160 messages
Zachary Loeber (almost 6 years ago)
Curious how others are feeding output from terraform deployments into their pipeline as code
Aaron R (almost 6 years ago)
Hi all. Hope you are all well during the covid outbreak.
I've been attempting to use this great terraform module https://github.com/cloudposse/terraform-aws-jenkins
However my use case is slightly different to how this module has been set up.
At the moment jenkins is running on Elastic Beanstalk with public facing load balancers.
I want these load balancers to be private facing, only accessible by VPNing into the specific VPC that it is being run on
Aaron R (almost 6 years ago)
i.e. place the load balancers on a private subnet per region and each instance on a private subnet per region
Aaron R (almost 6 years ago)
wondering if anyone had done this before with this module and how they got it to work?
Andriy Knysh (Cloud Posse) (almost 6 years ago)
@Aaron R take a look at this example https://github.com/cloudposse/terraform-aws-jenkins/blob/master/examples/complete/main.tf#L45
Aaron R (almost 6 years ago)
I'm basing it off this
Andriy Knysh (Cloud Posse) (almost 6 years ago, edited)
the complete example gets automatically provisioned on AWS when we run tests
Aaron R (almost 6 years ago)
so I'm basing it off this
Aaron R (almost 6 years ago)
however I presume I need to create additional private subnets to place the elastic load balancers
Aaron R (almost 6 years ago)
as I also want the elastic load balancers to be private
Andriy Knysh (Cloud Posse) (almost 6 years ago)
loadbalancer_subnets = module.subnets.private_subnet_ids
Andriy Knysh (Cloud Posse) (almost 6 years ago, edited)
then place it in private
Aaron R (almost 6 years ago)
can the load balancer and instance be placed in the same subnet though?
Andriy Knysh (Cloud Posse) (almost 6 years ago)
you can place it in any subnet you want
Andriy Knysh (Cloud Posse) (almost 6 years ago)
depends on your use-case
Andriy Knysh (Cloud Posse) (almost 6 years ago)
if you need to place LBs in separate subnets (for any reasons), you can create more private subnets, using any subnet strategy you want
Aaron R (almost 6 years ago)
so i've used this complete main example to scale up a working jenkins instance on aws (public facing load balancers). I then modified it to place the load balancers in the same private subnet as the instances. However when on the elasticbeanstalk console, attempting to set the application as internal it fails (even though everything is private). I connected a client vpn to this vpc and attempted to connect via the load balancer - couldn't manage to do it. This led me here: https://forums.aws.amazon.com/thread.jspa?messageID=415184
Aaron R (almost 6 years ago)
thanks for your help by the way 🙂
Aaron R (almost 6 years ago)
I think it's something to do with trying to set the elastic bean stalk application from public to internal
Aaron R (almost 6 years ago)
as it's set to public by default
Aaron R (almost 6 years ago)
when then attempting to set it as an internal app (once terraformed up) it fails to do so
Aaron R (almost 6 years ago)
therefore I cannot hit the load balancer when in a VPN attached to the VPC but I can directly hit the instance
mfridh (almost 6 years ago, edited)
Anyone else with this pet peeve? When using a data source, for example to get the current IP addresses of elastic network interfaces attached to an NLB... any resource which then makes use of this data will always show a diff "known after apply" even though the data is actually the same every time ... Any way around this except just not using it as data, but converting it to possibly a static variable after first creation is done? ...
Joe Presley (almost 6 years ago)
Has anyone seen Terraform useful for a situation where you want about 500 non-technical users to create their own prepackaged resources in the cloud? For example, everyone gets the same account setup with predefined VM instance? My instinct is that Terraform is not the best tool for this, but I've seen people start with the idea that Terraform could run the backend.
Brandon Wilson (almost 6 years ago)
Does anyone have an example of using log_configuration with the terraform-aws-ecs-container-definition module? I'm trying to update from 0.12.0 to latest (0.23.0) and it looks like the logging configuration has changed. But I can't find an example of how to implement it now.
Brij S (almost 6 years ago)
Do I need to escape any characters in the following terraform?
coredns_patch_cmd = "kubectl --kubeconfig=<(echo '${data.template_file.kubeconfig.rendered}') patch deployment coredns --namespace kube-system --type=json -p='[{"op": "remove", "path": "/spec/template/metadata/annotations", "value": "eks.amazonaws.com/compute-type"}]'"
I get the following error and I'm not sure why it's asking for a new line
Error: Missing newline after argument
on variables.tf line 101:
(source code not available)
An argument definition must end with a newline.
setheryops (almost 6 years ago)
Has anyone here ever had a lambda in one account that needed to be triggered by SNS in another account and used the aws_sns_topic_subscription resource?
setheryops (almost 6 years ago)
I keep getting an error on plan that the SNS account is not the owner of the lambda in the lambda account
curious deviant (almost 6 years ago)
Maybe https://jimmythompson.co.uk/blog/sns-and-lambda/ is helpful describing the permissions policy that will need to be set up in a cross account scenario?
setheryops (almost 6 years ago)
Thanks… I'll check it out
Gabe (almost 6 years ago)
Question regarding launch templates, block devices and instance types: Do you always use the same device_name for the root volume? Or change it based on instance type? For example, do you always use /dev/sda1 or /dev/xvda?
loren (almost 6 years ago)
changes based on instance type, and on OS
Zachary Loeber (almost 6 years ago)
What was the terraform provisioner used to collect script output into state again?
