search

gruntwork-io / terragrunt

Terragrunt is a flexible orchestration tool that allows Infrastructure as Code written in OpenTofu/Terraform to scale.
https://terragrunt.gruntwork.io/
MIT License
8.04k stars 975 forks source link

Remote state backend S3 without logging and encryption enabled #1444

Closed marlovil closed 3 years ago

marlovil commented 3 years ago

When creating the remote stat backend S3 bucket, encryption and logging are disabled. There is no way to activate it using terragrunt init command.

Terraform version: 0.13.5 Terragrun version: 0.26.7

Configuration:

remote_state {
  backend = "s3"
  config = {
    profile        = "profile-1"
    bucket         = "project-terraform-tfstate"
    region         = "eu-west-1"
    encrypt        = true
    dynamodb_table = "project-terraform-lock"
    key            = "${path_relative_to_include()}/terraform.tfstate"
  }
}

The AWS profile profile-1 has Administrator access level.

The output is:

[terragrunt] [/code/terraform/config/sbx] 2020/11/26 11:23:54 Running command: terraform --version
[terragrunt] 2020/11/26 11:23:54 Terraform version: 0.13.5
[terragrunt] 2020/11/26 11:23:54 Reading Terragrunt config file at /code/terraform/config/sbx/terragrunt.hcl
[terragrunt] 2020/11/26 11:23:54 Downloading Terraform configurations from file:///code/terraform/infra into /code/terraform/config/sbx/.terragrunt-cache/0uk-3B3OSXwYbdVujtlm-F9bmLM/_BPNiew1AseQc_HizNT4G_GYXb8
[terragrunt] 2020/11/26 11:23:54 Copying files from /code/terraform/config/sbx into /code/terraform/config/sbx/.terragrunt-cache/0uk-3B3OSXwYbdVujtlm-F9bmLM/_BPNiew1AseQc_HizNT4G_GYXb8/infra-envs
[terragrunt] 2020/11/26 11:23:54 Setting working directory to /code/terraform/config/sbx/.terragrunt-cache/0uk-3B3OSXwYbdVujtlm-F9bmLM/_BPNiew1AseQc_HizNT4G_GYXb8/infra-envs
[terragrunt] 2020/11/26 11:23:54 Initializing remote state for the s3 backend
[terragrunt] 2020/11/26 11:23:54 [terragrunt]  Remote state S3 bucket project-terraform-tfstate does not exist or you don't have permissions to access it. Would you like Terragrunt to create it? (y/n) 
y
[terragrunt] 2020/11/26 11:23:57 Create S3 bucket with retry project-terraform-tfstate
[terragrunt] 2020/11/26 11:23:57 Creating S3 bucket project-terraform-tfstate
[terragrunt] 2020/11/26 11:23:58 Created S3 bucket project-terraform-tfstate
[terragrunt] 2020/11/26 11:23:58 Waiting for bucket project-terraform-tfstate to be created
[terragrunt] 2020/11/26 11:23:58 S3 bucket project-terraform-tfstate created.
[terragrunt] 2020/11/26 11:23:58 Enabling root access to S3 bucket project-terraform-tfstate
[terragrunt] 2020/11/26 11:23:58 Create S3 bucket with retry project-terraform-tfstate returned an error: InvalidClientTokenId: The security token included in the request is invalid.
    status code: 403, request id: 8903df34-f51c-44f9-b556-3bc45604a342. Sleeping for 10s and will try again.
[terragrunt] 2020/11/26 11:24:08 Create S3 bucket with retry project-terraform-tfstate
[terragrunt] 2020/11/26 11:24:08 Creating S3 bucket project-terraform-tfstate
[terragrunt] 2020/11/26 11:24:09 Looks like you're already creating bucket project-terraform-tfstate at the same time. Will not attempt to create it again.
[terragrunt] 2020/11/26 11:24:09 Waiting for bucket project-terraform-tfstate to be created
[terragrunt] 2020/11/26 11:24:09 S3 bucket project-terraform-tfstate created.
[terragrunt] 2020/11/26 11:24:09 WARNING: Versioning is not enabled for the remote state S3 bucket project-terraform-tfstate. We recommend enabling versioning so that you can roll back to previous versions of your Terraform state in case of error.
[terragrunt] 2020/11/26 11:24:09 Running command: terraform init -backend-config=key=sbx/terraform.tfstate -backend-config=region=eu-west-1 -backend-config=bucket=project-terraform-tfstate -backend-config=profile=platform-global -backend-config=dynamodb_table=project-terraform-lock -backend-config=encrypt=true

