terraform-aws-modules (Archived)
15 messages
Discussions related to https://github.com/terraform-aws-modules
Archive: https://archive.sweetops.com/terraform-aws-modules/
Aayush Harwani, about 2 years ago
@Andriy Knysh (Cloud Posse), can you please review this PR - https://github.com/cloudposse/terraform-aws-components/pull/971 ?
Aayush Harwani, about 2 years ago
@Andriy Knysh (Cloud Posse), can you help me with this - https://github.com/cloudposse/terraform-aws-components/pull/973
Peter Filbin, about 2 years ago
Hi all - I'm trying to use this beanstalk module to spin up some infra: https://github.com/cloudposse/terraform-aws-elastic-beanstalk-environment
My requirement is that the beanstalk environment attaches itself to port 443 so that it's on SSL.
Here is my configuration:
module "alb" {
  source = "cloudposse/alb/aws"
  version = "1.10.0"
  namespace = "tpo"
  name = "elastic-beanstalk"
  vpc_id = data.aws_vpc.default.id
  subnet_ids = data.aws_subnets.private.ids
  internal = true
  certificate_arn = data.aws_acm_certificate.cert.arn
  security_group_ids = [module.security_groups.alb_sg]
  http_enabled = false
  https_enabled = true
  enabled = true
  stage = "prod"
  access_logs_enabled = true
  access_logs_prefix = "tpo-prod"
  alb_access_logs_s3_bucket_force_destroy = true
  # This additional attribute is required since both the `alb` module and `elastic_beanstalk_environment` module
  # create Security Groups with the names derived from the context (this would conflict without this additional attribute)
  attributes = ["shared"]
}

module "elastic_beanstalk_application" {
  source = "cloudposse/elastic-beanstalk-application/aws"
  version = "0.11.1"
  enabled = true
  for_each = toset(var.EB_APPS)
  name = each.value
}

module "elastic_beanstalk_environment" {
  source = "cloudposse/elastic-beanstalk-environment/aws"
  for_each = toset(var.EB_APPS)
  enabled = true
  region = var.REGION
  elastic_beanstalk_application_name = each.value
  name = "prod-${each.value}-tpo"
  environment_type = "LoadBalanced"
  loadbalancer_type = "application"
  loadbalancer_is_shared = true
  shared_loadbalancer_arn = module.alb.alb_arn
  loadbalancer_certificate_arn = data.aws_acm_certificate.cert.arn
  tier = "WebServer"
  force_destroy = true
  instance_type = "t4g.xlarge"
  vpc_id = data.aws_vpc.default.id
  loadbalancer_subnets = data.aws_subnets.private.ids
  application_subnets = data.aws_subnets.private.ids
  application_port = 443
  allow_all_egress = true
  additional_security_group_rules = [
    {
      type = "ingress"
      from_port = 0
      to_port = 65535
      protocol = "-1"
      source_security_group_id = data.aws_security_group.vpc_default.id
      description = "Allow all inbound traffic from trusted Security Groups"
    }
  ]
  solution_stack_name = "64bit Amazon Linux 2 v5.8.10 running Node.js 14"
  additional_settings = [
    {
      namespace = "aws:elasticbeanstalk:application:environment"
      name = "NODE_ENV"
      value = "prod"
    },
    {
      namespace = "aws:elbv2:listenerrule:${each.value}"
      name = "HostHeaders"
      value = "prod-${each.value}-taxdev.io"
    }
  ]
  env_vars = {
    "NODE_ENV" = "prod"
  }
  enable_stream_logs = true
  extended_ec2_policy_document = data.aws_iam_policy_document.minimal_s3_permissions.json
  prefer_legacy_ssm_policy = false
  prefer_legacy_service_policy = false
}
Peter Filbin, about 2 years ago
What ends up happening is that the beanstalk application tries to map to port 80 rather than 443, and the whole thing errors out
Peter Filbin, about 2 years ago
The only way I can get it to finish successfully is if I set http_enabled = true, but then my beanstalk app ends up on the wrong listener port
Peter Filbin, about 2 years ago
Does anybody have any ideas how I can get this working on listener port 443 instead of 80?
Hans D, about 2 years ago
https://github.com/cloudposse/terraform-aws-iam-account-settings/blob/78e9718eabbeca8e8c66bcf387e09b3c3333d411/main.tf#L3-L7
I don't believe the account alias is used anywhere in the Cloud Posse components. But wanted to double-check if there could be any unforeseen issues if we update these with different values.
Matthew Reggler, about 2 years ago
Quick question about the lambda component. The version of the cloudposse/lambda-function/aws module listed in the repo (https://github.com/cloudposse/terraform-aws-components) is 0.4.1. The current version is 0.5.3 and importantly contains the fixes to the names of function log groups from 0.5.1. The lambda component is still regularly updated (e.g. v1.396.0, two weeks ago). Is there a reason for the listed version of the module being behind? I'm not clear why the module version used here in the main repo has drifted behind its source - as in most cases bumping the version after the atmos vendor causes no problems
Jeremy G (Cloud Posse), about 2 years ago
We have been eagerly anticipating the day when we could manage EKS cluster authentication via AWS APIs rather than the Kubernetes ConfigMap. That day is here, but there are still some bugs to be worked out. Please upvote this issue that, when resolved, will make upgrading to the new APIs significantly easier.
gusse, about 2 years ago
Hey! Any chance this could be looked into https://github.com/cloudposse/terraform-aws-elasticache-redis/issues/194? It even has a proposed fix done as a PR
Brian, almost 2 years ago
I am adding support for latest Karpenter. I noticed the IAM role for nodes provisioned or managed by Karpenter is created by the eks/cluster component instead of eks/karpenter. I also noticed this is the "recommended" configuration. I cannot understand why, though. Can someone help me understand?
Matthew Reggler, almost 2 years ago
One-line bug in the CloudPosse terraform-aws-cloudwatch-logs module: https://github.com/cloudposse/terraform-aws-cloudwatch-logs/issues/52
This bug affects how this module is called by the lambda (and in fact any other) modules for an AWS resource where an underscore is a valid character in the resource name.