Zachary Loeber (almost 6 years ago)
I've been avoiding doing so for a while now but I'm seeing no good way to generate an airflow fernet key via tf and it's such a short python script and all..
Erik Osterman (Cloud Posse) (almost 6 years ago)
btw, for all you terraformers out there, I think you'll dig what @mumoshu has been cooking up with #variant v2. He has created a declarative way to describe any "cli" tool using HCL that can be compiled down to a single binary. It means anyone on your team who can write HCL can help write the cli tool for your company (e.g. ./acme eks up). Maybe you use #terragrunt today. Maybe you wish it did things that it doesn't do today, but you're not a go programmer. With #variant, that's less the case because you can define arbitrary workflows like you would in a Makefile (only with a Makefile it doesn't compile down to a binary for easy distribution) and it's all in HCL so it's easy for everyone to grok. https://github.com/mumoshu/variant2
mumoshu (almost 6 years ago)
@mumoshu has joined the channel
sumit parmar (almost 6 years ago)
hey guys how to update map values while using it
tags = {
  Department  = "cabs"
  OS          = "ms"
  Application = "cabs"
  Purpose     = "app"
}
when i use tags=var.tags just need to update few values such as OS = ms to OS=linux, purpose=app to purpose=db
ikar (almost 6 years ago)
Dear all, is there a way how to define locals for the file scope only? Not for the whole module?
chrism (almost 6 years ago)
https://github.com/cloudposse/terraform-aws-eks-cluster/commit/162d71e2bd503d328e20e023e09564a58ecee139 removed kubeconfig_path which I was using to ensure the kubecfg was available to apply the haproxy ingress after setup. Looking at the changes to the outputs etc I can't see a way to still get my grubby mitts on the cfg file.
Tony (almost 6 years ago)
hey guys, I created an ami from an ec2 instance I had configured and am trying to now deploy a new ec2 via terraform using that AMI while also joining a managed AD domain in AWS. For some reason when I use my AMI and not say the default win2019 amazon AMI to build this EC2 it fails to join my domain upon creation. Any thoughts? Do I need to prepare the machine in any way prior to creating an AMI out of it so that Terraform can do the domain joining?
Mike Martin (almost 6 years ago)
Need some help - we're about to begin rolling out our modules to production and need to decide whether to break out the modules like CloudPosse has it (a module per github repo) OR just make a monolith repo that contains all of our modules (making it easier to develop against since all dependencies are in one repo). Likely using TF Cloud. I'm in the boat of break them out - my teammates are against me. Need help! lol Thoughts?
Patrick M. Slattery (almost 6 years ago, edited)
Hi, I'm trying to use a feature flag/toggle in Terraform with for_each. Previously I have used a count for the toggle but that does not work with for_each. Does anyone know how I can do this?
resource "google_project_service" "compute_gcp_services" {
  for_each = {
    service_compute = "compute.googleapis.com" # Compute Engine API
    service_oslogin = "oslogin.googleapis.com" # Cloud OS Login API
  }
  project = google_project.project.project_id
  # count = "${var.compute_gcp_services_enable == "true" ? 1 : 0}"
  service                    = each.value
  disable_dependent_services = true
  disable_on_destroy         = false
  depends_on = [
    google_project_service.minimal_gcp_services
  ]
}
Zach (almost 6 years ago, edited)
Anyone else using pycharm and the HCL plugin for terraform work? Is there a way to solve the "Can't locate module locally" error when using remote sourced modules from github? The only workaround I've found is to declare a 'wrapper' module around the remote module that passes vars to it … which is pretty silly.
So if I try to directly use a CloudPosse module or even one from the official terraform registry, it can't do any code completion or validations.
Failing that, what are people using these days for 'full featured' terraform authoring?
PePe Amengual (almost 6 years ago)
is someone here working on this module? https://github.com/bitflight-public/terraform-aws-app-mesh
Zachary Loeber (almost 6 years ago)
Deploying Kube Apps via the terraform provider, a quick blog I whipped up. More on the beginner side of things but with some interesting tools and a pretty comprehensive example terraform module for a full deployment of an AKS cluster with app deployment: https://zacharyloeber.com/blog/2020/04/02/kubernetes-app-deployments-with-terraform/
PePe Amengual (almost 6 years ago)
Hi, any idea why this https://github.com/cloudposse/terraform-aws-s3-bucket/blob/master/main.tf has only lifecycle rules for versioned buckets?
