Laurynas about 5 years ago
I'm updating the Terraform version that is used by our team from 0.13.5 to 0.14.5. So as I understand, with terraform 0.14 .terraform.lock.hcl should be committed to git?
Vincent Van der Kussen about 5 years ago
Hi, does anyone here know of a way to handle data resources with nil values? I'm using google_kms_key_ring and it seems to return nil when a non-existing keyring name is provided
Rogerio Goncalves about 5 years ago
hey 👋
https://github.com/cloudposse/terraform-aws-efs/commit/53847b81f887f13a7cfec6132bf362bde6dd3788#diff-05b5a57c136b6ff5965[…]d184d9daa9a65a288eR41-R43
shouldn’t this change be a major release? changing encrypted from false to true will enforce recreation of the EFS resource
Andrew Roth about 5 years ago
Steve Wade (swade1987) about 5 years ago
is anyone using or planning to use https://github.com/terraform-aws-modules/terraform-aws-pricing ?
Mansoor Ebrahim about 5 years ago (edited)
trying to setup my terraform project with v0.14.4... however i'm getting an error
Error: Unsupported argument
on main.tf line 21, in provider "kubernetes":
21: load_config_file = false
here is my code
provider "kubernetes" {
  host                   = data.aws_eks_cluster.cluster.endpoint
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
  token                  = data.aws_eks_cluster_auth.cluster.token
  load_config_file       = false # this is the argument the error above points at
}
Jeremy G (Cloud Posse) about 5 years ago
Announcement:
terraform-null-label v0.23.0 is now out. It allows for setting the letter case of tag names and labels. Previously we forced tag names to be Title case and labels to be lower case. Now we allow some configuration. The primary impetus for this is that GCE does not allow uppercase letters in tag names, but we have taken it a step further based on other requests we have had over the years.
Note that with this version of null label, we have dropped support for Terraform 0.12. All future versions of our Terraform modules (once they are updated to terraform-null-label v0.23.0) are for TF 0.13.0 or above.
sytten about 5 years ago
Is it possible to list the files uploaded in a remote run?
sytten about 5 years ago
I feel the upload part is longer than it should be, and since I work in a monorepo it might be due to some random stuff being uploaded
sytten about 5 years ago
I added this terraformignore
sytten about 5 years ago
*
!infrastructure/
**/.terraform/
.git/
sytten about 5 years ago
thanks in advance if someone has a tip
Brandon Wilson about 5 years ago
is there a more efficient way to do this?
content_type = lookup(var.mime_types, split(".", each.value)[length(split(".", each.value)) - 1])
Brandon Wilson about 5 years ago
i can’t predict how many . will be in the filename
Brandon Wilson about 5 years ago
and I want to grab the last characters after the last . and use that in the lookup to determine the mime type
Alex Jurkiewicz about 5 years ago
So much functionality is missing from the core functions. I've been waiting for endswith() for years now
any ideas on how to accept a "template string" as a variable, and template it, without using the deprecated
template_file (which actually accepted strings not files)? the function templatefile() actually requires a file... for example, i used to template arns like this, so the user wouldn't have to hard-code values if they didn't want to:data "template_file" "policy_arns" {
count = length(var.policy_arns)
template = var.policy_arns[count.index]
vars = {
partition = data.aws_partition.current.partition
region = data.aws_region.current.name
account_id = data.aws_caller_identity.current.account_id
}
}Sarath Pantalaabout 5 years ago
Error: Incorrect attribute value type
on .terraform/modules/eks/workers_launch_template.tf line 40, in resource "aws_autoscaling_group" "workers_launch_template":
40: vpc_zone_identifier = lookup(
Inappropriate value for attribute "vpc_zone_identifier": set of string
required
can someone help me how to handle this
Gideon Bar about 5 years ago
I used https://github.com/cloudposse/terraform-aws-emr-cluster to terraform an EMR cluster. I then tried to ssh using the auto-generated key and couldn’t. How do I gain access to the master shell (ssh?) and view spark and zeppelin UI safely (ssh tunneling?)
Sarath Pantala about 5 years ago
can anyone connect for a Zoom call or google meet to solve the terraform error i am getting
Error: Incorrect attribute value type
on .terraform/modules/eks/workers_launch_template.tf line 40, in resource "aws_autoscaling_group" "workers_launch_template":
40: vpc_zone_identifier = lookup(
Inappropriate value for attribute "vpc_zone_identifier": set of string
required
Sarath Pantala about 5 years ago (edited)
I have Terraform scripts for eks which are in terraform v0.11.14; i need to upgrade to v0.12.0
Sarath Pantala about 5 years ago
I need someone's help
OliverS about 5 years ago
I have an EKS cluster and an EKS node group both created with your modules. Instances of that node group by default have the security group listed under "Cluster Security Group" in the AWS Console's EKS cluster view tab called Networking. I'd like these instances to have an additional security group. How to do this? The workers_security_group_ids adds SG to the security group listed under "Additional Security Groups" of the cluster, so this will not work as instances do not have that security group.
Helder Dias about 5 years ago
Hello Guys, one question regarding module https://github.com/cloudposse/terraform-aws-eks-iam-role
Helder Dias about 5 years ago
I can’t use it if the service account doesn’t already exist at the time of apply
Helder Dias about 5 years ago
service_account_name = var.external_secrets_service_acount
Helder Dias about 5 years ago
This account must already exist
Helder Dias about 5 years ago
which is bad in case you want to recreate from scratch and you can’t plan
Helder Dias about 5 years ago
Even with depends_on it doesn’t work
Helder Dias about 5 years ago
Any workaround for this ?
OliverS about 5 years ago
I need to allow an ALB to communicate with pod that has an ingress and a nodeport service, in an EKS cluster that uses nodegroup. It seems like I have to add the ALB's security group to that of the EKS instances, which were created by AWS EKS NodeGroup. But this does not seem possible out of the box with your EKS cluster module (at least at version 0.4). Am I going about this incorrectly?
David van Ginneken about 5 years ago
Hello everyone. 🙂
David van Ginneken about 5 years ago
Trying to use this module and I bang my head trying to get access_points setup. What would the variable look like?
David van Ginneken about 5 years ago
Right now I have it set this way.
David van Ginneken about 5 years ago
access_points = {
  example = {
    posix_user = {
      gid = "55007"
      uid = "55007"
    },
    root_directory = {
      creation_info = {
        gid         = "55007"
        uid         = "55007"
        permissions = "0755"
      }
    }
  }
David van Ginneken about 5 years ago
Plus a closing "}" of course 🙂
PePe Amengual about 5 years ago
Thinking on getting a Mac with a M1 chip, anyone developing in terraform running one?
Nick Marchini about 5 years ago
👋
Nick Marchini about 5 years ago (edited)
Getting an error message when trying to setup a cluster using the latest version 0.27.0 of the module for Elasticsearch.
Error: invalid value for domain_name (must start with a lowercase alphabet and be at least 3 and no more than 28 characters long. Valid characters are a-z (lowercase letters), 0-9, and - (hyphen).)
on .terraform/modules/elasticsearch-cluster/main.tf line 102, in resource "aws_elasticsearch_domain" "default":
102: domain_name = module.this.id
I can see in main.tf the following code
resource "aws_elasticsearch_domain" "default" {
  count       = module.this.enabled ? 1 : 0
  domain_name = module.this.id
But the context.tf file doesn’t contain anything for id
module "this" {
  source  = "cloudposse/label/null"
  version = "0.22.1" // requires Terraform >= 0.12.26
  enabled             = var.enabled
  namespace           = var.namespace
  environment         = var.environment
  stage               = var.stage
  name                = var.name
  delimiter           = var.delimiter
  attributes          = var.attributes
  tags                = var.tags
  additional_tag_map  = var.additional_tag_map
  label_order         = var.label_order
  regex_replace_chars = var.regex_replace_chars
  id_length_limit     = var.id_length_limit
  context             = var.context
}
I want to use a string that is 17 chars long but can only use one that is 10 or the error occurs.
I am passing my domain name to the module variable for name. Is this the right way to set the domain name?
Alex Jurkiewicz about 5 years ago
I'm trying to write variable validation to ensure a list of type = list(number) contains no null values. So I need a test that returns false if the list contains null.
This doesn't work (!):
contains([null,1,2], null) ("Invalid value for "value" parameter: argument must not be null.")
This does, but is much uglier:
length([for i in [null,1,2] : i if i == null]) == 0.
Any better suggestion?
Mohammed Yahya about 5 years ago (edited)
Does anyone have Architectural Decision Records for Terraform as an example? I want to learn more about why you picked up Terraform.
Adrian Wnuk about 5 years ago (edited)
Hello guys,
How can I define separate configuration for blocks of cors rules with this module? https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn
I have a module configuration something like this
cors_allowed_origins = ["https://example.com", "*"]
cors_allowed_methods = ["PUT", "DELETE"]
cors_allowed_headers = ["*"]
cors_expose_headers  = []
cors_max_age_seconds = 300
and this configuration creates 3 cors blocks for me with origins example.com, * and the aliases defined in the module (this is pretty good) but I can't edit any options for these origins like allowed_methods, allowed_headers. All of the created cors blocks have the same configuration 😨
Is there any solution to do this using only this module?
