173 messages
Zachary Loeber about 6 years ago
For complex terraform modules spanning multiple environments, why do I almost always regret using modules? Is there some kind of rule of thumb about module complexity that should be followed?
Zachary Loeber about 6 years ago
like, rule 1: if you are spanning multiple providers maybe modules aren't a good idea (or something like that)
Erik Osterman (Cloud Posse) about 6 years ago
we never manage more than one environment/account in one terraform plan/apply
Erik Osterman (Cloud Posse) about 6 years ago
in our case, with #geodesic, we actually have a one-to-one correlation between AWS accounts and git repos.
Chin about 6 years ago
What's the best learning for newbie Engineers on terraform
Eamon Keane about 6 years ago (edited)
@Chin check out terraform up and running second edition http://shop.oreilly.com/product/0636920225010.do
Then choose something you know how to deploy without terraform, open a free account on Terraform cloud and start iterating with a personal AWS/GCP account (you can prob find a community module to get you started).
Zachary Loeber about 6 years ago
Or you can inherit a 10 thousand line complex terraform manifest like I did and learn 'under pressure'
vvsp about 6 years ago
Need some inputs pls:
I have a VPC: 10.0.0.0/16
Subnets: 2 pub + 2 pvt spanned across 2 AZs in one single region.
pub sub1 -> 10.0.0.0/24
pvt sub1 -> 10.0.1.0/24
pub sub2 -> 10.0.2.0/24
pvt sub2 -> 10.0.3.0/24
Pvt route table 1 has two routes: local and a route for 10.0.1.0/24 to a NAT GW.
I am stuck with the below error when associating Private route table 1 to private subnet 1. Wondering what's actually happening under the hood and why the issue? Any inputs will be of great help.
API error message
Route table contains unsupported route destination. The unsupported route destination is more specific or equal specific than VPC local CIDR.
Laurynas about 6 years ago (edited)
Hi, does anyone know why terraform sees too many changes in the task definition updates?
is it because I use jsondecode and it changes the ordering of the elements?
# module.ecs_app_service.module.ecs_task_definition.aws_ecs_task_definition.app must be replaced
+/- resource "aws_ecs_task_definition" "app" {
~ arn = "arn:aws:ecs:eu-west-1:xxxx:task-definition/test:216" -> (known after apply)
~ container_definitions = jsonencode(
~ [ # forces replacement
~ {
cpu = 256
+ entrypoint = null
~ environment = [
- {
- name = "AWS_REGION"
- value = "eu-west-1"
},
{
name = "APP_ENV"
value = "prod"
},
~ {
~ name = "AWS_USER_POOL_ID" -> "APP_DEBUG"
~ value = "us-east-jgjjh" -> "0"
},
+ {
+ name = "AWS_REGION"
+ value = "eu-west-1"
},
]
loren about 6 years ago (edited)
Anyone know of a way to have terraform init check a central location for providers and download them to that location if they are missing? I know there is -plugin-dir for the first part of that question, but it explicitly disables the second part. I don't really understand the need to have the same version of the same provider in .terraform in the config working directory for every config... it's a lot of space and a lot of downloads
Brij S about 6 years ago
is anyone able to provide more insight into the following descriptions?
https://github.com/cloudposse/terraform-null-label/blob/master/outputs.tf#L3 (Could you elaborate on what this is disambiguated from? Is it regarding the AWS Name tag?)
https://github.com/cloudposse/terraform-null-label/blob/master/outputs.tf#L8 (how do all of these fields get 'normalized'? It would be nice if this was a bit clearer)
Andriy Knysh (Cloud Posse) about 6 years ago
please look at the description here https://github.com/cloudposse/terraform-null-label#terraform-null-label---
Andriy Knysh (Cloud Posse) about 6 years ago
and terratest for the example https://github.com/cloudposse/terraform-null-label/blob/master/test/src/examples_complete_test.go
vvsp about 6 years ago
Hi There…
Quick query pls:
Does EKS cluster creation using terraform create kubeconfig at ~/.kube by default? or do we have to configure it manually every time we create the cluster as some of the fields are cluster specific?
NVMeĆĆi about 6 years ago
Hello, I am trying to solve terraform drift and I ran into an error
For this particular resource, it's in 0.11.14 using the terraform-aws-rds-aurora 1.21.0 release. I see that performance_insights_enabled has been supported since 1.0.0 release, any idea why my module kicks back this error?
