189 messages
Hrishikesh D Kakkad almost 5 years ago
terraform-aws-ecs-alb-service-task - looking at this, it does not create the ALB. Am I right? Any particular reason why?
The argument ecs_load_balancers (https://github.com/cloudposse/terraform-aws-ecs-alb-service-task#input_ecs_load_balancers) takes the name of the existing ALB
Michael Koroteev almost 5 years ago
Hi Guys, Is there an example of how to create a node group based on bottlerocket ami using this module - https://github.com/cloudposse/terraform-aws-eks-node-group ?
Thanks!
Piotr Perzyna almost 5 years ago
Hey all, this PR has been waiting 6 months for review and it is a very elegant way to secure an S3 bucket.
https://github.com/cloudposse/terraform-aws-s3-bucket/pull/49
Could you work some magic and merge it?
Steve Wade (swade1987) almost 5 years ago
has anyone seen this before ...
cloud-nuke defaults-aws
INFO[2021-04-01T13:40:37+01:00] Identifying enabled regions
ERRO[2021-04-01T13:40:37+01:00] session.AssumeRoleTokenProviderNotSetError AssumeRoleTokenProviderNotSetError: assume role with MFA enabled, but AssumeRoleTokenProvider session option not set.
github.com/gruntwork-io/gruntwork-cli@v0.1.2/errors/errors.go:81 (0x16a1565)
runtime/panic.go:969 (0x1036699)
github.com/aws/aws-sdk-go@v1.22.3/aws/session/session.go:318 (0x1974a25)
github.com/gruntwork-io/cloud-nuke/aws/aws.go:50 (0x19749ca)
github.com/gruntwork-io/cloud-nuke/aws/aws.go:66 (0x1974b36)
github.com/gruntwork-io/cloud-nuke/aws/aws.go:86 (0x1974ce6)
github.com/gruntwork-io/cloud-nuke/commands/cli.go:281 (0x199506c)
github.com/gruntwork-io/gruntwork-cli@v0.1.2/errors/errors.go:93 (0x16a175e)
github.com/urfave/cli@v1.20.0/app.go:490 (0x1691402)
github.com/urfave/cli@v1.20.0/command.go:210 (0x169269b)
github.com/urfave/cli@v1.20.0/app.go:255 (0x168f5e8)
github.com/gruntwork-io/gruntwork-cli@v0.1.2/entrypoint/entrypoint.go:21 (0x1996478)
github.com/gruntwork-io/cloud-nuke/main.go:13 (0x19966a7)
runtime/proc.go:204 (0x10395e9)
runtime/asm_amd64.s:1374 (0x106b901)
error="AssumeRoleTokenProviderNotSetError: assume role with MFA enabled, but AssumeRoleTokenProvider session option not set."
Steve Wade (swade1987) almost 5 years ago (edited)
looking for some guidance here ...
Do people normally wrap https://github.com/cloudposse/terraform-aws-rds-cloudwatch-sns-alarms and https://github.com/cloudposse/terraform-aws-sns-lambda-notify-slack together?
If so, do you configure all this as part of your RDS module or have it separate?
Also does anyone have an example out in slack from https://github.com/cloudposse/terraform-aws-sns-lambda-notify-slack ?
Mahi C almost 5 years ago
Hi All,
I have issues while creating the Terraform module for RabbitMQ.
Terraform supports AWS version 3.34.0 (latest version) for RabbitMQ, which was released in November 2020, but in our organization we are using AWS version 2.67.0. I was encountering the error below.
expected engine_type to be one of [ACTIVEMQ], got RabbitMQ
on .terraform/modules/amazon-mq/amazon-mq/main.tf line 63, in resource "aws_mq_broker" "mq":
63: resource "aws_mq_broker" "mq" {
Error: expected deployment_mode to be one of [SINGLE_INSTANCE ACTIVE_STANDBY_MULTI_AZ], got CLUSTER_MULTI_AZ
Mahi C almost 5 years ago
But I have tried updating the version to 3.34.0 in the terraform root config.tf file and am facing issues in other modules regarding the version change.
the below issue with s3 module which is running on AWS version 2.57
Mahi C almost 5 years ago
Will it be related to the older versions for the S3 bucket in the root module?
Matt Gowie almost 5 years ago
For those of you with a couple seconds to spare — this issue could always use another round of 👍️’s: https://github.com/hashicorp/terraform-provider-aws/pull/15966
Rhys Davies almost 5 years ago
Hey all, is there a way to do dynamic blocks in terraform 0.11?
Rhys Davies almost 5 years ago
To give a concrete example: I'm stuck on an old version of Terraform and have never done the upgrade from HCL1 to HCL2 and 0.12, so I'm a bit hesitant to attempt it. Writing an ECS Service module with a dynamic load balancer block would do me wonders right now in cleaning up the code
Rhys Davies almost 5 years ago
but I'm a bit lost on how to achieve a similar result to dynamic blocks in 0.12+, or if it's even possible?
tweetyix almost 5 years ago
I'm not aware of such. I'd rather ask what's blocking you from migrating to tf0.12/HCL2?
Tim Birkett almost 5 years ago (edited)
@Rhys Davies the upgrade isn't too scary... There's a 0.12upgrade helper Terraform command that works pretty well. If your Terraform code is split up into small modular stacks, you can use tfenv to help make sure you're using the correct Terraform version and avoid needing to upgrade everything at once.
Hrishikesh D Kakkad almost 5 years ago
Guys, not able to pass environment variables rightly in my container definition
Hrishikesh D Kakkad almost 5 years ago
Can someone help? We can get on a call
Rhys Davies almost 5 years ago
Thanks for the reply guys, ok good to know that I wasn't just missing some ancient secret Terraform. Yeah, looks like I'm gonna gear up to do the upgrade to 0.12 and +. I guess I was a bit reticent because the delta is gonna be massive with all those syntax changes!
Rhys Davies almost 5 years ago
Guess I can feel good about pumping those GitHub -/+'s numbers 🙂
Yoni Leitersdorf (Indeni Cloudrail) almost 5 years ago
Anyone using TF Enterprise here? (the on-prem version) We're working on TFE integration and would appreciate feedback on the user instructions we're publishing.
Rahul Sarkar almost 5 years ago
Hey guys, Happy Easter Monday. I need an assist with debugging the terraform_provider_azurerm on my local - trying to get started to see if I can help the community and increase my understanding of terraform.
I have posted the question on stackoverflow.
https://stackoverflow.com/questions/66945925/attempting-to-debug-the-terraform-provider-azurerm-so-that-i-can-contribute-to-t
Any help will be much appreciated! 🙂
Darren P almost 5 years ago (edited)
I've got an interesting idea that I would like to see if anyone has any experience with or advice on.
I work for a non-profit and am automating our project deployments at the moment.
To ensure we're as cost-optimal as possible, I've decided that non-production projects will share as many AWS resources as possible. These projects are essentially their own ECS Service and will share 1 ECS cluster and 1 RDS database.