Yoni Leitersdorf (Indeni Cloudrail) about 5 years ago
Anyone using the terraform-aws-vpc module? You’re probably running into this now: https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/581
Frank about 5 years ago
I'm trying to upgrade our Terraform from 0.13.5 to 0.14.5 but I'm running into an issue.
All outputs of the terraform-aws-ecs-container-definition module are giving me an Error: Output refers to sensitive values
Is anyone familiar with this error and how it could be fixed? Should the outputs of the module be changed with sensitive = true or is there something on my end I have to change?
RB about 5 years ago
how does one set the required_version to be picked up automatically by atlantis for 0.13 or 0.14 ?
OliverS about 5 years ago
I’m upgrading some modules that work fine in terraform 0.12, to terraform 0.13. Got the terraform init to complete. Had to up the version on some third-party modules. The terraform apply gives me several errors “Provider configuration not present”. Unfortunately I do not know how to address this:
To work with
module.eks_main.module.vpc.module.label.data.null_data_source.tags_as_list_of_maps[3]
its original provider configuration at
provider["registry.terraform.io/-/null"] is required, but it has been removed.
This occurs when a provider configuration is removed while objects created by
that provider still exist in the state. Re-add the provider configuration to
destroy
module.eks_main.module.vpc.module.label.data.null_data_source.tags_as_list_of_maps[3],
after which you can remove the provider configuration again.
How do I re-add the provider: in what file (the eks_main main.tf? the vpc module main.tf? etc), and would it just be like
provider "aws" {
  region = "us-east-1"
}
OliverS about 5 years ago
For upgrade from 0.12 to 0.14, the docs say to first upgrade to 0.13. Does this mean for 0.13 just the init + validate + verify that plan created, or does it also require apply?
Tomek about 5 years ago
is there a way to get information on the last terraform run (apply/plan)? Basically trying to do something like this feature in terraform cloud https://www.terraform.io/docs/cloud/run/manage.html
Nikola Milicabout 5 years ago(edited)
Hello everyone! 👋 I have spent around a week or two trying to set up basic terraform configuration base for my example project and heard many opinions (yes/no? to Terragrunt, yes/no? to workspaces) so in abundance of various conflicting information and incomplete tutorials (tutorials which advocate an idea but do not showcase it fully) I’ve kind of lost focus. This is when I decided a Stack-overflow post might be a good idea, but that has also backfired since I haven’t got any answers to my broad questions, even though people replied.
TLDR from SO: I’d like to have multi-env (dev,stage) Terraform IaC setup that uses modules, that clearly separates prod and non-prod state management. (for the time being, resources provisioned do NOT matter to me, that can be as simple as an s3 bucket which I tried to illustrate).
Is it okay if I post it here, I’m looking for help in understanding how to set this up, and of course to change my approach If it is too restrictive/plain wrong. Thanks!
Julianabout 5 years ago
Hey everybody - trying to find the best way to import / generate baseline configurations from an AWS environment into terraform code to then edit.
I've been under a small rock, so are we still in the days of the predefined resource + import or is there a more streamlined solution I've been unaware of?
Michael Koroteev about 5 years ago
Hi,
we are trying to update the “eks-cluster” module (version 0.32) and we started encountering this error when running terraform plan:
Error: Get "http://localhost/api/v1/namespaces/kube-system/configmaps/aws-auth": dial tcp [::1]:80: i/o timeout
We suspect it is because of the kubernetes provider version, which was upgraded recently, but in their docs we don’t see any breaking changes regarding this existing configuration:
provider "kubernetes" {
  token                  = join("", data.aws_eks_cluster_auth.eks.*.token)
  host                   = join("", data.aws_eks_cluster.eks.*.endpoint)
  cluster_ca_certificate = base64decode(join("", data.aws_eks_cluster.eks.*.certificate_authority.0.data))
}
Did anyone encounter this issue ?
thanks
Kevin Huff about 5 years ago (edited)
Hey all I have a question regarding the terraform-aws-elastic-beanstalk-environment module. We're in the process of upgrading from a real old version (0.11.0), and I'm trying to get the environment name in elastic beanstalk to match what that version generated, which was just the stage. Looks like we're maybe setting it through the Environment tag. Now it's some combination of namespace-name-stage. I assumed setting environment = var.stage would do it but I can't see the effect that has. Any assistance would be greatly appreciated.
rss about 5 years ago (edited)
v0.14.6
0.14.6 (February 04, 2021)
ENHANCEMENTS:
backend/s3: Add support for AWS Single-Sign On (SSO) cached credentials (#27620)
BUG FIXES:
cli: Rerunning init will reuse installed providers rather than fetching the provider again (#27582) ...
curious deviantabout 5 years ago(edited)
Hello,
I am creating an SSH key pair in TF and storing in secrets manager for further use by related resources. While checking out support for SSH key generation via TF code, I came across the warning that the solution is not production grade since the private key would be stored in TF state file. How are others solving for such use cases ?
Thomas Hoefkensabout 5 years ago
Hi everyone! I have created an EKS cluster with the terraform_aws_eks module and the cluster was created with a particular access key and secret key. On a client machine, I cannot use that access key but have to use another set of accesskeys and then assume a role using the aws sts command. After assuming the role, I have "admin access". When I then call kubectl get pods, I do not have access. I thought I could solve this by including this bit in the cluster creation:
map_roles = [
  {
    rolearn  = "arn:aws:iam::844857508710:role/my-role"
    username = "my-role"
    groups   = ["system:masters"]
  }
]
where rolearn is the role that I assumed... but when executing kubectl get pods, I still have no access. Could someone point me to a solution 🙂 ?
charleszabout 5 years ago
wanted to auto scale aurora using https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appautoscaling_target but i cannot see an option on how to scale down
charleszabout 5 years ago
any pointers you can give me or better yet examples that i can play with?
charleszabout 5 years ago
my goal is to scale up/down my rds instances dependeing on time
Vincent Van der Kussenabout 5 years ago
Is there a way to remove a provider in the remote state that has been added but has a typo?
uselessuseofcat about 5 years ago
hi,
how can I convert [""] to [] ?
uselessuseofcat about 5 years ago
How can I skip a property when calling cloudformation stack from Terraform? Empty value does not work 😞
RBabout 5 years ago
Try null
RBabout 5 years ago
Thats worked for me in the past
chrismabout 5 years ago
@Erik Osterman (Cloud Posse) https://github.com/cloudskiff/driftctl might be interesting to you
Steve Wade (swade1987)about 5 years ago
does anyone have a recommended guide for configuring AWS SSO (using Azure AD) with Terraform?
lorenabout 5 years ago
Emmanuel Gelatiabout 5 years ago
Hi, Why do I need to use DynamoDB with aws remote state?
Ofek Solomonabout 5 years ago
I also have this issue, is there any solution for this? thanks!
uselessuseofcat about 5 years ago (edited)
Hi, I have a CloudFormation template on which I lost 2 days trying to solve a problem, but I am a CF noob. I want to put this on the Terraform side where one value can be either a string or a list - depending on a true or false value.
For example:
false ? "test" : tolist(["test2"])
But I got an error:
The true and false result expressions must have consistent types. The given
expressions are string and list of string, respectively.
Is there any workaround for this?
Many thanks!
RBabout 5 years ago
There isn't. Each variable has to be a single type
RBabout 5 years ago
What are you trying to accomplish with this technique
uselessuseofcatabout 5 years ago
I have one value from CF template that can be either a string AWS::NoValue or a list depending on other values.
RBabout 5 years ago
Oh i thought you were trying to do it in terraform
uselessuseofcatabout 5 years ago
Is there any way to omit line in Terraform template?
RBabout 5 years ago
You can set it to null
charlesz about 5 years ago
hi all, i have a question, i was asked to make a spot fleet that scales in / out according to specific time. is this still applicable in 0.12.x version of terraform? - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/spot_fleet_request#iam_fleet_role
uselessuseofcat about 5 years ago
Hi! When I'm loading template_file through data, how can I specify the list to iterate through? For example https://www.terraform.io/docs/language/functions/templatefile.html
I know that the templatefile function renders the template, but how can I implement that?
For example, this is where I specify template_file:
data "template_file" "cf" {
  template = file("${path.module}/templates/cf-asg.tpl")
  vars = {
    service_name           = var.service_name
    subnets                = join("\",\"", var.subnets)
    availability_zones     = join("\",\"", var.availability_zones)
    lc_name                = aws_launch_configuration.ecs_config_launch_config.name
    min_instances          = var.min_instances
    max_instances          = var.max_instances
    desired_instances      = var.desired_instances
    asg_health_check_type  = var.asg_health_check_type
    no_of_resource_signals = var.no_of_resource_signals
    #tgs = [local.tg]
    region_tag             = var.region_tag
    env_tag                = var.env_tag
    newrelic_infra_tag     = var.newrelic_infra_tag
    purpose_tag            = var.purpose_tag
    patch_group_tag        = var.patch_group_tag
  }
}
This is where I'm loading it:
resource "aws_cloudformation_stack" "autoscaling_group" {
  name          = "${var.service_name}-asg"
  template_body = data.template_file.cf.rendered
  depends_on    = [aws_launch_configuration.ecs_config_launch_config]
}
And this is a part of cf-asg.tpl:
MinSize: "${min_instances}"
MaxSize: "${max_instances}"
%{ for tg in tgs ~}
TargetGroupARNs: ${tg}
%{ endfor ~}
So, how can I specify the list tgs to iterate through?