Error: module "my_rds_resource": "performance_insights_enabled" is not a valid argument
Cloud Posse about 6 years ago
Join us for "Office Hours" every Wednesday 11:30AM (PST, GMT-7) via Zoom. This is an opportunity to ask us questions on terraform and get to know others in the community on a more personal level. Next one is Jan 15, 2020 11:30AM.
#office-hours (our channel)
Brij S about 6 years ago (edited)
Hey all, I've got a warning I'm not sure how to get past. Was hoping some of the experts here can point me in the right direction
I'm not really sure how to stop the warning, I checked the online documentation and everything seems correct
Warning: Interpolation-only expressions are deprecated
on ../main.tf line 95, in resource "aws_lambda_function" "publisher":
95: source_code_hash = "${filebase64sha256("${path.module}/publisher.zip")}"
Terraform 0.11 and earlier required all non-constant expressions to be
provided via interpolation syntax, but this pattern is now deprecated. To
silence this warning, remove the "${ sequence from the start and the }"
sequence from the end of this expression, leaving just the inner expression.
Template interpolation syntax is still used to construct strings from
expressions when the template includes multiple interpolation sequences or a
mixture of literal strings and interpolations. This deprecation applies only
to templates that consist entirely of a single interpolation sequence.
(and 5 more similar warnings elsewhere)
slaughtr about 6 years ago
To silence this warning, remove the "${ sequence from the start and the }" sequence from the end of this expression, leaving just the inner expression.
So I believe you just need:
source_code_hash = filebase64sha256("${path.module}/publisher.zip")
Naseem about 6 years ago (edited)
Anyone have good links to TF directory structures?
so far I've compiled up https://www.2ndwatch.com/blog/how-we-organize-terraform-code-at-2nd-watch/ , https://www.oreilly.com/library/view/terraform-up-and/9781491977071/ch04.html and http://saurabh-hirani.github.io/writing/2017/08/02/terraform-makefile
Going through a major refactor of TF configs currently and would like to get it right the first time around...
Mateusz Kamiński about 6 years ago
Hey, in https://github.com/cloudposse/terraform-aws-rds you do not have a solution to update ca_cert (parameter ca_cert_identifier was added to aws_db_instance recently). This needs to be added, or do you have some other solution?
Phuc about 6 years ago
HI Guys
Phuc about 6 years ago
I'm using terraform-rds at the moment to create postgres RDS. using engine version 9.6.15
Things work ok with DB_parameter_group, but when it runs to create DB_Option_group, it returns the error below:
InvalidParameterCombination: Cannot find major version 9 for postgres
I look at AWS document, seems it didn't have any DB option group yet for Postgres, So how can I bypass this resource in the module?
Bruce about 6 years ago
Hi team, I am using the terraform-aws-rds-cluster to create an Aurora MySQL read replica of an RDS MySQL instance to transition over to Aurora by using the replication_source_identifier set as the RDS MySQL instance. However the creation hangs on Terraform but is successful in the console. It's most likely an issue with AWS provider, but I am curious to see if anyone else has come across this issue or have a work around that was successful?
Callum Robertson about 6 years ago
Hey @Erik Osterman (Cloud Posse) or @Andriy Knysh (Cloud Posse), can one of you tell me how you're doing terraform md automation? (If you are)
Andriy Knysh (Cloud Posse) about 6 years ago
Hi Callum. What's terraform md automation?
Callum Robertson about 6 years ago
Sorry @Andriy Knysh (Cloud Posse) if that was confusing, wondering if you had any way of automatically generating terraform inputs/outputs in an md format
Andriy Knysh (Cloud Posse) about 6 years ago
Yes we use it as well. In build-harness we have a Make target, make readme, that generates md files from terraform
Rhawnk about 6 years ago
Greetings all, We have a number of existing terraform modules that we are looking to expand into a multi-region/multi-env deployment process. Just curious if anyone has any recommendations or instructions on repo configuration/setup for modules that would be deployed concurrently? Thanks in Advance.
sype about 6 years ago
Hello to every one from France
Zachary Loeber about 6 years ago
good evening
George Platon about 6 years ago
hi guys, I'm using terraform-aws-elastic-beanstalk-environment which I link to an already created VPC, and I keep getting into the problem that it tries to create a security group twice (see the error below).
