112 messages
Alexander Scherer, over 4 years ago (edited)
Good evening everyone. I'm new here and hopefully you don't mind a really noobish question, but I'm trying to add my Lambda functions dynamically to the API Gateway integration like so:
// need to do it dynamically somehow but it won't let me assign the key name with a variable
dynamic "integrations" {
  for_each = module.lambdas
  content {
    "ANY /hello-world" = {
      lambda_arn             = module.lambdas["hello-world"].lambda_function_arn
      payload_format_version = "2.0"
      timeout_milliseconds   = 12000
    }
  }
}
// this works
// integrations = {
//   "ANY /hello-world" = {
//     lambda_arn             = module.lambdas["hello-world"].lambda_function_arn
//     payload_format_version = "2.0"
//     timeout_milliseconds   = 12000
//   }
// }
Any help on how to achieve this in TF would be awesome!
Brad McCoy, over 4 years ago
Hi all, we did a webinar on intro to IaC and Terraform over the weekend, if anyone is interested: https://www.youtube.com/watch?v=2keKHXtvY5c
Alex Jurkiewicz, over 4 years ago
Is there a way to perform a deep merge like the following? I have many maps of objects. The objects with the same key are identical except for one list field. I want to merge all items with the same key, except concat the list field.
locals {
  a = { foo = { age = 12, items = [1] } }
  b = { foo = { age = 12, items = [2] }, bar = { age = 4, items = [3] } }
  c = { bar = { age = 4, items = [] } }
  # desired output
  out = { foo = { age = 12, items = [1, 2] }, bar = { age = 4, items = [3] } }
}
Vitalii Morvaniuk, over 4 years ago
Hi all.
Have a question about working with provider aliases. In my case I have several accounts in AWS:
provider "aws" {
  region = var.region
}
provider "aws" {
  region = "eu-west-2"
  alias  = "eu-west-2" # referenced as aws.eu-west-2; the alias itself must be a plain name without the "aws." prefix
}
provider "aws" {
  region = "eu-central-1"
  alias  = "eu-central-1"
}
I want to create the same shared WAF rules in these accounts. Could I use for_each somehow to call the module creating these rules, iterating over different provider aliases?
Alex S, over 4 years ago (edited)
Hi all, I'm using the terraform-aws-ecs-alb-service-task module and running into a bit of an issue; I've set deployment_controller_type to CODE_DEPLOY and am using the blue/green deployment method. When CodeDeploy diligently switches to the green autoscaling group, the next run of the module deletes/recreates the ECS service because it's trying to put back the blue target group (or both)… Has anyone tried to run this setup? I can make a PR to ignore changes to load balancers, but if you look at the module it's going to become an immediate nightmare to support the 3 different ignore combinations. Any advice greatly appreciated.
Kenan Virtucio, over 4 years ago
Hi, just asking again about this module: https://github.com/cloudposse/terraform-aws-cloudfront-cdn. Is there a plan in the roadmap for users to be able to modify default_cache_behavior?
Grubhold, over 4 years ago
Hello folks, I'm facing this issue when trying to deploy https://github.com/cloudposse/terraform-aws-elasticsearch using all the other modules that this one requires. I'll link the files I have in the thread.
│ Error: Error creating ElasticSearch domain: ValidationException: You must specify exactly two subnets because you've set zone count to two.