Cloud Posse (almost 6 years ago)
Join us for "Office Hours" every Wednesday 11:30AM (PST, GMT-7) via Zoom. This is an opportunity to ask us questions on terraform and get to know others in the community on a more personal level. Next one is Apr 15, 2020 11:30AM. 👉️ Register for Webinar
#office-hours (our channel)
PePe Amengual (almost 6 years ago, edited)
@here https://github.com/cloudposse/terraform-aws-s3-bucket/pull/21 when you have a chance
curious deviant (almost 6 years ago)
Another terraform best practices question.. i have a multi account setup wherein I create one environment type (dev, test, stage) per AWS Account. What could be a preferred strategy for storing remote state in S3 backend? I am currently using 1 bucket/env to store state and the state bucket resides in the same account as the infrastructure being spun by terraform. Someone on the team recommended using one state bucket in the shared service account for all environments. They just want to be able to see all state files in one bucket. While it's technically feasible, I am thinking this adds additional complexity (cross account setup) without any real benefit. What do folks think?
Shawn Petersen (almost 6 years ago)
i have a syntax question. How do I use a colon ':' inside a conditional expression? I want to append a second variable (var.env) to the end of either option like this
value = "${var.one != "" ? var.one:var:env : var.two:var:env}"
what am i missing?
caretak3r (almost 6 years ago, edited)
question, I have a dir/repo setup like this:
/repo/
-- terraform.tfvars
-- .envrc
.envrc has:
export TF_CLI_INIT_FROM_MODULE="git::https://github.com/***/terraform-root-modules.git//aws/tfstate-backend?ref=master"
export TF_CLI_PLAN_PARALLELISM=2
export TF_BUCKET="devops-dev-terraform-state"
export TF_BUCKET_REGION="us-east-1"
export TF_DYNAMODB_TABLE="devops-dev-terraform-state-lock"
source <(tfenv)
terraform.tfvars has:
namespace="devops"
region="us-east-1"
stage="dev"
force_destroy="false"
attributes=["state"]
name="terraform-tfstate-backend"
But when i run terraform init it complains about a non-empty directory. i am trying to learn this before jumping to geodesic, but i don't know how to get the root module copied to my repo above. am i doing something incorrectly?
error:
❯ terraform init
Copying configuration from "git::https://github.com/***/terraform-root-modules.git//aws/tfstate-backend?ref=master"...
Error: Can't populate non-empty directory
The target directory . is not empty, so it cannot be initialized with the
-from-module=... option.
How do you all work with a situation where you want a terraform module to spin up resources (instances in this case) in multiple regions?
Abel Luckalmost 6 years ago
I've got my terraform root module (remote state in s3) and i want to create an app server in several regions, ideally in one terraform invocation.
Raymond Butcheralmost 6 years ago
Ignoring whether that's a good idea or not, if you want it in 1 terraform invocation and state file then you can:
• create a module with your instances
• call your module for each region, passing a region-specific aws provider into the module
• create a module with your instances
• call your module for each region, passing a region-specific aws provider into the module
Raymond Butcheralmost 6 years ago
See the first example of https://www.terraform.io/docs/configuration/modules.html#passing-providers-explicitly where they call a module and pass a region-specific provider into the module as the default aws provider for that module
Abel Luckalmost 6 years ago
Thanks! I remember now I've used explicit providers before when using letsencrypt staging and production api servers at the same time
Abel Luckalmost 6 years ago(edited)
Ignoring whether that's a good idea or not,
I'd be happy to hear your thoughts on why it's not a good idea.
Raymond Butcheralmost 6 years ago
I wouldn't say it's not a good idea, just that there are trade offs. It's mainly to do with "blast radius" of changes, and what happens if the main region fails. It is probably fine to do what you've proposed though.
sahil kamboj (almost 6 years ago)
Hey guys,
just started working with terraform
can we make output of terraform store in s3 so my services fetch details from there like elb name, id etc.
don't want to use aws cli
Chris Fowles (almost 6 years ago)
for other terraform you can use this datasource to query a remote state
Chris Fowles (almost 6 years ago)
for things other than terraform - you probably want to write values to something like parameter store or something like that
Chris Fowles (almost 6 years ago)
if you're really set on writing to s3 you could use this resource to write a file out to s3 as part of your terraform module https://www.terraform.io/docs/providers/aws/r/s3_bucket_object.html
sahil kamboj (almost 6 years ago)
thnx Chris
setheryops (almost 6 years ago)
Does anyone know of a way that you can take an output and set a CircleCI env var as that output prepended with TF_VAR_? Other than a script possibly… I'm really more wondering if there is a way in CCi but thought I'd ask here since it's TF related too.
Dave Barnum (almost 6 years ago, edited)
I have a question about terraform-null-label; It seems like the tags support maps. However, some Azurerm resources like azurerm_kubernetes_cluster support maps while others like azuread_service_principal support only lists. Is there any way to output (or input) lists of tags from null-label?