With this multi-tenant approach, I'm wondering what the best way is to manage creation of multiple databases/users.
I'm using Terragrunt and wanted to see if I could have these db "migrations" executed per terragrunt.hcl/project.
My first thought was to create a terraform module that contained a lambda function or perhaps even a docker container.
Michael Koroteev almost 5 years ago
has someone tried using the EKS node group module to deploy bottlerocket-based workers ?
Stepan Kuksenko almost 5 years ago (edited)
guys does somebody know why it is not supported now https://github.com/cloudposse/terraform-aws-kops-efs ? is there another solution to make EFS for kops, maybe a kops addon or something ?
Ignas almost 5 years ago (edited)
Hi there! 🙂 I’m new to Terraform (and DevOps in general). I’m trying to automate infra on a project I’m working on and I’m a bit confused on logical separation of modules/resources. At the moment I’m refactoring the initial version (I’m splitting state per env) and wondering what could be a better approach to doing VPC configuration (I’m on Hetzner, not AWS). Right now I store all IP ranges in separate variables, grouped by purpose (app, backoffice), then I create the subnets and refer to those in my prod/main.tf when building instances, but this feels awkward. I’m wondering if it makes more sense to have smaller configuration units and move each subnet into its specific service module (or something like that). I broke my code and am looking for a smarter approach to this 🙂 Maybe someone has an existing project with similar configuration that I could take a look at?
Ignas almost 5 years ago
Probably worth mentioning that I’ll be generating an Ansible inventory file from all of this.
paulgear almost 5 years ago
Hi all. Anyone know of a tool to automatically generate test code for terraform classes? At the moment writing tests seems very mechanical, and I'd like to take the heavy lifting out of the equation.
Padarn almost 5 years ago
Hi guys - curious about how ignore_changes is implemented in providers? We’re trying to debug part of the azure provider that doesn’t seem to respect this. Anyone have pointers?
Anton Sh. almost 5 years ago
Hello 👋
I can’t configure log_configuration in terraform-aws-ecs-container-definition. I need to configure the aws cloudwatch driver. Could someone direct me to an example please?
Steve Wade (swade1987) almost 5 years ago (edited)
is there a way to override https://github.com/cloudposse/terraform-aws-sns-lambda-notify-slack/blob/master/main.tf#L13 so that my lambdas aren't called default every time?
Mike Martin almost 5 years ago
Not directly a Terraform question, but does anyone know how to get in touch with Hashicorp sales? Specifically Terraform Cloud. We’ve reached out to support who routed us to the sales email, but haven’t heard back yet. Is anyone here from hashicorp or know any of the sales folks there? Thanks in advance!
Barak Schoster almost 5 years ago
does someone know a good tf module for reverse proxy?
Steve Wade (swade1987) almost 5 years ago (edited)
i have a weird issue where manually firing messages into SNS fires my lambda to slack perfectly
however, rds event subscriptions do not seem to be adding messages to SNS
I have created a gist https://gist.github.com/swade1987/c80cef29079255f052099ca232c0d96c
Steve Wade (swade1987) almost 5 years ago
i have manually rebooted the RDS instance loads of times but nothing fires
Steve Wade (swade1987) almost 5 years ago
does anyone have any ideas as I am running out myself
Steve Wade (swade1987) almost 5 years ago
the issue is 100% the KMS policy
Steve Wade (swade1987) almost 5 years ago
as soon as I remove encryption everything starts working
Ryan almost 5 years ago
Hi all, question. I want to check out a git repo in TF (can do this with null_resource), then I want to read a YAML file from that repo into a TF var. Anyone know if null_resource is the only way to accomplish this? Also what is the future of null_resource as it's flagged as deprecated? It seems to me that there are still use cases that locals don’t solve (like this, the repo doesn’t exist when locals are parsed).
Milosb almost 5 years ago
HI guys,
I am trying to create aws routes dynamically for each route table and each peering connection that I specify.
I've done it eventually, but I have a feeling that there could/should be a smoother way to do it. Generally I had quite a headache with maps/list manipulation.
Is there any better approach to achieve something like this?
locals {
  route_table_ids = ["rtb-1111111111111", "rtb-2222222222222", "rtb-333333333333333"]
  cidr_peerings = [
    {
      "cidr_block"     = "10.180.0.0/21"
      "vpc_peering_id" = "pcx-1111111111111111111"
    },
    {
      "cidr_block"     = "10.184.0.0/21"
      "vpc_peering_id" = "pcx-2222222222222222"
    },
  ]
  # one route per (route table, peering) pair, keyed so for_each has stable addresses
  routes = {
    for i in setproduct(local.route_table_ids, local.cidr_peerings) :
    "${i[0]}_${i[1].vpc_peering_id}" => merge(i[1], { route_table_id : i[0] })
  }
}

resource "aws_route" "this" {
  for_each                  = local.routes
  route_table_id            = each.value.route_table_id
  destination_cidr_block    = each.value.cidr_block
  vpc_peering_connection_id = each.value.vpc_peering_id
}
Bart Coddens almost 5 years ago
Question for a conditional create. I query the instance type like this:
Bart Coddens almost 5 years ago
data "aws_instance" "instancetoapplyto" {
  filter {
    name   = "tag:Name"
    values = [var.instancename]
  }
}
Bart Coddens almost 5 years ago
this gives back: data.aws_instance.instancetoapplyto.instance_type
Bart Coddens almost 5 years ago
now I would like to use this in a conditional create context, if the value equals t3.* then set count to 1
Steve Wade (swade1987) almost 5 years ago
what is the difference between using
resource "aws_autoscaling_attachment" "asg" {
  count                  = length(var.load_balancers)
  autoscaling_group_name = aws_autoscaling_group.asg.name
  elb                    = element(var.load_balancers, count.index)
}
and just load_balancers = [] directly in the ASG config?
Bart Coddens almost 5 years ago
The solution is:
Bart Coddens almost 5 years ago
count = format("%.1s", data.aws_instance.instancetoapplyto.instance_type) == "t" ? 1 : 0
marc slayton almost 5 years ago
Hey all -- I have a general question about using cloudposse components and modules. I've been through the tutorials on atmos and Geodesic and both make good sense. I feel like I'm still missing something, however -- specifically, a step-by-step for building a master account module, or just a 'my first stack' tutorial. Wondering if such a thing might exist? Or am I missing something very obvious? Cheers --
Petro Gorobchenko almost 5 years ago
Hello,
I have a question on source = "cloudposse/rds/aws" => version = "0.35.1". Been getting an error DBName must begin with a letter and contain only alphanumeric characters. Although my database_name only contains hyphens and is less than 64 in length. I haven't seen any support on this yet, or wasn't able to find it.