│
│   with module.elasticsearch.aws_elasticsearch_domain.default[0],
│   on modules/elasticsearch/main.tf line 100, in resource "aws_elasticsearch_domain" "default":
│  100: resource "aws_elasticsearch_domain" "default" {
│
╵
╷
│ Error: Error creating Security Group: InvalidGroup.Duplicate: The security group 'elastic-test-es-test' already exists for VPC 'vpc-0fbda4f1d6105a68c'
│       status code: 400, request id: 6ad8d766-7954-49d5-b257-8b2213d1f8ec
│
│   with module.vpc.module.security_group.aws_security_group.default[0],
│   on modules/sg-cp/main.tf line 28, in resource "aws_security_group" "default":
│   28: resource "aws_security_group" "default" {
Ben, over 4 years ago
Hello folks, I have a question regarding terraform-aws-eks-cluster https://github.com/cloudposse/terraform-aws-eks-cluster/blame/master/README.md#L100
The readme contains two statements that seem contradicting, but maybe I'm just not getting it. It states:
The KUBECONFG file is the most reliable [method], […]
and a few lines below:
At the moment, the exec option appears to be the most reliable method, […]
Grubhold, over 4 years ago
Hello folks, is there a workaround for the current security group module where, using it with another module such as Elasticsearch, it yells that the xyz security group already exists? This PR seems to address this but it's not yet merged.
│ Error: Error creating Security Group: InvalidGroup.Duplicate: The security group 'logger-test-es-test' already exists for VPC 'vpc-0e868046c92d7bb2a'
│       status code: 400, request id: be88d8b8-1ed0-43ac-8246-e37265782098
│
│   with module.vpc.module.security_group.aws_security_group.default[0],
│   on modules/sg-cp/main.tf line 28, in resource "aws_security_group" "default":
│   28: resource "aws_security_group" "default" {
Gerald, over 4 years ago
Hi folks, I want to include the snippet section below from my ECS task definition for the Datadog container, but the problem is the volume argument is not supported? Can anyone give me advice? Thank you.
mount_points = [
  {
    containerPath = "/var/run/docker.sock"
    sourceVolume  = "docker_sock"
    readOnly      = true
  },
  {
    containerPath = "/host/sys/fs/cgroup"
    sourceVolume  = "cgroup"
    readOnly      = true
  },
  {
    containerPath = "/host/proc"
    sourceVolume  = "proc"
    readOnly      = true
  }
]
volumes = [
  {
    host_path                   = "/var/run/docker.sock"
    name                        = "docker_sock"
    docker_volume_configuration = []
  },
  {
    host_path                   = "/proc/"
    name                        = "proc"
    docker_volume_configuration = []
  },
  {
    host_path                   = "/sys/fs/cgroup/"
    name                        = "cgroup"
    docker_volume_configuration = []
  }
]
BTW: I'm using this module https://github.com/cloudposse/terraform-aws-ecs-container-definition/blob/master/main.tf
Gerald, over 4 years ago
Possible we can add this line here?
dynamic "volume" {
  for_each = var.volumes
  content {
    name      = volume.value.name
    host_path = lookup(volume.value, "host_path", null)
    dynamic "docker_volume_configuration" {
      for_each = lookup(volume.value, "docker_volume_configuration", [])
      content {
        autoprovision = lookup(docker_volume_configuration.value, "autoprovision", null)
        driver        = lookup(docker_volume_configuration.value, "driver", null)
        driver_opts   = lookup(docker_volume_configuration.value, "driver_opts", null)
        labels        = lookup(docker_volume_configuration.value, "labels", null)
        scope         = lookup(docker_volume_configuration.value, "scope", null)
      }
    }
  }
}
rss, over 4 years ago (edited)
v1.0.4
1.0.4 (August 04, 2021)
BUG FIXES:
backend/consul: Fix a bug where the state value may be too large for consul to accept (#28838)
cli: Fixed a crashing bug with some edge-cases when reporting syntax errors that happen to be reported at the position of a newline. (https://github.com/hashicorp/terraform/issues/29048) ...
Unwoven, over 4 years ago
Hello 😄
I'm trying to create a proper policy for the cluster-autoscaler service account (AWS EKS) and I need the ASG ARNs.
Any ideas on how I can get them from the eks_node_group module?
I can only get the ASG name from the node_group "resource" attribute, which I can use to get the ARN from the aws_autoscaling_group data source. Unfortunately this will be known only after apply. Do the more experienced folks have a decent workaround or a better way to do this?
