terraform-aws-modules / terraform-aws-atlantis

Terraform module to deploy Atlantis on AWS Fargate 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/atlantis/aws
Apache License 2.0
520 stars 351 forks

Issues with ACM Certificate Validation Timeout and ECS Service Creation Due to Target Group Association #398

Closed genfemme closed 8 months ago

genfemme commented 8 months ago

Description

Hello,

I'm encountering two issues when using the terraform-aws-modules/atlantis/aws module version 4.2.0 in my Terraform configuration. My environment is set up in AWS region eu-west-1.

  1. ACM Certificate Validation Timeout: The first issue is related to the ACM certificate validation process timing out. Despite ensuring that the DNS validation records are correctly configured in my DNS service, the certificate remains in the 'PENDING_VALIDATION' state, eventually leading to a timeout error.

    Error Message:

    ```
    Error: waiting for ACM Certificate (arn:aws:acm:eu-west-1:211373502290:certificate/5d8248db-bdee-4d1b-8990-1043490656c4) to be issued: timeout while waiting for state to become 'ISSUED' (last state: 'PENDING_VALIDATION', timeout: 1h15m0s)
      with module.atlantis.module.acm.aws_acm_certificate_validation.this[0],
      on .terraform/modules/atlantis.acm/main.tf line 64, in resource "aws_acm_certificate_validation" "this":
      64: resource "aws_acm_certificate_validation" "this" {
    ```

  2. ECS Service Creation Failure Due to Target Group Association: The second issue arises when creating the ECS service, where it fails due to the target group not being associated with a load balancer, despite the module being responsible for creating and managing these resources.

    Error Message:

    ```
    Error: creating ECS Service (atlantis): InvalidParameterException: The target group with targetGroupArn arn:aws:elasticloadbalancing:eu-west-1:211373502290:targetgroup/atlantis/a69972a206c93a63 does not have an associated load balancer.
      with module.atlantis.module.ecs_service.aws_ecs_service.this[0],
      on .terraform/modules/atlantis.ecs_service/modules/service/main.tf line 29, in resource "aws_ecs_service" "this":
      29: resource "aws_ecs_service" "this" {
    ```

Versions

Reproduction Code [Required]

Steps to reproduce the behavior:

  1. Configure the module with the necessary inputs.
  2. Run terragrunt apply

Expected behavior

The ACM certificate validation completes successfully, and the ECS service is created without issues, with the target group being correctly associated with the load balancer.

Actual behavior

Encountered the above-mentioned errors, preventing successful resource creation and module execution.

Any assistance or guidance on resolving these issues would be greatly appreciated.

genfemme commented 8 months ago

@here

genfemme commented 8 months ago

Please can someone help with this?

genfemme commented 8 months ago

@bryantbiggs @semantic-release-bot @nitrocode @dynamike Any ideas?

antonbabenko commented 8 months ago

Without any reproduction code we can't do or say much. There is something wrong in your configuration apparently.

genfemme commented 8 months ago

@antonbabenko
This is the code that I am using to deploy Atlantis. Could you please provide guidance or identify what might be misconfigured in my setup?

```hcl
module "atlantis" {
  source  = "terraform-aws-modules/atlantis/aws"
  version = "4.2.0"
  name    = "atlantis"

  enable_efs              = true
  service_subnets         = ["subnet-xxxxxx", "subnet-yyyyyy"]
  vpc_id                  = "vpc-aaaaaaa"
  alb_subnets             = ["subnet-bbbbbb", "subnet-cccccc"]
  route53_zone_id         = "ZXXXXXXXXXXXXX"
  certificate_domain_name = "example.com"

  atlantis = {
    environment = [
      {
        name  = "ATLANTIS_GH_USER"
        value = "mygithubuser"
      },
      {
        name  = "ATLANTIS_REPO_ALLOWLIST"
        value = "github.com/myorg/*"
      },
      {
        name  = "atlantis_image"
        value = "customimage:tag"
      },
    ]

    secrets = [
      {
        name      = "ATLANTIS_GH_TOKEN"
        valueFrom = "arn:aws:secretsmanager:region:account-id:secret:token"
      },
      {
        name      = "ATLANTIS_GH_WEBHOOK_SECRET"
        valueFrom = "arn:aws:secretsmanager:region:account-id:secret:webhook"
      },
    ]
  }

  alb = {
    https_listener_authenticate_oidc = {
      issuer                              = "https://accounts.google.com"
      token_endpoint                      = "https://oauth2.googleapis.com/token"
      user_info_endpoint                  = "https://openidconnect.googleapis.com/v1/userinfo"
      authorization_endpoint              = "https://accounts.google.com/o/oauth2/v2/auth"
      authentication_request_extra_params = {}
      client_id                           = "client-id"
      client_secret                       = "client-secret"
      ssl_policy                          = "ELBSecurityPolicy-2021-06"
      allow_unauthenticated_access        = true
      allow_github_webhooks               = true
    }
  }

  service = {
    cpu             = 1024
    ecs_task_memory = 2048
  }

  tags = {
    Environment = "dev"
    Terraform   = "true"
  }
}
```

genfemme commented 8 months ago

Sharing an update on the ACM Certificate Validation Timeout issue. The validation process has successfully completed as of half an hour ago.

While the validation took longer than expected, it eventually resolved without further intervention.

This resolved the ECS service creation error as well.
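
A check that fits the `PENDING_VALIDATION` timeout reported in this thread, added here as an example and not part of the thread or the module: it compares the CNAMEs ACM expects for DNS validation with what a public resolver actually returns. The certificate JSON and record names are constructed placeholders shaped like `aws acm describe-certificate` output, and the function names and resolver address are assumptions.

```python
import json
import subprocess

# Constructed sample shaped like `aws acm describe-certificate` output; all values are placeholders.
SAMPLE = json.loads("""
{"Certificate": {"Status": "PENDING_VALIDATION", "DomainValidationOptions": [
 {"DomainName": "example.com", "ValidationStatus": "PENDING_VALIDATION",
  "ResourceRecord": {"Name": "_aaa111.example.com.", "Type": "CNAME",
                     "Value": "_bbb222.acm-validations.aws."}},
 {"DomainName": "*.example.com", "ValidationStatus": "PENDING_VALIDATION",
  "ResourceRecord": {"Name": "_aaa111.example.com.", "Type": "CNAME",
                     "Value": "_bbb222.acm-validations.aws."}},
 {"DomainName": "atlantis.example.com", "ValidationStatus": "PENDING_VALIDATION",
  "ResourceRecord": {"Name": "_ccc333.atlantis.example.com.", "Type": "CNAME",
                     "Value": "_ddd444.acm-validations.aws."}},
 {"DomainName": "new.example.com", "ValidationStatus": "PENDING_VALIDATION"}
]}}
""")


def _norm(name):
    """DNS names are case-insensitive and may or may not carry the root dot."""
    return name.strip().rstrip(".").lower()


def dig_lookup(name, resolver="1.1.1.1"):
    """CNAME targets as seen by a public resolver; ACM validates over public DNS."""
    out = subprocess.run(["dig", "+short", "CNAME", name, f"@{resolver}"],
                         capture_output=True, text=True, check=False).stdout
    return out.split()


def check_validation(describe, lookup=dig_lookup):
    """Return {record_name: status} for every domain on the certificate."""
    results = {}
    for opt in describe["Certificate"]["DomainValidationOptions"]:
        rec = opt.get("ResourceRecord")
        if rec is None:  # ACM has not generated the record yet
            results[opt["DomainName"]] = "no-record-yet"
            continue
        name, want = _norm(rec["Name"]), _norm(rec["Value"])
        if name in results:  # apex and wildcard share one CNAME
            continue
        got = {_norm(t) for t in lookup(rec["Name"])}
        results[name] = "ok" if want in got else ("mismatch" if got else "missing")
    return results


if __name__ == "__main__":
    # Offline demo: a constructed resolver that knows no records at all.
    print(check_validation(SAMPLE, lambda name: []))
```

A `missing` or `mismatch` result points at the DNS side (for example, records written to a zone that is not the publicly delegated one), while `ok` on every record means the remaining wait is on ACM itself.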

github-actions[bot] commented 7 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.