Any help/info is much appreciated.
rss almost 5 years ago
v0.15.0-rc2
0.15.0 (Unreleased)
BUG FIXES:
core: Fix crash when rendering JSON plans containing iterable unknown values (#28253)
marc slayton almost 5 years ago
Hey all -- I'm putting together my first atmos build using terraform. I've just added a 'vpc' module, one of two I found on the cloudposse site. The vpc builds with the new config, but it's giving me WARNING errors like the following:
marc slayton almost 5 years ago
The root module does not declare a variable named "vpc_flow_logs_enabled" but
a value was found in file "uw2-dev-vpc.terraform.tfvars.json". To use this
value, add a "variable" block to the configuration.
marc slayton almost 5 years ago
I'm curious whether this is a known issue, or perhaps I'm using the wrong vpc module? I've declared all the above variables in the stacks/globals.yaml config. The warning seems to come from terraform itself, and might be related to newer versions of terraform 0.14. Is this a known issue?
Alex Jurkiewicz almost 5 years ago
The warning is saying that you are providing a variable which your Terraform configuration isn't using. For example, terraform plan -var foo=bar in a Terraform configuration with no variable "foo" { ... } block. This isn't related to the VPC module, but to your root (top-level) Terraform configuration.
François Davier almost 5 years ago
Hi all
François Davier almost 5 years ago
trying to use cloud posse aws backup module, working well under terraform enterprise, but when i want to re-launch plan apply, i've got some issue:
François Davier almost 5 years ago
Error: Provider produced inconsistent final plan
When expanding the plan for module.backup.aws_backup_plan.default[0] to
include new values learned so far during apply, provider
"registry.terraform.io/hashicorp/aws" produced an invalid new value for .rule:
planned set element
cty.ObjectVal(map[string]cty.Value{"completion_window":cty.NumberIntVal(240),
"copy_action":cty.SetVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"destination_vault_arn":cty.UnknownVal(cty.String),
"lifecycle":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"cold_storage_after":cty.UnknownVal(cty.Number),
"delete_after":cty.UnknownVal(cty.Number)})})})}),
"lifecycle":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"cold_storage_after":cty.NullVal(cty.Number),
"delete_after":cty.NumberIntVal(2)})}),
"recovery_point_tags":cty.MapVal(map[string]cty.Value{"Name":cty.StringVal("oa-uso-fda-plt1-env1-tenantfda_kpi-tenantfda"),
"Namespace":cty.StringVal("oa-uso-fda-plt1-env1-tenantfda")}),
"rule_name":cty.StringVal("oa-uso-fda-plt1-env1-tenantfda_kpi-tenantfda"),
"schedule":cty.StringVal("cron(0 3 * * ? *)"),
"start_window":cty.NumberIntVal(60),
"target_vault_name":cty.StringVal("oa-uso-fda-plt1-env1-tenantfda_kpi-tenantfda")})
does not correlate with any element in actual.
This is a bug in the provider, which should be reported in the provider's own
issue tracker.
François Davier almost 5 years ago
this is how i use module:
François Davier almost 5 years ago (edited)
#Cloudposse backup
module "backup-idp-env" {
  source = "tfe.xxx.xxx.com/techsol-devops/backup/aws"
  # Cloud Posse recommends pinning every module to a specific version
  version                  = "0.6.1"
  namespace                = var.workspace_name
  name                     = var.rds_identifier-idp
  delimiter                = "_"
  backup_resources         = [module.rds_dbserver-odp.db_instance_arn]
  schedule                 = "cron(0 3 ? *)"
  start_window             = 60
  completion_window        = 240
  delete_after             = 2
  destination_vault_arn    = data.aws_backup_vault.dr_idp.arn
  copy_action_delete_after = 7
}
François Davier almost 5 years ago
backup vault is an external local exec process creation with some aws cli command, so the backup vault is not impacted when we want to destroy infra because it is not in the state
François Davier almost 5 years ago
has anyone already had this issue please?, thank you
Steve Wade (swade1987) almost 5 years ago
is there an easy way to move terraform state to a different dynamo db key?
Steve Wade (swade1987) almost 5 years ago
i want to move from "us-east-1/rules-engine-prd/env-01/terraform.tfstate" to "us-east-1/rules-engine-prd/XXX/terraform.tfstate"
Mr.Devops almost 5 years ago
is it possible to use aws s3 as a backend state storage for azure although i know there's one for azure (blob storage)?
Mr.Devops almost 5 years ago
pls... ☝️
Joe Presley almost 5 years ago
I’m reviewing some code and am curious about a choice made in it. Would there be a reason to use node_pools = zipmap(local.node_pool_names, tolist(toset(var.node_pools))) instead of node_pools = zipmap(local.node_pool_names, var.node_pools) ? var.node_pools type is list(map(string)). I’m basically curious why someone would convert the list of maps to a set and then convert it back to a list.
Joe Presley almost 5 years ago
The local node_pools would be used in a for_each block on creating node pools for a GKE cluster.
Joe Presley almost 5 years ago
From my experiments it looks like the way the code is written avoids destructive modifications if the order of the var.node_pools list changes. I don’t understand why that happens though. Any thoughts on why it works?
sheldonh almost 5 years ago
Any free tier provider like spacelift or env0 that now covers pr integration with azure devops? Spacelift didn't seem to have that yet so just checking if any recent updates. Right now using dynamic backend config similar to atmos approach with a go based app I've been fiddling with.
sheldonh almost 5 years ago
Separate discussion....
I get that terraform doesn't fit into the typical workflow with CI CD very well, at least out of the box.
To be fair though, if these tools such as terraform cloud, spacelift, env0 are in essence running the same CLI tool that you can run in your own CI CD job that preserves the plan artifact, what do you feel is the actual substantial difference for the core part of terraform plans?
Don't get me wrong, I love working with stuff like terraform cloud, but I guess I'm still struggling to see the value in that if you write a pipeline that handles plan artifacts
marc slayton almost 5 years ago (edited)
Hey all -- I'm looking into initializing remote tfstates in conjunction with atmos. To initialize a remote tfstate, I need to execute a command equivalent to: "terraform apply -auto-approve" -- only from within the atmos wrapper. It's not entirely clear how to construct this command. I've tried a few intuitive combinations using the docs, but they do not seem to work as expected. Does anyone have a quick example of how to run atmos with 'terraform apply -auto-approve' and then 'init -force-copy' as one-time commands to initialize a remote tfstate?
Bart Coddens almost 5 years ago
Hey all, I would like to use arithmetic based on the value from a variable
Bart Coddens almost 5 years ago
now I have this:
Bart Coddens almost 5 years ago
resource "aws_ebs_volume" "backup" {
  count             = var.tier != "PROD" ? 0 : 1
  availability_zone = var.aws_az
  size              = "${var.homesize} * 1.5"
  type              = "standard"
}
Bart Coddens almost 5 years ago
but this does not seem to work
Bart Coddens almost 5 years ago
size = var.homesize * 2
Bart Coddens almost 5 years ago
this does it
Yoni Leitersdorf (Indeni Cloudrail) almost 5 years ago
Any users of Infracost here? Can you share feedback on the tool?