Brent Garber, over 4 years ago
Trying to use cloudposse/terraform-aws-ec2-instance-group, and it may be lack of sleep, but I can't figure out how to get it to not generate spurious SSH keys if I'm using an existing key. If I pass in ssh_key_pair, I'll want to specify generate_ssh_key_pair as false, but if I do that the ssh_key_pair module goes "Oh, well we're using an existing file then", and then plan dies with:
│ Error: Invalid function argument
│
│   on .terraform\modules\worker_tenants.worker_tenant.ssh_key_pair\main.tf line 19, in resource "aws_key_pair" "imported":
│   19:   public_key = file(local.public_key_filename)
│     ├────────────────
│     │ local.public_key_filename is "C:/projects/terraform-network-worker/app-dev-worker-worker-arrow.pub"
│
│ Invalid value for "path" parameter: no file exists at
Brent Garber, over 4 years ago
Can work around the error by passing true to generate_ssh_key_pair, but then I got an extra keypair for every instance group being generated.
Steve Wade (swade1987), over 4 years ago
Is there an easy way to get TF to ignore data resource changes (see below)?
data "tls_certificate" "eks_oidc_cert" {
  url = aws_eks_cluster.eks.identity[0].oidc[0].issuer
}
~ id = "2021-08-05 16:09:43.671261128 +0000 UTC" -> "2021-08-05 16:09:58.401961984 +0000 UTC"
Rhys Davies, over 4 years ago
Hey folks, wondering if anyone has what they consider a good, or definitive, resource on how to do a major version upgrade of an RDS database with Terraform?
Eric Alford, over 4 years ago (edited)
Hoping someone can give an update on this issue with the Terraform AWS SES module. Any idea when we can get a fix in? I think ideally the resource would be configurable by an input variable, similar to how the iam_permissions is configurable. https://github.com/cloudposse/terraform-aws-ses/issues/40
Dustin Lee, over 4 years ago
Just curious, I am using https://github.com/cloudposse/terraform-aws-alb and https://github.com/cloudposse/terraform-aws-alb-ingress; how do I set the instance targets for the default target group?
Mazin Ahmed, over 4 years ago
Hi all 👋🏽
I'm speaking today at DEFCON Cloud Village about attacking Terraform environments. It will cover different attacks I have seen over the years against TF environments, and how engineers can make use of it in securing their TF environment.
Please join me today at 12.05 PDT on the Cloud Village livestream!
mfridh, over 4 years ago
https://github.com/cloudposse/terraform-aws-rds-cluster --
Use case:
• provisioned
• aurora-mysql
• Upgrading of an example engine_version: 5.7.mysql_aurora.2.09.1 => 5.7.mysql_aurora.2.09.2 ...
Instead of just bumping the cluster resource and letting RDS handle the instances, it deletes and recreates each aws_rds_cluster_instance as well.
Thoughts?
Piece of Cake, over 4 years ago (edited)
It'd be awesome if the aws_dynamic_subnet module had support for a specific number of private & public subnets.
Julian Gog, over 4 years ago
cross-post BUG
I was about to create a bug ticket and saw the link to your Slack. So I want to make sure it's a bug before opening a ticket.
It's about the terraform-aws-s3-bucket.
