Terraform Plan Step | Variable Substitution Not Working - AWS Service Role EC2 Instance

(Martin Woods) #1

Hi,

GOAL

Under Process, when using Terraform Plan Step > AWS Account, where we have Execute using the AWS service role for an EC2 instance set to No, we’d like to use the following conditional, set when using bind:

#{if isOctopusLive == "true"}
  #{octopusLiveAWSAccountEKS}
#{else}
  #{octopusSandboxAWSAccountEKS}
#{/if}

The conditional will allow us to switch between 2 AWS accounts depending on the environment that we’re running Octopus Deploy on (NOT where we’re deploying code to)

ISSUE

When we run a release we get the following error

System.Exception: AWS-LOGIN-ERROR-0003: Failed to access the role information under http://169.254.169.254/latest/meta-data/iam/security-credentials/, or failed to parse the response. This may be because the instance does not have a role assigned to it. For more information visit https://g.octopushq.com/AwsCloudFormationDeploy#aws-login-error-0003 ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 169.254.169.254:80 
September 8th 2019 20:05:16Error
   at System.Net.Sockets.Socket.InternalEndConnect(IAsyncResult asyncResult) 
September 8th 2019 20:05:16Error
   at System.Net.Sockets.Socket.EndConnect(IAsyncResult asyncResult) 
September 8th 2019 20:05:16Error
   at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)

We get this error even if we use a less complex variable syntax in the field with our bind

For example, if we just set the value to #{octopusSandboxAWSAccountEKS} and run it, it’s the same

NOTE

If I don’t use the bind and just select an AWS Account from the drop-down as per the screenshot below, it will work. But this means that you’re selecting a specific account and it’s NOT a conditional. We’d like to be able to use the conditional syntax when binding here

Can you let us know if this is a bug with the system or if we’re not setting the syntax correctly?

Some additional info about what has been tested here in relation to the setup of the project

  • We’ve set 2 AWS accounts under Infrastructure > Accounts
  • These 2 accounts have been set as variables under Library > Variable Sets > Terraform AWS Account
  • We’ve also tested these accounts set as Project variables too

I’ve spoken to @Bob_Walker about this under the advice channel in OD Slack, so I just wanted to log it as a ticket/help-issue to help you guys get all the info you need without having to read through a long thread

Thanks,
Martin

(Matt Richardson) #3

Hi Martin

Thanks for getting in touch! The detail here really helps.

The issue you’re facing is due to the step expecting the name of a variable, but when you’re passing in

#{if isOctopusLive == "true"}
  #{octopusLiveAWSAccountEKS}
#{else}
  #{octopusSandboxAWSAccountEKS}
#{/if}

it’s actually evaluating the variable name to the variable id.

Can you try

#{if isOctopusLive == "true"}octopusLiveAWSAccountEKS#{else}octopusSandboxAWSAccountEKS#{/if}

instead? This will resolve to the name of the variable, instead of the id of the variable.

Unfortunately, I don’t have an AWS handy, but from my preliminary testing, this looks like it should work for you.

Let me know how you go.

Cheers,
Matt

(Martin Woods) #4

Hi @Matt.Richardson,

Thanks for the quick reply - I just tested this and it seems to be working with the code below, so many thanks :partying_face:

#{if isOctopusLive == "true"}
  octopusLiveAWSAccountEKS
#{else}
  octopusSandboxAWSAccountEKS
#{/if}

Cheers
Martin
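
The difference between the two bindings in this thread, as an added example that is not part of the original posts and is not Octopus Deploy's own code: a simplified Python model of the substitution, plus a pre-flight check that rejects a binding which does not evaluate to an account variable name. The account IDs, the `ACCOUNT_VARIABLES` set, both function names and the whitespace trimming are assumptions made for illustration.

```python
import re

# Constructed sample data: variable names come from the thread, the
# account IDs are made-up placeholders.
VARIABLES = {
    "isOctopusLive": "true",
    "octopusLiveAWSAccountEKS": "Accounts-LIVE-PLACEHOLDER",
    "octopusSandboxAWSAccountEKS": "Accounts-SANDBOX-PLACEHOLDER",
}
ACCOUNT_VARIABLES = {"octopusLiveAWSAccountEKS", "octopusSandboxAWSAccountEKS"}

IF_RE = re.compile(
    r'#\{if (\w+) == "([^"]*)"\}(.*?)#\{else\}(.*?)#\{/if\}', re.S)
VAR_RE = re.compile(r"#\{(\w+)\}")


def evaluate(template, variables):
    """Simplified model of the substitution: if/else first, then #{name}."""
    def pick(m):
        name, expected, when_true, when_false = m.groups()
        return when_true if variables.get(name) == expected else when_false
    text = IF_RE.sub(pick, template)
    text = VAR_RE.sub(lambda m: variables.get(m.group(1), ""), text)
    return text.strip()  # assumption: surrounding whitespace is ignored


def resolve_account_binding(template, variables):
    """Return the account variable name the binding selects, or raise.

    Fails closed: a binding that does not evaluate to a known account
    variable name is rejected instead of being handed to the step.
    """
    name = evaluate(template, variables)
    if name not in ACCOUNT_VARIABLES:
        raise ValueError(f"binding resolved to {name!r}, not an account variable name")
    return name


# Form from post #1: the inner #{...} expands to the account ID (the value).
BINDING_BY_VALUE = """#{if isOctopusLive == "true"}
  #{octopusLiveAWSAccountEKS}
#{else}
  #{octopusSandboxAWSAccountEKS}
#{/if}"""

# Form from post #4: the branches are literal variable names.
BINDING_BY_NAME = """#{if isOctopusLive == "true"}
  octopusLiveAWSAccountEKS
#{else}
  octopusSandboxAWSAccountEKS
#{/if}"""
```

Running `resolve_account_binding` on both forms shows the first one rejected because it yields an account ID, which matches the symptom in the thread: the step did not find an account by that name and went on to query the instance metadata endpoint instead.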