Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

No output from terraform on MacOS #74

Open
hammopau opened this issue Nov 26, 2023 · 7 comments
Open

No output from terraform on MacOS #74

hammopau opened this issue Nov 26, 2023 · 7 comments

Comments

@hammopau
Copy link

Hi,

Apologies for raising as issue as its (hopefully) just a simple question.

I'm running on MacOS with:

  • Sononma 14.1
  • Terraform v1.5.0
  • provider registry.terraform.io/hashicorp/aws v5.4.0
  • Custom/non-default AWS CLI profile

I'm getting no response from iamlive executing Terraform based interactions with AWS. AWS CLI is fine.

The Terraform code in question is just simple test (copying AMIs).

I've tried running:

  1. iamlive in one terminal tab, with TF executed in a different tab (iamlive --set-ini --profile personal --output-file policy.json --refresh-rate 1 --sort-alphabetical)
  2. iamlive running in background, with TF executed in same tab (iamlive --set-ini --profile personal --refresh-rate 1 --sort-alphabetical)

What am I doing wrong...?
@iann0036
Copy link
Owner

Hey @hammopau,

Terraform doesn't always support the AWS SDK settings. Instead, try running iamlive in proxy mode with --mode proxy in your iamlive terminal and in your Terraform terminal set the SDK proxy settings:

export HTTP_PROXY=http://127.0.0.1:10080
export HTTPS_PROXY=http://127.0.0.1:10080
export AWS_CA_BUNDLE=~/.iamlive/ca.pem

@hammopau
Copy link
Author

Hi,

No joy I'm afraid.

After setting the above vars before starting iamlive in one shell & then before executing TF in another, I get an error due to missing CA in the configured location.

Planning failed. Terraform encountered an error while generating this plan.

Plan:

│ Error: configuring Terraform AWS Provider: loading configuration: open ~/.iamlive/ca.pem: no such file or directory

│ with provider["registry.terraform.io/hashicorp/aws"],
│ on terraform.tf line 11, in provider "aws":
│ 11: provider "aws" {

Init:
Initializing the backend...

Initializing provider plugins...

  • Reusing previous version of hashicorp/aws from the dependency lock file

    │ Error: Failed to query available provider packages

    │ Could not retrieve the list of available versions for provider hashicorp/aws: could not connect to registry.terraform.io: failed to request discovery document: Get
    │ "https://registry.terraform.io/.well-known/terraform.json": proxyconnect tcp: dial tcp 127.0.0.1:10080: connect: connection refused

If the file needs to be populated, I'm assuming this would be the public cert CA chain for the APIs - pls confirm. Any guidence on how to get this as all docs found so far only cover Private CA & ACM chains, not the public facing APIs...?

@wernerdiers
Copy link

Hey, running on mac here.

You could add this helper function to your ~/.zshrc file (then run: source ~/.zshrc) in order to do the setup faster.

iamlive-exec() {
  # https://github.com/iann0036/iamlive
  action=$1
  shift
  extra_args="$@" # Remaining arguments
  
  export IAMLIVE_HOME="${HOME}/.iamlive" ;
  export IAMLIVE_PROXY_PORT="10080" ;
  export IAMLIVE_OUTPUT_POLICY_FILE="iamlive_policy.json " ;
  export IAMLIVE_CA_KEY="${HOME}/.iamlive/ca.key" ;
  export IAMLIVE_CA_PEM="${HOME}/.iamlive/ca.pem" ;

  if [ -z "${action}" ]; then
    echo -e "[INFO] - Parameter action is missing: [create, terraform, listen, unset]" 
  else
    if [ "${action}" = 'create' ]; then
      echo -e "[INFO] - Creating IAMLIVE files"
      mkdir -p $IAMLIVE_HOME ;
      echo -e "[INFO] - IAMLIVE_HOME: $IAMLIVE_HOME"

      echo -e "[INFO] - Creating CA .key file. IAMLIVE_CA_KEY: $IAMLIVE_CA_KEY"
      openssl genrsa -out $IAMLIVE_CA_KEY 2048 ;

      echo -e "[INFO] - Creating CA .pem self-signed file. IAMLIVE_CA_PEM: $IAMLIVE_CA_PEM"
      openssl req -new \
      -x509 \
      -days "3650" \
      -key $IAMLIVE_CA_KEY \
      -out $IAMLIVE_CA_PEM \
      -subj "/C=IL/O=rootCaOrg" ;
    fi

    if [ "${action}" = 'terraform' ]; then
      echo -e "[INFO] - Exporting env vars" ;
      
      echo -e "[INFO] - export HTTP_PROXY=http://127.0.0.1:$IAMLIVE_PROXY_PORT"
      export HTTP_PROXY="http://127.0.0.1:$IAMLIVE_PROXY_PORT" ;
      
      echo -e "[INFO] - export HTTPS_PROXY=http://127.0.0.1:$IAMLIVE_PROXY_PORT"
      export HTTPS_PROXY="http://127.0.0.1:$IAMLIVE_PROXY_PORT" ;
      
      echo -e "[INFO] - export IAMLIVE_CA_KEY="$IAMLIVE_HOME/ca.key""
      export IAMLIVE_CA_KEY="$IAMLIVE_HOME/ca.key" ;
      
      echo -e "[INFO] - export IAMLIVE_CA_PEM=$IAMLIVE_HOME/ca.pem"
      export IAMLIVE_CA_PEM="$IAMLIVE_HOME/ca.pem" ;
      