Error creating Security Group: InvalidGroup.Duplicate: The security group 'xxxx' already exists for VPC 'vpc-xxxxxxxxxxx'
status code: 400
kj22594 about 6 years ago
Hi all, someone yesterday asked a question here: https://sweetops.slack.com/archives/CB6GHNLG0/p1578496997120600 and I have a very similar question. My team is currently trying to figure out the best way to deploy resources to different AWS accounts in multiple regions using modules in terraform. For example we'd want to deploy an EC2 instance into account A in us-east-1 and us-west-1 and deploy that same instance into account B in the same regions. Is anyone doing anything like this, and if so how are you structuring your terraform to do so?
slaughtr about 6 years ago
Hello! Looking for some pointers here. This deploys the project to codebuild as expected, but doesn't want to properly link to the private repo. I have to go into the UI and change it from Public repository to Repository in my GitHub account and find it in the dropdown every time. As you can see at the bottom, I'm mirroring what TF is reporting the config as when it's setup properly in AWS, but that doesn't seem to fix it. Any help sincerely appreciated, this is a manageable nuisance, but a nuisance nonetheless.
slaughtr about 6 years ago
This is copied/modified from cloudposse/terraform-aws-codebuild, if that helps in any way
Tom Taubkin about 6 years ago (edited)
Hi the example of https://github.com/cloudposse/terraform-aws-ecs-web-app/tree/master/examples/without_authentication doesn't run.
I keep getting this response:
Error: Error in function call
on .terraform/modules/web_app.alb_target_group_cloudwatch_sns_alarms/main.tf line 49, in locals:
49: alarm_actions = coalescelist(var.alarm_actions, var.notify_arns)
|----------------
| var.alarm_actions is empty list of string
| var.notify_arns is empty list of string
Call to function "coalescelist" failed: no non-null arguments.
Error: Error in function call
on .terraform/modules/web_app.alb_target_group_cloudwatch_sns_alarms/main.tf line 50, in locals:
50: ok_actions = coalescelist(var.ok_actions, var.notify_arns)
|----------------
| var.notify_arns is empty list of string
| var.ok_actions is empty list of string
Call to function "coalescelist" failed: no non-null arguments.
Error: Error in function call
on .terraform/modules/web_app.alb_target_group_cloudwatch_sns_alarms/main.tf line 51, in locals:
51: insufficient_data_actions = coalescelist(var.insufficient_data_actions, var.notify_arns)
|----------------
| var.insufficient_data_actions is empty list of string
| var.notify_arns is empty list of string
Tom Taubkin about 6 years ago
When trying to replicate locally without using the example I get the same errors
Brij S about 6 years ago
When using terragrunt's plan-all command, I've got the following directory structure.
├── global
│   ├── main.tf
│   └── terragrunt.hcl
├── terragrunt.hcl
└── us-east-1
    ├── main.tf
    └── terragrunt.hcl
main.tf inside the us-east-1 folder has a variable which refers to module.route53_zone.zone_id which is an output of the module referred to in main.tf in the global main.tf. However I get the following error:
Error: Reference to undeclared module
on main.tf line 15, in module "acm":
15: zone_id = module.route53_zone.zone_id
No module call named "route53_zone" is declared in the root module.
[terragrunt] 2020/01/09 10:50:41 Encountered the following errors:
Hit multiple errors:
exit status 1
Is this even possible with terragrunt? Or am I doing something wrong?
slaughtr about 6 years ago
You need to add a dependency block in the .hcl file that's referencing the other. TG syntax is a bit different.
inputs = {
  vpc_id = dependency.vpc.outputs.vpc_id
}
dependency "vpc" {
  config_path = "../../network/vpc"
}
Brij S about 6 years ago
now it says
/global/terragrunt.hcl is a dependency of /us-east-1/terragrunt.hcl but detected no outputs. Either the target module has not been applied yet, or the module has no outputs. If this is expected, set the skip_outputs flag to true on the dependency block.
Brij S about 6 years ago
based on your example, I have
inputs = {
  zone_id = dependency.route53_zone.outputs.zone_id
}
dependency "route53_zone" {
  config_path = "../global"
}
Brij S about 6 years ago
do I need mock outputs?
Brij S about 6 years ago
oh I think I do
slaughtr about 6 years ago
So the actual terraform (not terragrunt.hcl) for whatever you're using for your global there should have an output called zone_id - outputs here refers literally to what's in the outputs for that module.
slaughtr about 6 years ago
You can't (I don't think) access resources directly in TG. Add an output "route_53_zone_id" with the proper value to your outputs.tf in your global module and then it's dependency.route53_zone.outputs.route_53_zone_id
slaughtr about 6 years ago
You will also need to re-apply your global module for those outputs to be detected
Erik Osterman (Cloud Posse) about 6 years ago
Bernhard Lenz about 6 years ago
I'm getting below error.
terraform init
Initializing modules...