RB about 5 years ago
data "template_file" "cf" is deprecated in favor of templatefile
RB about 5 years ago
why are you using a template file to dynamically create a cf stack using tf...
RBabout 5 years ago
why not just create the resources purely in tf
uselessuseofcatabout 5 years ago
Let me explain man, since I'm doing it for 3 days straight 🙂
First of all, I am creating CF stack for ASG because I need rolling updates, and CF can bump max number of instances on the fly
RBabout 5 years ago
isnt there a way to do that in pure tf ?
uselessuseofcatabout 5 years ago
nope man
uselessuseofcatabout 5 years ago
not yet
uselessuseofcatabout 5 years ago
and there is one stupid CF property that can be a list or a value "AWS::NoValue" which tell CF to skip that Property. But the thing is - in some cases I need to set list, in some cases string...
uselessuseofcatabout 5 years ago
so my last resort is template, I can iterate the list and if empty, skip a line in template file
RBabout 5 years ago
oh man i didnt know that
RBabout 5 years ago
is there a module that does all this for you
RBabout 5 years ago
cause that would be amazing
uselessuseofcatabout 5 years ago
Nope, only one page on the whole internet: https://medium.com/@endofcake/using-terraform-for-zero-downtime-updates-of-an-auto-scaling-group-in-aws-60faca582664
uselessuseofcatabout 5 years ago
I already have that set up, but I want to have ALB healthchecks in place
Zachabout 5 years ago
You might be better off doing a blue green swap of the ASGs then
Zachabout 5 years ago
unless you have a hard requirement for the rolling update
Zachabout 5 years ago
or another alternative, update the ASG with your new config but use the instance-refresh CLI command to do the rolling update
Chris Fowlesabout 5 years ago
Terraform supports instance refresh now
Chris Fowlesabout 5 years ago
Bobabout 5 years ago
Hi~ Anyone have experience/recommendation keeping your Terraform code DRY? Like how Terragrunt does it, but using Terraform Cloud, Scalr, or Spacelift? We have a few environments we "promote" infrastructure changes to (dev --> test --> prod) and would like get away from "copying" the same terraform code/modules . I notice env0 has support for terragrunt, but want to know what others have done
TIA!
lorenabout 5 years ago
if i could beg for a favor and get some folks to 👍️ the linked issues and the pr, i would truly be grateful... https://github.com/hashicorp/terraform-provider-aws/issues/4426#issuecomment-775504542
Thomas Hoefkensabout 5 years ago
Hi everyone! I have a strange issue and wonder whether any of you have encountered it or managed to solve it.. I deploy an EKS cluster with fargate profiles using terraform, and this works perfectly the first time round. Then I issue a TF destroy and all resources are gone, so far so good.
Now, when again applying the TF scripts, with the same cluster name, the creation gets stuck on creating fargate profiles.. as if something is hindering AWS from recreating the same fargate profile names (which have been correctly deleted by TF):
module.eks.module.fargate.aws_eks_fargate_profile.this["default"]: Still creating... [44m50s elapsed]
Is this is a bug or is there a workaround for this? Often I can see that the Profile got created for the cluster, yet TF is somehow not "seeing" that the creation is complete...
Adnanabout 5 years ago
Hi Everyone!
Is anyone using porter.sh in prod?
Specifically as a bridge between terraform and helm?
Steve Wade (swade1987)about 5 years ago
is there a way in terraform-compliance to test outputs?
Bart Coddensabout 5 years ago
HI all, I am using this module : https://github.com/cloudposse/terraform-aws-tfstate-backend I would like to create this :
terraform_state_file = "s3state/var.tier/terraform.tfstate" where var.tier is a variable. The statefile is stored as such then: s3state/test/terraform.tfstate. The variable is tier=test
Bart Coddens about 5 years ago
With the above module the s3 state backend is configured properly, thanks all for this excellent module
Bart Coddensabout 5 years ago
How do you manage multiple state files, do you generate the backend files by hand ?
Neo-fightabout 5 years ago
Is there a simple ‘how to’ on using terraform-aws-cloudfront-s3-cdn ? The .tf under examples/complete doesn’t seem to run for me when I change the relevant parameters to match a brand new AWS setup (AWS hosted domain with R53)? I haven’t been able to find one but then again I’m fried
Erik Osterman (Cloud Posse)about 5 years ago
lorenabout 5 years ago
well that's nifty, tailscale has a community terraform provider already... https://registry.terraform.io/providers/davidsbond/tailscale/latest/docs
nnsenseabout 5 years ago
Help!!
nnsenseabout 5 years ago
I mean, hi everyone! ok, now, HELP!! 😄
nnsenseabout 5 years ago
AhhhA! Caution, I've spent the last 3 days between google and cloudposse git, I could bite 😄
nnsenseabout 5 years ago
I really hope somebody can help me with the cloudposse EKS cluster.. I really don't know why... first time, it creates the cluster.. second apply...
Error: the server is currently unable to handle the request (get configmaps aws-auth)
nnsense about 5 years ago
It's SO annoying.. reading the TRACE, it seems to be trying to call localhost (?) which answers 503...
nnsenseabout 5 years ago
HTTP/1.1 503 Service Unavailable
Connection: close
Content-Length: 299
Content-Type: text/html; charset=iso-8859-1
Date: Wed, 10 Feb 2021 00:25:35 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>503 Service Unavailable</title>
</head><body>
<h1>Service Unavailable</h1>
<p>The server is temporarily unable to service your
request due to maintenance downtime or capacity
problems. Please try again later.</p>
</body></html>
nnsense about 5 years ago
All this seems related to the F. map_additional_iam_roles and also map_additional_iam_users (tried both)
nnsense about 5 years ago
That unauthorized thing seems to be related to module.eks_cluster.kubernetes_config_map.aws_auth[0]
nnsense about 5 years ago
This, if I set kubernetes_config_map_ignore_role_changes to true
nnsense about 5 years ago
If I set it to false, the module is instead module.eks_cluster.kubernetes_config_map.aws_auth_ignore_changes
nnsense about 5 years ago
I've tried almost everything, but I really don't understand why it runs perfectly, but if I run a refresh, an apply, or a destroy, it throws that error and byebye
nnsenseabout 5 years ago
Tried.
nnsenseabout 5 years ago
I've forgotten to say, I'm not using any other module than cloudposse eks cluster and node-groups
lorenabout 5 years ago
now i feel bad about speaking up so flippantly, because i know nothing about eks 😅
nnsenseabout 5 years ago
Oh don't worry, me too 😄
lorenabout 5 years ago
but, i know one big difference between an initial apply and subsequent terraform actions, is that terraform will actually attempt to describe the running resources and compare them to the config. so i'd guess it is that part of the execution that is throwing the error. i have no idea how to use that to help you though
nnsenseabout 5 years ago
Yep, that's correct but I didn't change anything between the two applies (or the apply and the refresh). It's clearly written to change kubernetes_config_map_ignore_role_changes in the readme if I want to change the nodes, or the users, but I don't want to, it's throwing that error even if I run tf apply -auto-approve && tf refresh
nnsenseabout 5 years ago
I really don't know what to do, I've tried reading the code of the module, but it looks fine to me
nnsenseabout 5 years ago
@Erik Osterman (Cloud Posse)... I know you know the answer... 😁
lorenabout 5 years ago
i would recommend threading, at least, to give others a chance with their own questions... 🙏
nnsenseabout 5 years ago
Oops.. You're right 🤦
Mr.Devopsabout 5 years ago(edited)
hello - has anyone come with a solution to use a list of instance id in the target_id for the resource https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group_attachment#target_id
I find it annoying to have to create multiple lb_target_group_attachment for every instance
Victor Hugo dos Santosabout 5 years ago
Hi... Is the aws-ssm-iam-role supposed to work with terraform 12???
Victor Hugo dos Santosabout 5 years ago
I'm getting this error:
warning: Quoted type constraints are deprecated
on .terraform/modules/ssm_role.label/variables.tf line 19, in variable "delimiter":
19: type = "string"
Terraform 0.11 and earlier required type constraints to be given in quotes, but that form is now deprecated and will be removed in a future version of Terraform. To silence this warning, remove the quotes around "string".