Right now, when we add new devs to our team, we add their name, email, github handle, etc. to a terraform input file, and then we have Atlantis provision their Datadog account, github invite to our org, AWS IAM User, etc.
I am looking into Okta so that our Ops side of things can create users across all our accounts, but have some concerns where it seems like support for AWS users and some other orgs would become harder to work with (SAML seems quite annoying compared to SSO, for example, and we like having IAM Users as we already have strategies for eliminating long-lasting credentials)
For those who have faced similar issues before, how did you decide which accounts to provision through Okta/terraform? If you have a well-oiled terraform/atlantis setup, do you feel that Okta is still worth pouring some money into?
I am looking into Okta so that our Ops side of things can create users across all our accounts, but have some concerns where it seems like support for AWS users and some other orgs would become harder to work with (SAML seems quite annoying compared to SSO, for example, and we like having IAM Users as we already have strategies for eliminating long-lasting credentials)
For those who have faced similar issues before, how did you decide which accounts to provision through Okta/terraform? If you have a well-oiled terraform/atlantis setup, do you feel that Okta is still worth pouring some money into?
Pierre-Yvesalmost 6 years ago
Hello,
I am using Vscode and was looking for syntax highlight and linting;
I just want to share that the syntax highlight extension to use is "terraform" 0.1.8" from Anton Kulikov ( 25k download ) latest commit in December 2019.
the extension "terraform" version 1.4.0 from "Mikael Olenfalk" (520k download ) is not working with the latest terraform syntax: latest commit October 2019.
I am using Vscode and was looking for syntax highlight and linting;
I just want to share that the syntax highlight extension to use is "terraform" 0.1.8" from Anton Kulikov ( 25k download ) latest commit in December 2019.
the extension "terraform" version 1.4.0 from "Mikael Olenfalk" (520k download ) is not working with the latest terraform syntax: latest commit October 2019.
jedineeperalmost 6 years ago
Anyone know if it's possible to use the new tf12 syntax to add optional parameters to a resource? I want to pass through a string for redrive_policy on an sqs_queue but it doesn't take blank as an empty string. Trying to figure out if i can use a for loop to skip adding the redrive_policy parameter at all if the variable is empty?
Shawn Petersen (almost 6 years ago)
Does anyone know how to setup codepipeline resource for multi-region actions? The documentation is unclear, saying I need to add "region" to the "artifact_store" block for multi-region, but every time I try that, I get "Error: region cannot be set for a single-region CodePipeline"
How would I make it multi-region?
Matt Gowie (almost 6 years ago)
Is there a way for terraform to associate an instance with a launch template / ASG or wait for the ASG / launch template to create an instance? I'd like to include the launched instance's details in the output of my Terraform module.
Raymond Butcher (almost 6 years ago, edited)
What do people think about Atlantis doing terraform apply before merging the pull request? They explain why on this page https://www.runatlantis.io/docs/locking.html
msharma24 (almost 6 years ago)
Does anyone know why using -detailed-exitcode for terraform plan returns 2 shell exit code?
Abel Luck (almost 6 years ago, edited)
Is it possible in terraform 12 to dynamically define provider blocks based on a variable?
I tried something like this:
locals {
  satellite_regions = {
    eu  = "eu-central-1"
    us1 = "us-east-2"
  }
}
provider "aws" {
  for_each = local.satellite_regions
  alias    = each.key
  region   = each.value
}
But terraform complains
Error: Reserved argument name in provider block
on main.tf line 17, in provider "aws":
17: for_each = local.satellite_regions
The provider argument name "for_each" is reserved for use by Terraform in a
future version.
I'm not fully up to speed on HCL2, so maybe my syntax is wrong? (FWIW Terraform v0.12.24)
rohit (almost 6 years ago)
did anyone use this module? if yes, can you let me know your experience with it
Cloud Posse (almost 6 years ago)
Join us for "Office Hours" every Wednesday 11:30AM (PST, GMT-7) via Zoom. This is an opportunity to ask us questions on terraform and get to know others in the community on a more personal level. Next one is Apr 22, 2020 11:30AM. 👉️ Register for Webinar
#office-hours (our channel)
Doug Lethin (almost 6 years ago)
hello - can someone possibly explain the difference between https://github.com/cloudposse/terraform-terraform-label and https://github.com/cloudposse/terraform-null-label. It's not obvious from their README. It seems the latter is more active and has more inputs and examples. Also confused as the doc says "The null in the name refers to the primary Terraform null provider used", but looks like as of v0.15.0 use of null_resource has been removed, but probably the name remains for backwards compatibility. Is the former terraform-terraform-label deprecated in favor of terraform-null-label? Thanks.