Mohammed Yahya almost 5 years ago
@Erik Osterman (Cloud Posse) gonna be very helpful https://www.terraform.io/docs/language/functions/defaults.html
marc slayton almost 5 years ago (edited)
Hey all -- I ran into a couple module bugs I'd really like to submit a PR for. To debug, I'm looking for a way to print out the objects being passed from one module to another during a 'terraform plan'. Not quite sure how to manage this from within atmos/Geodesic. The terraform console seems a bit awkward in this context as well. Pointers on how to delve into debugging would be much appreciated!
Jurgen almost 5 years ago
hey, random question:
https://www.terraform.io/docs/language/functions/fileset.html
we are using the above function and then for_each over a bunch of files to create some resources. The problem is, it's sequential and a bit slow. Any idea on how to make it async?
Gareth almost 5 years ago (edited)
Good morning,
I'm struggling from Monday morning fog. Can somebody please suggest a quick way of converting this
myconfig = {
  "/ErrorPages"    = "mys3bucket"
  "/client-assets" = "mys3bucket"
}
into
mys3bucket = ["/ErrorPages", "/client-assets"]
I've tried merge and using the (...) but I think I'm over complicating this. As I assume it should be as simple as a for loop, but for the life of me I can't get the syntax correct.
type of example I feel it should be but isn't working or syntactically correct
locals {
  newlist = tolist([
    for k, v local.myconfig : v.value {
      tolist(v)
    }
  ])
}
Matt Gowie almost 5 years ago
Hey we’re looking for a maintainer of our popular beanstalk module — if you use Beanstalk and this module and would be interested in being a contributor then reach out and let us know!
https://github.com/cloudposse/terraform-aws-elastic-beanstalk-environment#searching-for-maintainer
sheldonh almost 5 years ago
I'm used to the Terraform Remote backend. I'm using dynamo + s3 and find lots of lock issues (i'm the only one running it), as it seems easily stuck at times. Ideally I'd like to have my backend configure itself with its own state backend on initialization like Terraform Cloud makes easy, so either TF Cloud, Env0, or spacelift depending on what I evaluate, just for backend state simplification only, not for runners at this time.
Am I using this stuff wrong and it's normally easy to initialize and go, or would I be better served to use a remote backend that creates on initialization to simplify that part?
Brij S almost 5 years ago
does anyone have a way to obtain AWS RAM share arn’s using terraform and not the awscli?
Tom Dugan almost 5 years ago
Is there a pattern to resolve the value depends on resource attributes that cannot be determined until apply when a resource is created where a variable is defined but the variable definition is created in the same state as the calling terraform? Example in thread.
Steve Wade (swade1987) almost 5 years ago
does anyone have a recommended way of running tflint on a monorepo of modules?
Mr.Devops almost 5 years ago
i'm running into the following error when running terragrunt with the azure provider. Has anyone come across this? Seems a possible bug i may have encountered?
I'm running tf version 0.14.9 and tg version 0.28.20
azurerm_role_definition.default: Creating...
Error: rpc error: code = Unavailable desc = transport is closing....
2021/04/12 19:38:12 [TRACE] dag/walk: upstream of "provider[\"registry.terraform.io/hashicorp/azurerm\"] (close)" errored, so skipping
2021/04/12 19:38:12 [TRACE] dag/walk: upstream of "root" errored, so skipping
2021-04-12T19:38:12.459-0700 [DEBUG] plugin: plugin exited
!!!!!!!!!!!!!!!!!!!!!!!!!!! TERRAFORM CRASH !!!!!!!!!!!!!!!!!!!!!!!!!!!!
Terraform crashed! This is always indicative of a bug within Terraform.
A crash log has been placed at "crash.log" relative to your current
working directory. It would be immensely helpful if you could please
report the crash with Terraform[1] so that we can fix this.
When reporting bugs, please include your terraform version. That
information is available on the first line of crash.log. You can also
get it by running 'terraform --version' on the command line.
SECURITY WARNING: the "crash.log" file that was created may contain
sensitive information that must be redacted before it is safe to share
on the issue tracker.
[1]: https://github.com/hashicorp/terraform/issues
!!!!!!!!!!!!!!!!!!!!!!!!!!! TERRAFORM CRASH !!!!!!!!!!!!!!!!!!!!!!!!!!!!
ERRO[0079] Hit multiple errors:
Hit multiple errors:
exit status 1
Brij S almost 5 years ago (edited)
Hi all, I’m trying to dynamically obtain the ARNs of aws resource share invitations. I found that the data source for RAM doesn’t really support this. I’m attempting to mimic this example instead and I’ve been able to retrieve the ARNs using the following awscli command below:
aws ram get-resource-share-invitations \
  --query 'resourceShareInvitations[*]|[?contains(resourceShareName,`prefix`)==`true`].resourceShareInvitationArn' \
  --region us-east-1
However, I’m not sure how I can get it into the correct format that data.external requires. Ideally I'd want the output to be: { resourceShareName: resourceShareInvitationArn }
Brij S almost 5 years ago
any ideas? 🤔
Yoni Leitersdorf (Indeni Cloudrail) almost 5 years ago
Wrote a short blog post about drift and Terraform, specifically in the case of AWS IAM: https://indeni.com/blog/identifying-iam-configuration-drift/
Would love to hear more examples from people here about drift issues you care about. I'm hearing more and more about the need to identify drift, and would like to focus on specific use cases (vs all drift). Thoughts anyone?
mrwacky almost 5 years ago
I've taken a cursory glance, but can't find anywhere regex_replace_chars is used in https://github.com/cloudposse/terraform-null-label (or any callers). Am I missing something? Have y'all ever used this?
rss almost 5 years ago
v0.15.0
0.15.0 (April 14, 2021)
UPGRADE NOTES AND BREAKING CHANGES:
The following is a summary of each of the changes in this release that might require special consideration when upgrading. Refer to the Terraform v0.15 upgrade guide for more details and recommended upgrade steps.
"Proxy configuration blocks" (provider blocks with only alias set) in shared modules are now replaced with a more explicit...
jack fentonalmost 5 years ago(edited)
hey guys! i forgot if you can do this... or if how
i need to get a module
s3_replica_bucket_arn = module.secondary.module.stuff
this module is initialised (it's in ../some_other_folder ) but i get
A managed resource "secondary" "module" has not been declared in module.secondary.
A managed resource "secondary" "module" has not been declared in module.primary.
I only want the one module from the parent
anyone know if i am barking up the wrong tree?
Matthew Tovbinalmost 5 years ago
Hi folks, who is in charge of reviewing the PRs on cloudposse / terraform-aws-rds-cloudwatch-sns-alarms ?