      echo -e "[INFO] - export AWS_CA_BUNDLE=$IAMLIVE_HOME/ca.pem"
      export AWS_CA_BUNDLE="$IAMLIVE_HOME/ca.pem" ;
    fi

    if [ "${action}" = 'listen' ]; then
      # --force-wildcard-resource
      command="iamlive --set-ini --mode proxy --output-file $IAMLIVE_OUTPUT_POLICY_FILE --refresh-rate 1 --sort-alphabetical --bind-addr 127.0.0.1:$IAMLIVE_PROXY_PORT --ca-bundle $IAMLIVE_CA_PEM --ca-key $IAMLIVE_CA_KEY $extra_args" ;
      echo -e "[INFO] - Starting iamlive in PROXY mode\n$command" ;
      eval $command 
    fi

    if [ "${action}" = 'unset' ]; then
      for envvar in HTTP_PROXY HTTPS_PROXY IAMLIVE_PROXY_PORT IAMLIVE_HOME IAMLIVE_CA_KEY IAMLIVE_CA_PEM IAMLIVE_OUTPUT_POLICY_FILE AWS_CA_BUNDLE 
      do
        echo -e "[INFO] - Un-setting $envvar env var" ;
        unset $envvar ;
      done
    fi
  fi
}

Then

  • On the terminal session that will run iamlive in listening mode:
❯ iamlive-exec create
❯ iamlive-exec listen
  • On the terminal session that will run terraform commands you do:
❯ iamlive-exec terraform
[INFO] - Exporting env vars
[INFO] - export HTTP_PROXY=http://127.0.0.1:10080
[INFO] - export HTTPS_PROXY=http://127.0.0.1:10080
[INFO] - export IAMLIVE_CA_KEY=/Users/myuser/.iamlive/ca.key
[INFO] - export IAMLIVE_CA_PEM=/Users/myuser/.iamlive/ca.pem
[INFO] - export AWS_CA_BUNDLE=/Users/myuser/.iamlive/ca.pem
  

❯ iamlive-exec unset ; terraform init -upgrade ; iamlive-exec terraform
[INFO] - Un-setting HTTP_PROXY env var
[INFO] - Un-setting HTTPS_PROXY env var
[INFO] - Un-setting IAMLIVE_PROXY_PORT env var
[INFO] - Un-setting IAMLIVE_HOME env var
[INFO] - Un-setting IAMLIVE_CA_KEY env var
[INFO] - Un-setting IAMLIVE_CA_PEM env var
[INFO] - Un-setting IAMLIVE_OUTPUT_POLICY_FILE env var
[INFO] - Un-setting AWS_CA_BUNDLE env var

Initializing the backend...
Upgrading modules...
- efs in modules/TF_AWS_EFS

Initializing provider plugins...
- Finding hashicorp/aws versions matching "~> 4.0"...
- Finding hashicorp/random versions matching "~> 3.1"...
- Installing hashicorp/random v3.6.0...
- Installed hashicorp/random v3.6.0 (signed by HashiCorp)
- Installing hashicorp/aws v4.67.0...
- Installed hashicorp/aws v4.67.0 (signed by HashiCorp)

Terraform has made some changes to the provider dependency selections recorded
in the .terraform.lock.hcl file. Review those changes and commit them to your
version control system if they represent changes you intended to make.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
[INFO] - Exporting env vars
[INFO] - export HTTP_PROXY=http://127.0.0.1:10080
[INFO] - export HTTPS_PROXY=http://127.0.0.1:10080
[INFO] - export IAMLIVE_CA_KEY=/Users/myuser/.iamlive/ca.key
[INFO] - export IAMLIVE_CA_PEM=/Users/myuser/.iamlive/ca.pem
[INFO] - export AWS_CA_BUNDLE=/Users/myuser/.iamlive/ca.pem

❯ terraform apply
...
...

@avazula
Copy link

avazula commented Feb 23, 2024

Hey @wernerdiers, that util script is awesome, thanks!

However when I follow your steps (though I run terraform plan before apply) nothing happens and my terminal hangs. I have to kill it manually.
I suspect it may be because:

  • Multiple accounts are declared in my code
  • In lieu of access and secret keys, I use IAM Identity Center.

Do you concur with this analysis? Or perhaps do you see where I'm going wrong?

I'm on mac too, installed iamlive with brew. Terraform version is 1.7.1.

@wernerdiers
Copy link

@avazula I had to use an IAM user, it seems that (at least at that time) IAM Identity Center (SSO) credentials were not supported

@avazula
Copy link

avazula commented Feb 29, 2024

Thanks @wernerdiers, I'll try with an IAM user.

@Speeddymon
Copy link

Speeddymon commented Jul 31, 2024
edited
Loading

I'm also seeing this trying to use proxy mode for terragrunt (terraform) with Azure.

iamlive --provider azure

export ARM_CLIENT_ID=<my-client-id>
export ARM_CLIENT_SECRET=<my-secret>
export ARM_SUBSCRIPTION_ID=<my-subscription-id>
export ARM_TENANT_ID=<my-tenant-id>
export HTTP_PROXY=http://127.0.0.1:10080
export HTTPS_PROXY=http://127.0.0.1:10080
export REQUESTS_CA_BUNDLE=~/.iamlive/ca.pem
terragrunt run-all plan

There is no output in iamlive and the command hangs indefinitely. Terragrunt makes use of Terraform under the hood, and therefore the Azure SDKs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@Speeddymon @iann0036 @wernerdiers @avazula @hammopau