@Doug Lethin we should have this documented, but for now here's the quick answer 😃
Erik Osterman (Cloud Posse)almost 6 years ago
Erik Osterman (Cloud Posse)almost 6 years ago
(check out some of the responses there)
Tom Howarthalmost 6 years ago
I am attempting to build out my first autoscaling group and as a part of the launch instance I need to install some programs and upload some config files, when I was just creating a single instance I would use host = self.public.ip to login to the externally facing IP Address and it would run its magic, however host = self.public_ip is an unsupported attribute in "aws_launch_configuration. so how will I handle this now?
Albert Domenech (almost 6 years ago, edited)
I'm trying to use emr-cluster module but I don't see step component defined in the aws_emr_cluster resource. The only reference I see, applies ignore_changes meta-argument on the lifecycle block.
Is there any way to provision custom jar with map/reduce jobs via terraform with this setup?
curious deviant (almost 6 years ago)
Hello
I have a terraform modules + CircleCI situation that I am pretty sure others must have resolved for. Basically CircleCI is unable to download/clone terraform modules in a repo that references them, both hosted in our GitHub. From what I have researched looks like it may be a security feature in CircleCI. How should this be solved for? Also let me know if there's another channel I should post this query to.
Matthew King (almost 6 years ago)
if I use a module, say one of the awesome ones you guys created, can I on my local run of terraform use a terraform.tfvars file to input into the module that I'm using via git? or am I not understanding how the module creation and download works?
Brij S (almost 6 years ago, edited)
How do people here who use lambdas, deploy lambda config changes (with no code change) and get a version deployed and the alias updated? I don't think Terraform handles this well
Abel Luck (almost 6 years ago, edited)
When using https://github.com/cloudposse/terraform-aws-ec2-autoscale-group if I want to create an ASG of size=1, and attach an EBS volume that persists and is always mounted onto the active instance, should I use the block_device_mappings input.. or create the ebs volume separately and use userdata to attach it on boot? Reading the docs of aws_launch_template doesn't clear it up for me.
If I include a config such as the following, will it create a new volume for each ASG instance created or re-use the same one?
block_device_mappings = [
  {
    device_name  = "/dev/sda1"
    virtual_name = "root"
    ebs = {
      encrypted             = true
      volume_size           = 50
      delete_on_termination = false
      volume_type           = "gp2"
    }
  }
]
Alex Friedrichsen (almost 6 years ago)
Hello, I am noticing issues with https://github.com/cloudposse/terraform-aws-eks-cluster whether I am adding/removing managed node groups or just making a minor change to an existing one (example: increasing desired number of nodes). In all circumstances, I am able to run an initial terraform plan/apply but any future run returns the following error
module.eks_cluster.kubernetes_config_map.aws_auth_ignore_changes[0]: Creating...
Error: configmaps "aws-auth" already exists
on .terraform/modules/eks_cluster/auth.tf line 84, in resource "kubernetes_config_map" "aws_auth_ignore_changes":
84: resource "kubernetes_config_map" "aws_auth_ignore_changes" {
This includes even setting the variable kubernetes_config_map_ignore_role_changes = false as recommended. Using the latest stable version of the plugin (0.22.0) as well as the latest stable terraform. Thoughts?
@channel I am thinking of using a remote storage backend for storing terraform state files , the way I use it , it often contains sensitive info like ssh keys etc , what is a good solution, S3 or consul ? From a cost and security perspective. Thanks in advance
Abel Luckalmost 6 years ago
We've always stored state encrypted in S3. Consul has too much overhead, unless perhaps you're already using it
Nalmost 6 years ago
Thanks @Abel Luck , For encryption, do you suggest server side encryption or client side ?
Christian Roy (almost 6 years ago, edited)
Hello, I am new here. SweetOps looks like a strong community!
I am thinking about using Terraform and I am wondering if it would easily allow me to specify that one of the resources needed is a helm chart in a private helm repo on gcs and it would create (and push) it if it does not exist, and another resource needed would be a docker image on google container registry and if it does not exist it would create (and push) it... So far I've seen resources being "ip address, vnc, vm" but not what I just explained. Did I miss something?
Thanks 🙂
Zachary Loeber (almost 6 years ago)
I've never used terraform to push a helm repo. The helm provider only has data sources for repositories and resources that allow you to define and create releases from charts within them.
Zachary Loeber (almost 6 years ago)
if you have the entire chart locally that you would push for a deployment you can just refer directly to the chart location and bypass the entire repo creation process
Zachary Loeber (almost 6 years ago)
resource "helm_release" "local" {
  name  = "my-local-chart"
  chart = "./charts/example"
}
Igor Bronovskyi (almost 6 years ago)
Hello. I have trouble with aws_appautoscaling_policy. When only one container is left this alarm does not disappear. https://take.ms/5cyu8
Christian Roy (almost 6 years ago)
So, sounds like the terraform helm provider would need to have something called helm_chart which would be linked to a helm_repository and some files (local or git) that would run helm package ${DIR} and then handle the different ways to "add" a chart to a repo, which I think may have many ways. I use gcs so for me it's helm gcs push ${chart}.tgz ${reponame} ...
