You are the guy from Udemy! Great job with this tutorial, you saved my thesis 🤖
This is a fantastic video! Thank you so much for making a clear, concise, end-to-end guide. Quick info to anyone following this now. With the new layout on 06:59, you have to click the "Access" tab, followed by "Grant access" (yellow button on right), before you can select roles.
Awesome demo, Skrypnyk, I wanted to see exactly a walkthrough like that before diving deep into building one myself!
Glad that you liked it :)
Thank you for the feedback.
Will continue soon preparing more interesting videos.
Great video. Thanks a lot for taking the time to create it.
Thank you, Alfredo! Appreciate your feedback, it really motivates me to move forward.
If you have any suggestions on what else you want to see on this channel, they are always welcome :)
It's a wonderful explanation. Thank you so much, sir.
Great walkthrough! Thanks for posting this.
Can you please demo from the beginning how to create a Control Tower Landing Zone, and with what IAM user?
Well done :)
I'm getting an error with AWS permissions. I'm not sure what I'm missing.
module.aft.module.aft_account_request_framework.data.aws_iam_policy.AWSLambdaVPCAccessExecutionRole: Refresh complete after 0s [id=arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole]
╷
│ Error: configuring Terraform AWS Provider: IAM Role (arn:aws:iam::xxxxxxxxx3:role/AWSControlTowerExecution) cannot be assumed.
│
│ There are a number of possible causes of this - the most common are:
│ * The credentials used in order to assume the role are invalid
│ * The credentials do not have appropriate permission to assume the role
│ * The role ARN is not valid
│
│ AWS Error: operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: 7f33036a-1489-498e-add8-dcc1cd24a8fd, api error AccessDenied: User: arn:aws:iam::xxxxxxxx8:user/terraform.cloud is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxxxxx3:role/AWSControlTowerExecution
│
│
│ with module.aft.provider["registry.terraform.io/hashicorp/aws"].tf_backend_secondary_region,
│ on .terraform/modules/aft/providers.tf line 28, in provider "aws":
│ 28: provider "aws" {
│
╵
Operation failed: failed running terraform plan (exit 1)
The user I'm using is an admin, but I've also got a policy specifically for AssumeRole:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::xxxxxxxxx3:role/AWSControlTowerExecution"
        }
    ]
}
Can you please make another video for configuring Control Tower?
Thanks
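A cross-account sts:AssumeRole needs two policies to agree: the caller's identity-based policy (like the one posted above) and the trust policy attached to the target role in the other account, and a 403 AccessDenied looks the same whichever half is missing. The following is an added example, not code from the video or the AFT module: a deliberately simplified model of that two-sided check run over constructed sample policies with placeholder account ids (111111111111, 222222222222, 333333333333 are assumptions, the thread's real ids are masked).

```python
# Simplified, constructed model of cross-account AssumeRole: the caller's identity policy
# AND the role's trust policy must both allow it; ignores conditions, SCPs, session policies.
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _evaluate(statements, matches):
    """IAM-style outcome: explicit Deny wins, no matching statement is an implicit deny."""
    allowed = False
    for stmt in statements:
        if not matches(stmt):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def identity_policy_allows(policy, action, resource_arn):
    """Caller side: does the identity-based policy allow `action` on `resource_arn`?"""
    def matches(stmt):
        return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", [])))
                and any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt.get("Resource", []))))
    return _evaluate(_as_list(policy["Statement"]), matches)

def trust_policy_allows(trust_policy, caller_arn):
    """Role side: does the trust policy name the caller, its account (root), or '*'?"""
    account_id = caller_arn.split(":")[4]
    accepted = {"*", caller_arn, account_id, f"arn:aws:iam::{account_id}:root"}
    def matches(stmt):
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        return ("sts:AssumeRole" in _as_list(stmt.get("Action", []))
                and any(p in accepted for p in principals))
    return _evaluate(_as_list(trust_policy["Statement"]), matches)

def check_assume_role(caller_arn, identity_policy, role_arn, trust_policy):
    """Return (ok, reason); a 403 AccessDenied can come from either half."""
    if not identity_policy_allows(identity_policy, "sts:AssumeRole", role_arn):
        return False, "caller's identity policy does not allow sts:AssumeRole on the role"
    if not trust_policy_allows(trust_policy, caller_arn):
        return False, "role's trust policy does not trust the caller or its account"
    return True, "both halves allow the call"

# Constructed sample data with placeholder account ids (not the thread's masked ones).
CALLER = "arn:aws:iam::111111111111:user/terraform.cloud"
ROLE = "arn:aws:iam::222222222222:role/AWSControlTowerExecution"
IDENTITY_POLICY = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE}]}
TRUST_OTHER_ACCOUNT = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "arn:aws:iam::333333333333:root"}}]}
TRUST_CALLER_ACCOUNT = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}]}
```

With TRUST_OTHER_ACCOUNT the identity side passes but the trust side fails, which is the case an identity-policy-only fix cannot repair; with TRUST_CALLER_ACCOUNT both halves agree.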
Did you manage to use S3 as a Terraform state backend? It does create the necessary buckets and DynamoDB table but stores the state file locally.
When trying to migrate, I don't seem to have permission to write to the bucket in the AFT management account from the root/Control Tower account.
How do you resolve this error?
error configuring Terraform AWS Provider: IAM Role (arn:aws:iam::xxxxxxxxx375:role/AWSControlTowerExecution) cannot be assumed.
│
│ There are a number of possible causes of this - the most common are:
│ * The credentials used in order to assume the role are invalid
│ * The credentials do not have appropriate permission to assume the role
│ * The role ARN is not valid
I've assumed roles for each account under my "ct_management" user profile, but I'm still having the same error.
Fixed it, realized it was an issue with my credentials when calling aws sts get-caller-identity.
Creds were correct but I still had issues running the next steps; ended up deleting the credentials file and re-configuring my AWS credentials locally to get Terraform working properly.
I have tried exactly what you did by referring to the HashiCorp blog. Everything worked fine, but I couldn't create the accounts.
So, the third requirement (pre-installed landing zone) can't be created from Terraform? Because I am looking for information about this but I don't find anything...
any idea?
That's right, you do it in the AWS Console.