Downloading cloudposse/ecs-container-definition/aws 0.21.0 for ecs-container-definition...
Error: Failed to download module
Could not download module "ecs-container-definition" (ecs.tf:106) source code
from
"https://api.github.com/repos/cloudposse/terraform-aws-ecs-container-definition/tarball/0.21.0//*?archive=tar.gz":
Error opening a gzip reader for
My terraform file contains
module "ecs-container-definition" {
  source  = "cloudposse/ecs-container-definition/aws"
  version = "0.21.0"
}
The URL does not seem to resolve correctly. Does anybody know here how to get this to work? I believe this worked for me 2 days ago
slaughtr about 6 years ago
What do you have for your source value?
Bernhard Lenz about 6 years ago
module "ecs-container-definition" {
  source  = "cloudposse/ecs-container-definition/aws"
  version = "0.21.0"
}
Erik Osterman (Cloud Posse) about 6 years ago
ohhhhhhh
Erik Osterman (Cloud Posse) about 6 years ago
I think this was a bug in terraform
Erik Osterman (Cloud Posse) about 6 years ago
are you running the latest terraform?
Bernhard Lenz about 6 years ago
yeah latest version 0.12.18
Bernhard Lenz about 6 years ago
on windows
slaughtr about 6 years ago
Maybe try using a git:: source? IE source = "git::https://github.com/cloudposse/terraform-aws-dynamodb.git?ref=tags/0.11.0"
Bernhard Lenz about 6 years ago
wait, they now have .19. Let me try that
Erik Osterman (Cloud Posse) about 6 years ago
Erik Osterman (Cloud Posse) about 6 years ago
this is what I was thinking about
Erik Osterman (Cloud Posse) about 6 years ago (edited)
see the thread/discussion below that
Bernhard Lenz about 6 years ago
Thanks for the quick help
Bernhard Lenz about 6 years ago
0.12.18 -> 0.12.19 fixed it
slaughtr about 6 years ago
Annoyingly re-sharing this since it got buried. I'm fixing a lot of stuff in the coming days that touches codebuild so it would be great to figure this out before I do that. Seriously, thanks for any help!
Brij S about 6 years ago
I've got a terraform module that creates resources in two different aws accounts. I handle this by doing the following:
provider "aws" {
  region  = "us-west-2"
  profile = "profile1"
}
provider "aws" {
  region  = "us-west-2"
  profile = "profile2"
  alias   = "digi"
}
I'm trying to utilize terragrunt to deploy many modules. This becomes difficult since the above method no longer works, has anyone encountered this? If so, how have you got around this. I don't think Terragrunt supports multiple providers like this
David about 6 years ago
Hey Brij, I've used multiple providers before in terragrunt modules without issue.
What error are you seeing?
Brij S about 6 years ago
no errors yet, I'm trying to understand how terragrunt will manage to use different aws profiles
Brij S about 6 years ago
how have you used multiple providers ?
Erik Osterman (Cloud Posse) about 6 years ago
(also we have #terragrunt - might get more feedback there)
Brij S about 6 years ago
oh woops - thanks
Milos Backonja about 6 years ago
so this seems like global issue?
Milos Backonja about 6 years ago
strange, yesterday was working fine with 0.12.18
Milos Backonja about 6 years ago
but upgrade to 0.12.19 fixed issue
loren about 6 years ago
i bet it was related to the checkpoint api being broke yesterday, https://github.com/hashicorp/terraform/issues/23816
Rob Rose about 6 years ago
Hey I was hoping someone could let me know if I'm on the right track. I'm currently setting up a Jenkins pipeline to provision resources for a startup I'm freelancing for. I was planning on using a multibranch repository with each branch for one environment. Is this an alright way to do it? Or should I do something else?
Philip L Bankier about 6 years ago
Hey can someone help me terraform an EKS cluster. I'm trying to use the aws_eks_node_group resource but I can't figure out how to pass it the worker's security group so when I deploy I get workers that can't connect to the cluster because they don't have the right security group. Is that resource supposed to generate the correct security group or something? Also what security group do I use as the source_security_group_id in the cluster security group rules?
