archived the channel

Is anybody using the latest v1.535.0 of https://github.com/cloudposse-terraform-components/aws-ssosync successfully? I'm getting an error back that looks like perhaps the cloudformation template it attempts to use wants to use a deprecated lambda runtime.

operation error Lambda: CreateFunction, https response error StatusCode: 400, RequestID: XXX, InvalidParameterValueException: The runtime parameter of go1.x is no longer supported for creating or updating AWS Lambda functions. We recommend you use a supported runtime while creating or updating functions.

Hi, I just wanted to suggest an update to this map code:

https://github.com/cloudposse/terraform-aws-cloudfront-cdn/blob/main/examples/wordpress/main.tf#L45

merge(local.wp_nocache_behavior, map("path_pattern", "wp-admin/*")),

Terraform gives an error:

Call to function "map" failed: the "map" function was deprecated in
│ Terraform v0.12 and is no longer available; use tomap({ ... }) syntax to
│ write a literal map.

Instead you would have to use:

merge(local.wp_nocache_behavior, tomap({path_pattern = "wp-admin/*"})),

@Ben Smith (Cloud Posse) I heard you are the expert on Ecspresso partial task definition stuff. When we change something in the ECS Service terraform component, it should upload to the S3 Bucket and not touch the current live deployment yes? Right now we are experiencing when we do a atmos terraform apply it is clobbering the live deployment with a new taskdef that isn't merged with the json in the bucket. We made sure the s3_mirror_name is set and that files are being uploaded to the bucket.

Hi, I wanted to know if anyone has come across this issue setting up / updating the datadog-integration component?

╷
│ Error: error getting AWS integration from /api/v1/integration/aws: 403 Forbidden: {"errors":["Forbidden"]}
│ 
│   with module.datadog_integration.datadog_integration_aws.integration[0],
│   on .terraform/modules/datadog_integration/main.tf line 18, in resource "datadog_integration_aws" "integration":
│   18: resource "datadog_integration_aws" "integration" {
│ 
╵
exit status 1

I have tried updating to a new API key and have followed the guide https://docs.cloudposse.com/layers/monitoring/datadog/setup/
As an aside I am also seeing the same issue crop up on our existing deployments via our "atmos tf diff" GHA jobs.

Wanted to get a quick sanity check before filing a Github issue but the most recent release for terraform-aws-vpc-peering-multi-account seems to have caused a regression in my TF state. I'd like to verify if the issue is on my end due to state inconsistencies, for example. I have a state created under 0.20 that is now after the terraform init -upgrade with the 0.20.1 module giving me this during the plan:

...accepter.tf line 128, in resource "aws_route" "accepter_ipv6":
2024-09-26 19:02:33 UTC	│  128:   destination_ipv6_cidr_block = local.requester_ipv6_cidr_block_associations[count.index % local.requester_ipv6_cidr_block_associations_count]["cidr_block"]

hi! with the terraform-aws-api-gateway module, is there a way to enable caching? if I enable it via the console, when I next deploy my TF it deletes the provisioned cache cluster. I have had a browse through the module code and I don’t think it’s possible to use caching with it, but thought I’d check here to make sure I’m not missing something!

Hi there, what's cloudposse point of view on policy passed as variable? Is it preferred to pass the whole policy as json, or use a datasource and partially pass part of the policy or create an object representing the policy and set the variable for the policy as object.. what's the preferred way? I'm not talking about assumerole, which is quite standard and easy to set without passing the whole object, I'm talking for example about a resource policy. I cannot find an example of your repo, it seems all of the above ways have been used, I just wanted to check if there's a preference.

What do you folks think about defaulting these inputs in the s3 bucket module ?