Zachary Loeber (almost 6 years ago)
right, a resource called helm_chart specifically that would run all the package and push stuff, typically if you are doing this it would be from another pipeline though (simply using the helm command). The gcs repo would be created by terraform in some other pipeline at some other level
sheldonh (almost 6 years ago)
So i'm trying to think of ways to simplify running in terraform cloud + later maybe some azure devops. Thinking of the terraform-root-modules repo Cloudposse has and made me think... while I need separate repos for modules, would it be a better practice to setup all my root module plans from 1 root repo in the same manner? The checks list in github would be huge after a while but would be probably easier to contribute new plans at that point, if I required no modules in there, just root plans.
I don't use Make, but probably would setup either some InvokeBuild powershell helper for local ops, and then have a terraform plan in there that setup each folder added automatically as workspaces with version control hooks and all (already built this). Any thoughts to the contrary?
sheldonh (almost 6 years ago)
I want something like this in my slack room 😁 Please tell me they need more beta users, because I would love for a bot that gave me suggestions from confluence and previous history. The only thing I've seen before cost a fortune and I couldn't get something like that through at all.
sheldonh (almost 6 years ago)
Now i just want to figure out how to make it answer questions completely wrong by putting the wrong keywords in... 🤖 🙉 Anyone know how to stop robots from taking over the world?
sheldonh (almost 6 years ago)
Maybe you didn't all see it, but Foqal prompted me with some prior message history about make files. Pretty cool concept!
Joan Hermidaalmost 6 years ago
Hi! Someone, I'm dying here. Does Terraform has a way to create EventBridge Event Buses? I just can't find how. Every search points to aws_cloudwatch_event_permission but that's out of scope here. Anyone?
Sorinalmost 6 years ago
Am I right that I cannot use this module for default VPC? Because it REQUIRES me entering all the CIDR info which the Terraform "standard" module can do without, in a default VPC environment. By the way, specifying in docs which are the mandatory arguments would only help...
plodalmost 6 years ago
How would one convert a map of key=value to a string of "key=value,key=value..."
lorenalmost 6 years ago
probably using the string templating and a for loop... https://www.terraform.io/docs/configuration/expressions.html#string-templates
plodalmost 6 years ago
think I've got it
plodalmost 6 years ago
join(",", formatlist("%s=%s", keys(var.common_tags), values(var.common_tags)))
Cloud Possealmost 6 years ago
Join us for "Office Hours" every Wednesday 11:30AM (PST, GMT-7) via Zoom. This is an opportunity to ask us questions on terraform and get to know others in the community on a more personal level. Next one is Apr 29, 2020 11:30AM.
#office-hours (our channel)
Brij Salmost 6 years ago
does anyone know if terraform-enterprise supports submodules? Similar to this https://registry.terraform.io/modules/terraform-aws-modules/iam/aws/0.0.4
Pratapalmost 6 years ago
Hi to all, can anyone help me to fetch the alerting details or data from Elasticsearch and send it to the otrs ticketing tool using terraform. I read about aws kinesis using terraform but a confusion is still there. So I am asking here. If anyone has worked on this plz help me.
drexleralmost 6 years ago
Hello is there a way to reference multiple attributes for a partition key in dynamodb?
Matt Gowiealmost 6 years ago
Hey folks — Anybody know of a way to add tags to an existing resource? Specifically the main route table which is generated implicitly when creating a VPC?
Mr.Devopsalmost 6 years ago
Hello - I'm having a bit of a brain fart, hoping someone can help.
Within my resource "aws_launch_configuration" i've set my image_id to reference var.image_id (depending on OS type (e.g windows or Centos)). If I set var.image_id to centos how can i tell user_data to execute a bash template file as opposed to setting var.image_id to windows and executing a powershell template file?
Mr.Devopsalmost 6 years ago
hope that makes sense.
Mr.Devopsalmost 6 years ago
or should i use the template_cloudinit_config data source and include both bash and powershell script as a multi part script?
Mr.Devopsalmost 6 years ago
i got what i'm expecting to work - seems a bit hacky.. Any feedback would be appreciated too :)
user_data = var.ami_name == "CentOS" ? file("${path.module}/templates/install_xxx.sh") : data.template_file.windows_userdata.rendered
Igor Bronovskyialmost 6 years ago
can help me?
ikaralmost 6 years ago
^^ this looks okay to me, the alarm definition is CPUUtil <= 10 -> therefore in ALARM state
Pierre-Yvesalmost 6 years ago
hello,
I use count = var.env == "prod" ? 1 : 0 to trigger the creation of a resource only if env = "prod". Is there a way to do it at the module level?
Matt Gowiealmost 6 years ago
sheldonhalmost 6 years ago(edited)
For those using Terraform Cloud ☁️
How do you simplify deploying the same work to multiple regions?
The way I see it is repeated code in the project or creating a workspace per region (can do through terraform provider so it's not a pain with some initial legwork).