Erik Osterman (Cloud Posse) about 6 years ago
@Philip L Bankier have you seen our working example here? https://github.com/cloudposse/terraform-aws-eks-node-group
Erik Osterman (Cloud Posse) about 6 years ago
see examples/complete of using our module that implements the EKS managed node groups
Joe Hosteny about 6 years ago
Hi @Andriy Knysh (Cloud Posse). The previously mentioned NLB module is available at https://github.com/jhosteny/terraform-aws-nlb/. I didn't realize NLBs could not have security groups assigned when I started, so it has a smaller surface area now. Also, I could not figure out how to get access logs to work with NLBs due to encryption issues (not sure it is possible on NLBs yet), so I left that commented out. Also, tests have not been run, though I modified your ALB tests and expect it should work, or be close to working.
loren about 6 years ago
very cool, variable validation coming to tf 0.12.20... https://github.com/hashicorp/terraform/issues/2847#issuecomment-573252616
tamsky about 6 years ago
Do any folks here have advice to share on how they manage environments that require multi-step terraform apply?
For instance, in our environment, we have dependencies between two different terraform config dirs (config dir A references resource ARNs that are created and exist in the output of config dir B).
If config dir A executes apply before resources exist in config dir B, we rely on terraform_remote_state with lookup(), and an empty ("") default value.
I'm interested to hear about methods folks have created that track and/or automate the cases where A is waiting for resources in B, and helps the system determine and/or trigger a subsequent apply in dir A.
IvanM about 6 years ago
guys could this https://github.com/cloudposse/terraform-aws-codebuild/pull/50 be merged?
Seems that it will work and it will help big time!
Cloud Posse about 6 years ago
Join us for "Office Hours" every Wednesday 11:30AM (PST, GMT-7) via Zoom. This is an opportunity to ask us questions on terraform and get to know others in the community on a more personal level. Next one is Jan 22, 2020 11:30AM.
#office-hours (our channel)
PePe Amengual about 6 years ago (edited)
Hi, I'm using https://github.com/cloudposse/terraform-aws-alb-ingress.git but I need to specify 15 ingress rules some path some host-header for what I understand with this module I can't define more than
count = length(var.unauthenticated_paths) > 0 && length(var.unauthenticated_hosts) == 0 ? var.unauthenticated_listener_arns_count : 0
Erik Osterman (Cloud Posse) about 6 years ago
@PePe Amengual yea, I think it could use some refactoring for that use-case. We were a bit constrained with HCLv1 syntax, but I think with HCLv2, it can be improved. When we upgraded it to HCL2, we didn't change the interface or leverage the new features of HCL2.
PePe Amengual about 6 years ago
ok, yes we could use some dynamics for that
PePe Amengual about 6 years ago
ok for now I will just do it in plain tf without the module
PePe Amengual about 6 years ago
I will see if I have some time and send a PR over
Vlad Ionescu (he/him) about 6 years ago
If I have an object of the following type:
type = list(object({
  sqs_arn     = string
  bucket_name = string
}))
is there any way for me to get a list of all the sqs_arns? I want to say there is but for the life of me I can't figure it out
Vlad Ionescu (he/him) about 6 years ago
🤦 Got it:
[for i in var.additional_forwarding_configs : i.sqs_arn]
IvanM about 6 years ago
guys anyone could help pls with small thing? It's about https://github.com/cloudposse/terraform-aws-codebuild
Every time I execute terraform plan I can see this diff (without any changes)
- source {
- buildspec = "cicd/swaggerspec.yml" -> null
- git_clone_depth = 0 -> null
- insecure_ssl = false -> null
- report_build_status = false -> null
- type = "CODEPIPELINE" -> null
}
+ source {
+ buildspec = "cicd/swaggerspec.yml"
+ report_build_status = true
+ type = "CODEPIPELINE"
}
Any idea how to get rid of it?
mfridh about 6 years ago
I dunno about the module specifically...
But seems there is a diff between the state and desired state at least ...
report_build_status = false
report_build_status = true
Did you apply the current diff above at least once?
IvanM about 6 years ago
🤦
IvanM about 6 years ago
it was report_build_status
thanks a lot
cabrinha about 6 years ago
Seems like using a aws_launch_config and setting spot_price = "" no longer launches spot instances?
Erik Osterman (Cloud Posse) about 6 years ago
rbadillo about 6 years ago
Hi team, I have a question about launch templates and AWS ASG:
resource "aws_launch_template" "example" {
  name_prefix   = "example"
  image_id      = "${data.aws_ami.example.id}"
  instance_type = "c5.large"
}
resource "aws_autoscaling_group" "example" {
  availability_zones = ["us-east-1a"]
  desired_capacity   = 1
  max_size           = 1
  min_size           = 1
  mixed_instances_policy {
    launch_template {
      launch_template_specification {
        launch_template_id = "${aws_launch_template.example.id}"
      }
      override {
        instance_type     = "c4.large"
        weighted_capacity = "3"
      }
      override {
        instance_type     = "c3.large"
        weighted_capacity = "2"
      }
    }
  }
}
Can I have an ASG with 2 overrides and not weighted_capacity?
rbadillo about 6 years ago
I think I found my answer by reading this:
override - (Optional) List of nested arguments provides the ability to specify multiple instance types. This will override the same parameter in the launch template. For on-demand instances, Auto Scaling considers the order of preference of instance types to launch based on the order specified in the overrides list. Defined below.