  # Recommended by aws to use BucketOwnerEnforced
  # ObjectWriter is used for backwards compatibility and documented here in PR
  # <https://github.com/cloudposse/terraform-aws-s3-bucket/pull/127>
  s3_object_ownership = "BucketOwnerEnforced"
  # most s3 buckets do not need to enable versioning
  # This was toggled to false due to a compliance PR 
  # <https://github.com/cloudposse/terraform-aws-s3-bucket/pull/70>
  versioning_enabled  = false

How come the terraform aws ec2 instance module ignores changes on ami changes ? What if you want to rotate a singleton and don’t mind the downtime ?

https://github.com/cloudposse/terraform-aws-ec2-instance/blob/cb7559596b69d0b4ca31942ca2eda59a1e5bb18e/main.tf#L171-L175

Came from PR https://github.com/cloudposse/terraform-aws-ec2-instance/pull/145 but wasn’t called out explicitly

I've been looking for an terraform module(s) that will let me set up a website using cloudfront, backed by an s3 origin AND use api gateway with lambda as one single site. Anyone know of a module or have an example thats puts all of these together? I see modules around that do bits of this, but not one working together.

Hey everyone, we've hit a weird issue while updating eks/karpenter component from 1.416 to 1.468 ( ).
It seems, the new version of the component wants to create an IAM policy for both legacy v1alpha and new v1 entities.

And the resulting policy is larger than the limit... And there's no way to disable old policy (except by creating an overrides file, which we did).

Error: creating IAM Policy (nsp-core-apse2-auto-karpenter-karpenter@kube-system): operation error IAM: CreatePolicy, https response error StatusCode: 409, RequestID: 714c38d8-30e6-4019-8ffc-071c236443a6, LimitExceeded: Cannot exceed quota for PolicySize: 6144

Does anyone use https://github.com/cloudposse/terraform-aws-vpn-connection together with atmos? -_- Maybe some kind soul can share configs to make it work with the rest of the components?

We are working with a customer that requires the development environment to be created in the commercial cloud of AWS but requires the production environment to be in GovCloud. We are investigating the potential for using the atmos framework for provisioning stacks in both commercial and GovCloud at the same time. I looked around in the various channels on this forum, but could not find any mentions of GovCloud integration. Is it possible to integrate account creation and role based access via aws-teams and aws-team-roles components so that we can create and access accounts in both commercial and GovCloud AWS accounts at the same time?

Is this level of integration across the commercial and GovCloud accounts possible within the atmos framework structure? Did anyone complete this integration successfully?

Hi team,
Can someone explain me how module cloudposse/label/null works and how to use it properly?
In this example https://github.com/cloudposse/terraform-aws-eks-cluster/blob/main/examples/complete/main.tf I see that we have almost in every module context = module.this.context
What kind of fields it will include? I'm curious because I connect Infracost and got the error:

Missing mandatory tags: Service, Environment

even if I added these tags in this module like this:

module "label" {
  source  = "cloudposse/label/null"
  version = "0.25.0"

  namespace  = "eg"
  stage      = "dev"
  name       = "work"
  attributes = ["cluster"]
  delimiter  = "-"

  tags = {
    "Environment" = "Dev",
    "Service"     = "EKS Cluster"
  }

  context = module.this.context
}

Has anyone used terraform-aws-s3-bucket module for creating bi-directional replication?

Hi guys, there seems to be an issue with the VPC component - would it be possible to update the version of dynamic-subnet within it, so we can use ap-southeast-4 Melbourne?
Details are here - https://github.com/cloudposse/terraform-aws-components/issues/1047

hey there, I’m looking at the aws-config module and I’m running into a few issues:

• I’m using an organization aggregator
• I’m using a central SNS topic and S3 bucket
• I see resources in my child accounts showing up in the aggregators for my central account
• i do not see configuration change events for my child accounts (configuration change timeline) in the central aggregator
• I do see configuration change events in the configuration timeline on the child accounts
• I do not see anything actually touching the central sns topic?
is this expected? Am I not supposed to see configuration timeline / change events in the central account? Should I see activity on the sns topic?

Hello,
https://github.com/cloudposse/terraform-aws-ec2-autoscale-group/commit/aa3840ee7874a74c27e4226eaab585fab9501faf#diff-dc46acf24af[…]1f33d9bf2532fbbR1

With the data , terraform plan no longer works if subnets don’t exist (which can happen when an entire infrastructure has to be created from scratch)

Would you have an idea for solving this problem?