Matthew Tovbinalmost 5 years ago
It would be so so great if that someone could have a look on several opened PR and get some of them a go 🙂
David Napieralmost 5 years ago(edited)
Why does terraform-aws-iam-user require a PGP key? o.O
David Napier almost 5 years ago
Hmm.. yeah, that makes the module pretty much useless for me. 😞 Darn.
David Napieralmost 5 years ago
Don’t get me wrong, awesome craftsmanship though. 😄
Zachalmost 5 years ago
if you’re trying to make a service user that has programmatic access only, they have a different module for it
David Napieralmost 5 years ago
Just making a list of users that can log into the dashboard. I just used the aws_iam_user resource with a for_each loop inside.
sheldonh almost 5 years ago(edited)
moved into #terragrunt
Avoided terragrunt for a long time.
I'm now in a place where I don't have access to github, using Azure Repos. I need to deploy multiple clones of an environment and managing state is annoying. I'm doing a lot of work to realize I'm basically writing my own Go implementation of terragrunt sorta. 😂
Considering Atlantis runs with az repos, I need to simplify my layout, I'm working with Go developers, limited on github stuff, and terraform cloud and others aren't most likely options at this moment (have to roll my own with azure pipelines otherwise)...
I tried the yaml config and dove in deep, but since this is basically only terraform, the abstraction and debugging for my use case wasn't ideal, though it was pretty cool!
Is there any major reason I shouldn't just go ahead and use terragrunt for this type of workflow?
Mario de Sá Veraalmost 5 years ago(edited)
Hello Folks, just wondering if any of you have already gone through this ... I want to force pre-generated secrets into RDS using locals :
locals {
  your_secret = jsondecode(
    data.aws_secretsmanager_secret_version.creds.secret_string
  )
}
Mario de Sá Vera almost 5 years ago
and then ...
# Set the secrets from AWS Secrets Manager
username = "${local.your_secret.username}"
password = "${local.your_secret.password}"
Mario de Sá Veraalmost 5 years ago
but Terraform insists saying the values are not set ... tried several combinations of " 7$ \${} ... but starting to feel like I am doing the wrong thing here ... any directions please ?
Mario de Sá Veraalmost 5 years ago
and also checked : https://blog.gruntwork.io/a-comprehensive-guide-to-managing-secrets-in-your-terraform-code-1d586955ace1#bebe --- got a feeling the module is not able to access the locals !???
Mazin Ahmedalmost 5 years ago
I'm trying to write a parser for tfstate files. Version 4 sounds doable, but Version 3 is quite hard to normalize. Is there is a way that I can automatically migrate version 3 to version 4 without doing a full upgrade on the codebase?
Mohammed Naseralmost 5 years ago
Any terratest users here? I'm wondering if anyone has hacked/played with integrating it with KinD to get a Kubernetes cluster-on-the-fly inside Terratest
Mohammed Yahya almost 5 years ago
a quick and dirty idea: Do you think using TOML instead of YAML | JSON for passing tfvars to a Terraform Stack will make sense?
RO almost 5 years ago
Hi everyone
Just a baby learning terraform here. Will watch your channel and ask questions as they come
Brij Salmost 5 years ago(edited)
Hi everyone, just wanted to see if anyone had a clever way of doing the following;
I’d like to turn the following into a module (which is the easy part )
resource "vault_auth_backend" "aws" {
  type = "aws"
}
resource "vault_aws_auth_backend_role" "example" {
  backend             = vault_auth_backend.aws.path
  bound_account_ids   = ["123456789012"]
  bound_iam_role_arns = ["arn:aws:iam::123456789012:role/MyRole"]
}
If multiple account id’s are required then I can pass in a list to bound_account_ids and use count to iterate through it, however, if I wanted the IAM role name to be different for some of the account ids how could I achieve this? for_each ?
Matt Gowie almost 5 years ago
Hey all — this Terraform issue could use some 👍️. It’s been around for almost 2 years and causes a lot of confusion with modules in the registry (which the Cloud Posse module library of course gets hit by): https://github.com/hashicorp/terraform/issues/21417
Steve Wade (swade1987)almost 5 years ago
how likely (in time) would it be that if I created a PR for https://github.com/cloudposse/terraform-aws-documentdb-cluster that it would be merged and tagged?
Barak Schosteralmost 5 years ago
Checkov 2.0 is released ! 🌟
A ton of work went into this from the Bridgecrew team (and from you all) and we’re super excited for this milestone for the project. TL;DR the update includes:
• A completely rearchitected graph-based Terraform scanning framework. This allows for multi-resource queries with improved variable resolution and drastically increases performance.
• Checkov can now scan Dockerfiles for misconfigurations.
• We’ve added nearly 250 new out-of-the-box policies, including existing attribute-based ones and new graph-based ones.
To learn more, check out:
• The Bridgecrew blog post: Checkov 2.0: Deeper, broader, and faster IaC scanning
Brandon Metcalfalmost 5 years ago
hello. is there an open issue to address the deprecated use of null_data_source: https://github.com/cloudposse/terraform-aws-ec2-instance/blob/4f28ecce852107011f66bf74bb6b32691605b368/main.tf#L153 ? i didn't find anything and can submit a PR. thanks.
Garethalmost 5 years ago
Hopefully a simple question...
Is it possible to do multiple comparisons like this?
cookie_behavior = local.myvalue == "none" || "whitelist" || "all" ? local.myvalue : null
This currently errors; So, I assume not and continuing with the assumptions, I assume the only real option is to use a regular expression or
cookie_behavior = local.myvalue == "none" || local.myvalue == "whitelist" || local.myvalue == "all" ? local.myvalue : null
vicken almost 5 years ago
Has anybody run into this issue before changing number of nodes with the msk module?
https://github.com/cloudposse/terraform-aws-msk-apache-kafka-cluster/issues/17
Mohammed Yahyaalmost 5 years ago
Steve Wade (swade1987)almost 5 years ago
Can anyone recommend an upstream elasticsearch service module? It needs to be able to handle single and multi node setups with instance and EBS storage options
Steve Wade (swade1987)almost 5 years ago
I have created my own and used it for a long time but it doesn’t fit my current client's use case as it needs to be more flexible
Garethalmost 5 years ago
Good evening, has anybody got a suggestions as to the problem here:
terraform 0.13.5 is exiting with this error:
Error: rpc error: code = Unavailable desc = transport is closing
When trying to apply an aws_cloudfront_origin_request_policy I've made.
Garethalmost 5 years ago(edited)
***removed, looks like the example did work but didn't paste correctly. Above issue must be with my inputs. Sorry to have wasted peoples time.
Garethalmost 5 years ago
Morning everyone,
I have a resource that creates aws_cloudfront_origin_request_policy. Which I then later reference in a locals section
cf_custom_request_policy_map = { for k, v in aws_cloudfront_origin_request_policy.this : k => v.id if length(aws_cloudfront_origin_request_policy.this) > 0 }
and then merge with
all_policy_maps = merge(local.cf_managed_policy_map, length(local.cf_custom_request_policy_map)
The resource is togglable so won't always be there. Everything looks to work but I do a lot of sanity checking / viewing of outputs in the console when I'm trying to debug my code and when trying to view local.all_policy_maps I get
Error: Result depends on values that cannot be determined until after "terraform apply".
