provider-aws | Crossplane AWS Provider | AWS library

Finally I realized why it wasn't working. As explained here, the error:

I was able to successfully create the lambda function and IAM role resources;

The hashicorp/aws provider must send requests to the AWS API that are signed using the AWS Signature Version 4 algorithm.

One of the goals of the AWS signing scheme is to minimize the time window that a compromised signature couuld be reused by an attacker. To achieve that, the signature scheme includes a timestamp when the signature was created and the remote system requires that the timestamp be within 15 minutes of the request time as understood by the remote system.

The official documentation describes this as follows, at the time I'm writing this:

• Protect against reuse of the signed portions of the request – The signed portions (using AWS Signatures) of requests are valid within 15 minutes of the timestamp in the request. An unauthorized party who has access to a signed request can modify the unsigned portions of the request without affecting the request's validity in the 15 minute window. Because of this, we recommend that you maximize protection by signing request headers and body, making HTTPS requests to Amazon S3, and by using the s3:x-amz-content-sha256 condition key (see Amazon S3 Signature Version 4 Authentication Specific Policy Keys) in AWS policies to require users to sign Amazon S3 request bodies.

If your local system has an incorrect system time or if your system believes its local time to be in a different timezone than you are actually working in then the AWS SDK (which the Terraform AWS provider is built with) will generate a timestamp outside of the allowed 15 minute window, and so your request will fail. This would be true of any request to AWS APIs using this standard signature scheme, whether made by Terraform's AWS provider or by any other AWS-integrated tool.

In order for requests to succeed your system must be able to generate a correct UTC-referenced timestamp. In order for that to be true, it must have both a correct time and – if you are using an operating system like Windows where the system time is stored in local time rather than UTC – a correct configuration of your system time's offset from UTC so that the SDK can convert to a UTC timestamp as the AWS API requires.

I fixed this by creating the cluster without capacity provider first then modifying it to have one.

Updated:

A ${ ... } sequence is an interpolation in Terraform's configuration language, which evaluates the expression given between the markers. Unix shells typically use $..

As per the official documentation, the command is evaluated in a shell, and can use environment variables or Terraform variables. So, basically, what you are trying to achieve should work fundamentally.

I did a quick test and I was able to successfully apply that locally:

with double quotes

I think the root cause of your issue is this:

Get "https://lambda.eu-central-1.amazonaws.com/2018-10-31/layers/awswrangler/versions/2": dial tcp 3.121.178.128:443: i/o timeout

Why the terraform binary can't connect to the eu-central-1 endpoint of the Lambda service is impossible to say based on the information you provided.

You don't say where or how Jenkins is deployed. I assume in some container on AWS?

It could be a temporary network glitch or for some reason connectivity to eu-central-1 is blocked from your Jenkins deployment.

Have you retried after a few hours?

Are you able to reproduce this behaviour consistenly?

Following Hashicorp documentation, the main.tf file of the child (asdf) module should be:

I run your code in my sandbox env, and the remote-exec works. I had to make some changes for it to work and even to run your code (region, ami, security groups, ...). So you can have a look at the modified code and take it from there. But the code below works for me without any issues.

Your setup for testing import is correct. Adding steps with ImportState and ImportStateVerify should be enough.

Testing import is implemented in terraform-provider-sdk testStepNewImportState function. How it works:

1. Previous step applies terraform config using testcase workdir and state.
2. If next step sets ImportState to true, use ResourceName to grab resource id from testcase state (or use ImportStateIdFunc or ImportStateId if they are set for this step).
3. Create empty workdir, initialize new empty state, and import resource given resource name and id from previous step. There would be no conflicts since this is a separate empty state.
4. If ImportStateVerify is true, compare resource states from previous step and import step, they should be identical.
5. If ImportStateCheck function is set, use this function for custom state validation. This can be used in case if direct state comparison will be not valid.
6. Discard temporary workdir.