(and 13 more similar warnings elsewhere)
But, looks like this module isn't updated.. 😞
Patrick Doyleabout 5 years ago
Hello. I'm trying to use the CIS config rules module but getting an error that no source URL was returned when running terraform init with the latest version(0.14.6). I am using the URL defined in the example, https://github.com/cloudposse/terraform-aws-config.git//modules/cis-1-2-rules?ref=master. The module URL seems correct based on the terraform docs so I'm not sure if this is an issue with the repo or with terraform...
rssabout 5 years ago(edited)
v0.15.0-alpha20210210
0.15.0 (Unreleased)
BREAKING CHANGES:
The list and map functions, both of which were deprecated since Terraform v0.12, are now removed. You can replace uses of these functions with tolist([...]) and tomap({...}) respectively. (#26818)
Terraform now requires UTF-8 character encoding and virtual terminal support when running on...
Mr.Devopsabout 5 years ago
please anyone?
Asisabout 5 years ago(edited)
Our team runs terragrunt modules locally, what are the best solutions/practices to run modules in a more unified pattern?
Note we have s3bucket + dynamodb for locking state
uselessuseofcatabout 5 years ago
Is someone still using this Lambda https://registry.terraform.io/modules/blinkist/airship-ecs-instance-draining/aws/latest?
It looks it's not working anymore 😞
Lambda logs looks something like this:
Event needs-retry.autoscaling.CompleteLifecycleAction: calling handler <botocore.retryhandler.RetryHandler object at 0x7fe662775b10> and Event request-created.autoscaling.CompleteLifecycleAction: calling handler <bound method RequestSigner.handler of <botocore.signers.RequestSigner object at 0x7fe6627a99d0>>
johntellsallabout 5 years ago
This tool visualizes Terraform state files! Has anyone played with Pluralith?
https://www.pluralith.com/
Balazs Vargaabout 5 years ago
hello, can I ask about vault? Is there a way to autogenerate missing passwords and store them on vault? So I don't need to provide from helm/helmfile.
uselessuseofcatabout 5 years ago(edited)
Hi, I have the rolling update set with Terraform and CF for ECS clusters. This is how it works:
- I have ECS cluster behind ALB
- When there is an AMI change, Terraform applies it
- ASG, which was created with CloudFormation template on Terraform, adds a new instance (this was not possible with TF module)
Here it becomes funky:
- Target group sees status of the old instance as "initial draining" 30 seconds after I run terraform apply
- Healthchecks are failing, because, of course, the container on my new EC2 instance is not started yet and Target Group sees it as unhealthy, but doesn't continue to serve traffic from the old instance.
- Then I got a bunch of 503s and after that 502s until the container on the new instance is up
These parts are ok:
- I have Lambda function that drains ECS containers
- After draining finishes, the instance is killed
This worked before, when I had EC2 checks on ASG. Now I want to use TargetGroupArns to check HTTP and to see if I'll get 200 and if application is really running.
Is there any workaround on this?
Like to set draining of instances with a delay of few minutes?
andrewAtX82about 5 years ago
Hi guys, I was looking through the terraform-aws-ses-lambda-forwarder code as I was intrigued to see a system close to one that we devised. I see that listed under the limitations is the use of a verified domain as the sender. We use SRS to be compliant with without breaking SPF . I've had success using senrews to do SRS0 and SRS1 rewrites.
Another thing to note is additional cleanup of the email. SES very loosely accepts emails, however is very strict with what it sends out. You will need to clean up duplicate headers, remove DKIM signatures and return-paths, etc when forwarding . The aws-lambda-ses-forwarder has some problems with sending bounce messages and a host of other minor bugs. Just a heads up.
Vincent Shefferabout 5 years ago(edited)
Can I get some guidance on the difference between terraform-aws-eks-workers and terraform-aws-eks-node-group ? They both seem very similar and both are actively being maintained. When should we use one over the other?
Vincent Shefferabout 5 years ago
I’ve tried both. eks-node-group seems to work better for me, but wondering what the experience is like for others.
PePe Amengualabout 5 years ago
is this correct?
dynamic "custom_header" {
for_each = lookup(origin.value, "custom_header", [])
content {
name = custom_header.value.name
value = custom_header.value.value
}
}
Erik Osterman (Cloud Posse)about 5 years ago(edited)
congrats to @marcinw @Paweł Hytry - Spacelift https://techcrunch.com/2021/02/11/cloud-automation-startup-spacelift-raises-6m-series-a-led-by-blossom-capital/
Mohammed Yahyaabout 5 years ago(edited)
https://www.manatee.app/
Manatee alerts you the instant your infrastructure drifts from Terraform. It's free to use, supports all major clouds, and takes minutes to set up.
Mohammed Yahyaabout 5 years ago
one way to keep secrets out of your state file https://secrethub.io/docs/guides/terraform/
Tim Schwenkeabout 5 years ago
Are the Terraform modules https://github.com/cloudposse/terraform-null-label and https://github.com/cloudposse/terraform-terraform-label aimed at usage in any Terraform module or specifically made for Cloud Posse modules? I'm asking this because the docs mention context.tf files that are part of all Cloud Posse modules that use terraform-null-label
Mohammed Yahyaabout 5 years ago
terraform-provider-aws v3.28.0
- +7 NEW FEATURES including aws_securityhub_organization_admin_account
- +35 NEW ENHANCEMENTS
- +10 BUG FIXES
https://github.com/hashicorp/terraform-provider-aws/releases/tag/v3.28.0
Bobabout 5 years ago
Hello guys, this might have been asked before, but what criteria do you guys use when evaluating if something needs to be created as a module?
I recently joined a company with 6 cloud engineers that have been discussing about maturing their terraform deployment, and modules have been brought up. The -legacy- engineers wanted to create a module for everything, even simple ones. For example, azure resource groups, and the arguments were:
1. Takes me 10 mins to write it anyway
2. I can make it accept a comma-delimited name, and it creates multiple resource groups for me
3. If you want to create 1 resource group, the module can handle it anyway
4. I can ask for required tags on the resource groups, and I'm sure we're going to need something else on those resource groups in the future
Our goal is to eventually allow our app dev teams to create their terraform code to deploy their infrastructure for their apps. They originally managed the deployment by creating standalone deployments for each resources - like 1 deployment for resource group, 1 for SQL PaaS, 1 for storage account - all separate repositories and "pipeline". We would like to move to more application-based repositories that contains all the terraform code/infrastructure needed for the said application (shared services infrastructure like AKS will be separately managed)
I feel this is a case of over engineering/YAGNI, but being new, I may be biased. I don't feel simple/standalone terraform resources should have another wrapper on top of it (module). Is there a compelling reason why this pattern can bite us in the future (aka very bad idea)?
Yashodhan Ghadgeabout 5 years ago
hey guys!, I've got a VPC that some other team has made via terraform, can I define a vpc module and pass in the vpc id to it to add a few more subnets to it?
Reinholds Zviedrisabout 5 years ago
Maybe here is someone who encountered something like that?
Bharat Bhushanabout 5 years ago
Hi, I have an ec2 cluster, there are multiple tags(Name) associated with cluster instances. I want to fetch these tags(Name) and pass it to a module that accepts a list of EC2 instances. Any suggestions ?
lorenabout 5 years ago
Congrats to the BridgeCrew folks? "Prisma Cloud Shifts Left With Proposed Acquisition of Bridgecrew" https://blog.paloaltonetworks.com/2021/02/prisma-cloud-bridgecrew/
kgibabout 5 years ago
I'd like to use the EKS module to deploy EKS with workers in private subnet
kgibabout 5 years ago
what is the simplest method to accomplish?
melissa Jennerabout 5 years ago
I used terragrunt (terraform) to provision a VPC some time ago. But, today, when I re-run the script I got, "Remote state S3 bucket blue-green-terraform-state does not exist or you don't have permissions to access it.". I logged in to the AWS console, the S3 bucket blue-green-terraform-state is there. I have no clue. Can someone help?
$ terragrunt init
[terragrunt] [/depot/infra/dev/Oregon/nsm/green/vpc] Running command: terraform --version
[terragrunt] Terraform version: 0.13.5
[terragrunt] Reading Terragrunt config file at /depot/infra/dev/Oregon/nsm/green/vpc/terragrunt.hcl
[terragrunt] Initializing remote state for the s3 backend
[terragrunt] [terragrunt] Remote state S3 bucket blue-green-terraform-state does not exist or you don't have permissions to access it. Would you like Terragrunt to create it? (y/n)
$ cat terragrunt.hcl
remote_state {
backend = "s3"
config = {
encrypt = false
bucket = "blue-green-terraform-state"
key = "infra/Oregon/green/vpc/terraform.tfstate"
region = "us-west-2"
dynamodb_table = "green-vpc-lock-table"
}
}
$ env | grep AWS
AWS_SECRET_ACCESS_KEY=#####################
AWS_ACCESS_KEY_ID=############
Thomas Windellabout 5 years ago
Hi there! Does anyone know if there would be a way to use this module but have more than one service and task definition? Having multiple services seems like a common architecture with AWS ECS - is there perhaps another module that is more suitable?