Naseem about 6 years ago
Niche question but any GCP users have tried declaring their build steps of Cloud Build triggers in Terraform?
Chris Fowles about 6 years ago
yeh - it was a bit awkward but ok for simple builds
Chris Fowles about 6 years ago
probably wouldn't try doing it again
Milos Backonja about 6 years ago
Guys,
I am using waf regional web acls with fortinet managed rules from marketplace.
That fortinet rule set id changes from region to region, maybe even from account to account so option to hardcode id can't work. I can't find way to dynamically find rule id (over data source). I was only able to find rule id, if I create web acl by hand through console, attach fortinet rule to webacl, and to describe web acl through aws cli which contains rule id inside.
Does anyone have similar issue? Any ideas are welcomed.
Thanks
Erik Osterman (Cloud Posse) about 6 years ago
Erik Osterman (Cloud Posse) about 6 years ago (edited)
"The Terralith" very apropos
Erik Osterman (Cloud Posse) about 6 years ago (edited)
nice explanation for newcomers to terraform (and why to avoid them)
David about 6 years ago (edited)
What happens when you have an explicit dependency on a resource that has a count of 0?
So something like:
resource some_resource thing {
  count = 0
}
resource other_resource thang {
  ...
  depends_on = [some_resource.thing]
}
loren about 6 years ago
i'd say your config is broken
loren about 6 years ago
modules are getting an upgrade... https://github.com/hashicorp/terraform/issues/10462#issuecomment-575738220
Pierre-Yves about 6 years ago (edited)
Hi,
do you recommend using multiple tfstate files? per environment and per tool as explained here
the post below is from 2016 and I wonder if it's still the best way to go. (I am currently struggling by having a single tfstate file).
or should I go with workspace? which path did you choose?
https://blog.gruntwork.io/how-to-manage-terraform-state-28f5697e68fa
Cloud Posse about 6 years ago
Join us for "Office Hours" every Wednesday 11:30AM (PST, GMT-7) via Zoom. This is an opportunity to ask us questions on terraform and get to know others in the community on a more personal level. Next one is Jan 29, 2020 11:30AM.
#office-hours (our channel)
Igor about 6 years ago
Has anybody ever run into an error that just says Invalid Parameter with no other info. The DEBUG output shows a 400 Bad Request from AWS
Erik Osterman (Cloud Posse)about 6 years ago
I think it would help if you share a little bit more context like:
Erik Osterman (Cloud Posse)about 6 years ago
⢠what is the terraform provider
Erik Osterman (Cloud Posse)about 6 years ago
⢠how are you authenticating with AWS (e.g. through SSO or access keys)
Erik Osterman (Cloud Posse)about 6 years ago
⢠if this was working and recently stopped
Igorabout 6 years ago(edited)
I was able to find the issue. It had to do with target group not being connected to the ALB, due to neither unauthenticated_hosts/_paths parameter being passed in to terraform-aws-alb-ingress.
Igorabout 6 years ago
Not sure why TF was swallowing the error message
Erik Osterman (Cloud Posse)about 6 years ago(edited)
Saw a neat demo today by @marcinw of his new SaaS (spacelift.io). They've built something similar to Terraform Cloud, but some nice differentiators:
• Integration with Open Policy Agent so you can set policies that operate on the output of the terraform plan, but also other things like time-of-day.
• Bring-your-own-docker-container model so it's easier to run custom providers and depend on other tools
• No hardcoded AWS credentials. Just grant access to their principal, the way datadog works.
Erik Osterman (Cloud Posse)about 6 years ago
If it sounds interesting, you can ping him for a demo.
marcinwabout 6 years ago
Thanks for the shout-out @Erik Osterman (Cloud Posse). If anyone wants a demo or just wants to try it out (it's in private beta) please give me a shout, either here or through the contact form on https://spacelift.io
Erik Osterman (Cloud Posse)about 6 years ago
There's an example of using OPA with terraform. Pretty neat.