Which makes sense but my question now is...
Is there a better way I should be referencing the output of the resource?
If this was a module I'd normally use an output but it's not part of a module, the resource and local are all within the same tf script and are part of the same single apply.
Welcome all comments and thank you all in advance.
Amit Karpealmost 5 years ago
Hi,
I am using this module (terraform-aws-elasticsearch).
Where I was looking to enable Fine-Grained Access Control in Amazon Elasticsearch Service.
Based on my understanding, can I say:
advanced_security_options_internal_user_database_enabled = true
Above configuration will enable it?
Amit Karpealmost 5 years ago
If not then I want to know how to enable “Fine-grained access control” for ES using above module?
Aaditya Nandeshwaralmost 5 years ago
Hello Folks,
How do I use multiple managed rules in below aws config module
module "example" {
  source = "cloudposse/config/aws"
  # Cloud Posse recommends pinning every module to a specific version
  # version = "x.x.x"
  create_sns_topic = true
  create_iam_role  = true
  managed_rules = {
    account-part-of-organizations = {
      description  = "Checks whether AWS account is part of AWS Organizations. The rule is NON_COMPLIANT if an AWS account is not part of AWS Organizations or AWS Organizations master account ID does not match rule parameter MasterAccountId.",
      identifier   = "ACCOUNT_PART_OF_ORGANIZATIONS",
      trigger_type = "PERIODIC"
      enabled      = true
    }
  }
}
Aaditya Nandeshwar almost 5 years ago
I'm trying with below approach but getting some error
module "config" {
  source = "cloudposse/config/aws"
  # Cloud Posse recommends pinning every module to a specific version
  # version = "x.x.x"
  s3_bucket_arn                    = module.s3_config_bucket.bucket_arn
  s3_bucket_id                     = module.s3_config_bucket.bucket_id
  global_resource_collector_region = "ap-south-1"
  create_sns_topic                 = false
  create_iam_role                  = true
  managed_rules = {
    access-keys-rotated = {
      description  = "Checks if the active access keys are rotated within the number of days specified in maxAccessKeyAge. The rule is NON_COMPLIANT if the access keys have not been rotated for more than maxAccessKeyAge number of days.",
      identifier   = "ACCESS_KEYS_ROTATED",
      trigger_type = "PERIODIC"
      enabled      = true
      input_parameters = [
        {
          maxAccessKeyAge = 90
        }
      ]
    },
    acm-certificate-expiration-check = {
      description  = "Checks if AWS Certificate Manager Certificates in your account are marked for expiration within the specified number of days. Certificates provided by ACM are automatically renewed. ACM does not automatically renew certificates that you import",
      identifier   = "ACM_CERTIFICATE_EXPIRATION_CHECK",
      trigger_type = "Configuration changes"
      enabled      = true
      input_parameters = [
        {
          daysToExpiration = 15
        }
      ]
    }
  }
}
Hakan Kaya almost 5 years ago(edited)
Maybe this has already been discussed, but I could not find anything useful so I figured it might be worth asking anyway. Is there a known best way or practice to deal with a larger number of helm_releases, ideally in a dynamic fashion? My use case looks like this:
• one pipeline builds a release from repository 1 and pushes helm charts to an artifactory folder
◦ the number of the helm charts can vary from 1 to >50 (can also grow over time)
• another pipeline gets triggered from the first and starts with a terraform run, where some helm_release resources get deployed, the idea was to look up the list of the services from the chart repo (can be done with the jfrog cli in the pipeline) and use this list for some kind of iteration over either
◦ a module where the service parameters are fed into along with the service name from the list
◦ another method based on terraform, unknown to me so far
Or am I going the wrong path trying to solve this with terraform when it should be done with native helm?
Thank you for your suggestions.
managedkaosalmost 5 years ago
sharing for the (terraform) culture!
alias moduleinit='touch {main,variables,outputs}.tf && wget https://raw.githubusercontent.com/github/gitignore/master/Terraform.gitignore -O .gitignore'
Steve Wade (swade1987) almost 5 years ago(edited)
incoming n00b question I am trying to work out what zone awareness means in aws elasticsearch. Do you have to use it when using a multi node setup
Kimalmost 5 years ago
can anyone here help me to use this project https://github.com/cloudposse/terraform-aws-config ?
O Kalmost 5 years ago(edited)
Hi All!
I deployed the following terraform config in one account and it works fine. Currently I’m trying to deploy the same code in another account and facing the error below: elasticsearch gets stuck in Loading state
I checked STS is enabled in my region, so this is not the case https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/aes-handling-errors.html#es-vpc-sts
module "elasticsearch-app" {
  source = "../../../external_modules/cloudposse/terraform-aws-elasticsearch"
  stage  = var.environment
  name   = "elasticsearch-ap"
  // TODO: setup DNS zone for elasticsearch-app
  // dns_zone_id = "Z14EN2YD427LRQ"
  security_groups         = [module.stage_vpc.default_security_group_id, module.eks.worker_security_group_id]
  vpc_id                  = module.stage_vpc.vpc_id
  subnet_ids              = [module.stage_vpc.public_subnets[0]]
  availability_zone_count = 1
  zone_awareness_enabled  = "false"
  elasticsearch_version   = "7.9"
  instance_type           = "t2.small.elasticsearch"
  instance_count          = 1
  ebs_volume_size         = 10
  // TODO: create strict policies for elastic assumed roles
  iam_role_arns = ["*"]
  iam_actions   = ["es:ESHttpGet"] #, "es:ESHttpPut", "es:ESHttpPost", "es:ESHttpHead", "es:ESHttpDelete"]
  encrypt_at_rest_enabled = "false"
  kibana_subdomain_name   = "kibana-es-apps"
  # Disable option: Require HTTPS for all traffic to the domain
  # Required as global-search service doesn't work with https
  domain_endpoint_options_enforce_https                    = false
  advanced_security_options_internal_user_database_enabled = true
  advanced_security_options_master_user_name               = "elasticuser"
  advanced_security_options_master_user_password           = aws_ssm_parameter.elasticsearch_apps_password.value
  // Required as workaround: https://github.com/cloudposse/terraform-aws-elasticsearch/issues/81
  advanced_options = {
    "rest.action.multi.allow_explicit_index" = "true"
  }
}
Error:
module.elasticsearch-app.aws_elasticsearch_domain.default[0]: Still creating... [59m51s elapsed]
module.elasticsearch-app.aws_elasticsearch_domain.default[0]: Still creating... [1h0m1s elapsed]
Error: Error waiting for ElasticSearch domain to be created: "arn:aws:es:us-east-1:11111111111111:domain/stage-elasticsearch-ap": Timeout while waiting for the domain to be created
on ../../../external_modules/cloudposse/terraform-aws-elasticsearch/main.tf line 100, in resource "aws_elasticsearch_domain" "default":
100: resource "aws_elasticsearch_domain" "default" {
O K almost 5 years ago
This is the 0.12 version https://github.com/cloudposse/terraform-aws-elasticsearch. I wonder what I should check to solve this error
Tom Vaughanalmost 5 years ago
Is there a way to set up terraform-aws-tfstate-backend so the state file is saved to a folder in an existing S3 bucket? The way I have been using this module there is a bucket for each state file and it is getting pretty cluttered. Was hoping there was a way to do this for better organization.
