No output from terraform on MacOS

[hammopau]

Hi,

Apologies for raising as issue as its (hopefully) just a simple question.

I'm running on MacOS with:

• Sononma 14.1
• Terraform v1.5.0
• provider registry.terraform.io/hashicorp/aws v5.4.0
• Custom/non-default AWS CLI profile

I'm getting no response from iamlive executing Terraform based interactions with AWS. AWS CLI is fine.

The Terraform code in question is just simple test (copying AMIs).

I've tried running:

1. iamlive in one terminal tab, with TF executed in a different tab (iamlive --set-ini --profile personal --output-file policy.json --refresh-rate 1 --sort-alphabetical)
2. iamlive running in background, with TF executed in same tab (iamlive --set-ini --profile personal --refresh-rate 1 --sort-alphabetical)

What am I doing wrong...?

[iann0036]

Hey @hammopau,

Terraform doesn't always support the AWS SDK settings. Instead, try running iamlive in proxy mode with --mode proxy in your iamlive terminal and in your Terraform terminal set the SDK proxy settings:

export HTTP_PROXY=http://127.0.0.1:10080
export HTTPS_PROXY=http://127.0.0.1:10080
export AWS_CA_BUNDLE=~/.iamlive/ca.pem

[hammopau]

Hi,

No joy I'm afraid.

After setting the above vars before starting iamlive in one shell & then before executing TF in another, I get an error due to missing CA in the configured location.

Planning failed. Terraform encountered an error while generating this plan.

Plan:
╷
│ Error: configuring Terraform AWS Provider: loading configuration: open ~/.iamlive/ca.pem: no such file or directory
│
│ with provider["registry.terraform.io/hashicorp/aws"],
│ on terraform.tf line 11, in provider "aws":
│ 11: provider "aws" {
│
╵

Init:
Initializing the backend...

Initializing provider plugins...

• Reusing previous version of hashicorp/aws from the dependency lock file
  ╷
  │ Error: Failed to query available provider packages
  │
  │ Could not retrieve the list of available versions for provider hashicorp/aws: could not connect to registry.terraform.io: failed to request discovery document: Get
  │ "https://registry.terraform.io/.well-known/terraform.json": proxyconnect tcp: dial tcp 127.0.0.1:10080: connect: connection refused
  ╵

If the file needs to be populated, I'm assuming this would be the public cert CA chain for the APIs - pls confirm. Any guidence on how to get this as all docs found so far only cover Private CA & ACM chains, not the public facing APIs...?

[wernerdiers]

Hey, running on mac here.

You could add this helper function to your ~/.zshrc file (then run: source ~/.zshrc) in order to do the setup faster.

iamlive-exec() {
  # https://github.com/iann0036/iamlive
  action=$1
  shift
  extra_args="$@" # Remaining arguments
  
  export IAMLIVE_HOME="${HOME}/.iamlive" ;
  export IAMLIVE_PROXY_PORT="10080" ;
  export IAMLIVE_OUTPUT_POLICY_FILE="iamlive_policy.json " ;
  export IAMLIVE_CA_KEY="${HOME}/.iamlive/ca.key" ;
  export IAMLIVE_CA_PEM="${HOME}/.iamlive/ca.pem" ;

  if [ -z "${action}" ]; then
    echo -e "[INFO] - Parameter action is missing: [create, terraform, listen, unset]" 
  else
    if [ "${action}" = 'create' ]; then
      echo -e "[INFO] - Creating IAMLIVE files"
      mkdir -p $IAMLIVE_HOME ;
      echo -e "[INFO] - IAMLIVE_HOME: $IAMLIVE_HOME"

      echo -e "[INFO] - Creating CA .key file. IAMLIVE_CA_KEY: $IAMLIVE_CA_KEY"
      openssl genrsa -out $IAMLIVE_CA_KEY 2048 ;

      echo -e "[INFO] - Creating CA .pem self-signed file. IAMLIVE_CA_PEM: $IAMLIVE_CA_PEM"
      openssl req -new \
      -x509 \
      -days "3650" \
      -key $IAMLIVE_CA_KEY \
      -out $IAMLIVE_CA_PEM \
      -subj "/C=IL/O=rootCaOrg" ;
    fi

    if [ "${action}" = 'terraform' ]; then
      echo -e "[INFO] - Exporting env vars" ;
      
      echo -e "[INFO] - export HTTP_PROXY=http://127.0.0.1:$IAMLIVE_PROXY_PORT"
      export HTTP_PROXY="http://127.0.0.1:$IAMLIVE_PROXY_PORT" ;
      
      echo -e "[INFO] - export HTTPS_PROXY=http://127.0.0.1:$IAMLIVE_PROXY_PORT"
      export HTTPS_PROXY="http://127.0.0.1:$IAMLIVE_PROXY_PORT" ;
      