And no terragrunt or make files involved here... all terraform cloud please 😁
Joe Hostenyalmost 6 years ago
Not sure if this is the right channel for this, but would someone at CP mind tagging a new version of https://github.com/cloudposse/terraform-github-repository-webhooks? I had a PR that got merged, but it looks like that one is not setup to tag automatically on merge to master.
Brij Salmost 6 years ago
For anyone using the terraform-aws-vpc module, I noticed it doesn't create a vpc endpoint policy. Is this intentional? Does anyone have a work-around to add a policy to a vpce created by the module?
sheldonhalmost 6 years ago
For terraform cloud, are there any name matching rules for auto.tfvars for loading? The docs were confusing. Was hoping to preload a few of these autos for different regions/names and just set one workspace variable that would ensure this file for default values gets loaded. i do this in one project via yaml but trying to explore the native built in offering for merging default values from files.
Erik Osterman (Cloud Posse)almost 6 years ago
Someone has graciously updated tfmask to support 0.12 output
Erik Osterman (Cloud Posse)almost 6 years ago
0.4.0 adds support.
sheldonhalmost 6 years ago
Thing 1: I want to improve my terraform IAM service account security. What's the best cross platform way to ensure the credentials are encrypted in state but can be accessed by other modules, and not output to console any longer.
sheldonhalmost 6 years ago
Thing 2: I want to give a very simplistic process for updating ssm parameter store values and eventually lock down console. I already have format, and was planning on environment folders with tfvars and single resource call for parameters.
The catch is I can't lock down drift yet. I want to make it automerge to master for this one project (will use github action/probot) after it passes all checks. I don't want it to allow destruction of resources though without approval.
Would setting a dynamic block for lifecycle work, requiring an explicit "allow destruction" in the input array? And do you think I could trigger the pull request to NOT auto apply if it detects destruction?
That might be an enhancement with terraform cloud. Autoapprove except with destroy, or autoapprove new but not changed/destroy.
Cloud Possealmost 6 years ago
Join us for "Office Hours" every Wednesday 11:30AM (PST, GMT-7) via Zoom. This is an opportunity to ask us questions on terraform and get to know others in the community on a more personal level. Next one is May 06, 2020 11:30AM.
#office-hours (our channel)
curious deviantalmost 6 years ago
How are folks testing their terraform code? Are there any recommended tools/frameworks out there ? Appreciate any pointers.
btaialmost 6 years ago
so for some reason, when I ran a terraform destroy, terraform decided to attempt to delete my vpc module components first before my EKS cluster built on top of it causing it to error out. (terraform needs module dependency IMO 🙄) It also deleted my kube auth config map for EKS along with it so now terraform or I cannot auth to the cluster. Anyone know of a workaround to fix this (recreating the auth config map)? Other than manually deleting all the AWS resources.
cabrinhaalmost 6 years ago
I've got a question about the EMR Cluster module.
cabrinhaalmost 6 years ago
I would like to create a DNS record that points to all of the master instances, for HA purposes
cabrinhaalmost 6 years ago
It seems that TF doesn't allow a way to do that, though? https://www.terraform.io/docs/providers/aws/r/emr_cluster.html#master_public_dns
cabrinhaalmost 6 years ago
even though the master group can be 3 nodes for HA, I'm wondering how I could use TF to assign a DNS name to all three ...
ikaralmost 6 years ago
Hey there!
How would you set instance_market_options of aws_launch_template only for the stage environment? Define two similar launch templates with a count condition?
RBalmost 6 years ago
hey all, if you had to give a talk to a bunch of ppl for 30 min to an hour on infrastructure as code (terraform) and policy as code (open policy / cloud custodian), what are some things you'd mention ?
Pierre Humberdrozalmost 6 years ago
Does someone know if I can import an existing rds instance into my terraform stack ?
Pierre Humberdrozalmost 6 years ago
into this module: https://github.com/terraform-aws-modules/terraform-aws-rds
RBalmost 6 years ago
Anyone else run into this? If so, would appreciate upvotes 😄
https://github.com/terraform-providers/terraform-provider-aws/issues/11801
sheldonhalmost 6 years ago
Does anyone know the right git repo or forum to provide feedback on terraform cloud? I have some general things as a user I want to provide feedback on regarding usability but can't figure out the right place to get that heard.
PePe Amengualalmost 6 years ago(edited)
I’m going crazy!!!! No matter what I do, this thing keeps trying to create webhooks!!!!!!!!! https://github.com/cloudposse/terraform-aws-ecs-atlantis/blob/0.14.0/main.tf#L54
PePe Amengualalmost 6 years ago(edited)
I’m using https://github.com/cloudposse/terraform-github-repository-webhooks.git?ref=0.6.0 to create webhooks but once the webhook is created and the user is changed from admin to read then terraform tries to read the /hook url for that repo and gets a 403, is there a workaround for this so that terraform does not try to create the webhook every single time ?