MattyBalmost 5 years ago
Regarding https://github.com/cloudposse/terraform-aws-alb and https://github.com/cloudposse/terraform-aws-nlb - is there a particular reason the module "access_logs" in nlb can't look like alb? I'm more than happy to submit the PR. I didn't know if I was missing something.
Yoni Leitersdorf (Indeni Cloudrail)almost 5 years ago
Did you hear about AWS’s new policy validation API and wished you can use it with your Terraform code? Now there’s a way: https://indeni.com/blog/integrating-awss-new-policy-validation-with-terraform-in-ci-cd/
Alexander Tolstikovalmost 5 years ago
any ideas how to detect configuration drift, e.g. resources created manually without terraform? Any tools/vendors for this kind of task?
Mazin Ahmedalmost 5 years ago
I'm working on a new project that will be released soon! Would love to hear your feedback, let me know your Github ID if you would like a preview before release
https://twitter.com/mazen160/status/1383475198544936964
https://twitter.com/mazen160/status/1383475198544936964
David Fernandezalmost 5 years ago
Hi, I'm working with https://github.com/cloudposse/terraform-aws-documentdb-cluster and I wish I could disable the TLS of documentdb, but I can't find how. Is it possible with this module?
Mazin Ahmedalmost 5 years ago
I made a PR to build up statistics on TFSec findings, to filter results by check type.
Should make analyzing Terraform vulnerabilities much easier 🙏🏼
Amit Karpealmost 5 years ago(edited)
Hi,
I am using the elasticsearch module. Which is trying to create an IAM user.
➜ tf apply -auto-approve
module.elasticsearch.aws_security_group.default[0]: Refreshing state... [id=sg-0e56e3767a5b60fe7]
module.elasticsearch.aws_security_group_rule.ingress_cidr_blocks[0]: Refreshing state... [id=sgrule-3053224398]
module.elasticsearch.aws_security_group_rule.egress[0]: Refreshing state... [id=sgrule-3045719721]
module.elasticsearch.aws_iam_role.elasticsearch_user[0]: Creating...
module.elasticsearch.aws_elasticsearch_domain.default[0]: Creating...
module.elasticsearch.aws_elasticsearch_domain.default[0]: Still creating... [10s elapsed]
Error: Error creating IAM Role es-msf-gplsmzapp-1-user: AccessDenied: User: arn:aws:iam::XXXX:test is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::330153026934:role/es-msf-gplsmzapp-1-user with an explicit deny
status code: 403, request id: 87e0551b-3953-4e56-b364-a02b26065841
on .terraform/modules/elasticsearch/main.tf line 68, in resource "aws_iam_role" "elasticsearch_user":
68: resource "aws_iam_role" "elasticsearch_user" {
Error: Error creating ElasticSearch domain: ValidationException: You must specify exactly one subnet.
on .terraform/modules/elasticsearch/main.tf line 100, in resource "aws_elasticsearch_domain" "default":
100: resource "aws_elasticsearch_domain" "default" {
Just curious, can I skip the user or role creation process?
In the other env, I was able to provision ES/Kibana without creating this user. I was wrong, I found that it creates a new Role in the other env. So role creation is the default process.
I want to know if we can skip role creation?
Can someone guide me?
Danalmost 5 years ago(edited)
Hi lads, I have an issue with cloudposse/elasticsearch/aws module
although I set create_iam_service_linked_role = "false" and there is nothing in the plan related to AWSServiceRoleForAmazonElasticsearchService, apply is throwing
Error: Error creating service-linked role with name es.amazonaws.com: InvalidInput: Service role name `AWSServiceRoleForAmazonElasticsearchService` has been taken in this account, please try a different suffix.
status code: 400, request id: 9c27ff1d-5ec9-496c-8290-cf65180ffb69
on iam.tf line 49, in resource "aws_iam_service_linked_role" "es":
49: resource "aws_iam_service_linked_role" "es" {
any idea what can be?
Geraldalmost 5 years ago
Hi folks, I'm using the Cloudposse ECS task module. Do you have other modules that we can use to export the following docker label below in the container to datadog logs as tags?
Joe Presleyalmost 5 years ago
Is it possible to chain Terraform depends_on for a list? Basically I’m trying to do something like
resource "google_secret_manager_secret_version" "main" {
  count       = length(var.secret_data)
  secret      = google_secret_manager_secret.main.id
  secret_data = var.secret_data[count.index].secret_data
  enabled     = var.secret_data[count.index].enabled
  depends_on  = [google_secret_manager_secret_version.main[count.index - 1]]
}
to create secret manager versions in a specific order. When I try it, I get an error on the depends_on line:
A single static variable reference is required: only attribute access and indexing with constant keys. No calculations, function calls, template expressions, etc are allowed here.
Joe Presley almost 5 years ago
The only other way I see doing it is to create a module for a secret_version and let the user chain the depends_on in the module calls.
Heath Snow almost 5 years ago
Question regarding the https://github.com/cloudposse/terraform-aws-mq-broker module. It looks to me like the ingress SGs are messed up. I'm seeing from_port and to_port set to 0 for ingress but I don't see protocol set to -1 to get All TCP traffic. This means that all ingress are getting the 0 port but that just won't work for connecting to a broker. Does that sound right?
Alex Renoki almost 5 years ago
henlo
Alex Renokialmost 5 years ago
I'm here because of the call for maintainers: https://github.com/cloudposse/terraform-aws-elastic-beanstalk-environment
Alex Renokialmost 5 years ago(edited)
I have several workloads running on Elastic Beanstalk and I'm relying on this Terraform module.
Steve Wade (swade1987)almost 5 years ago
does anyone have a recommended approach for setting up guardduty in a multi account setup from a terraform perspective?
Steve Wade (swade1987)almost 5 years ago
i have seen a lot of modules but wondered if their was any alignment
Leia Renéealmost 5 years ago
Ryanalmost 5 years ago
Hi all, I want to set up a greenfield AWS project using the CP resources as intended. What is the best place to start? Is it build the geodesic environment and follow the instructions in cloudposse/reference-architectures? The readme says to just clone the repo, set up AWS, and run make root but that target doesn’t exist.