Erik Osterman (Cloud Posse)about 6 years ago
ah cool, so OPA under the hood
Brij Sabout 6 years ago
in a brand new aws account with nothing in it initially, how do you all handle creating some sort of iam role/user which carries out tf applies
Brij Sabout 6 years ago
kind of a chicken n egg situation
lorenabout 6 years ago
Create the account with aws organizations, assume the role it creates in the account
Chris Fowlesabout 6 years ago
we have an org management project that is run against the org root - it handles creating sub accounts and then assuming roles into those to create the baseline IAM setup
Chris Fowlesabout 6 years ago
it's a chicken omelette
Brij Sabout 6 years ago
i have a route53 module which creates a route53 zone among some other operations and an acm module, when running terraform apply, I get the following output
module.route53_zone.aws_route53_record.digital_ns: Creating...
module.acm.aws_acm_certificate_validation.this[0]: Creating...
module.acm.aws_acm_certificate_validation.this[0]: Still creating... [10s elapsed]
The acm validation won't pass until that route53 record is created, can I force the order here, or place a dependency on modules?
Rob Roseabout 6 years ago
Hey how do you guys work around https://github.com/hashicorp/terraform/issues/4775 when using MySQL instances in a private subnet?
johncblandiiabout 6 years ago
Hey folks, I have the eks_node_group working, but am hitting a problem with EFS allowing connections. I need to update the EFS security group to allow the node groups sg, but it gets a random sg from the template.
Anyone address this yet?
Bradford Toneyabout 6 years ago
Would it be unwise to use terraform to install fluxcd at the end of an EKS provision?
johncblandiiabout 6 years ago
https://github.com/cloudposse/terraform-aws-alb-target-group-cloudwatch-sns-alarms/blob/0.7.0/main.tf#L51
module "alb_target_group_alarms" {
  source = "git::https://github.com/cloudposse/terraform-aws-alb-target-group-cloudwatch-sns-alarms.git?ref=tags/0.7.0"
  ...
  insufficient_data_actions = []
  ...
}
what solution would fix this when it is set to [] or null?
Error: Error in function call
  on .terraform/modules/core.alb_target_group_alarms/main.tf line 51, in locals:
  51: insufficient_data_actions = coalescelist(var.insufficient_data_actions, var.notify_arns)
    |----------------
    | var.insufficient_data_actions is null
    | var.notify_arns is list of string with 1 element
Call to function "coalescelist" failed: panic in function implementation: value is null
goroutine 3185 [running]:
runtime/debug.Stack(0xc000cb2230, 0x25dc320, 0x2d91510)
  /opt/goenv/versions/1.12.4/src/runtime/debug/stack.go:24 +0x9d
github.com/zclconf/go-cty/cty/function.errorForPanic(...)
  /opt/teamcity-agent/work/9e329aa031982669/pkg/mod/github.com/zclconf/go-cty@v1.0.0/cty/function/error.go:44
github.com/zclconf/go-cty/cty/function.Function.Call.func1(0xc000cb2568, 0xc000cb2588)
  /opt/teamcity-agent/work/9e329aa031982669/pkg/mod/github.com/zclconf/go-cty@v1.0.0/cty/function/function.go:239 +0x8f
panic(0x25dc320, 0x2d91510)
  /opt/goenv/versions/1.12.4/src/runtime/panic.go:522 +0x1b5
github.com/zclconf/go-cty/cty.Value.Lengt
Bruceabout 6 years ago
This may be a dumb question. But how do I get a single NACL ID from the data "aws_network_acls" resource to add a route in aws_route for the route_table_id attribute? I've tried using the element function but that doesn't work.
sumit parmarabout 6 years ago
do we have a terraform provider for Ingress controller on kubernetes?
Cloud Posseabout 6 years ago
Join us for "Office Hours" every Wednesday 11:30AM (PST, GMT-7) via Zoom. This is an opportunity to ask us questions on terraform and get to know others in the community on a more personal level. Next one is Feb 05, 2020 11:30AM. Register for Webinar
#office-hours (our channel)
getSurrealabout 6 years ago
Is the terraform-aws-dynamic-subnets module preferred over terraform-aws-multi-az-subnets or is there a reason to use one over the other?
Erik Osterman (Cloud Posse)about 6 years ago
@getSurreal there's no one best way to do it because it depends on the customer requirements on what you want to achieve
Erik Osterman (Cloud Posse)about 6 years ago
that's why we decoupled subnets from VPCs
Erik Osterman (Cloud Posse)about 6 years ago
because subnetting is a very opinionated topic, especially in established organizations
Darenabout 6 years ago(edited)
Do you have plans to update https://github.com/cloudposse/terraform-aws-cloudfront-cdn/releases with support for TF 0.12?