Matt Gowiealmost 6 years ago
Terraform project folks are looking for backend / provisioner maintainers: https://discuss.hashicorp.com/t/seeking-terraform-open-source-backend-maintainers/8113
OliverSalmost 6 years ago(edited)
Hi everyone I'm trying to use the eks_fargate_profile module from github on an EKS cluster in which I will define 2 namespaces, so I need 2 fargate profiles (I could use one profile with 2 selectors, but this is not really practical from an automation point of view -- if I want to create/delete a namespace, I have to modify the one profile rather than create/delete a separate one -- plus there is an AWS-imposed limit of 5 selectors per profile so 5 namespaces -- not likely I would hit that limit but not unlikely either). Unfortunately the fargate profile name generated by the module does not include the kubernetes_namespace value, so I end up with duplicate resources (like the IAM role):
Error: Error creating IAM Role rnd-poc-kim-fargate: EntityAlreadyExists: Role with name rnd-poc-kim-fargate already exists.
status code: 409, request id: 12f2e0cb-9028-43ac-8791-b03bf5398f2a
on .terraform/modules/eks_fargate_profile_default/main.tf line 35, in resource "aws_iam_role" "default":
35: resource "aws_iam_role" "default" {
Error: Error creating IAM Role rnd-poc-kim-fargate: EntityAlreadyExists: Role with name rnd-poc-kim-fargate already exists.
status code: 409, request id: cbe7771a-a866-45d1-a35e-b82727e84f15
on .terraform/modules/eks_fargate_profile_staging/main.tf line 35, in resource "aws_iam_role" "default":
35: resource "aws_iam_role" "default" {
I could of course clone the module code since it is standalone, but then I lose the benefit of fixes made by CloudPosse, so I'm wondering if there is a better way, maybe there is a workaround I'm not thinking of.
Andriy Knysh (Cloud Posse)almost 6 years ago
each module has namespace, stage, name and attributes. You can add var.attributes=["something"] to one of the modules so all the generated names/IDs will be in the format namespace-stage-name-attributes which will be unique
OliverSalmost 6 years ago
That's one of the first things I tried but it didn't work. However given other errors I had it is possible I had other stuff incorrect that I have since fixed so will try again.
msharma24almost 6 years ago
Hello
I have built a same region cross account VPC Peering with Terraform, I have added one of the accepter VPCs SG to one of the requester VPCs SG as an inbound rule with account-number/sg-Id and I have applied the TF resources. Now, on every TF plan run, TF wants to recreate this cross account SG rule, and I don't get to see the happy "Your infrastructure is up to date" message 😂 it's annoying me
Anyone else faced this issue? I'm using the latest TF and latest aws provider versions
AugustasValmost 6 years ago
Trying to create an S3 bucket with state, and create dynamodb with some tables. Works fine in one region, got this error trying in another one. What should I do next? Googled a lot.
Error: error using credentials to get account ID: error calling sts:GetCallerIdentity: InvalidClientTokenId: The security token included in the request is invalid.
Matt Gowiealmost 6 years ago
Does anyone know why the standard is to put quotes around blocks (resources and module) labels (resource identifiers and their associated names)? It seems the whole community does so and I didn’t question it… but I do not know why it’s done when the quotes can be omitted which seems cleaner to me.
This is what I'm talking about btw:
# What everyone does:
data "aws_iam_policy_document" "default" {
...
}
# What no one does, but is valid (and I personally like more):
data aws_iam_policy_document default {
...
}
msharma24almost 6 years ago
Hi
Anyone facing trouble with terraform init for the aws provider?
terraform init 03:58 5.86G
Initializing provider plugins...
- Checking for available provider plugins...
Registry service unreachable.
This may indicate a network issue, or an issue with the requested Terraform Registry.
Warning: Skipping backend initialization pending configuration upgrade
The root module configuration contains errors that may be fixed by running the
configuration upgrade tool, so Terraform is skipping backend initialization.
See below for more information.
Error: registry service is unreachable, check <https://status.hashicorp.com/> for status updates
PePe Amengualalmost 6 years ago
Is it possible to exclude a tf file from being picked up by TF plan ?
msharma24almost 6 years ago
Anyone facing issues with terraform init taking ages to download the provider and plugins ?
Shawn Petersenalmost 6 years ago
Hi all, is it possible to dynamically populate a list of resources inside an "aws_iam_policy_document" ?
I'm trying to do something like this, with a list of arns passed into the module.
s3_bucket_arn = [arn1, arn2, arn3]
resources = [
"${var.s3_bucket_arn}",
"${var.s3_bucket_arn}/*"
]
but i keep running into the following error:
"is tuple with 3 elements Cannot include the given value in a string template: string required."
Any ideas?
Chris Fowlesalmost 6 years ago
formatlist()
Chris Fowlesalmost 6 years ago
resources = flatten([var.s3_bucket_arn, formatlist("%s/*", var.s3_bucket_arn)])