      echo -e "[INFO] - export IAMLIVE_CA_KEY="$IAMLIVE_HOME/ca.key""
      export IAMLIVE_CA_KEY="$IAMLIVE_HOME/ca.key" ;
      
      echo -e "[INFO] - export IAMLIVE_CA_PEM=$IAMLIVE_HOME/ca.pem"
      export IAMLIVE_CA_PEM="$IAMLIVE_HOME/ca.pem" ;
      
      echo -e "[INFO] - export AWS_CA_BUNDLE=$IAMLIVE_HOME/ca.pem"
      export AWS_CA_BUNDLE="$IAMLIVE_HOME/ca.pem" ;
    fi

    if [ "${action}" = 'listen' ]; then
      # --force-wildcard-resource
      command="iamlive --set-ini --mode proxy --output-file $IAMLIVE_OUTPUT_POLICY_FILE --refresh-rate 1 --sort-alphabetical --bind-addr 127.0.0.1:$IAMLIVE_PROXY_PORT --ca-bundle $IAMLIVE_CA_PEM --ca-key $IAMLIVE_CA_KEY $extra_args" ;
      echo -e "[INFO] - Starting iamlive in PROXY mode\n$command" ;
      eval $command 
    fi

    if [ "${action}" = 'unset' ]; then
      for envvar in HTTP_PROXY HTTPS_PROXY IAMLIVE_PROXY_PORT IAMLIVE_HOME IAMLIVE_CA_KEY IAMLIVE_CA_PEM IAMLIVE_OUTPUT_POLICY_FILE AWS_CA_BUNDLE 
      do
        echo -e "[INFO] - Un-setting $envvar env var" ;
        unset $envvar ;
      done
    fi
  fi
}

Then

• On the terminal session that will run iamlive in listening mode:

❯ iamlive-exec create
❯ iamlive-exec listen

• On the terminal session that will run terraform commands you do:

❯ iamlive-exec terraform
[INFO] - Exporting env vars
[INFO] - export HTTP_PROXY=http://127.0.0.1:10080
[INFO] - export HTTPS_PROXY=http://127.0.0.1:10080
[INFO] - export IAMLIVE_CA_KEY=/Users/myuser/.iamlive/ca.key
[INFO] - export IAMLIVE_CA_PEM=/Users/myuser/.iamlive/ca.pem
[INFO] - export AWS_CA_BUNDLE=/Users/myuser/.iamlive/ca.pem
  

❯ iamlive-exec unset ; terraform init -upgrade ; iamlive-exec terraform
[INFO] - Un-setting HTTP_PROXY env var
[INFO] - Un-setting HTTPS_PROXY env var
[INFO] - Un-setting IAMLIVE_PROXY_PORT env var
[INFO] - Un-setting IAMLIVE_HOME env var
[INFO] - Un-setting IAMLIVE_CA_KEY env var
[INFO] - Un-setting IAMLIVE_CA_PEM env var
[INFO] - Un-setting IAMLIVE_OUTPUT_POLICY_FILE env var
[INFO] - Un-setting AWS_CA_BUNDLE env var

Initializing the backend...
Upgrading modules...
- efs in modules/TF_AWS_EFS

Initializing provider plugins...
- Finding hashicorp/aws versions matching "~> 4.0"...
- Finding hashicorp/random versions matching "~> 3.1"...
- Installing hashicorp/random v3.6.0...
- Installed hashicorp/random v3.6.0 (signed by HashiCorp)
- Installing hashicorp/aws v4.67.0...
- Installed hashicorp/aws v4.67.0 (signed by HashiCorp)

Terraform has made some changes to the provider dependency selections recorded
in the .terraform.lock.hcl file. Review those changes and commit them to your
version control system if they represent changes you intended to make.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
[INFO] - Exporting env vars
[INFO] - export HTTP_PROXY=http://127.0.0.1:10080
[INFO] - export HTTPS_PROXY=http://127.0.0.1:10080
[INFO] - export IAMLIVE_CA_KEY=/Users/myuser/.iamlive/ca.key
[INFO] - export IAMLIVE_CA_PEM=/Users/myuser/.iamlive/ca.pem
[INFO] - export AWS_CA_BUNDLE=/Users/myuser/.iamlive/ca.pem

❯ terraform apply
...
...

[avazula]

Hey @wernerdiers, that util script is awesome, thanks!

However when I follow your steps (though I run terraform plan before apply) nothing happens and my terminal hangs. I have to kill it manually.
I suspect it may be because:

• Multiple accounts are declared in my code
• In lieu of access and secret keys, I use IAM Identity Center.

Do you concur with this analysis? Or perhaps do you see where I'm going wrong?

I'm on mac too, installed iamlive with brew. Terraform version is 1.7.1.

[wernerdiers]

@avazula I had to use an IAM user, it seems that (at least at that time) IAM Identity Center (SSO) credentials were not supported

[avazula]

Thanks @wernerdiers, I'll try with an IAM user.