Bart Coddensabout 5 years ago
Hey all with the s3 user module: https://github.com/cloudposse/terraform-aws-iam-s3-user I want to do this:
Bart Coddensabout 5 years ago
module "s3_user" {
source = "cloudposse/iam-s3-user/aws"
label_order = ["namespace", "name", "environment", "stage", "attributes"]
namespace = "dspace"
name = var.name
environment = "s3"
stage = var.tier
s3_actions = ["s3:GetBucketAcl", "s3:GetBucketVersioning", "s3:ListBucket", "s3:GetBucketLocation"]
s3_resources = ["arn:aws:s3:::cloudposseisawesome"]
s3_actions = ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"]
s3_resources = ["arn:aws:s3:::cloudposseisawesome/*"]
}
Bart Coddensabout 5 years ago
This does not work because s3_actions is defined twice
Bart Coddensabout 5 years ago
a bit puzzled howto do this
Bradai Hazemabout 5 years ago
Hello there !
Please, I have a question, I'm using the terraform-aws-nlb module, I'm trying to add 2 listeners in the same nlb, is there a way to do that? Thanks!
Danielabout 5 years ago(edited)
Hi, I was hoping to understand the background on the sensitive output change introduced in terraform-aws-ecs-container-definition#118.
The PR mentions an issue with the terraform-aws-ecs-alb-service-task module but I cannot find any references or examples of the actual issue's code or error. Is there any examples of the actual error and the use-case? While I understand 0.14's sensitive flagging behavior, I'm confused as to what values were being used in the OP's container definition that were flagged as sensitive and caused this issue. In my modules, all the secrets are dumped into SM/SSM Parameters and only their ARN references are exposed in the container definition. I've been using TF 0.14 without issue in this manner. To my knowledge, those are not sensitive values.
My concern is that sensitive outputs are infectious for a lack of better words. Some outputs are indeed sensitive but I don't see how the container definitions are.
Bart Coddensabout 5 years ago
Hi all, I am iplementing replication with this module: https://github.com/cloudposse/terraform-aws-s3-bucket
Bart Coddensabout 5 years ago
in my original configuration I had:
Bart Coddensabout 5 years ago
replication_configuration {
role = "cloudposseisthebest-role"
rules {
id = "Replicate to DEEP_ARCHIVE on target"
priority = 0
status = "Enabled"
destination {
bucket = "arn:aws:s3:::cloudposseisthebest-role"
storage_class = "DEEP_ARCHIVE"
}
}
}
Bart Coddensabout 5 years ago
can you set the storage class with this module ?
Bart Coddensabout 5 years ago
hah this does the trick:
Bart Coddensabout 5 years ago
replication_rules = [
{
id = "Replicate to DEEP_ARCHIVE on target"
destination = {
bucket = "arn:aws:s3:::cloudposse-${var.name}-is-awesome"
storage_class = "DEEP_ARCHIVE"
}
}
]
Mohammed Yahyaabout 5 years ago
rssabout 5 years ago(edited)
v0.14.7
0.14.7 (February 17, 2021)
ENHANCEMENTS:
cli: Emit an "already installed" event when a provider is found already installed (#27722)
provisioner/remote-exec: Can now run in a mode that expects the remote system to be running Windows and executing commands using the Windows command interpreter, rather than a Unix-style shell. Specify...
michael sewabout 5 years ago(edited)
Question about the branches I see in several of the cloudposse TF modules:
ie. https://github.com/cloudposse/terraform-aws-rds/branches
I see a master, 0.11/master, 0.12/master branch. Is the intention to maintain separate branches for each major TF version?
update: nevermind, i see that support was dropped for 0.12, so
master = tf0.13
0.12/master = tf0.12, which i presume features are at standstill
0.11/master = tf0.11, which i presume was stopped back when you guys moved to 0.12
David Lozanoabout 5 years ago(edited)
Hi everyone,
Does anyone know why this condition is returning false? And what would be the right expression to compare with to get true?
main.tf
variable "empty_list" {
type = list(string)
default = []
}
console
tf console
> var.empty_list
tolist([])
>
> var.empty_list == []
false
> var.empty_list == tolist([])
false
Bart Coddensabout 5 years ago
Hi all, I am a bit confused with tagging my root volume:
Bart Coddensabout 5 years ago
resource "aws_instance" "bladibla" {
disable_api_termination = true
tags = {
"Tier" = "DEV"
"Application" = "DSpace"
"Name" = "UPGRADE-EXPRESS"
"Terraform" = "True"
"Patch Group" = "patch-dev"
}
root_block_device {
volume_type = "standard"
volume_size = 30
delete_on_termination = false
tags = {
"Application" = "DSpace"
"Data" = "HOME"
"Name" = "UPGRADE-EXPRESS-HOME"
"Tier" = "DEV"
}
}
}
Bart Coddensabout 5 years ago
when I do this, the tool refuses with:
Bart Coddensabout 5 years ago
tags is not expected here
Nikola Milicabout 5 years ago
If i use s3 backend for my terraform state, how should I fetch that information for use in my web application or some job in the pipeline?
Use these assumptions:
1. terraform did provision my resources (let's say - RDS) and saved the state remotely on s3
2. my web application needs that resource information for the provisioned RDS (some are secrets)
Here are what’s coming to my mind:
1. write a shell script that uses terraform CLI to fetch these secrets from the state and write them to .env file so that the web app can load them
2. use some secret management software, from AWS? Vault (Overkill?)
Take note that I use Gitlab CI for the pipeline, and I know that there is a Terraform integration present there, but I want to know what is the correct way of managing this if I were to transition to Github pipelines some day or something else.
Bart Coddensabout 5 years ago
Hi all, I used the iam-system-user module to create a user with access key and secret. Could you hand over this data to ansible to store it on the machine? I know this is not best practice but the legacy application cannot work without this
Bart Coddensabout 5 years ago
the output generates this:
Mohammed Yahyaabout 5 years ago
Bart Coddensabout 5 years ago
Hi all, how do you guys manage the state backend on s3, when I try to do something like this:
Bart Coddensabout 5 years ago
terraform {
backend "s3" {
bucket = "bla-test-tfstate"
key = "s3/${var.name}/terraform.tfstate"
region = "eu-west-1"
}
}
Bart Coddensabout 5 years ago
it fails
Steve Wade (swade1987)about 5 years ago
does anyone have a module (or know of one) that can easily configure the necessary subnet CIDRs for the upstream VPC module?
i know the VPC CIDR block I would like to use and will only ever go across 3 AZs so will need 12 CIDR blocks from the VPC CIDR provided
Steve Wade (swade1987)about 5 years ago
i am trying to automate this away as much as possible to make it super simple for people
David Lozanoabout 5 years ago
Hi everyone,
Has anyone encountered this issue before? I think it has to do with the way terraform processes list values.
If I make the first cidr_blocks an empty list [] to match the second cidr_blocks type it throws a different error: "source_security_group_id": conflicts with cidr_blocks since cidr_blocks and source_security_group_id can not be present in the same rule.
main.tf
module "sg" {
source = "github.com/cloudposse/terraform-aws-security-group?ref=0.1.3"
rules = [
{
type = "ingress"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = null
self = null
source_security_group_id = "sg-0000aaaa1111bbb"
},
{
type = "egress"
from_port = 0
to_port = 65535
protocol = "all"
cidr_blocks = ["0.0.0.0/0"]
self = null
source_security_group_id = null
}
]
vpc_id = "vpc-0000aaaa1111bbb"
context = module.this.context
}
ERROR
David Lozanoabout 5 years ago
tf apply
panic: inconsistent list element types (cty.Object(map[string]cty.Type{"cidr_blocks":cty.DynamicPseudoType, "from_port":cty.Number, "protocol":cty.String, "self":cty.DynamicPseudoType, "source_security_group_id":cty.String, "to_port":cty.Number, "type":cty.String}) then cty.Object(map[string]cty.Type{"cidr_blocks":cty.Tuple([]cty.Type{cty.String}), "from_port":cty.Number, "protocol":cty.String, "self":cty.DynamicPseudoType, "source_security_group_id":cty.String, "to_port":cty.Number, "type":cty.String}))
goroutine 545 [running]:
github.com/zclconf/go-cty/cty.ListVal(0xc000e784c0, 0x2, 0x2, 0xc0005465e0, 0x1, 0x1, 0x1)
/go/pkg/mod/github.com/zclconf/go-cty@v1.7.1/cty/value_init.go:166 +0x5a8
github.com/zclconf/go-cty/cty/convert.conversionTupleToList.func2(0x3860460, 0xc000bc5420, 0x2f350a0, 0xc000bc5440, 0x0, 0x0, 0x0, 0x3860320, 0x2cebaef0, 0x10, ...)
/go/pkg/mod/github.com/zclconf/go-cty@v1.7.1/cty/convert/conversion_collection.go:327 +0x794
github.com/zclconf/go-cty/cty/convert.getConversion.func1(0x3860460, 0xc000bc5420, 0x2f350a0, 0xc000bc5440, 0x0, 0x0, 0x0, 0xc001009c50, 0xc0005465d0, 0x3860360, ...)