Hey everyone, could anyone help me with aws-team-roles module? 😅
How can I change the name format for the roles, that are generated by that module? For example, I'm getting a team role like this:

  # aws_iam_role.default["admin"] will be created
  + resource "aws_iam_role" "default" {
...
      + name                  = "nsp-gbl-dns-admin"

But I'm trying to use the name format 'namespace-tenant-environment-stage' - and when I run terraform in the org account, it wants to assume role nsp-core-gbl-dns-terraform. And fails %)

I've found out, that if I set var.label_order to

      - namespace
      - tenant
      - environment
      - stage 

Then it works fine.

Is this the correct solution? Or I'm trying to do something backwards?

Hey! 👋 I have a question about this ECR module. It seems to enforce the idea that the lifecycle policy should be based on number of images in the repository (default: 500) rather than the number of days an image has hung around for, even though ECR supports both types of policies. Is that a conscious decision by-design, or an oversight? If by-design, is that because it’s a widely accepted best practice? Looking for either sources I can read or just a quick summary on why it’s the way it is please!

Hi, it looks like modules/components for AWS SQS queue exist at two locations, terraform-aws-components/modules/sqs-queue/modules/terraform-aws-sqs-queue and terraform-aws-components/modules/sqs-queue (which slightly wraps the former, adding compatibility with the account-roles component)

I'm wondering why there hasn't been a root module published at cloudposse/terraform-aws-sqs-queue to manage sqs queue resources

Hi Team, we use the multi-az-subnets module and we have been getting argument is deprecated warnings:

│ Warning: Argument is deprecated
│
│ with module.stg.module.vpc.module.isolated_subnet.aws_eip.public,
│ on .terraform/modules/stg.vpc.isolated_subnet/public.tf line 119, in resource "aws_eip" "public":
│ 119: vpc = true
│
│ use domain attribute instead
│
│ (and 14 more similar warnings elsewhere)

It looks like this module is not maintained any more? I just wondered if any one had any recommendations of similar subnet modules? or if there was a way to work around. Thanks!

Good morning kind folks! I have a question about the use of context modules in Cloudposse’s AWS DMS modules. When I try to plan anything using examples right off the readme:

module "dms_replication_instance" {
  source = "cloudposse/dms/aws//modules/dms-replication-instance"
  # Cloud Posse recommends pinning every module to a specific version
  version     = "0.2.0"

  # If `auto_minor_version_upgrade` is enabled,
  # then we should omit the patch part of the version or Terraform will try to revert the version upon detected drift
  engine_version               = "3.4"
  replication_instance_class   = "dms.t2.small"
  allocated_storage            = 50
  apply_immediately            = true
  auto_minor_version_upgrade   = true
  allow_major_version_upgrade  = false
  multi_az                     = false
  publicly_accessible          = false
  preferred_maintenance_window = "sun:10:30-sun:14:30"
  vpc_security_group_ids       = [local.convox_instances_security_group_id, local.eks_security_group_id]
  subnet_ids                   = data.terraform_remote_state.common.outputs.vpc.convox.private_subnets

  context = module.this.context

  # depends_on = [
  #   # The required DMS roles must be present before replication instances can be provisioned
  #   module.dms_iam
  # ]
}

I get `

Error: Reference to undeclared module

  on dms-migration.tf line 22, in module "dms_replication_instance":
  22:   context = module.this.context

No module call named "this" is declared in the root module.

If I remove the reference to context it will next complain about the content of replication_id because it is composed of module.this.id which seems to evaluate to null or empty string.

how are folks handing permissionsets defining permissions for teams that have varying levels of access to multiple accounts?

for example, say we have a business intelligence team.

we create a business intelligence permission set and create that in the various target accounts, but that permission set should have SLIGHTLY different permissions in each account. I don’t know if this a solvable “problem” i think the cloudposse module for permissionsets is nice, but I don’t think this pattern is possible?

