Using OOS as a Remote Backend #363
Comments
Hi @cvedia-mdsol, thanks for reaching us, we are looking at your issue. Best regards, |
@cvedia-mdsol you can disable that behaviour
|
From a security point of view, it is a best practice to use the standard AWS CLI env vars to store your secrets (AK/SK):
With those additional env vars:
I found two advantages:
Warning: it does not handle tfstate locking; parallel executions of terraform apply could be a problem |
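A check for the practice recommended in the comment above, as an added example that is not part of the original thread: it scans Terraform source for credentials written as literals in the `backend "s3"` and `provider "outscale"` blocks. The helper names and sample configurations are constructed for illustration, and the key values are placeholders.

```python
import re

# Credential-bearing attributes of the two blocks discussed in this thread.
SECRET_ATTRS = {
    'backend "s3"': {"access_key", "secret_key", "token"},
    'provider "outscale"': {"access_key_id", "secret_key_id"},
}

def block_bodies(hcl, header):
    """Yield the body of every `header { ... }` block by matching braces."""
    for m in re.finditer(re.escape(header) + r"\s*\{", hcl):
        depth, i = 1, m.end()
        while i < len(hcl) and depth:
            depth += {"{": 1, "}": -1}.get(hcl[i], 0)
            i += 1
        yield hcl[m.end():i - 1]

def hardcoded_secrets(hcl):
    """Return sorted (block, attribute) pairs set to a quoted literal."""
    findings = set()
    for header, attrs in SECRET_ATTRS.items():
        for body in block_bodies(hcl, header):
            for line in body.splitlines():
                # Anchored match: commented-out lines and var.* references do not match.
                m = re.match(r'\s*(\w+)\s*=\s*"([^"]*)"', line)
                if m and m.group(1) in attrs and "${" not in m.group(2):
                    findings.add((header, m.group(1)))
    return sorted(findings)

# Constructed sample: keys pasted into the backend block (placeholder values).
LEAKY = '''
terraform {
  backend "s3" {
    bucket     = "tf"
    endpoint   = "https://oos.eu-west-2.outscale.com"
    region     = "eu-west-2"
    access_key = "AK_PLACEHOLDER"
    secret_key = "SK_PLACEHOLDER"
  }
}
provider "outscale" {
  access_key_id = var.access_key_id
  secret_key_id = var.secret_key_id
}
'''
# Constructed sample: same backend with both literals removed (env vars or a profile supply them).
CLEAN = re.sub(r'\n\s*(access|secret)_key = "[^"]*"', "", LEAKY)
if __name__ == "__main__":
    print(hardcoded_secrets(LEAKY), hardcoded_secrets(CLEAN))
```

The brace matcher is deliberately simple and assumes no unbalanced braces inside string values; it is a pre-commit style check, not a full HCL parser.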
@ArnaultMICHEL thanks for the feedback. I typically do not include Secret or Key information directly in the configuration YAML. It was added for the example to keep things less complex for reporting purposes. We usually at least make use of Environmental Variables as declared. Currently, looking to use the OOS bucket as a means to keep a better handle on State. Confirmed use of S3 works fine with a quick reference switch so curious on the requirements for connectivity to OOS. As you mentioned, still need to see what services are available with Outscale to help lock the state. |
Hi @pavloos. Thanks for sharing. I ran tests using the parameters you've mentioned and received the following:
Using the region my account is set up in, "us-east-2":
Response: Error refreshing state: BucketRegionError: incorrect region, the bucket is not in 'us-east-2' region at endpoint '', bucket is in 'us-east-1' region
Using the region "us-east-1" due to the previous response:
Response: Error refreshing state: InvalidAccessKeyId: The AWS Access Key Id you provided does not exist in our records.
All other resources have been in "us-east-2", not sure why the 1st response is received. Example below.
|
To use S3, you need to change the profile parameter; it must be your AWS profile, something like ~/.aws/credentials |
@MMege6317 I have the profile configured under my profile (~/.aws/credentials). Re-included my config files below. I have no issues connecting and using S3 for storing state. Problem is using Outscale's version of S3 called OOS. Credentials file
Config file
Outscale supports the same AWS CLI commands, but by default these commands are directed to the AWS APIs, so endpoint references are used for issuing commands, for example. -To List Buckets- So to switch from using AWS to Outscale for state in Terraform, I change my profile name then also add an 'endpoint'. Similar to how it is done with this provider (as an example) https://registry.terraform.io/providers/FlexibleEngineCloud/flexibleengine/latest/docs/guides/remote-state-backend |
@outscale-toa have there been any additional updates from the team on this since the request was made? Is the provided endpoint referenced correct? I believe there are other endpoints, like for FCU and EIM, so I want to make sure. |
@outscale-toa following up to see if there have been any additional updates on this that can be shared. |
@outscale-toa want to follow up on this again to see if there has been anything additional. Having this supported using Outscale OOS would help serve as a centralized location for state within the same platform |
hello,

```hcl
terraform {
  required_providers {
    outscale = {
      source  = "outscale/outscale"
      version = ">= 0.11.0"
    }
  }
  backend "s3" {
    bucket   = "tf"
    endpoint = "https://oos.eu-west-2.outscale.com"
    key      = "terraform.tfstate"
    profile  = "default"
    region   = "eu-west-2"
    # below options make it work just fine
    skip_credentials_validation = true
    skip_region_validation      = true
  }
}

provider "outscale" {
  access_key_id = var.access_key_id
  secret_key_id = var.secret_key_id
  region        = "eu-west-2"
}

resource "outscale_volume" "s3-test" {
  subregion_name = "eu-west-2a"
  size           = 10
}
```

with my profile looking like this:

```
$ ls ~/.aws
credentials
[default]
aws_access_key_id = <ACCESS_KEY>
aws_secret_access_key = <SECRET_KEY>
```

And it seems to work. So I don't really understand your problems, do you have a conflict with different profiles? I've tested using:

```
curl -X GET https://oos.eu-west-2.outscale.com/tf/terraform.tfstate --aws-sigv4 "aws:amz:eu-west-2:s3" --user "$AK:$SK"
```

Which shows me the terraform state. |
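The curl test in the comment above authenticates with AWS Signature Version 4. The following added example (not part of the original thread; `sigv4_get` is a hypothetical helper, and the keys and timestamp are constructed placeholders) builds the same kind of signed GET offline and shows that the region and service are bound into the credential scope and signing key, so a request signed for one region does not carry a valid signature for another.

```python
import hashlib
import hmac
from urllib.parse import quote, urlparse

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sigv4_get(url, access_key, secret_key, region, amz_date, service="s3"):
    """Return signed headers for a GET with an empty body and no query string."""
    u = urlparse(url)
    body_hash = hashlib.sha256(b"").hexdigest()
    headers = {"host": u.netloc, "x-amz-content-sha256": body_hash,
               "x-amz-date": amz_date}
    signed = ";".join(sorted(headers))
    canonical_request = "\n".join([
        "GET",
        quote(u.path or "/", safe="/"),
        "",  # canonical query string (none in this example)
        "".join(f"{k}:{headers[k]}\n" for k in sorted(headers)),
        signed,
        body_hash,
    ])
    # The credential scope binds the signature to one day, region and service.
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    # Signing key: HMAC chain over date, region, service, "aws4_request".
    key = ("AWS4" + secret_key).encode()
    for part in scope.split("/"):
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed}, Signature={signature}")
    return headers

# Constructed inputs: placeholder keys and a fixed timestamp so output is repeatable.
URL = "https://oos.eu-west-2.outscale.com/tf/terraform.tfstate"
ARGS = ("AK_PLACEHOLDER", "SK_PLACEHOLDER")
DATE = "20240101T000000Z"

if __name__ == "__main__":
    for region in ("eu-west-2", "us-east-1"):
        print(region, sigv4_get(URL, *ARGS, region, DATE)["authorization"])
```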
Current Terraform Version
Use-cases
Terraform would create a State file within a local path by default but when attempting to work with various team members, it would be better to have state available in a remote space that can be retrieved by each member as needed.
Options to do this would be to use a Remote Data Store (such as Terraform Cloud, AWS S3, Azure Blob Storage, etc). Since our provisioning is happening within Outscale, would prefer to use OOS.
Attempted Solutions
Tried to connect to OOS using a bucket we've created but have been unable to connect. Because of this, I have raised a case in GitHub (see references).
response
code
Proposal
I am able to successfully perform other actions against OOS such as (create/delete buckets & upload/download objects) but have to do so through the proper endpoint based on the region of my account.
The endpoint does not seem to be able to confirm my identity when the call is made through Terraform. Would be useful if we can pass our Profile configuration detail on the connection attempt so that we can use the reference name to pass sensitive information like ('access key' and 'secret key').
References
GitHub Bug: raised due to feedback when attempting to connect with OOS as a remote backend:
#359