Pierre-Yvesabout 6 years ago
Hello,
I am using remote tfstate and changes are directly made to it with no backup. Do you do tfstate backup and store it remotely?
I see that terraform refresh has a backup option, but as I am using it in CI local storage is not an option
Adrianabout 6 years ago
S3 bucket versioning isn't enough?
Pierre-Yvesabout 6 years ago
Hi Adrian, I am using Azure where there is no versioning on Blob storage, also Azure Snapshot is only for file but not for Blob
mmarsegliaabout 6 years ago
When using elasticbeanstalk why does every apply result in setting changes on the elasticbeanstalk app even though it looks like nothing changed?
- setting {
- name = "MinSize" -> null
- namespace = "aws:autoscaling:asg" -> null
- value = "2" -> null
}
+ setting {
+ name = "MinSize"
+ namespace = "aws:autoscaling:asg"
+ value = "2"
}
mmarsegliaabout 6 years ago
i don't understand what's going on there
mmarsegliaabout 6 years ago
and what that -> null is all about
creatureabout 6 years ago
hey there sweetops ninjas. I'm working with the terraform-aws-cloudtrail-s3-bucket module and wondering if there's a trick to adding a custom policy attribute. Docs simply say "string", but I can't get anything to stick. It always overwrites the policy with the default.
module "cloudtrail_s3_bucket" {
  source = "git::https://github.com/cloudposse/terraform-aws-cloudtrail-s3-bucket.git?ref=master"
  name   = "cloudtrail-sandbox-boo"
  policy = file("policies/cloudtrail-bucket.json.tpl")
}
creatureabout 6 years ago(edited)
any examples would be greatly appreciated. I've tried the <<EOF pattern also, both of which work with the aws_s3_bucket_policy resource. But these two battle it out, so no idempotency which makes me a sad panda.
Laurynasabout 6 years ago
Hi, has anyone tried Pulumi? I heard a lot of good things about it but I'm not sure if it's good idea to migrate
IckesJabout 6 years ago
In general terms how are any of you guys protecting secrets inside tfstates?
• We are currently using the S3 backend with it encrypted so the general tf recommendation referenced here https://www.terraform.io/docs/state/sensitive-data.html is only part of the solution.
The solution for pgp is great but only available inside iam_user, iam access key & iam login profile & light sail.
So what about when an RDS instance for example, the admin password I want to be a secret in the tfstate. Other examples are DS Directory Services domain admin password, SSM values, etc.
Brij Sabout 6 years ago
when you want to reference a release (within github) for a tf module, do you reference within the link, for example:
git@github.corp/example.git?ref=v.1.0
or can you do the following:
source = "git@github.corp/example.git"
version = "1.0"
Andriy Knysh (Cloud Posse)about 6 years ago
example.git?ref=tags/0.1.0
sumit parmarabout 6 years ago
How to import Azure Function App in Azure API Management using Terraform?
Igor Bronovskyiabout 6 years ago
tflint error
Igor Bronovskyiabout 6 years ago
what am I doing wrong?
Igor Bronovskyiabout 6 years ago
terraform validate says Ok
Scottabout 6 years ago
Anyone have recommendations/reading suggestions on how you test infra built with terraform?
creatureabout 6 years ago
I watched a Hashicorp video the other day that talked about terratest
creatureabout 6 years ago
curious what other folks are doing also though
Scottabout 6 years ago
I'm even just curious on HOW testing for infra is done - beyond the tools - the concept of testing infra is new to me
Igor Bronovskyiabout 6 years ago
tflint .
terraform validate
Igorabout 6 years ago
Does ECS provide an SNS topic to subscribe to events like updating service, tasks starting/stopping, autoscaling events?
Igorabout 6 years ago
And if so, is there a terraform example of this that someone can share?
Joe Hostenyabout 6 years ago
Using the CloudPosse tooling, and root modules using tf 0.12, is there any way at all to run output currently, when using remote state?
Olaabout 6 years ago
@here can anyone help with terraform connection to a private cloud. Do I have to write a custom provider?
Erik Osterman (Cloud Posse)about 6 years ago
@Ola, do you mean a way to manage a private cloud platform/api with Terraform?
Erik Osterman (Cloud Posse)about 6 years ago
...if so, first check the wealth of providers for private clouds
Erik Osterman (Cloud Posse)about 6 years ago
alternatively, if the scope of what you want to manage is small/simple and the private cloud provides a standard REST API, you can use this "escape hatch": https://github.com/Mastercard/terraform-provider-restapi