Since I was relying on a data source (instead of variables) to discover my private subnets/AZs, I just ended up doing something like this

data "aws_subnets" "private" {
  filter {
    name   = "tag:Attributes"
    values = ["private"]
  }
}

data "aws_subnet" "selected" {
  for_each = toset(data.aws_subnets.private.ids)
  id = each.value
}

module "app_cache_memcached" {
  source  = "cloudposse/elasticache-memcached/aws"
  version = "0.19.1"

  availability_zones = [for i in range(var.app_cache_node_count) : values(data.aws_subnet.selected)[i % length(data.aws_subnet.selected)].availability_zone]
  az_mode            = "cross-az"
  vpc_id             = values(data.aws_subnet.selected)[0].vpc_id
  subnets            = [for s in data.aws_subnet.selected : s.id]

  cluster_size  = var.app_cache_node_count
  instance_type = var.app_cache_instance_type

  engine_version    = var.app_cache_engine_version
  apply_immediately = true

  elasticache_parameter_group_family = var.app_cache_parameter_group_family
  max_item_size                      = var.app_cache_max_item_size

  context = module.app_cache.context
}

This...probably isn't ideal since I literally just repeat the list of availability_zone id's until that = the number of cache nodes being requested, however it seems to work just fine

ah nm I seem to have found a workaround. I was not relying on passing a list of availability zones in from variables, but rather finding specific availability zones with a data source. Once I'm absolutely happy with how I have it working I'll post something here 🙂

👋 I'm trying to deploy an elasticache memcached cluster using the https://github.com/cloudposse/terraform-aws-elasticache-memcached

I've got it mostly working, but now I'm attempting to spin a 10 node cluster in a VPC where I have 3 availability zones available and am getting an error:

│ Error: length of preferred_availability_zones (3) must match num_cache_nodes (10)
│ 
│   with module.app_cache_memcached.aws_elasticache_cluster.default[0],
│   on .terraform/modules/app_cache_memcached/main.tf line 101, in resource "aws_elasticache_cluster" "default":
│  101: resource "aws_elasticache_cluster" "default" {

Am I correct in understanding that I simply always have to pass in a list of availability zones, and just ensure the number of elements in that list matches the number of cache nodes being requested?

Hello @Erik Osterman (Cloud Posse),
I saw this repo has been created ; https://github.com/cloudposse/terraform-aws-batch

Is the CloudPosse team working on it, or do you need help getting started?

I’m very interested in a Terraform module for AWS batch 😎

Hey people,

I’m not sure if this is the right channel for this question. My apologies if it’s not.

I have an EC2 instance that was created using a terraform module. I am creating an autoscaling group for it so that there is no downtime when there is a change to the instance. I have already written the code for the ASG, but terraform docs do not mention how to attach the existing instance to the ASG. AWS docs show that it is possible to do this using aws autoscaling attach-instances

Is this something that can be done using terraform and if it is, kindly show an example of how to go about it.

Thanks!

hiya folks, any chance of a review + merge on this: https://github.com/cloudposse/terraform-aws-rds-cluster/pull/186

Im sure its related to my use of a data call, but im trying to switch over to passing in a locals block outside of the module, to the input variable to “update” it

I have a question about the aws_ecr module.
I’ve been using it for a while now, but just recently, the scenario came up where I need to update the prefix for the tag used for retention. Updating the value for the input variable for the prefix does not seem to trigger any changes from terraforms perspective when calling the existing module? Any thoughts?

Originally I was using a data call for the jsonencoded policy rules

Trying to get default_route_enabled working with the tgw/spoke module. Currently stuck at

│ Error: creating Route in Route Table (rtb-0b999f9d3ccb0f9c7) with destination (10.14.4.0/23): InvalidTransitGatewayID.NotFound: The transitGateway ID 'tgw-019c1d8199bc68916' does not exist.
│ 	status code: 400, request id: 53725870-12b1-4ae8-b5f6-61bc927222ae
│
│   with aws_route.back_route[0],
│   on main.tf line 71, in resource "aws_route" "back_route":
│   71: resource "aws_route" "back_route" {

The mentioned TGW does exist (it's a shared resource). Currently not spotting the obvious of why its not working. Anybody has this working?