Initializing the backend...

Initializing provider plugins...
- Using previously-installed hashicorp/aws v3.17.0

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

This issue is similar to: https://github.com/gruntwork-io/terragrunt/issues/1369

brikis98 commented 3 years ago

In your logs, I see:

[terragrunt] 2020/11/26 11:23:58 Create S3 bucket with retry project-terraform-tfstate returned an error: InvalidClientTokenId: The security token included in the request is invalid.
    status code: 403, request id: 8903df34-f51c-44f9-b556-3bc45604a342. Sleeping for 10s and will try again.

Some issue with how you're authenticating perhaps?

marlovil commented 3 years ago

Hi @brikis98!

Tanks for your question. The profile we used to deploy the infra belongs to Administrator user group. The S3 bucket was created successfully. The only thing that doesn't work is enable versioning and encryption. We've finally enabled both options via console (with the same user). In fact, with the same user, we've deployed other S3 buckets enabling versioning and encryption without any problem.

Thanks!

brikis98 commented 3 years ago

Ah, if the same user is working now, then it may have been a timing issue, where the creds you were using just happened to expire on that first run. I believe "The security token included in the request is invalid" does show up for expired creds. Sounds like this is resolved, so marking as closed.

marlovil commented 3 years ago

Hi!

Thanks @brikis98. But I don't think it was a temporary issue. I have been trying this several times during two different days. Only failed on the first time terragrunt init is executed. On the other side, it makes no sense that the init was able to create the bucket but not to enable logging and encryption.

Anyway, thanks for your support. If this issue happens again in another account/environment I will let you know.

nsvijay04b1 commented 3 years ago

//reopen

Not sure why this is closed with reason of permission issue? it is still open. I have EC2 instance profile which has all admin access.

terragrunt creates remote state bucket without versioning and without encryption enabled where as by default both should be done.

versions terragrunt version v0.26.7 Terraform v0.13.5

config

remote_state { backend = "s3" config = { encrypt = true bucket = "${get_env("PROJECT_NAME", "")}-${get_env("FLAVOR", "")}-remotestate-${local.account_name}-${local.aws_region}" key = "${path_relative_to_include()}/terraform.tfstate" region = local.aws_region dynamodb_table = "terraform-locks" s3_bucket_tags = { managedby = "Terragrunt" env = "${get_env("PROJECT_NAME", "")}-${get_env("FLAVOR", "")}" } dynamodb_table_tags = { env = "dev" managedby = "Terragrunt" env = "${get_env("PROJECT_NAME", "")}-${get_env("FLAVOR", "")}" } } generate = { path = "backend.tf" if_exists = "overwrite" } }

nsvijay04b1 commented 3 years ago

//reopen please

marlovil commented 3 years ago

Hi @brikis98.

Seems that @nsvijay04b1 has the same problem. Could we reopen the issue, please?

Thanks!

nsvijay04b1 commented 3 years ago

Apologies .. Deleted the bucket and ran terragrunt again. I see versioning enabled and encryption enabled with default KMS key ( AWS Key Management Service key (SSE-KMS)) . Thanks.

My mistake to ask to reopen. please, confirm if there is a way to ask for AES256 , the default S3 managed key for encryption than managing KMS master key.