Terraform Cloud Project Bootcamp with Andrew Brown — Week 1 Validation

Gwen Leigh
4 min read · Oct 8, 2023


This article is part of my Terraform journey with Terraform Bootcamp by Andrew Brown and Andrew Bayko with Chris Williams and Shala.

My wild career adventure into cloud computing continues with the Andrews, and I highly, highly recommend that you come join us if you are interested. Check out the Andrews’ free YouTube learning content. You can also buy some paid courses here to support their good cause.

Agenda

Video here: Cloud Project Validation Week 1

Workflow

  • ✅ 1) Run validator & Permission errors
  • ✅ 1–1) Troubleshoot: set up permissions
  • ✅ 2) Run validator & DomainName and Invalidation errors
  • ✅ 2–1) Troubleshoot: fix domainName and add invalidations
  • ✅ 3) Pass the validation and be happy 🍷✨

1. Run validator & Permission errors

My first run was brutal. One thing I forgot to do was step 3, which requires some manual setup.

1–1. Troubleshoot: set up permissions

Step 3 offers two options: either

  • Generate a command
  • Generate a CloudFormation stack template.

Both options do the same thing; it’s up to you whether to run the command in a terminal or to upload the template file manually in the AWS console.

In my case, I ran into the error “Stack [ExamProValidation] already exists”. You may run into this if you didn’t clean up the resources after the validation for Week 0. I manually removed the relevant resources, then created the stack using the template file on the AWS CloudFront console.

Manually created the ExamProValidation stack. Make sure the creation is complete and successful.

For your reference, this is the set of policies granted to the Validator role in the cross account permissions operation we performed through the ExamProValidation stack.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cloudfront:ListDistributions",
        "cloudfront:GetDistribution",
        "cloudfront:ListInvalidations",
        "cloudfront:ListCloudFrontOriginAccessIdentities",
        "cloudfront:GetCloudFrontOriginAccessIdentity",
        "cloudfront:GetCloudFrontOriginAccessIdentityConfig",
        "cloudfront:GetOriginAccessControl",
        "cloudfront:ListOriginAccessControls"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "s3:HeadBucket",
        "s3:GetBucketNotification",
        "s3:GetBucketPolicy",
        "s3:GetBucketCors",
        "s3:GetBucketWebsite",
        "s3:GetObject",
        "s3:HeadObject",
        "s3:GetObjectAcl",
        "s3:GetBucketPublicAccessBlock"
      ],
      "Resource": [
        "arn:aws:s3:::nomadiachi-in-terratown-bucket/*",
        "arn:aws:s3:::nomadiachi-in-terratown-bucket"
      ],
      "Effect": "Allow"
    }
  ]
}
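Before handing a third party cross-account access like this, it is worth checking that the policy really is read-only and as narrowly scoped as the service allows. The script below is an added example and is not part of the original post or of the bootcamp's tooling: it parses a policy document, drops repeated statements (the policy above lists the s3:ListAllMyBuckets statement twice), and reports any Allow action whose verb is not read-only and any action granted on Resource "*" that could have been scoped to an ARN. The read-only verb prefixes and the set of "account-wide" actions are assumptions of this check, not lists published by AWS, and SAMPLE_POLICY is a constructed copy of the policy's shape with a placeholder bucket name.

```python
"""Least-privilege review of a cross-account validator policy (added example)."""
from __future__ import annotations

import json

# Assumption: verbs with these prefixes cannot change state.
READ_ONLY_PREFIXES = ("Get", "List", "Head", "Describe")

# Assumption: these calls take no resource ARN, so "*" is the only
# sensible Resource for them and they are not reported as over-broad.
ACCOUNT_WIDE_ACTIONS = {
    "s3:ListAllMyBuckets",
    "cloudfront:ListDistributions",
    "cloudfront:ListCloudFrontOriginAccessIdentities",
    "cloudfront:ListOriginAccessControls",
}

# Constructed sample mirroring the shape of the Validator role policy;
# the bucket name is a placeholder.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["s3:ListAllMyBuckets"], "Resource": "*", "Effect": "Allow"},
        {"Action": ["s3:ListAllMyBuckets"], "Resource": "*", "Effect": "Allow"},
        {"Action": [
            "cloudfront:ListDistributions", "cloudfront:GetDistribution",
            "cloudfront:ListInvalidations",
            "cloudfront:ListCloudFrontOriginAccessIdentities",
            "cloudfront:GetCloudFrontOriginAccessIdentity",
            "cloudfront:GetCloudFrontOriginAccessIdentityConfig",
            "cloudfront:GetOriginAccessControl",
            "cloudfront:ListOriginAccessControls"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": [
            "s3:HeadBucket", "s3:GetBucketNotification", "s3:GetBucketPolicy",
            "s3:GetBucketCors", "s3:GetBucketWebsite", "s3:GetObject",
            "s3:HeadObject", "s3:GetObjectAcl", "s3:GetBucketPublicAccessBlock"],
         "Resource": ["arn:aws:s3:::example-terratown-bucket/*",
                      "arn:aws:s3:::example-terratown-bucket"],
         "Effect": "Allow"},
    ],
})


def _as_list(value):
    """IAM allows a bare string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def normalise(policy_json: str) -> list[dict]:
    """Parse a policy and give every statement sorted Action/Resource lists."""
    doc = json.loads(policy_json)
    if doc.get("Version") != "2012-10-17":
        raise ValueError(f"unexpected policy Version: {doc.get('Version')!r}")
    return [
        {
            "Effect": st["Effect"],
            "Action": sorted(_as_list(st["Action"])),
            "Resource": sorted(_as_list(st["Resource"])),
        }
        for st in _as_list(doc["Statement"])
    ]


def dedupe(statements: list[dict]) -> list[dict]:
    """Remove statements that repeat an earlier one after normalisation."""
    seen = set()
    unique = []
    for st in statements:
        key = json.dumps(st, sort_keys=True)
        if key not in seen:
            seen.add(key)
            unique.append(st)
    return unique


def is_read_only(action: str) -> bool:
    """True for verbs such as s3:GetObject; False for s3:PutObject or s3:*."""
    _service, _, verb = action.partition(":")
    return verb.startswith(READ_ONLY_PREFIXES)


def audit(policy_json: str) -> dict:
    """Return the review findings for one policy document."""
    statements = normalise(policy_json)
    unique = dedupe(statements)
    findings = {
        "duplicates_removed": len(statements) - len(unique),
        "non_read_only": [],
        "wildcard_resource": [],
    }
    for st in unique:
        if st["Effect"] != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        for action in st["Action"]:
            if not is_read_only(action):
                findings["non_read_only"].append(action)
            if "*" in st["Resource"] and action not in ACCOUNT_WIDE_ACTIONS:
                findings["wildcard_resource"].append(action)
    return findings


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_POLICY), indent=2))
```

Run against the sample, the check reports one duplicate removed, no state-changing actions, and a handful of CloudFront Get/ListInvalidations calls granted on "*" that CloudFront can scope to a distribution ARN; whether that tightening is worth the friction is a judgement call, but it is the kind of item to record before approving the stack.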

2. Run validator & DomainName and Invalidation errors

With the permissions in place, I ran the Validator again. The results improved, but my work still failed to pass. I had the following two problems:

  • CF distribution’s DomainName value does NOT equal the expected value.
  • Invalidations were not found.

2–1. Troubleshoot: fix domainName and add invalidations

My domain name is missing the region in the URL, whereas the expected value includes it. I compared my resource-cdn.tf configuration against Andrew’s and found the following:

  • The bucket name has to be the “regional” domain name, so I modified bucket_domain_name to bucket_regional_domain_name:

resource "aws_cloudfront_distribution" "s3_distribution" {
  origin {
-   domain_name = aws_s3_bucket.website_bucket.bucket_domain_name
+   domain_name = aws_s3_bucket.website_bucket.bucket_regional_domain_name
    ...
  }
}

I tried terraform plan & terraform apply to implement the change on top of the existing stack. However, that did not update domain_name to the bucket_regional_domain_name value, so I did terraform destroy & terraform apply again.
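To see what the validator is actually comparing, it helps to replay its two checks locally before spending another run. The script below is an added example, not the bootcamp validator's own code. It assumes the validator expects the CloudFront origin DomainName to be the bucket's regional S3 endpoint (bucket.s3.<region>.amazonaws.com, the value Terraform exposes as aws_s3_bucket.<name>.bucket_regional_domain_name, taken here to be region-qualified for every region) and that at least one invalidation must exist. It goes slightly beyond the post by naming the likely cause when the origin is the global endpoint, the wrong bucket, or the wrong region. BEFORE_*/AFTER_* are constructed records shaped like CloudFront GetDistribution and ListInvalidations responses, and the bucket name, region and invalidation id are placeholders.

```python
"""Local replay of the two Week 1 validator checks (added example)."""
from __future__ import annotations

import re

BUCKET_RE = r"(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
# Global endpoint, what bucket_domain_name yields: <bucket>.s3.amazonaws.com
GLOBAL_RE = re.compile(rf"^{BUCKET_RE}\.s3\.amazonaws\.com$")
# Regional endpoint, what bucket_regional_domain_name yields (assumption:
# always region-qualified): <bucket>.s3.<region>.amazonaws.com
REGIONAL_RE = re.compile(
    rf"^{BUCKET_RE}\.s3\.(?P<region>[a-z]{{2}}(?:-[a-z]+)+-\d)\.amazonaws\.com$"
)


def expected_origin_domain(bucket: str, region: str) -> str:
    """The DomainName the validator is assumed to expect for the origin."""
    return f"{bucket}.s3.{region}.amazonaws.com"


def check_origin_domain(actual: str, bucket: str, region: str) -> list[str]:
    """Compare one origin DomainName with the regional form and explain the gap."""
    expected = expected_origin_domain(bucket, region)
    if actual == expected:
        return []
    problems = [f"DomainName {actual!r} does NOT equal expected {expected!r}"]
    if GLOBAL_RE.match(actual):
        problems.append(
            "origin uses the global S3 endpoint; set domain_name to "
            "aws_s3_bucket.<name>.bucket_regional_domain_name"
        )
    m = REGIONAL_RE.match(actual)
    if m and m["bucket"] != bucket:
        problems.append(f"origin points at bucket {m['bucket']!r}, not {bucket!r}")
    if m and m["region"] != region:
        problems.append(f"origin region {m['region']!r} differs from {region!r}")
    return problems


def check_invalidations(invalidation_list: dict) -> list[str]:
    """The validator wants evidence that the cache was invalidated at least once."""
    if not invalidation_list.get("Items"):
        return ["Invalidations were not found"]
    return []


def validate(distribution: dict, invalidation_list: dict,
             bucket: str, region: str) -> list[str]:
    """Run both checks over a distribution record; an empty list means PASS."""
    problems: list[str] = []
    for origin in distribution["DistributionConfig"]["Origins"]["Items"]:
        problems += check_origin_domain(origin["DomainName"], bucket, region)
    problems += check_invalidations(invalidation_list)
    return problems


BUCKET, REGION = "example-terratown-bucket", "us-east-1"  # placeholders

# Constructed: state before the fix (global endpoint, no invalidations yet)
BEFORE_DIST = {"DistributionConfig": {"Origins": {"Items": [
    {"Id": "s3-origin", "DomainName": f"{BUCKET}.s3.amazonaws.com"}]}}}
BEFORE_INVALIDATIONS = {"Items": []}

# Constructed: state after the fix (regional endpoint, one invalidation)
AFTER_DIST = {"DistributionConfig": {"Origins": {"Items": [
    {"Id": "s3-origin", "DomainName": f"{BUCKET}.s3.{REGION}.amazonaws.com"}]}}}
AFTER_INVALIDATIONS = {"Items": [{"Id": "IPLACEHOLDER", "Status": "Completed"}]}

if __name__ == "__main__":
    for label, dist, inv in (("before", BEFORE_DIST, BEFORE_INVALIDATIONS),
                             ("after", AFTER_DIST, AFTER_INVALIDATIONS)):
        print(label, validate(dist, inv, BUCKET, REGION) or ["PASS"])
```

Feeding it the real records (the output of aws cloudfront get-distribution and aws cloudfront list-invalidations for your distribution id) instead of the constructed ones turns it into a cheap pre-flight for the paid validator runs.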

I should generate a domain_name looking like above to pass the validation.
The terraform code update successfully modified the Origin domain!
I also have many, many invalidations!

3. Pass the validation and be happy 🍷✨

It took me a total of 8 runs (thank goodness, we were given plenty for week 1. For week 0, we had been given only 7 runs total!).

And I passed it. Now on to the Week 2 game!

Voilà! I fixed all the problems and finally passed the validation!

Resources

Bootcamp


Gwen Leigh

Cloud Engineer to be. Actively building my profile, network and experience in the cloud space.