Found a bit of a weird situation with the recent updates to the Spacelift components as of 1.400.0. Was the addition of space_name_pattern intended to be a breaking change? Using it is a hard requirement of the new release
https://github.com/cloudposse/terraform-aws-components/issues/996

Greetings everyone. I'm using the cloudposse/vpn-connection/aws module and I'm facing some issues that I really don't understand..

My module code is as follows

module "vpn_connection" {
  source  = "cloudposse/vpn-connection/aws"
  version = "1.0.0"

  namespace                                 = var.namespace
  stage                                     = var.env
  name                                      = var.vpn_connection_name
  vpc_id                                    = var.vpc_id
  vpn_gateway_amazon_side_asn               = var.amazon_asn
  customer_gateway_bgp_asn                  = var.customer_asn
  customer_gateway_ip_address               = var.customer_gateway_ip_address
  route_table_ids                           = var.route_table_ids
  vpn_connection_static_routes_only         = true
  vpn_connection_static_routes_destinations = [var.vpn_connection_static_routes_destinations]
  vpn_connection_local_ipv4_network_cidr    = var.vpn_connection_static_routes_destinations
  vpn_connection_remote_ipv4_network_cidr   = var.vpc_cidr
}

route_table_ids should contain a single element found using https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route_tables and vpn_connection_static_routes_destinations is a simple ipv4 cidr coming in as a string

The 'calling' of the module

module "vpn-connection" {
  source = "../../modules/vpn-connection"

  namespace                                 = var.namespace
  env                                       = var.environment
  vpn_connection_name                       = var.vpn_connection_name
  vpc_id                                    = module.staging-vpc.vpc_id
  amazon_asn                                = var.amazon_asn
  customer_asn                              = var.customer_asn
  customer_gateway_ip_address               = var.customer_gateway_ip_address
  route_table_ids                           = data.aws_route_tables.route_tables_for_vpn_connection_to_public_subnets.ids
  vpn_connection_static_routes_destinations = var.vpn_connection_static_routes_destinations
  vpc_cidr                                  = var.vpc_cidr
}

Should I not in the route tables inside route_table_ids see a non-propagated / aka static route to the contents of var.vpn_connection_static_routes_destinations

I see Route propagation set to No under the Route table which is also what I want..

But where's my static route?

One-line bug in the CloudPosse terraform-aws-cloudwatch-logs module:
https://github.com/cloudposse/terraform-aws-cloudwatch-logs/issues/52

This bug affects how this module is called by the lambda (and in fact any other) modules for a AWS resource where an underscore is a valid character in the resource name.

I am adding support for latest Karpenter. I noticed the IAM role for nodes provisioned or managed by Karpenter is created by the eks/cluster component instead of eks/karpenter. I also noticed this is the "recommend" configuration. I cannot understand why, though. Can someone help me understand?

Hey! Any chance this could be looked into https://github.com/cloudposse/terraform-aws-elasticache-redis/issues/194? It even has a proposed fix done as a PR 🙏

We have been eagerly anticipating the day when we could manage EKS cluster authentication via AWS APIs rather than the Kubernetes ConfigMap. That day is here, but there are still some bugs to be worked out. Please upvote this issue that, when resolved, will make upgrading to the new APIs significantly easier.

Quick question about the lambda component. The version of the cloudposse/lambda-function/aws module listed in the repo (https://github.com/cloudposse/terraform-aws-components) is 0.4.1. The current version of 0.5.3 and importantly contains the fixes to the names of function log groups from 0.5.1 .