/go/pkg/mod/github.com/zclconf/go-cty@v1.7.1/cty/convert/conversion.go:46 +0x433
github.com/zclconf/go-cty/cty/convert.retConversion.func1(0x3860460, 0xc000bc5420, 0x2f350a0, 0xc000bc5440, 0xc0005465d0, 0x0, 0x0, 0x0, 0xc00030c270, 0x10000c001c70000)
/go/pkg/mod/github.com/zclconf/go-cty@v1.7.1/cty/convert/conversion.go:188 +0x6b
github.com/zclconf/go-cty/cty/convert.Convert(0x3860460, 0xc000bc5420, 0x2f350a0, 0xc000bc5440, 0x3860360, 0xc000877040, 0xc000bc5420, 0x2f350a0, 0xc000bc5440, 0x0, ...)
/go/pkg/mod/github.com/zclconf/go-cty@v1.7.1/cty/convert/public.go:51 +0x1b9
github.com/hashicorp/terraform/terraform.(*nodeModuleVariable).EvalModuleCallArgument(0xc000594900, 0x389bce0, 0xc001c441a0, 0xc0005ca301, 0x0, 0x0, 0x0)
/home/circleci/project/project/terraform/node_module_variable.go:238 +0x265
github.com/hashicorp/terraform/terraform.(*nodeModuleVariable).Execute(0xc000594900, 0x389bce0, 0xc001c441a0, 0xc00003a004, 0x30ada40, 0x3202b60)
/home/circleci/project/project/terraform/node_module_variable.go:157 +0x7f
github.com/hashicorp/terraform/terraform.(*ContextGraphWalker).Execute(0xc000ebc270, 0x389bce0, 0xc001c441a0, 0x2da00048, 0xc000594900, 0x0, 0x0, 0x0)
/home/circleci/project/project/terraform/graph_walk_context.go:127 +0xbc
github.com/hashicorp/terraform/terraform.(*Graph).walk.func1(0x3202b60, 0xc000594900, 0x0, 0x0, 0x0)
/home/circleci/project/project/terraform/graph.go:59 +0x962
github.com/hashicorp/terraform/dag.(*Walker).walkVertex(0xc000594960, 0x3202b60, 0xc000594900, 0xc000e78340)
/home/circleci/project/project/dag/walk.go:387 +0x375
created by github.com/hashicorp/terraform/dag.(*Walker).Update
/home/circleci/project/project/dag/walk.go:309 +0x1246
/home/circleci/project/project/dag/walk.go:309 +0x1246
!!!!!!!!!!!!!!!!!!!!!!!!!!! TERRAFORM CRASH !!!!!!!!!!!!!!!!!!!!!!!!!!!!
Terraform crashed! This is always indicative of a bug within Terraform.
A crash log has been placed at "crash.log" relative to your current
working directory. It would be immensely helpful if you could please
report the crash with Terraform[1] so that we can fix this.
When reporting bugs, please include your terraform version. That
information is available on the first line of crash.log. You can also
get it by running 'terraform --version' on the command line.
SECURITY WARNING: the "crash.log" file that was created may contain
sensitive information that must be redacted before it is safe to share
on the issue tracker.
[1]: https://github.com/hashicorp/terraform/issues
!!!!!!!!!!!!!!!!!!!!!!!!!!! TERRAFORM CRASH !!!!!!!!!!!!!!!!!!!!!!!!!!!!
Danabout 5 years ago
Hello! Is there a way to pass a lifecycle ignore_changes in the inputs section when you are trying to point to a source module? (Using Terragrunt.hcl)
Steve Wade (swade1987)about 5 years ago(edited)
can anyone tell me what i am doing wrong please?
public_subnets = var.subnet_cidrs == {} ? local.subnet_cidr_map["public"] : var.subnet_cidrs["public"]
private_subnets = var.subnet_cidrs == {} ? local.subnet_cidr_map["private"] : var.subnet_cidrs["private"]
intra_subnets = var.subnet_cidrs == {} ? local.subnet_cidr_map["intra"] : var.subnet_cidrs["intra"]
database_subnets = var.subnet_cidrs == {} ? local.subnet_cidr_map["database"] : var.subnet_cidrs["database"]
Error: Invalid index
on .terraform/modules/base.vpc/modules/vpc/main.tf line 20, in module "vpc":
20: private_subnets = var.subnet_cidrs == {} ? local.subnet_cidr_map["private"] : var.subnet_cidrs["private"]
|----------------
| var.subnet_cidrs is empty map of dynamic
The given key does not identify an element in this collection value.
Bart Coddensabout 5 years ago
hi all while using the module:
Bart Coddensabout 5 years ago
I would like to create a prefix: so the name of the bucket should be cloudposseisawesome-prod/var.name
Mohammed Yahyaabout 5 years ago
https://github.com/hashicorp/terraform-provider-aws/releases/tag/v3.29.0
aws_securityhub_invite_accepter is finally out
Bart Coddensabout 5 years ago
Dear all, the module: https://github.com/cloudposse/terraform-aws-s3-bucket
Bart Coddensabout 5 years ago
does not seem to support a transition to DEEP_ARCHIVE yet, how can I request this ?
michael sewabout 5 years ago
Just curious how people have managed terraform version upgrades with modules? It seems that since the state is not backwards compatible, we have several workspaces all at some version of 0.12.x .
nnsensealmost 5 years ago(edited)
QQ: is this null_data_source still required as a workaround for nodes to wait for EKS module and cm to be in place? Yesterday I've seen this message from a deployment using it:
Warning: Deprecated Resource
The null_data_source was historically used to construct intermediate values to
re-use elsewhere in configuration, the same can now be achieved using locals
What if I move the two from the null_data_source shown in the examples into a locals { cluster_name = module.eks_cluster.eks_cluster_id } ? Would that achieve the same (waiting for aws-auth cm to exist)? On the same subject, what's the second variable (kubernetes_config_map_id) for? I cannot find it anywhere in the code, so how are the two tied together if set in locals (provided it's the right option if we want to make terraform happy and stop using null_data_source)?
I even tried to move the two vars into locals, and the deployment completed successfully... but I have the strong feeling I'm missing something here... but, if I'm not, and moving those into locals is everything we need to get rid of that message, I'm happy to update and send a PR.
Steve Wade (swade1987)almost 5 years ago(edited)
does anyone know of a tool that can mass terraform import resources from AWS?
i need to get our route53 hosted zones and records under terraform management and away from people using ClickOps to update them all.
i swear there was something from Google that I have seen before but can't for the life of me find it
i think its https://github.com/GoogleCloudPlatform/terraformer
Hao Wangalmost 5 years ago
just a quick update, the RDS wouldn’t be recreated if a snapshot is used, https://github.com/hashicorp/terraform-provider-aws/issues/17037
Hao Wangalmost 5 years ago
by the way, recently I am thinking if there is a package manager for Cloudposse modules, so the modules can be upgraded in TF files, just bump the version something like that 🙂
Bart Coddensalmost 5 years ago
Hi all, I made some changes to the s3 bucket module to support transition to deep archive storage class
Bart Coddensalmost 5 years ago
where can I submit my code ?
Frankalmost 5 years ago
Anyone else experienced this issue when updating the AWS provider from v3.28.0 -> v3.29.0 (with the terraform-aws-rds module)?
Error: ConflictsWith
on .terraform/modules/rds_postgres_db/main.tf line 44, in resource "aws_db_instance" "default":
44: snapshot_identifier = var.snapshot_identifier
"snapshot_identifier": conflicts with username
Releasing state lock. This may take a few moments...
Not sure what the issue is here.
snapshot_identifier is not set (so defaults to "") and database_username is set to a custom value so I don't see why it would conflict.
Nikola Milicalmost 5 years ago
I’ve successfully created a Gitlab CI pipeline v0.1 where I test, build and publish my docker image to an ECR repository. Also in this codebase, Terraform is fully set up (with remote s3 backend) but it’s not automated (connected with CI); rather, provisioning is version controlled but done manually.
I’m ready to step up and create v0.2 - the same thing as above, but where CI actually does provisioning if there are changes to infra. Can you give me some guidelines on where to start?
Asisalmost 5 years ago
Hi 👋
Any HashiCorp Vault experts here ..
I'm unable to unseal vault using the 3 master keys. I had the backend storage as consul. Is there a way I can kill the existing vault and recreate it with consul attached as backend storage?
Bart Coddensalmost 5 years ago
Hi all, I have a tag on the root volume, I want terraform to ignore it
Bart Coddensalmost 5 years ago
in my config I have:
Bart Coddensalmost 5 years ago
lifecycle {
ignore_changes = [tags, ami]
}
Bart Coddensalmost 5 years ago
the plan says:
Bart Coddensalmost 5 years ago
~ root_block_device {
delete_on_termination = false
device_name = "/dev/xvda"
encrypted = false
iops = 0
~ tags = {
- "Name" = "IOWA-TEST-ROOT" -> null
}
throughput = 0
volume_id = "vol-04e6d26cb3fd7a43a"
volume_size = 8
volume_type = "standard"
}
}
RBalmost 5 years ago
try
ignore_changes = [root_block_device.tags, tags, ami]
Bart Coddensabout 5 years ago
ha ok, but as such you cannot modify the size of the root volume right ?
