Sometimes, we learn the hard way. Here's my story: I accidentally left a DocumentDB instance running. I thought I deleted it, but nope—it was still there, alive and kicking. The result? AWS charged me 5x what I was expecting. 🥲
I reached out to AWS Support, explained the situation, and asked if they could pardon the charges. The ticket is still open as I write this, but life goes on, and I needed to move forward. So, here I am, documenting what I did to migrate an ECS + RDS project built entirely with Terraform from one AWS account to another.
Challenge 1: Subnet Configuration Issue
My ECS setup used an Application Load Balancer (ALB) running in two subnets, targeting availability zones A and B. However, the default VPC in the new account didn’t support IPv6 CIDR block ranges, which caused some hiccups. Here’s how I fixed it:
Step 1: Add IPv6 CIDR to the VPC
Before associating IPv6 CIDRs with subnets, you need to make them available within the VPC:
- Navigate to VPC > Your VPCs > Actions > Edit CIDRs.
- Add an IPv6 CIDR block.
Step 2: Associate IPv6 CIDRs with Subnets
This next step wasn’t as intuitive:
- Go to Subnets > Actions > Edit IPv6 CIDRs.
- Select the newly added block.
This solved the issue, but it served as a reminder that default VPC configurations can vary, and they don’t always cover edge cases like dual-stack networking.
Challenge 2: RDS KMS Key Access Issue
Here’s the error I faced when trying to create the RDS instance in the new account:
Error: creating RDS DB Instance (bia): operation error RDS: CreateDBInstance, https response error StatusCode: 400, RequestID: de87f4fd-2349-4fdf-ab0f-df7f1d78735c, KMSKeyNotAccessibleFault: The specified KMS key [arn:aws:kms:us-east-1:601139476230:key/267552e8-e621-4b5c-ba76-d839ade56f1b] does not exist, is not enabled or you do not have permissions to access it.
What happened? I initially created the RDS instance through the AWS Console, then imported it into my Terraform project. When I migrated accounts, imported parameters like the KMS key ARN (which is scoped to the old account) obviously didn’t exist in the new account. So, I had to create a new key and update my configuration.
Steps to Create a New KMS Key for RDS
- Go to KMS > Customer managed keys.
- Select Symmetric and Encrypt/Decrypt options for RDS compatibility.
- Carefully define administrative and usage permissions.
- Update your Terraform script with the new KMS key ARN.
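As an added example (not code from the author's repo), here is how both fixes look in Terraform: the default-VPC IPv6 association for Challenge 1, and a KMS key with a scoped key policy wired into the RDS instance for Challenge 2. Resource names, availability zones, the engine and the instance class are assumptions.

```hcl
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}
# Challenge 1: Amazon-provided IPv6 block on the default VPC, one /64 per ALB subnet (zones assumed).
resource "aws_default_vpc" "main" {
  assign_generated_ipv6_cidr_block = true
}
resource "aws_default_subnet" "alb" {
  for_each          = { "us-east-1a" = 1, "us-east-1b" = 2 }
  availability_zone = each.key
  ipv6_cidr_block   = cidrsubnet(aws_default_vpc.main.ipv6_cidr_block, 8, each.value)
}

# Challenge 2: a symmetric encrypt/decrypt CMK with rotation, whose policy keeps
# administration with this account's IAM and limits usage to RDS in this account.
resource "aws_kms_key" "rds" {
  key_usage                = "ENCRYPT_DECRYPT"
  customer_master_key_spec = "SYMMETRIC_DEFAULT"
  enable_key_rotation      = true
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      { # administrative permissions are delegated to IAM policies in this account
        Sid = "EnableIAMPermissions", Effect = "Allow", Action = "kms:*", Resource = "*"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
      },
      { # usage only via the RDS service, and only for principals of this account
        Sid = "AllowRDSUse", Effect = "Allow", Resource = "*", Principal = { AWS = "*" }
        Action = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                  "kms:GenerateDataKey*", "kms:DescribeKey", "kms:CreateGrant"]
        Condition = { StringEquals = {
          "kms:ViaService"    = "rds.${data.aws_region.current.name}.amazonaws.com"
          "kms:CallerAccount" = data.aws_caller_identity.current.account_id
        } }
      }
    ]
  })
}

# Reference the key through the resource, never a hard-coded ARN from the old account.
resource "aws_db_instance" "bia" {
  identifier                  = "bia"
  engine                      = "postgres"   # engine and class are assumptions
  instance_class              = "db.t3.micro"
  allocated_storage           = 20
  username                    = "app"
  manage_master_user_password = true         # master password lives in Secrets Manager
  storage_encrypted           = true
  kms_key_id                  = aws_kms_key.rds.arn
}
```

Because `kms_key_id` is derived from the `aws_kms_key` resource, the same configuration applies cleanly in any account instead of failing with `KMSKeyNotAccessibleFault`.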
These error messages were crucial in diagnosing the two issues:
- KMSKeyNotAccessibleFault
- Subnet does not contain any IPv6 CIDR block ranges
If you’ve ever faced similar migration challenges (or forgotten to delete something costly), I’d love to hear about it! Share your stories in the comments—let’s learn from each other’s mistakes. 😅
A GitHub repo if you want to follow up: