189 messages
bougymanalmost 6 years ago
I've done similar, but in awk.
bougymanalmost 6 years ago
Hrm. What format is the pgp_key supposed to be in?
bougymanalmost 6 years ago
I did gpg -a --export <my_key> | base64 to write it.
Mattalmost 6 years ago
Does anyone know of a good Terraform module/repo for deploying a Lambda on API Gateway?
Mattalmost 6 years ago
API Gateway is ridiculously complicated. I need to use Terraform which I prefer but the Lambda/API Gateway combo is something I've spun up quickly and easily with Serverless and Zappa.
Mattalmost 6 years ago
However with Terraform, it's a bit of a pain. I haven't found any good working examples for this yet.
Raymond Butcheralmost 6 years ago
API Gateway in Terraform is pretty terrible in my experience, too many bugs. There are 66 open issues for it https://github.com/terraform-providers/terraform-provider-aws/issues?q=is%3Aissue+is%3Aopen+api+gateway+label%3Aservice%2Fapigateway
Next time I have to do it, I'll try a swagger definition or CloudFormation stack.
Raymond Butcheralmost 6 years ago
When I last tried it, I couldn't get it to automatically deploy the stage after making changes without resorting to hacks. I nearly got it but there was a bug that made it disassociate the API key, requiring a 2nd TF apply to put it back. Ended up doing a local exec call to the AWS CLI to do it.
lorenalmost 6 years ago
haven't used it, but this looks promising... https://github.com/FormidableLabs/terraform-aws-serverless
Cloud Possealmost 6 years ago
Join us for "Office Hours" every Wednesday 11:30AM (PST, GMT-7) via Zoom. This is an opportunity to ask us questions on terraform and get to know others in the community on a more personal level. Next one is Mar 11, 2020 11:30AM.
#office-hours (our channel)
Mattalmost 6 years ago
@Raymond Butcher Yeah, I've contemplated switching over to the Serverless framework which is not ideal as the rest of my infra is in TF
Mattalmost 6 years ago
@loren thanks, I haven't seen/tried that one yet!
RBalmost 6 years ago
anyone know how to store arbitrary values to the tfstate?
im working with the null_resource to store output using triggers but the value doesn't seem to be retrievable on subsequent terraform init && terraform plan
Raymond Butcheralmost 6 years ago
how about: arbitrary values in the outputs of one stack, terraform remote state data source to read them from another stack
RBalmost 6 years ago
the output is from a command, the output is stored using a null resource
RBalmost 6 years ago
i could take the output and store it in an s3 file and stick that in s3 and then retrieve it, but that seems awful
RBalmost 6 years ago
i could use something like consul or etcd i suppose
lorenalmost 6 years ago
ssm is often used to store values so they are accessible in different tfstates... not sure why there would be a problem on subsequent runs of the same tfstate...
RBalmost 6 years ago
i think it has something to do with this https://github.com/hashicorp/terraform/issues/23679
RBalmost 6 years ago
im using this module https://registry.terraform.io/modules/matti/resource/shell/1.0.3
lorenalmost 6 years ago
try opening an issue?
RBalmost 6 years ago
already did
RBalmost 6 years ago
trying to find a workaround while i work through the issue
RBalmost 6 years ago
thanks tho
Raymond Butcheralmost 6 years ago
i was just reading that issue, where the author says he doesn't know how it works
RBalmost 6 years ago
sometimes i love terraform and sometimes i hate it
lorenalmost 6 years ago
tbh - I don't actually know how my module works internally - so far it just has worked. It relies on terraform "bugs" that I "abuse" in a way.
Could you make a github repo with what I could try this out?
lorenalmost 6 years ago
lololol
Nikola Velkovskialmost 6 years ago(edited)
terraform always works in the CRUD cycle if you cannot do something in 1 apply then find another way to do it
RBalmost 6 years ago
so here's what im trying to solve. maybe you fine folks can help me.
i created a new global/tags module for my company which runs a couple commands to get the git_repo and git_path dynamically and uses those values as keys in my tags which are then outputted and reused across my resources.
Nikola Velkovskialmost 6 years ago
key value store is not a bad idea
RBalmost 6 years ago
so far this works but fails on subsequent applies due to this bug or workaround or w/e you want to call it.
Nikola Velkovskialmost 6 years ago
I would investigate passing those values as cmd arguments to terraform
Nikola Velkovskialmost 6 years ago
so wrapper script, makefile etc
Raymond Butcheralmost 6 years ago
that, or a data source that runs every time
RBalmost 6 years ago
@Nikola Velkovski errrrg nah, id rather it collect it dynamically so theres no fat fingering
RBalmost 6 years ago
how would the data source work? what data source would it be?
lorenalmost 6 years ago
do you have a remote state configured? trying to understand what tf is comparing against after you've deleted .terraform...
RBalmost 6 years ago
@Raymond Butcher thanks looking into it
Raymond Butcheralmost 6 years ago
i could be wrong but it sounds like a data source is more suitable than a resource. i think you'd want it to run every time to ensure the git details are current
RBalmost 6 years ago
@loren the tf is removed and then reinitialized using tf init by redownloading from s3
RBalmost 6 years ago
Thanks @Meb but unsure how that helps
Mebalmost 6 years ago
Just sharing here a tool that would help beside the discussion..
Jessealmost 6 years ago
Looking for opinions on securely storing secrets and other sensitive data for terraform tfvars or terragrunt yamls as part of a pipeline. Hashicorp Vault is on our roadmap for other secrets, but we're not there yet. I am trying to find a better solution than just managing them locally and in our password managers
Erik Osterman (Cloud Posse)almost 6 years ago
latest and greatest from @johncblandii https://www.youtube.com/watch?v=VvH0F6Nrlvc
RBalmost 6 years ago
there must be some overlap betw tfsec and tflint tho, no?
MorganGeekalmost 6 years ago
How to use tfsec and similar tools, when using terragrunt and modules, on the root folder ?
MorganGeekalmost 6 years ago
Such tools usually only recognize tf files while terragrunt uses hcl files
RBalmost 6 years ago
How do people here manage their kms policies? We have a many services that each have their own role and we have to manually add each role to our kms policy using terraform.
Is there a better way to do this?
RBalmost 6 years ago
Ideally, I'd be able to use a data source for iam roles and filter them by tag and apply them to the policy but currently roles and users can be tagged but not filtered by tag.
If anyone is also interested in that, I'd appreciate if people could request their AWS TAM's for this feature
Michał Czeraszkiewiczalmost 6 years ago
Is it possible to use waf_web_acl with WAF v2?
Tan Quachalmost 6 years ago
hi! Seems the version for this module went from 0.7.0 to 0.3.2 recently
https://github.com/cloudposse/terraform-aws-s3-bucket/releases
Is that the correct next version?
Brij Salmost 6 years ago
if i wanted to convert "${var.resource_name}-alb-logs-${data.aws_region.current.name}" to use format, am I able to pass in two variables like so:
format("%s-alb-logs-%s", var.resource_name, data.aws_region.current.name)
RBalmost 6 years ago
yeah that looks like it would work
$ terraform console
> format("%s-%s-%s-%s-%s-%s", "my", "other", "hand", "is", "a", "sandwich")
my-other-hand-is-a-sandwich
Brij Salmost 6 years ago
thanks! also didn't know terraform console was a thing
Rajesh Babu Gangulaalmost 6 years ago
@here I am in a situation where I need to stay at Terraform v0.11 but needed both 1.X and 2.X aws providers .... I need to keep 1.X for cloudfront distribution as using 2.X it keeps re-applying at every run so I need to stick with 1.X for cloudfront module .. when I try to add both providers I am getting the following error ... any ideas how to keep both providers
No provider "aws" plugins meet the constraint "~> 1.60,~> 2.0".
nianalmost 6 years ago
What are thoughts about using LocalStack for local/dev testing on those services it supports?
Any experience compared to the real AWS cloud?
MorganGeekalmost 6 years ago
Nothing is really as good and efficient as testing on real infra if you can. Localstack is the way you go when you are very constrained on the infra costs and can't afford to create test environments on cloud.
RBalmost 6 years ago
Hi all.
I was looking at the cloudposse module: https://github.com/cloudposse/terraform-aws-elasticache-redis
Noticed that it does not use resource aws_elasticache_cluster but instead uses aws_elasticache_replication_group . Does anyone know the benefits of the replication group over the cluster? As far as I understand it, the replication group is a group of clusters whereas a cluster is a single instance of redis. Any additional costs with the replication group?
MattyBalmost 6 years ago
Due to customer requirements I need to export RDS snapshots to S3 & eventually glacier. Can you not configure RDS to automatically send snapshots to S3? It's either manual/console, AWS CLI, or RDS API? Is my best bet via Lambda on a timer?
Brij Salmost 6 years ago
are there any pros and cons to doing format("%s-lambda", var.resource_name) over ${var.resource_name}-lambda
Erik Osterman (Cloud Posse)almost 6 years ago
Credit: @antonbabenko
Erik Osterman (Cloud Posse)almost 6 years ago
Looks pretty neat
Erik Osterman (Cloud Posse)almost 6 years ago
RBalmost 6 years ago
I've wanted to use terraform providers like lastpass and vault but doesn't that mean you have to store your passwords in version control? and how do you lock something like that down?
Cloud Possealmost 6 years ago
Join us for "Office Hours" every Wednesday 11:30AM (PST, GMT-7) via Zoom. This is an opportunity to ask us questions on terraform and get to know others in the community on a more personal level. Next one is Mar 18, 2020 11:30AM.
#office-hours (our channel)
RBalmost 6 years ago(edited)
anyone know any terraform modules that take advantage of the new ecs autoscaling using aws_ecs_capacity_provider https://www.terraform.io/docs/providers/aws/r/ecs_capacity_provider.html
Ref: https://aws.amazon.com/blogs/aws/aws-ecs-cluster-auto-scaling-is-now-generally-available/
Igoralmost 6 years ago
@RB https://github.com/cloudposse/terraform-aws-ecs-alb-service-task appears to support capacity_provider_strategy configuration for aws_ecs_service, but you may need to create the capacity provider(s) yourself
Brij Salmost 6 years ago
does terraform support wildcards for filenames?
resource "aws_s3_bucket_object" "object" {
  bucket = var.s3_bucket
  key    = "${var.resource_name}/FILENAME?"
  source = "${path.module}/FILENAME?"
  # The filemd5() function is available in Terraform 0.11.12 and later
  # For Terraform 0.11.11 and earlier, use the md5() function and the file() function:
  # etag = "${md5(file("path/to/file"))}"
  etag = filemd5("path/to/file")
}
is it possible to do "${var.resource_name}/*.zip"
rbadilloalmost 6 years ago
Hi Guys,
Is anybody here having issues creating EKS Clusters using terraform ?
We are seeing this error:
module.eks_cluster.aws_eks_cluster.eks_cluster: Still creating... [11m20s elapsed]
module.eks_cluster.aws_eks_cluster.eks_cluster: Still creating... [11m30s elapsed]
Error: unexpected state 'FAILED', wanted target 'ACTIVE'. last error: %!s(<nil>)
on ../../../../modules/eks/eks_control_plane/main.tf line 405, in resource "aws_eks_cluster" "eks_cluster":
405: resource "aws_eks_cluster" "eks_cluster" {
AWS just released EKS v1.15 last night and we think it may be related.
Scottalmost 6 years ago
Am I the only one that finds these terraform patterns...bad? https://www.hashicorp.com/resources/evolving-infrastructure-terraform-opencredo
Scottalmost 6 years ago
Separate definition per environment? is that common practice?
Raymond Butcheralmost 6 years ago
I haven't read that in a long time but yeah, it doesn't seem to talk about using workspaces or extra tooling (via wrappers or automation) to deploy 1 config to multiple environments.
Raymond Butcheralmost 6 years ago
I think I've only seen 1 serious project where they copy/pasted environment definitions with the same module calls but different tfvars. But maybe I work in a bubble.
lorenalmost 6 years ago
i think that's kind of what we do, using terragrunt. one base module, with per-account tfvars, and per-account tfstate
Jason Hulingalmost 6 years ago
Hello! I'm currently using the terraform-aws-eks-cluster and just ran into an issue with auth.tf and the null_resource.apply_configmap_auth resource returning the following:
error: You must be logged in to the server (the server has asked for the client to provide credentials)
Previously I had used aws eks update-kubeconfig and specified my profile to use with --profile. I recently aliased my contexts which caused this module to create a new one, and it also updated my user for that cluster which removed the AWS_PROFILE environment variable. I was able to correct this by setting the --profile in aws_eks_update_kubeconfig_additional_arguments , but I'm also setting my profile within the aws provider, so it seems a little redundant.
So, my question for this group! Can the auth.tf file be refactored to use the kubernetes provider directly, and therefore also inherit the aws provider settings? For example I'm using the following in other scenarios to update k8s resources where local.eks_cluster is the output of the terraform-aws-eks-cluster module:
# Authenticate to the EKS Cluster
data "aws_eks_cluster_auth" "eks_cluster" {
  name = local.eks_cluster.eks_cluster_id
}
# Connect to kubernetes
provider "kubernetes" {
  host                   = local.eks_cluster.eks_cluster_endpoint
  cluster_ca_certificate = base64decode(local.eks_cluster.eks_cluster_certificate_authority_data)
  token                  = data.aws_eks_cluster_auth.eks_cluster.token
  load_config_file       = false
}
Can this not be used with kubernetes_config_map or am I overlooking something? Maybe because EKS creates the aws-auth configmap so it would need to be imported for terraform to update it?
Also, if this should be in a GitHub issue I can open one, didn't feel like a Bug or Feature though so I came here. I am also willing to work on this refactor if there isn't a known reason why it wouldn't work.
Zachary Loeberalmost 6 years ago
I believe terraform was written by the devil to punish intrepid devops engineers from trying to be too smart
Zachary Loeberalmost 6 years ago
that is all, just my theory, nothing constructive at all here....
MattyBalmost 6 years ago
What's your take on cloudformation?
Zachary Loeberalmost 6 years ago
I don't use it so I've no opinion at all but I understand it to be akin to Azure ARM templates or something. So it probably works great if all you ever deploy is AWS resources and don't have to worry too much about complex multi-team environments (and resulting backend states).
Zachary Loeberalmost 6 years ago
Working with terraform makes me feel like either I have to think like a moron and completely simplify my designs and expectations of the product or conversely, that I actually am a moron and should know that there is a completely undocumented template_file resource (as opposed to a data source) with the exact same syntax but different behavior....
ismailalmost 6 years ago
Hi all,
Can someone please tell me how to accept/continue with AWS Marketplace images in Terraform?
ikaralmost 6 years ago
hi @ismail, I guess you're looking for this: https://www.terraform.io/docs/providers/aws/d/ami.html
ikaralmost 6 years ago
you use it for finding AMI you want to use and later use for defining e.g. EC2 instance
ikaralmost 6 years ago
this can be useful if you start with data sources: https://www.terraform.io/docs/configuration/data-sources.html
ismailalmost 6 years ago
umm.... I am able to find the image... But the problem is with Market place images.... When i try to create an instance it gives errors as
Please accept licentse for marketplace images
ismailalmost 6 years ago
Anyways... I am not facing it anymore after accepting it on UI
ikaralmost 6 years ago
oh okay
Matt Gowiealmost 6 years ago
Hey @Cloudposse folks - Is it suggested to not use cloudposse/terraform-aws-rds-replica. And if I need an RDS replica of my primary to just use cloudposse/terraform-aws-rds? Asking as the replica repo hasn't been touched in 12 months, so I'm figuring that is the case but also wanted to confirm.
Timalmost 6 years ago
Hey, someone there could quickly review and release https://github.com/cloudposse/terraform-aws-dynamodb/pull/52 ?
Cloud Possealmost 6 years ago
Join us for "Office Hours" every Wednesday 11:30AM (PST, GMT-7) via Zoom. This is an opportunity to ask us questions on terraform and get to know others in the community on a more personal level. Next one is Mar 25, 2020 11:30AM.
#office-hours (our channel)
Karthik Sadhasivamalmost 6 years ago
Hi Guys, I am new to this channel and trying to get some advice on the rolling update EC2 on the ASGs. I am trying to use this module https://registry.terraform.io/modules/cloudposse/ec2-autoscale-group/aws/0.4.0 and seeing that every time I update userdata, instance type it just creates a new version of launch template but doesn't do any rolling update on the ASG. Is there is any sort of workarounds available as discussed in https://github.com/hashicorp/terraform/issues/1552.
jeffreyalmost 6 years ago
Hi all, have any of you handled the case of an entire region going down and not having access to your remote backend (such as Amazon S3)? if disaster recovery is required such as spinning up resources in a different region, i imagine you'd probably want to have terraform state replicated
Jake Lundberg (HashiCorp)almost 6 years ago
Do you know some folks that want free Terraform training? Are you in Southern California? Check out this free workshop from HashiCorp:
https://events.hashicorp.com/workshops/socalterraform
Davidalmost 6 years ago
Can I multiline with the ternary conditional operator?
ismailalmost 6 years ago(edited)
Hey Team,
Does cloudposse have a terraform module for WAF for ALB?
Maarten van der Hoefalmost 6 years ago(edited)
I don't know but I made one for waf specific: https://github.com/Flaconi/terraform-aws-waf-acl-rules
kgibalmost 6 years ago
can anyone help with this
Error: Either `number_cache_clusters` or `cluster_mode` must be set
on .terraform/modules/redis.elasticache/main.tf line 81, in resource "aws_elasticache_replication_group" "default":
81: resource "aws_elasticache_replication_group" "default" {
kgibalmost 6 years ago
having a lot of trouble getting this module to work https://github.com/cloudposse/terraform-aws-elasticache-redis
Perry Hoekstraalmost 6 years ago
Quick question: I am attempting to use the terraform-aws-dynamodb module but I am getting an Unsupported Terraform Core version error. I am on Terraform 0.12.9, are the modules reasonably up to date on 0.12.x or just 0.12.0?
rohitalmost 6 years ago
I am not sure if this is the right channel to ask my question but i wanted to know how people are deploying lambda functions to different stages in AWS
rohitalmost 6 years ago
do you deploy your infrastructure code and app code separately ?
Brij Salmost 6 years ago
has anyone tried to use https://www.terraform.io/docs/providers/aws/#ignore_tag_prefixes ?
Im adding the following
provider "aws" {
  region              = "us-east-1"
  ignore_tag_prefixes = ["kubernetes.io/*"]
}
but when i run terraform apply Im still getting changes to the tags with those prefixes, like so:
~ tags = {
    "Environment" = "dev"
  - "kubernetes.io/cluster/12-Cluster" = "shared" -> null
  ..............
}
}
xluffyalmost 6 years ago
Hi all. I have a question about terraform-aws-vpc-peering-multi-account. In the example, I need to input requester_aws_assume_role_arn and accepter_aws_assume_role_arn. I reviewed the code of this module but don't see anything for creating the two assume roles. How to get/create these roles?
Michał Czeraszkiewiczalmost 6 years ago
Hi, did anyone experience issues with the EKS cluster module (https://github.com/cloudposse/terraform-aws-eks-cluster/) in a multi-worker scenario?
Described the issue here: https://github.com/cloudposse/terraform-aws-eks-cluster/issues/55
Perry Hoekstraalmost 6 years ago
Question: Is there a Cloudposse module for the Terraform aws_lambda_permission (https://www.terraform.io/docs/providers/aws/r/lambda_permission.html)? I looked through the repositories and did not see anything.
sheldonhalmost 6 years ago
Would you say this sounds correct?
If you are adopting Terraform with few developer focused team mates, then Terraform Cloud is going to be the easiest way to centralize both automated deploy + state.
If more mature development practices then using azure devops pipelines, jenkins pipelines etc can give more control + at the cost of more complexity.
If no mature pipeline practice that is easy to standardize across team at this time, then Terraform Cloud is going to force "pure" terraform development without relying on wrapper scripts, terragrunt and other tooling, resulting in simpler plans.
Erik Osterman (Cloud Posse)almost 6 years ago(edited)
Yes, I think Terraform Cloud will yield the best developer experience out-of-the-box with the least custom tooling (wrapper scripts, terragrunt, etc) and with the least infrastructure in place to support it.
Erik Osterman (Cloud Posse)almost 6 years ago
@johncblandii has some training videos he's been working on for terraform cloud - that might help your team
RBalmost 6 years ago
ehhhh, you'll still need a linter like tflint, you'll still need terragrunt if you want to DRY up your code
Erik Osterman (Cloud Posse)almost 6 years ago
IMO, you don't need terragrunt to be dry, even with terraform cloud.
Erik Osterman (Cloud Posse)almost 6 years ago(edited)
it requires a different project folder structure though than terragrunt projects.
sheldonhalmost 6 years ago
The key to this is simplicity. I personally am comfortable with concepts like terragrunt, scripting my code more etc with linting etc. However, the bare bones nature of terraform cloud forces you to not rely on make files and var files etc
RBalmost 6 years ago
IMHO, terraform cloud is more expensive than it's worth
sheldonhalmost 6 years ago
Right now we have terraform cloud (me), some very make file oriented terraform jenkins jobs that would need much refactoring to be easily used in terraform cloud for example.
RBalmost 6 years ago
but if youre starting new, i'd POC it
sheldonhalmost 6 years ago
I'm already using it. It's more about trying to help ease of adoption.
sheldonhalmost 6 years ago
I personally would like Azure DevOps multistage pipelines or something, but I'm afraid if everyone is already struggling to even setup a cloud pipeline that that approach will limit others contributing
sheldonhalmost 6 years ago
and yes the pricing model needs adjustment for sure
RBalmost 6 years ago
look into atlantis too if you get a chance. hashicorp bought the lead developer of it. and it's pretty nifty for pipelines
sheldonhalmost 6 years ago
My impression is that Atlantis is great, but will basically be on life support in the future as terraform cloud is the way they want you to go
mfridhalmost 6 years ago
I find the diminishing returns are quite early and high when it comes to infrastructure which is NOT repeated en masse. What do you think?
Erik Osterman (Cloud Posse)almost 6 years ago
proper CI/CD of terraform is non-trivial. we've recently implemented it in codefresh pipelines. it was HARD. not because of using codefresh, but because treating planfiles as artifacts and knowing when to strategically plan projects based on files changed, and invalidating plans when new plans are created is essential.
sheldonhalmost 6 years ago
^^ this. Exactly. I took it for granted when doing my initial production deploy. I later realized why it was so hard. Cloudformation forces the pipelines/everything into the equivalent of terraform cloud by its nature.
sheldonhalmost 6 years ago
Terraform can be run on a laptop and is the lowest overhead to get going. To scale to a team, jumping that hurdle is really hard to stop relying on local runs and everything through cicd
sheldonhalmost 6 years ago
Ok, one more (maybe a thread for this). Any docs/blog article on module design building blocks vs stacks? I have one coworker who is creating a module for a security group RULE, basically almost a 1-1 for a resource. I'm going to be owning the terraform standards this year, and trying to convince that individual resources at that level is too granular. Need some external material on this topic
Brij Salmost 6 years ago
I know the terraform does dynamic variables like this
dynamic "vpc_config" {
  for_each = var.vpc_config == null ? [] : [var.vpc_config]
  content {
    security_group_ids = vpc_config.value.security_group_ids
    subnet_ids         = vpc_config.value.subnet_ids
  }
}
for an eks profile selector, does anyone have a clever way of making selector a list var so that if [default,kube-system] is entered it populates this
selector {
  namespace = "default"
}
selector {
  namespace = "kube-system"
}
The selector part has to be separate for each item in the list. is it possible?
Brij Salmost 6 years ago
figured it out! (for anyone else that may be interested)
variable "selector" {
  type = list(map(string))
}
then
dynamic "selector" {
  for_each = var.selector
  content {
    namespace = selector.value["namespace"]
  }
}
Morten Hjorth Fæsteralmost 6 years ago
Hi - I am trying to setup a task for windows container in ECS. The docs specify that windows containers must use the network mode 'default' as it uses 'NAT'. But it seems terraform only supports bridge, host, awsvpc and none:
terraform@22975a35d682:~/git-repos/kit.aws.medielogin/terraform/environments/medielogin-dev/04.services$ terraform apply
Error: expected network_mode to be one of [bridge host awsvpc none], got default
on ../../../modules/ecs-service/main.tf line 30, in resource "aws_ecs_task_definition" "service_task":
30: resource "aws_ecs_task_definition" "service_task" {
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html
This is going to hit me pretty hard. Does anyone have any advice? (Except skipping Windows altogether)
lorenalmost 6 years ago
the way i read that, i'd try none
lorenalmost 6 years ago
When you register a task definition with Windows containers, you must not specify a network mode.
lorenalmost 6 years ago
the sentence after that you are referring to is talking about the aws console, which has a "default" option. but that is not a valid option for the api. that is just the console trying to be helpful.
Callum Robertsonalmost 6 years ago
Hi everyone, running into a bit of blocker and I thought I'd ask if anyone had found a way around problems like this in Terraform as it currently is.
I'm trying to use a dynamic block for a list(string) of ports I want to allow to a list(string) of security groups
Expected:
Terraform will review the for_each argument and if the length of the var.allowed_security_group > 0 then do NOT execute the nested dynamic block
Behaviour:
Creates the SG and fails as the source for security_groups is empty on an apply
Current configuration:
resource "aws_security_group" "default" {
  count  = var.enabled && var.use_existing_security_groups == false ? 1 : 0
  vpc_id = var.vpc_id
  name   = module.sg_label.id
  dynamic "ingress" {
    for_each = length(var.allowed_security_groups) > 0 ? var.service_ports : null
    iterator = ingress
    content {
      description     = "Allow inbound traffic from existing Security Groups"
      from_port       = ingress.value
      to_port         = ingress.value
      protocol        = "tcp"
      security_groups = length(var.allowed_security_groups) > 0 ? [element(var.allowed_security_groups, count.index)] : null
    }
  }
}
Callum Robertsonalmost 6 years ago
Keen to know what you think!
Zachalmost 6 years ago(edited)
Has anyone successfully created an aws_pinpoint_gcm_channel resource with terraform? It's a relatively new resource and I opened a bug report against it in the aws provider, because we just get "401 unauthorized" errors when we run our plan, but we can enable the api key via the console no problem
rbadilloalmost 6 years ago(edited)
Hi guys, I'm building my own terraform provider and I want to know if it is possible to use a datasource and try to save the value of a list that I'm computing. is that possible ? basically I want to keep adding values to the list instead of recreating the list every time the datasource runs.
Cloud Possealmost 6 years ago
Join us for "Office Hours" every Wednesday 11:30AM (PST, GMT-7) via Zoom. This is an opportunity to ask us questions on terraform and get to know others in the community on a more personal level. Next one is Apr 01, 2020 11:30AM.
#office-hours (our channel)
Erik Osterman (Cloud Posse)almost 6 years ago
wow, hashicorp has developed their own operator for kubernetes (alpha)
Erik Osterman (Cloud Posse)almost 6 years ago
there have been a few others (links are in the archives)
Erik Osterman (Cloud Posse)almost 6 years ago
but this coming from hashicorp is rad!
Erik Osterman (Cloud Posse)almost 6 years ago(edited)
Ah bummer - looks like it may be dependent on terraform cloud
Alex Siegmanalmost 6 years ago
Yeah, i just watched the video, seems it is
Chris Fowlesalmost 6 years ago
https://github.com/hashicorp/terraform-k8s/issues/10 vote here!!!
Chris Fowlesalmost 6 years ago
give it all your
Adam Blackwellalmost 6 years ago(edited)
Hey folks, this may have already been talked about here, but we currently create our RDS databases outside of atlantis since atlantis can't pull from vault and we don't want root passwords in plaintext anywhere, is there a canonical way to use https://github.com/terraform-aws-modules/terraform-aws-rds-aurora or https://docs.cloudposse.com/terraform-modules/databases/terraform-aws-rds-cluster/ from Atlantis without plaintexting passwords?
jeffreyalmost 6 years ago
Hi all, I can also ask this during the office hours tomorrow but wanted to see if you any of you have input.
I'm working through disaster recovery with terraform, primarily for the terraform remote state management of multiple regions. I wanted to have a duplicate set of resources created in a separate region (e.g. us-east-1 for primary, us-west-2 for failover). Initially I thought it'd be best to have remote state separated in each region, such that a bucket in us-east-1 handled all of the us-east-1 resources and a bucket in us-west-2 handled all of the us-west-2 resources. However, I imagine this becomes an issue if the region is actually down, and the failover reads from terraform_remote_state of the primary. Would it be better to have a primary remote state that manages resources in multiple regions, but is also cross-region replicated? That way if the region goes down, we can update our terraform configurations to read from the failover remote state bucket and pick up exactly where we left off
Erik Osterman (Cloud Posse)almost 6 years ago
thanks @jeffrey - we'll discuss tomorrow!
Martin Helleralmost 6 years ago
Hi folks, can someone review my pull request please? Just adding environment label to terraform-aws-vpc: https://github.com/cloudposse/terraform-aws-vpc/pull/48
sohel2020almost 6 years ago
Hello good people, is it possible to get rid of r2, r3, r4?
variable "destination_cidr_block" {
  default = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24", "10.0.4.0/24"]
}

data "aws_route_tables" "rts" {
  vpc_id = "${var.vpc_id}"
  filter {
    name   = "tag:kubernetes.io/kops/role"
    values = ["private*"]
  }
}

resource "aws_route" "r1" {
  count                     = "${length(data.aws_route_tables.rts.ids)}"
  route_table_id            = "${data.aws_route_tables.rts.ids[count.index]}"
  destination_cidr_block    = "${var.destination_cidr_block[0]}"
  vpc_peering_connection_id = "pcx-0e9a7a9ecd137dc54"
}

resource "aws_route" "r2" {
  count                     = "${length(data.aws_route_tables.rts.ids)}"
  route_table_id            = "${data.aws_route_tables.rts.ids[count.index]}"
  destination_cidr_block    = "${var.destination_cidr_block[1]}"
  vpc_peering_connection_id = "pcx-0e9a7a9ecd137dc54"
}

resource "aws_route" "r3" {
  count                     = "${length(data.aws_route_tables.rts.ids)}"
  route_table_id            = "${data.aws_route_tables.rts.ids[count.index]}"
  destination_cidr_block    = "${var.destination_cidr_block[2]}"
  vpc_peering_connection_id = "pcx-0e9a7a9ecd137dc54"
}

resource "aws_route" "r4" {
  count                     = "${length(data.aws_route_tables.rts.ids)}"
  route_table_id            = "${data.aws_route_tables.rts.ids[count.index]}"
  destination_cidr_block    = "${var.destination_cidr_block[3]}"
  vpc_peering_connection_id = "pcx-0e9a7a9ecd137dc54"
}
Abel Luckalmost 6 years ago(edited)
Anyone know if it's possible to create an aws_iam_policy_document where the condition blocks are dynamic based on module input? That is, the number of condition blocks is determined by input from a list.
Abel Luckalmost 6 years ago
rather than use the aws_iam_policy_document data source, I guess it might be best to template a json string?
sheldonhalmost 6 years ago
Trying to improve my "default settings" approach with a terraform project that has 50ish input defaults that I need to override. Please see this discussion issue and if you feel like helping out I'd love to see some insight. It's a follow-up to my first more complicated project
https://discuss.hashicorp.com/t/best-practice-for-reusing-with-many-environments/2704/2
Sean Turneralmost 6 years ago
Is there a way to do multiline descriptions on variables?
variable "dynamodb_table_name" {
  description = "Name of the dynamo db table that holds the proxy whitelist. This table resides in the xxxxxx account so that spinnaker can read the table when building proxy AMIs"
  type        = string
}
xluffyalmost 6 years ago(edited)
Hi all, I have another issue with https://github.com/cloudposse/terraform-aws-vpc-peering-multi-account
module "vpc_peering_cross_account" {
  source                                    = "git::https://github.com/cloudposse/terraform-aws-vpc-peering-multi-account.git?ref=master"
  namespace                                 = "eg"
  stage                                     = "dev"
  name                                      = "cluster"
  requester_aws_assume_role_arn             = "arn:aws:iam::1111111111:role/ops/r_ops_peering_access"
  requester_region                          = "us-west-2"
  requester_vpc_id                          = "vpc-1111111111"
  requester_allow_remote_vpc_dns_resolution = "true"
  accepter_aws_assume_role_arn              = "arn:aws:iam::2222222222:role/ops/r_ops_peering_access"
  accepter_region                           = "us-east-1"
  accepter_vpc_id                           = "vpc-2222222222"
  accepter_allow_remote_vpc_dns_resolution  = "true"
}
I'm done creating 2 roles (with assume role). It shows an error when I try to run terraform plan:
Error: Error refreshing state: 1 error occurred:
* module.vpc_peering_cross_account.provider.aws.accepter: The role "arn:aws:iam::2222222222:role/ops/r_ops_peering_access" cannot be assumed.
There are a number of possible causes of this - the most common are:
* The credentials used in order to assume the role are invalid
* The credentials do not have appropriate permission to assume the role
* The role ARN is not valid
Any idea?
ByronHomealmost 6 years ago(edited)
Hi all, I have a question. How can I use a module's output variable inside the same module to assign it as a value? I get a cycle dependency error. Should I use a local variable? Regards.
Mattalmost 6 years ago
Does anyone have a good workaround for adding a depends_on to a module? I have a state that I want to deploy. It references a module which requires a variable foo. I want to define a resource in my state and set foo to an attribute of the resource I'm creating.
Erik Osterman (Cloud Posse)almost 6 years ago
Adding @U010XGY9B46 bot
Erik Osterman (Cloud Posse)almost 6 years ago
This was created by running /discourse post thread https://sweetops.slack.com/archives/CB6GHNLG0/p1585316372027300 where the link comes from right-clicking on the message and clicking "copy link". Anyone should be able to do this, but open to beta testers.
Erik Osterman (Cloud Posse)almost 6 years ago
the idea is to be able to spin off good questions / answers to individual posts.
Erik Osterman (Cloud Posse)almost 6 years ago
We have our slack archives at archive.sweetops.com, but the problem there is they are not interactive. Other people who have the same problems (or found a better workaround) are unable to jump in the thread and contribute. With Discourse, this is possible.
lorenalmost 6 years ago
pretty slick
btaialmost 6 years ago
terraform cloud users (@johncblandii), how are we supposed to use providers like helm remotely? I can't seem to find documentation on that being possible
Raymond Butcheralmost 6 years ago(edited)
Anyone interested in deploying AWS Lambda functions with Terraform, https://github.com/raymondbutcher/terraform-aws-lambda-builder now has an option to build deployment packages using CodeBuild. I did this to lower the barrier of entry for writing infrastructure Lambda functions in Go, but it should work for anything. There's a golang example in the tests directory. If you haven't seen it before, it also supports Node.js and Python.
Erik Osterman (Cloud Posse)almost 6 years ago
Had a random interesting idea. What about a provider like this one: https://github.com/scottwinkler/terraform-provider-shell that was called terraform-provider-webhook and all it did was let you trigger webhooks (with get/post parameters) as part of lifecycle events in terraform. So when you deploy a new ECS task (for example), you can use the terraform-provider-webhook to trigger a deployment from your CI/CD platform. Or for example, if you have multiple terraform projects that use remote state (or ssm), you could trigger deployments on dependent projects. Or you could send the webhooks to sentry for deployment notifications of when infrastructure changes. Seems like there could be a lot of use-cases for it.
Joe Nilandalmost 6 years ago
Hi @Maxim Mironenko (Cloud Posse) would you mind reviewing this PR? I need a bit of help with the bats tests as well. Thanks!!
https://github.com/cloudposse/terraform-aws-ec2-bastion-server/pull/27
davidvasandanialmost 6 years ago
Has anyone else found a sustainable way to use ALB weighted target groups in Terraform as they aren't officially supported yet? https://github.com/terraform-providers/terraform-provider-aws/issues/10942
C
Cloud Possealmost 6 years ago
Join us for "Office Hours" every Wednesday 11:30AM (PST, GMT-7) via Zoom. This is an opportunity to ask us questions on
terraform and get to know others in the community on a more personal level. Next one is Apr 08, 2020 11:30AM. Register for Webinar
#office-hours (our channel)
rbadilloalmost 6 years ago
Hi guys, does anybody here have experience writing terraform provider ? I want to know if it is possible to get the name of the resource on the provider side
Clayton Wheeleralmost 6 years ago
Hey, I think I've got a decent start on updating the ECS service for 0.12; is that something that's already in progress, or shall I make a PR for it?
Todd Lyonsalmost 6 years ago
I'm starting to get annoyed. I'm waiting on an aws_cloudfront_distribution apply to finish. All it did was add some tags. It's at 1h18m so far.
Todd Lyonsalmost 6 years ago
These are normally 5 or 6 minute changes.
Todd Lyonsalmost 6 years ago
So it turns out that CloudFront is experiencing an outage right now, about an hour into the official outage.
Todd Lyonsalmost 6 years ago
But my anecdotal evidence suggests it started well before they declare to have started.
Geoff Weinholdalmost 6 years ago
So I'm trying to demo creating a VPC Endpoint for S3 for a customer but hit a bump where I need to associate to the route table. I was thinking I'd attach to existing infra like VPC/subnet/etc but looks like it's harder to query for the route table that's associated with subnet. Am I overthinking this and should just create it all (vpc/subnets/etc) at once?
Brij Salmost 6 years ago
has anyone tried to create more than one fargate profile?
by doing this,
resource "aws_eks_fargate_profile" "default" {
  cluster_name           = aws_eks_cluster.eks.name
  fargate_profile_name   = "default"
  pod_execution_role_arn = aws_iam_role.fargate_pod_execution.arn
  subnet_ids             = var.private_subnet_ids
  tags                   = var.tags

  dynamic "selector" {
    for_each = var.selector
    content {
      namespace = selector.value["namespace"]
    }
  }
}

resource "aws_eks_fargate_profile" "example" {
  cluster_name = aws_eks_cluster.eks.name
  # Profile names must be unique within a cluster; this was also "default"
  fargate_profile_name   = "example"
  pod_execution_role_arn = aws_iam_role.fargate_pod_execution.arn
  subnet_ids             = var.private_subnet_ids
  tags                   = var.tags

  dynamic "selector" {
    for_each = var.selector
    content {
      namespace = selector.value["namespace"]
    }
  }
}
example might fail to create with the following error
Error: error creating EKS Fargate Profile (cluster-name:example): ResourceInUseException: Cannot create Fargate Profile example because cluster cluster-name currently has Fargate profile default in status CREATING