Ryan almost 5 years ago
Also says:
Update the configuration for this account by editing the configs/master.tfvar file
That dir doesn’t exist in that repo
Ryanalmost 5 years ago
Looking through https://github.com/cloudposse/tutorials, probably will figure it out
Matt Gowiealmost 5 years ago
@Ryan docs.cloudposse.com is the spot you want to be. Feel free to ask me any question. Reference arch is out of date, I wouldn’t look there.
michaelssinghalmost 5 years ago
Is it possible to alter hostnames per instance in an ASG?
Steve Wade (swade1987)almost 5 years ago
When setting up guardduty with a master/member setup do you always send the slack notifications from the master account or have it set up to notify from each of the member accounts?
rssalmost 5 years ago(edited)
v0.15.1
0.15.1 (April 26, 2021)
ENHANCEMENTS:
config: Various Terraform language functions now have more precise inference rules for propagating the "sensitive" characteristic values.
The affected functions are chunklist, concat, flatten, keys, length, lookup, merge, setproduct, tolist, tomap, values, and zipmap. The details are a little different for each of these but the general idea is to, as far as possible, preserve the sensitive characteristic on individual element or attribute values in...
Yoni Leitersdorf (Indeni Cloudrail)almost 5 years ago
For those who missed it - HashiCorp were hit by the Codecov issue, and so all TF versions starting 0.12 had their signing key updated. Suggest you update to the most recent patch on the minor version you use. HashiCorp said they don’t foresee anyone being able to use this to deliver mal-providers, but it’s a good step to take anyway.
https://www.bleepingcomputer.com/news/security/hashicorp-is-the-latest-victim-of-codecov-supply-chain-attack/
Geraldalmost 5 years ago
Hi folks, do you have group sentinel policy here?
Mazin Ahmed almost 5 years ago
🥁 Open-source project release 🥁
Feedback is welcome! Thank you everyone for the support.
https://github.com/mazen160/tfquery
Florian SILVA almost 5 years ago
Hello guys, I'm working on Elastic Beanstalk using the Cloudposse module: https://github.com/cloudposse/terraform-aws-elastic-beanstalk-environment
I know this repo is looking for a maintainer and it's not a main priority to update it, but could it be possible to take a closer look at this PR? https://github.com/cloudposse/terraform-aws-elastic-beanstalk-environment/pull/170. I just tested it and it looks clean to me and could fix an issue in the module.
Steve Wade (swade1987) almost 5 years ago
Does anyone have any recommended CloudWatch alarms for Redshift?
Gareth almost 5 years ago
Afternoon, can anybody suggest why my ASG created via terraform-aws-modules/autoscaling/aws/4.1.0 doesn't force a new ASG to be built when the launch configuration changes?
paraphrased terraform apply output...
# module.asg.aws_autoscaling_group.this[0] will be updated in-place
~ launch_configuration = "my-asg-2000001" -> (known after apply)
module.asg.aws_autoscaling_group.this[0]: Modifications complete after 2s
But at no point are the existing instances replaced. I can see the module has create_before_destroy in it. Any idea what I'm missing?
loren almost 5 years ago (edited)
TIL, if trying to see all the validation warnings instead of the summarized "9 more similar warnings elsewhere":
terraform validate -json | jq '.diagnostics[] | {detail: .detail, filename: .range.filename, start_line: .range.start.line}'
Steve Wade (swade1987) almost 5 years ago
n00b question incoming ... can someone explain to me exactly what the below actually means please ...
Requester VPC (vpc-03a0a62a6d1e42513) peering connection attributes:
DNS resolution from accepter VPC to private IP
Enabled
jason einon almost 5 years ago
hey, hopefully an easy one to answer! although I can't get the correct syntax 😞
jason einon almost 5 years ago
I have the following resource outputs:
aws_efs_file_system.jenkins-efs.id
aws_efs_access_point.jenkins-efs.id
jason einon almost 5 years ago
I need to string them together so they appear in the following format in the deployed resource
volume_handle = aws_efs_file_system.jenkins-efs.id::aws_efs_access_point.jenkins-efs.id
jason einon almost 5 years ago
but tf doesn't like the
::
Gareth almost 5 years ago
Has anybody done anything with the aws resource
aws_transfer_server and EFS. I can see support was added in provider Release v1.36.22 https://github.com/hashicorp/terraform-provider-aws/issues/17022 but the documentation on it is non-existent and I'm currently getting
Error: Unsupported argument
on transfer_server.tf line 42, in resource "aws_transfer_server" "this":
42: domain = "EFS"
An argument named "domain" is not expected here.
Steve Wade (swade1987) almost 5 years ago
I am trying to get my head around the GuardDuty master to member relationship. Is my understanding below true ...
if we have account X (a member account) which uses region 1 and 2 that means in the master account we need to enable a detector in region 1 and 2
Question: In the master account do we need to setup
aws_guardduty_member per region for account X?
Zach almost 5 years ago (edited)
Does atmos have the ability to run terraform workflows in parallel? (ie, sibling root modules that aren’t dependent on each other)
managedkaos almost 5 years ago
This made me smile 😄
https://github.com/hashicorp/terraform-ls/releases/tag/v0.16.0
“No schema found ...” warning removed, as schema is far more likely to be available now (#454)
aimbotd almost 5 years ago
Hey all. If I was using this example and I added another worker group, what do I need to do to ensure some pods only deploy to worker group alpha while the others go to worker group bravo?
marc slayton almost 5 years ago (edited)
Hola, friends -- Ran into an interesting issue while spinning up a multi-account architecture with atmos/terraform. The master account was left out due to a misconfiguration of the tfstate-backend component, so I've been trying to import it. Technically, this should be possible, but when you try with atmos, using a command like:
aws-vault exec master-root -- atmos terraform import account aws_organizations_account.organization_accounts[\"master\"] XXXXXXXXXXXX -i -s master
Produces an error like this:
Error: Unsupported attribute on /modules/terraform/terraform-core.variant line 223:
This object does not have an attribute named "region".
[...]
Error: 1 error occurred:
* step "write provider override": job "terraform write override": config "override-contents": source 0: job "terraform provider override": /modules/terraform/terraform-core.variant:223,27-34: Unsupported attribute; This object does not have an attribute named "region"., and 1 other diagnostic(s)
This error seems to come from atmos. The variant file in that locale is definitely trying to add a provider with a 'region' variable in the config.
Steve Wade (swade1987) almost 5 years ago
I am struggling to work out how to fix a circular dependency between an SQS queue and the policy it uses, because the policy needs the ARN of the SQS queue itself.
Jeff Dyke almost 5 years ago
Hello. I am starting to build a new environment from scratch so I can migrate my old one into an area that didn't have the quirks of console buildout. I am using cloudposse/vpc/aws and cloudposse/dynamic-subnets/aws. Currently only two subnets have public access; the rest go through 1 of 2 NATGWs. I also don't need a public-facing subnet for each. I don't think, in terms of money, this would end up costing that much; curious if others have considered this.