RBalmost 5 years ago
i dont believe so
Bart Coddensalmost 5 years ago
but that's ok, changing the root volume size is rare
Leon Garciaalmost 5 years ago
hi, I'm facing an issue with the latest version of terraform-aws-cloudfront-s3-cdn. I have set values for custom_origins and now it asks for custom_headers; after adding a blank object list, I get other errors related to path, domain, etc... so I set my version to 0.48.1 and it works fine. should I open a ticket in github?
Leon Garciaalmost 5 years ago
i see some related changes to custom_headers recently.. but I can't find why I get the errors for other stuff..
Mike Robinsonalmost 5 years ago
Hello team. I'm working with the eks-iam-role module. We have other modules that are responsible for, among other things, adding policies to existing IAM roles when resources (ie. SQS) are created. Thus I do not have a policy to pass into this module, so eks-iam-role cannot plan because aws_iam_policy_document is a required value, and I'd prefer our SQS module handle the IAM policy.
However, this line leads me to think that aws_iam_policy_document was intended to be optional. If I pass "{}" into the module, similar to this coalesce(), the plan works.
Should I file a bug to get aws_iam_policy_document made optional? Hopefully all those words I wrote make sense to someone. 🙂
Fred Torresalmost 5 years ago
Are folks having issues downloading providers right now?
could not query provider
registry for registry.terraform.io/hashicorp/aws: failed to retrieve
authentication checksums for provider: 404 Not Found
Mike Robinsonalmost 5 years ago
@Fred Torres Yes, same here and on multiple providers and sources
Error verifying checksum for provider "aws"
The checksum for provider distribution from the Terraform Registry
did not match the source. This may mean that the distributed files
were changed after this version was released to the Registry.
RBalmost 5 years ago
tf cloud is having issues, it appears.
Robert Horroxalmost 5 years ago
This outage is also affecting regular terraform runs
Robert Horroxalmost 5 years ago
Error: Failed to install provider
Error while installing hashicorp/aws v3.29.0: unsuccessful request to
https://releases.hashicorp.com/terraform-provider-aws/3.29.0/terraform-provider-aws_3.29.0_linux_amd64.zip:
404 Not Found
Robert Horroxalmost 5 years ago
that provider is missing on their releases site
Yoni Leitersdorf (Indeni Cloudrail)almost 5 years ago
Have you guys been getting "File is not a zip file" too?
erikalmost 5 years ago
melissa Jenneralmost 5 years ago
Question on the module, cloudposse/elasticache-redis/aws. I use this module created redis cluster. See the output below.
1. Why is the word "replicas" part of the endpoint? Is the endpoint the redis primary endpoint or replica endpoint?
2. Why is the output of cluster_host empty?
cluster_host =
cluster_id = redis-replicas-blue
cluster_port = 6379
redis_cluster_endpoint = clustercfg.redis-replicas-blue.ujhy8y.usw2.cache.amazonaws.com
module "redis" {
source = "cloudposse/elasticache-redis/aws"
availability_zones = data.terraform_remote_state.vpc.outputs.azs
vpc_id = data.terraform_remote_state.vpc.outputs.vpc_id
enabled = var.enabled
name = var.name
tags = var.tags
allowed_security_groups = [data.terraform_remote_state.vpc.outputs.default_security_group_id]
subnets = data.terraform_remote_state.vpc.outputs.elasticache_subnets
cluster_size = var.redis_cluster_size #number_cache_clusters
instance_type = var.redis_instance_type
apply_immediately = true
automatic_failover_enabled = true
engine_version = var.redis_engine_version
family = var.redis_family
cluster_mode_enabled = true
replication_group_id = var.replication_group_id
replication_group_description = var.replication_group_description
at_rest_encryption_enabled = var.at_rest_encryption_enabled
transit_encryption_enabled = var.transit_encryption_enabled
cloudwatch_metric_alarms_enabled = var.cloudwatch_metric_alarms_enabled
cluster_mode_num_node_groups = var.cluster_mode_num_node_groups
snapshot_retention_limit = var.snapshot_retention_limit
snapshot_window = var.snapshot_window
dns_subdomain = var.dns_subdomain
cluster_mode_replicas_per_node_group = var.cluster_mode_replicas_per_node_group
}
Alex Jurkiewiczalmost 5 years ago
dang. I get the long-term economic incentives of AWS supporting their ecosystem with contributions like this. But it's so rare to see, that it's still a little 🤯
btaialmost 5 years ago(edited)
stupid question, but using a cloudposse module for the first time (surprising) and I can’t seem to get it to provision resources as it currently says
No changes. Infrastructure is up-to-date.
when i try to run terraform apply.
I have the modules set up as so:
module "monitor_configs" {
source = "cloudposse/config/yaml"
version = "0.7.0"
enabled = true
map_config_paths = ["catalog/monitors/kube.yaml"]
context = module.this.context
}
module "synthetic_configs" {
source = "cloudposse/config/yaml"
version = "0.7.0"
enabled = true
map_config_paths = []
context = module.this.context
}
module "datadog_monitors" {
source = "git::https://github.com/cloudposse/terraform-datadog-monitor.git?ref=master"
enabled = true
datadog_monitors = module.monitor_configs.map_configs
datadog_synthetics = module.synthetic_configs.map_configs
# alert_tags = var.alert_tags
# alert_tags_separator = var.alert_tags_separator
context = module.this.context
}
and a context.tf file that is just copypasted this and set var.enabled to true: https://github.com/cloudposse/terraform-datadog-monitor/blob/master/examples/complete/context.tf
am I missing something obvious?
Steve Wade (swade1987)almost 5 years ago
does anyone have a recommend module or starting place to implement https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/aws-multi-accounts-tutorial ?
Steve Wade (swade1987)almost 5 years ago
my current place have done it before but I am really not convinced with the TF code as it seems pretty hacky
Erik Osterman (Cloud Posse)almost 5 years ago
anyone know what happens in the terraform registry when you rename a terraform module git repo? does it keep the stats? does it pick up the redirect automatically? do we need to resubmit it, etc?
lorenalmost 5 years ago
Oh my gosh, been begging for this for years, was just merged! I might actually shed tears of joy/relief... https://github.com/hashicorp/terraform-provider-aws/issues/17510
Prasad Reddyalmost 5 years ago
Hi, can anyone please let me know how to pass the variables.tfvars file using the command?
Prasad Reddyalmost 5 years ago
I am running this command terraform apply -var=variables.tfvars for pass the tfvars files
Rajiv Ranjanalmost 5 years ago
-var-file, you can use this
Prasad Reddyalmost 5 years ago
ok sure
Prasad Reddyalmost 5 years ago
now it is working: terraform apply -var-file=variables.tfvar , Thank you
Prasad Reddyalmost 5 years ago
I am writing terraform script to launch the MSK cluster in AWS any one have reference scripts please share with me
Abraralmost 5 years ago
Hey guys, I'm writing an ecr terraform module for use with my eks clusters - I believe I need to add this policy to the worker nodeInstancerRole for the cluster to be able to pull images from the ecr repo: https://docs.aws.amazon.com/AmazonECR/latest/userguide/ECR_on_EKS.html
Abraralmost 5 years ago
In the eks module vars, I cannot find a way to add this policy to the noderole https://github.com/cloudposse/terraform-aws-eks-cluster/blob/0.32.1/variables.tf
Abraralmost 5 years ago
Is there any way to add an additional node role policy via the cloudposse/eks repo or will I have to do this externally to the module?
Abraralmost 5 years ago
Oh I can see the cloudposse/ecr tf module already caters for this, will try it out. Nice! https://github.com/cloudposse/terraform-aws-ecr/tree/0.31.1
Ankit Rathialmost 5 years ago
Hi amazing people,
I have one question for https://github.com/cloudposse/terraform-aws-rds
why do we need subnet_ids here ? is it just for making the database available in at least two or more availability zones ? (does it fulfill any other requirement?)
Zachalmost 5 years ago
cross posting from the hangops slack - Hashicorp has reversed and decided to allow the use of ‘undeclared vars’ in tfvars going forward.
https://github.com/hashicorp/terraform/issues/22004
joshmyersalmost 5 years ago
Anyone noticed anything like https://github.com/hashicorp/terraform/issues/27214#issuecomment-784229902 ?
terraform plan vs terraform show plan in 0.14.X
joshmyersalmost 5 years ago
https://github.com/cloudposse/terraform-aws-ecs-container-definition/pull/122 ❤️ 🙏 just ran into this
lorenalmost 5 years ago
new to me: a colleague just pointed out this project, kind of a python-pytest equivalent of terratest? https://github.com/GoogleCloudPlatform/terraform-python-testing-helper
Scott Cochranalmost 5 years ago
I may have found a bug in service-control-policies/aws, unless I'm simply doing something wrong. Adding policies is working great, and adding to that policy by adding additional policies is also working. However, when I try to remove something from a policy, that is not working.