The lambda component is still regularly updated (e.g. v1.396.0, two weeks ago). Is there a reason for the listed version of the module being behind? I’m not clear why the module version used here in the main repo has drifted behind its source — as in most cases bumping the version after the atmos vendor causes no problems

https://github.com/cloudposse/terraform-aws-iam-account-settings/blob/78e9718eabbeca8e8c66bcf387e09b3c3333d411/main.tf#L3-L7
I don't believe the account alias is used anywhere in the Cloud Posse components. But wanted to double-check if there could be any unforeseen issues if we update these with different values.

Does anybody have any ideas how I can get this working on listener port 443 instead of 80?

The only way I can get it to finish successfully is if I set http_enabled = true but then my beanstalk app ends up on the wrong listener port

What ends up happening is that the beanstalk application tries to map to port 80 rather than 443, and the whole thing errors out

Hi all - I'm trying to use this beanstalk module to spin up some infra https://github.com/cloudposse/terraform-aws-elastic-beanstalk-environment My requirement is that the beanstalk environment attaches itself to port 443 so that it's on SSL.

Here is my configuration:

module "alb" {
  source  = "cloudposse/alb/aws"
  version = "1.10.0"

  namespace          = "tpo"
  name               = "elastic-beanstalk"
  vpc_id             = data.aws_vpc.default.id
  subnet_ids         = data.aws_subnets.private.ids
  internal           = true
  certificate_arn    = data.aws_acm_certificate.cert.arn
  security_group_ids = [module.security_groups.alb_sg]

  http_enabled                            = false
  https_enabled                           = true

  enabled = true
  
  stage                                   = "prod"
  access_logs_enabled                     = true
  access_logs_prefix                      = "tpo-prod"
  alb_access_logs_s3_bucket_force_destroy = true

  # This additional attribute is required since both the `alb` module and `elastic_beanstalk_environment` module
  # create Security Groups with the names derived from the context (this would conflict without this additional attribute)
  attributes = ["shared"]

}


module "elastic_beanstalk_application" {
  source  = "cloudposse/elastic-beanstalk-application/aws"
  version = "0.11.1"
  enabled = true

  for_each = toset(var.EB_APPS)

  name = each.value

}

module "elastic_beanstalk_environment" {
  source   = "cloudposse/elastic-beanstalk-environment/aws"
  for_each = toset(var.EB_APPS)
  enabled = true

  region = var.REGION

  elastic_beanstalk_application_name = each.value
  name                               = "prod-${each.value}-tpo"
  environment_type                   = "LoadBalanced"
  loadbalancer_type                  = "application"
  loadbalancer_is_shared             = true
  shared_loadbalancer_arn            = module.alb.alb_arn
  loadbalancer_certificate_arn       = data.aws_acm_certificate.cert.arn

  tier          = "WebServer"
  force_destroy = true

  instance_type = "t4g.xlarge"

  vpc_id               = data.aws_vpc.default.id
  loadbalancer_subnets = data.aws_subnets.private.ids
  application_subnets  = data.aws_subnets.private.ids
  application_port = 443
  allow_all_egress = true

  additional_security_group_rules = [
    {
      type                     = "ingress"
      from_port                = 0
      to_port                  = 65535
      protocol                 = "-1"
      source_security_group_id = data.aws_security_group.vpc_default.id
      description              = "Allow all inbound traffic from trusted Security Groups"
    }
  ]
  solution_stack_name = "64bit Amazon Linux 2 v5.8.10 running Node.js 14"

  additional_settings = [
    {
      namespace = "aws:elasticbeanstalk:application:environment"
      name      = "NODE_ENV"
      value     = "prod"
    },
    {
      namespace = "aws:elbv2:listenerrule:${each.value}"
      name      = "HostHeaders"
      value     = "prod-${each.value}-<http://taxdev.io|taxdev.io>"
    }
  ]
  env_vars = {
    "NODE_ENV" = "prod"
  }

  enable_stream_logs = true
  extended_ec2_policy_document = data.aws_iam_policy_document.minimal_s3_permissions.json
  prefer_legacy_ssm_policy     = false
  prefer_legacy_service_policy = false

}