBBB/dev_dead_letter): AccessDenied: Access to the resource https://sqs.eu-west-1.amazonaws.com/ is denied.

status code: 403, request id: bd8eeb47-95ab-5f93-a048-b2b8a3bdc190

Error: error reading S3 Bucket (dev-medscheme-data): Forbidden: Forbidden

status code: 403, request id: FYMVEPRT0TFPE4YW, host id: f38lmYkLEk5i6knjes/n+8m5/TtRg0g8ihcJfZWAbq9JR78ayoEdrqAdHfjH/cM+0YkQg8T9WxM=

Error: InvalidParameterException: Identifier is for 1BBBBBBBB. Your accountId is AAAAAAAAAA

Error: error retrieving ALB (arn:aws:elasticloadbalancing:eu-west-1:BBBBBBBB:loadbalancer/app/dev-api/6dc84583dc0943f7): ValidationError: 'arn:aws:elasticloadbalancing:eu-west-1:BBBBBBBB:loadbalancer/app/dev-api/6dc84583dc0943f7' is not a valid load balancer ARN

status code: 400, request id: 63e0725d-d8bd-4833-97c8-4356998a5f0c

Error: InvalidParameterException: Identifier is for BBBBBBBB. Your accountId is AAAAAAAAAA

Error: InvalidParameterException: Identifier is for BBBBBBBB. Your accountId is AAAAAAAAAA

Error: InvalidParameterException: Identifier is for BBBBBBBB. Your accountId is AAAAAAAAAA

Error: Error finding CustomerGateway: cgw-060a36000acac7f1a

Error: No certificate for domain "api.dev.XXXXXX.XXXXXX.XX" found in this region

on lb.tf line 41, in data "aws_acm_certificate" "lb_certificate":

41: data "aws_acm_certificate" "lb_certificate" {

Releasing state lock. This may take a few moments...

module.ecs_cluster_risk_api.module.autoscaling_group.aws_launch_configuration.this[0]: Refreshing state... [id=dev-risk-api-20200825115401139900000001]

aws_ecs_task_definition.risk_api: Refreshing state... [id=ml_risk_score_api]

aws_appmesh_virtual_node.ingress_api: Refreshing state... [id=3a18a351-c65a-48d2-bab5-ad10ecdc3847]

aws_ssm_parameter.rds_port[0]: Refreshing state... [id=/dev/rds/port]

aws_ssm_parameter.rds_endpoint[0]: Refreshing state... [id=/dev/rds/host]

module.ecs_cluster_ingress_api.module.autoscaling_group.aws_autoscaling_group.this[0]: Refreshing state... [id=dev-ingress-api-20200206071552457600000002]

module.ecs_cluster_shap_api.module.autoscaling_group.aws_autoscaling_group.this[0]: Refreshing state... [id=dev-shap-api-20200206161215901800000004]

module.ecs_cluster_risk_api.module.autoscaling_group.aws_autoscaling_group.this[0]: Refreshing state... [id=dev-risk-api-20200206071552457400000001]

aws_appmesh_virtual_service.ingress_api: Refreshing state... [id=857930b9-ee39-4566-95d6-85a6277d9b42]

aws_ecs_task_definition.ingress_api: Refreshing state... [id=ml_ingress_api]

aws_iam_role_policy_attachment.ecs_task_execution: Refreshing state... [id=dev_ecsTaskExecutionRole-20200117090628182200000003]

module.ecs_cluster_ingress_api.aws_autoscaling_policy.cluster[0]: Refreshing state... [id=dev-ingress-api]

module.ecs_cluster_shap_api.aws_autoscaling_policy.cluster[0]: Refreshing state... [id=dev-shap-api]

module.ecs_cluster_risk_api.aws_autoscaling_policy.cluster[0]: Refreshing state... [id=dev-risk-api]

Error: error getting S3 Bucket (dev-excmgmtprod-datasets) ACL: AccessDenied: Access Denied

status code: 403, request id: 8QT2YSYX71836S3X, host id: twdaYiJVI3X4r9u6OatQXRJhs5mngW6Gq7IpH49TTvszl302AcWgScIjs7WrbY75Vm0CtoS7RoE=

Error: error reading SQS Queue (https://sqs.eu-west-1.amazonaws.com/BBBBBBBB/dev_dead_letter): AccessDenied: Access to the resource https://sqs.eu-west-1.amazonaws.com/ is denied.

status code: 403, request id: bd8eeb47-95ab-5f93-a048-b2b8a3bdc190

Error: error reading S3 Bucket (dev-medscheme-data): Forbidden: Forbidden

status code: 403, request id: FYMVEPRT0TFPE4YW, host id: f38lmYkLEk5i6knjes/n+8m5/TtRg0g8ihcJfZWAbq9JR78ayoEdrqAdHfjH/cM+0YkQg8T9WxM=

Error: InvalidParameterException: Identifier is for 1BBBBBBBB. Your accountId is AAAAAAAAAA

Error: error retrieving ALB (arn:aws:elasticloadbalancing:eu-west-1:BBBBBBBB:loadbalancer/app/dev-api/6dc84583dc0943f7): ValidationError: 'arn:aws:elasticloadbalancing:eu-west-1:BBBBBBBB:loadbalancer/app/dev-api/6dc84583dc0943f7' is not a valid load balancer ARN

status code: 400, request id: 63e0725d-d8bd-4833-97c8-4356998a5f0c

Error: InvalidParameterException: Identifier is for BBBBBBBB. Your accountId is AAAAAAAAAA

Error: InvalidParameterException: Identifier is for BBBBBBBB. Your accountId is AAAAAAAAAA

Error: InvalidParameterException: Identifier is for BBBBBBBB. Your accountId is AAAAAAAAAA

Error: Error finding CustomerGateway: cgw-060a36000acac7f1a

Error: No certificate for domain "api.dev.XXXXXX.XXXXXX.XX" found in this region

on lb.tf line 41, in data "aws_acm_certificate" "lb_certificate":

41: data "aws_acm_certificate" "lb_certificate" {

Releasing state lock. This may take a few moments...

Each of the modules you see with providers may be declaring a new instance of that provider. Unfortunately here Terraform could not validate the use of providers within modules until 1.0, so you are going to need to manually audit their use.

If any module has an empty provider block, or a provider block that contains only an alias, it must have a provider configuration passed in from the parent module in the providers map. Failure to pass in a provider will create a new provider instance within the module. Any providers with versions declared within their provider block must be changed to use required_providers within the terraform configuration block. If the only reason for the provider block was to declare the version, then that block should be removed from the configuration. The idea here is that all providers should only be configured from the root module, so that you have control over what configuration every provider instance is using.

It’s also possible that the providers were expecting to get all their configuration information from the environment, in which case you may be able to use a combination of the standard environment variables and ~/.aws/credentials entries used by the AWS SDK, and only override certain cases within the configuration. That may be the easiest direction to try in order to get to v1.0 where Terraform can give you more direct feedback about how the providers are configured within modules.

Once you are on v1.0 you should no longer have provider blocks within modules, and provider versions and names within modules are declared solely by required_providers blocks.
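The layout described in the reply above, as an added example that is not part of the original thread or the poster's project: every provider is configured in the root module, and a module is pointed at the second account through the providers map. The profile names, the `account_b` alias and the `./modules/queues` module are assumptions; the region is taken from the ARNs in the plan output.

```hcl
# Root module (added example; profile names, alias and module path are assumptions).
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}

# Default configuration: the account reported as "Your accountId" in the errors.
provider "aws" {
  region  = "eu-west-1"
  profile = "account-a" # hypothetical entry in ~/.aws/credentials
}

# Second configuration for the account named in "Identifier is for ...".
provider "aws" {
  alias   = "account_b"
  region  = "eu-west-1"
  profile = "account-b" # hypothetical
}

# Confirm which account each configuration actually authenticates to.
data "aws_caller_identity" "default" {}

data "aws_caller_identity" "account_b" {
  provider = aws.account_b
}

output "provider_accounts" {
  value = {
    default   = data.aws_caller_identity.default.account_id
    account_b = data.aws_caller_identity.account_b.account_id
  }
}

# A module whose resources live in the second account receives that
# configuration as its default "aws" provider. Without this map the module
# inherits the root default configuration.
module "queues" {
  source = "./modules/queues" # hypothetical module
  providers = {
    aws = aws.account_b
  }
}

# modules/queues/versions.tf then holds only a terraform { required_providers { ... } }
# block like the one at the top of this file, and no provider block of its own.
```

A single resource in the root module selects the second configuration with the `provider = aws.account_b` meta-argument, in the same way the data source does here.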

Thanks, I’ll see what I can do.