For example:
I currently have 2 policy files in use. I add a 3rd, and I can see the additions in terraform plan. However, if I remove one of the policy files from the list_config_paths, leaving only one policy file, then terraform plan says no changes are to be applied.
lorenalmost 5 years ago
Discussion of a "test" command becoming native to terraform... https://twitter.com/mitchellh/status/1364273416178556928?s=19
Yoni Leitersdorf (Indeni Cloudrail)almost 5 years ago(edited)
Today's an exciting day for us as we officially launch Cloudrail - a second generation security analysis tool for Terraform: http://indeni.com/cloudrail/
Basically, we looked at the good work done by the guys at checkov (congrats btw), tfsec and others, and decided to take it one step further. Cloudrail takes the TF plan, merges it in memory with a snapshot of the cloud account, and then runs context-aware rules on it. A few things that allows us to do:
1. When we look at an S3 bucket's ACLs, we know if the account has public access block set or not. This allows us to ignore "public-acl" type settings if the account blocks it anyway.
2. When we look at an IAM role/user/group, we can tell what policies are attached to it, even outside the TF code (in the cloud).
3. When an RDS database is defined without specific VPC information, we can calculate what the default VPC looks like (if there is one), what its default security group and whether that will cause a problem.
And a bunch more examples... Basically Cloudrail was built to be used in the CI pipeline from day one, so it's meant to be very dev/devops friendly.
As a token of appreciation for this amazing forum, we will be giving access to Cloudrail for free until the end of June to any member of this Slack forum. Just DM me for access after you've signed up to Cloudrail. (after June, it will be 30-evaluations/month for free, though that is also expanded to unlimited if you're part of an open source project)
Matt Gowiealmost 5 years ago
Hey does anyone here create DataDog dashboards using Terraform? I just tasked an engineer on a client team with moving some of our dashboards to Terraform so we can create them for our dozen environments or so… and now I’m finding out that they don’t accept raw JSON and instead require that you write TF blocks for each widget. Seems excessive to me… and I’m wondering if any folks have a good work around for that.
kgibalmost 5 years ago
Using this module, I'd like to add another group to existing cluster https://github.com/cloudposse/terraform-aws-eks-node-group
kgibalmost 5 years ago
anyone have example? I'm not sure how to get the existing role and add another group to it
kgibalmost 5 years ago
module "eks_node_group_driver" {
source = "cloudposse/eks-node-group/aws"
version = "0.18.3"
subnet_ids = module.subnets.private_subnet_ids
cluster_name = data.null_data_source.wait_for_cluster_and_kubernetes_configmap.outputs["cluster_name"]
existing_workers_role_policy_arns = ["module.eks_node_group.node_role_arn"]
# cluster_name = aws_eks_cluster.cluster.id
# node_group_name = module.label.id
# node_role_arn =
instance_types = ["r5.4xlarge"]
desired_size = 1
min_size = 1
max_size = 1
kubernetes_labels = var.kubernetes_labels
disk_size = 100
resources_to_tag = ["instance"]
context = module.this.context
}
kgibalmost 5 years ago
gives
Error: Error creating IAM Role existing-cluster-workers: EntityAlreadyExists: Role with name existing-cluster-workers already exists.
status code: 409, request id: c577f222-6e43-43e0-aa23-ae2848ecaa81
rssalmost 5 years ago(edited)
v0.15.0-beta1
0.15.0-beta1 (Unreleased)
BREAKING CHANGES:
Empty provider configuration blocks should be removed from modules. If a configuration alias is required within the module, it can be defined using the configuration_aliases argument within required_providers. Existing module configurations which were accepted but could produce incorrect or undefined behavior may now return errors when loading the configuration. (https://github.com/hashicorp/terraform/issues/27739) ...
larry kirschneralmost 5 years ago
Apologies if this isn't the right forum for my question regarding the terraform-aws-efs module (https://github.com/cloudposse/terraform-aws-efs)
...it looks like when I upgrade module version from 0.27.0 to current 0.30.0 and then apply, my existing EFS filesystem gets destroyed/replaced and I get a new fs id.
Is this by design and/or unavoidable? Is there any way I can upgrade module version and not have my fs replaced?
Jeff Dykealmost 5 years ago(edited)
Greetings. I had posted a question on /r/terraform, based on a response from u/CrimeInBlink47, who mentioned that I should check in here and that cloudposse had published a module/provider that would allow for terragrunt type yaml (2 levels max) merging. Which is the final reason (i think) i'm still using TG and not plain TF. BTW, love the videos i've seen so far, thanks for the content. And again Hello!
michael sewalmost 5 years ago
Q: Has anybody encountered problems running tfenv on WSL? I've tried ubuntu and centos7, both getting similar errors. it works in windows10 git-bash, but not WSL(s).
msew@NOTEBOOK:~ $ which tfenv
/c/users/msew/.local/bin/tfenv
msew@NOTEBOOK:~ $ tfenv
/usr/bin/env: 'bash\r': No such file or directory
^^^ this seems like a windows/unix CrLf error.
Ankit Rathialmost 5 years ago
Hi amazing folks
I am trying to create a very simple RDS mysql - https://github.com/cloudposse/terraform-aws-rds
module "rds_instance" {
source = "cloudposse/rds/aws"
# Cloud Posse recommends pinning every module to a specific version
version = "v0.33.0"
namespace = "backend"
stage = "dev"
name = "somename"
dns_zone_id = var.somezoneid
host_name = "somehostname"
security_group_ids = [module.security-group-mysql-www.this_security_group_id]
// ca_cert_identifier = "rds-ca-2021"
allowed_cidr_blocks = var.dev-vpc-all-bsae-cidr-blocks
database_name = "mysqlwww1"
database_user = "goodone"
database_password = "nicetry"
database_port = 3306
multi_az = false
storage_type = "gp2"
allocated_storage = 100
storage_encrypted = false
engine = "mysql"
engine_version = "8.0.20"
major_engine_version = "8.0"
instance_class = "db.t3.medium"
db_parameter_group = "mysql8.0"
// option_group_name = "mysql-options"
publicly_accessible = false
subnet_ids = [var.dev-vpc-public-subnets[0], var.dev-vpc-public-subnets[1]]
vpc_id = var.dev-vpc-id
snapshot_identifier = null
auto_minor_version_upgrade = true
allow_major_version_upgrade = false
apply_immediately = false
maintenance_window = "Mon:03:00-Mon:04:00"
skip_final_snapshot = false
copy_tags_to_snapshot = false
backup_retention_period = 7
backup_window = "22:00-03:00"
db_parameter = [
{ name = "myisam_sort_buffer_size" value = "1048576" },
{ name = "sort_buffer_size" value = "2097152" }
]
}
Strangely it's giving an error for DB parameter groups
Error: Missing attribute separator
on 100-rds.tf line 65, in module "rds_instance":
65: { name = "myisam_sort_buffer_size" value = "1048576" },
Expected a newline or comma to mark the beginning of the next attribute.
Don’t think the syntax is wrong somewhere? Anything?
kumar kalmost 5 years ago
Hello... I have upgraded one of my terraform modules from 0.12.29 to 0.14.5. Now I wanted to check if I can restore to the old state using an older statefile from s3 with the 0.12.29 version. Is this doable?
Tomekalmost 5 years ago
👋 I have two separate terraform projects (with their own terraform state file). Project A creates a lambda that Project B wants to reference. I was going to use the aws_lambda_function data source. E.g.
data "aws_lambda_function" "existing" {
function_name = var.function_name
}
How are you meant to handle the situation where Project A may have not yet created that lambda and so it won’t exist?
Harold Reinsteinalmost 5 years ago
What are you using to manage tf ? terraform cloud, scalr, env0 pulumi or ?
Bart Coddensalmost 5 years ago
hi all, I am a bit confused by this module:
Bart Coddensalmost 5 years ago(edited)
can it be used to create the keypair to provision/boot a machine ?
Bart Coddensalmost 5 years ago
Hey all, I was checking out this module:
Bart Coddensalmost 5 years ago
it does not support creation of the groups right ?
Renealmost 5 years ago
Nope! It allows an IAM user to be part of a group through membership however.
See:
• https://github.com/cloudposse/terraform-aws-iam-user/blob/master/main.tf#L21
• https://github.com/cloudposse/terraform-aws-iam-user/blob/master/variables.tf#L18
RBalmost 5 years ago
if you like terraform-docs and want to see anchors supported, upvotes plz
https://github.com/terraform-docs/terraform-docs/issues/408
Steve Wade (swade1987)almost 5 years ago
talking of terraform-docs how do people handle using it with pre-commit hooks?
Steve Wade (swade1987)almost 5 years ago
we have them enabled but when someone does a brew update all hell breaks loose
Alex Jurkiewiczalmost 5 years ago
I wrote up a proposal for the KMS module about supporting more flexible ways of customising key policy.
I'm interested in feedback from maintainers and users who use non default policies:
https://github.com/cloudposse/terraform-aws-kms-key/issues/25