If you specify the privileged_principal_arns option it will never create a bucket policy. Is this wanted behaviour, since an aws_iam_policy_document is created? My guess is that privileged_principal_arns is missing in the count option here:
resource "aws_s3_bucket_policy" "default" {
  count      = local.enabled && (var.allow_ssl_requests_only || var.allow_encrypted_uploads_only || length(var.s3_replication_source_roles) > 0 || var.policy != "") ? 1 : 0
  bucket     = join("", aws_s3_bucket.default.*.id)
  policy     = join("", data.aws_iam_policy_document.aggregated_policy.*.json)
  depends_on = [aws_s3_bucket_public_access_block.default]
}
OK, I am almost 100% sure it's a bug, so here are the issue and the PR:
Bug-Issue: https://github.com/cloudposse/terraform-aws-s3-bucket/issues/100
PR: https://github.com/cloudposse/terraform-aws-s3-bucket/pull/101
Julian Gog, over 4 years ago
As a workaround, I thought I could specify a dedicated policy like this:
policy = jsonencode({
  "Version" = "2012-10-17",
  "Id"      = "MYBUCKETPOLICY",
  "Statement" = [
    {
      "Sid"    = "${var.bucket_name}-bucket_policy",
      "Effect" = "Allow",
      "Action" = [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:GetBucketLocation",
        "s3:AbortMultipartUpload"
      ],
      "Resource" = [
        "arn:aws:s3:::${var.bucket_name}",
        "arn:aws:s3:::${var.bucket_name}/*"
      ],
      "Principal" = {
        "AWS" = [var.privileged_principal_arn]
      }
    },
  ]
})
but this results in this error:
Error: Invalid count argument
  on .terraform/modules/service.s3-bucket.s3_bucket/main.tf line 367, in resource "aws_s3_bucket_policy" "default":
 367:   count = local.enabled && (var.allow_ssl_requests_only || var.allow_encrypted_uploads_only || length(var.s3_replication_source_roles) > 0 || var.policy != "") ? 1 : 0
The "count" value depends on resource attributes that cannot be determined
until apply, so Terraform cannot predict how many instances will be created.
To work around this, use the -target argument to first apply only the
resources that the count depends on.
Does anyone have a clue why?
Dustin Lee, over 4 years ago
Hello, anybody had issues with this before?
aws_cloudwatch_event_rule.this: Creating...
╷
│ Error: Creating CloudWatch Events Rule failed: InvalidEventPatternException: Event pattern is not valid. Reason: Filter is not an object
Dustin Lee, over 4 years ago
I have tried umpteen ways of trying to get the thing to work with jsonencode, tomap, etc.
Dustin Lee, over 4 years ago
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
Terraform will perform the following actions:
  # aws_cloudwatch_event_rule.this will be created
  + resource "aws_cloudwatch_event_rule" "this" {
      + arn            = (known after apply)
      + description    = "This is event rule description."
      + event_bus_name = "default"
      + event_pattern  = "\"{\\\"detail\\\":{\\\"eventTypeCategory\\\":[\\\"issue\\\"],\\\"service\\\":[\\\"EC2\\\"]},\\\"detail-type\\\":[\\\"AWS Health Event\\\"],\\\"source\\\":[\\\"aws.health\\\"]}\""
      + id             = (known after apply)
      + is_enabled     = true
Dustin Lee, over 4 years ago
The event pattern is what's getting me.
Dustin Lee, over 4 years ago
Sussed it out, issue in the module itself.
Mr.Devops, over 4 years ago
Any tools to help simplify state migration in a mono repo without destroying your current infrastructure?
Grubhold, over 4 years ago
Hi folks, I've been working on https://github.com/cloudposse/terraform-aws-elasticsearch and its dependencies; it's working great and deploying successfully. I have two questions regarding this that I need your assistance with:
1. How is the CloudWatch subscription filter managed by this resource? I believe for ES we need a Lambda function for that; does CloudPosse have a module for this that I missed?
2. How is access to Kibana managed by this module? Looking at the config it seems that it's depending on VPC and access through a Route53 resource; if so, how to access the dashboard of Kibana?
OZZZY, over 4 years ago
hi
rss, over 4 years ago (edited)
v1.1.0-alpha20210811
1.1.0 (Unreleased)
NEW FEATURES:
cli: terraform add generates resource configuration templates (#28874)
config: a new type() function, only available in terraform console (https://github.com/hashicorp/terraform/issues/28501) ...
Yoni Leitersdorf (Indeni Cloudrail), over 4 years ago
If you use Mac with M1, this is really cool: https://github.com/kreuzwerker/m1-terraform-provider-helper (I do, and have run into what the author described there)
managedkaos, over 4 years ago
Hello team!
TLDR Question: Do you have tips/suggestions/pointers/resources on creating plugins for tflint?
Details: I have a group of 15-20 modules that I'd like to be coded consistently, specifically:
• All modules have inputs for name, environment, and tags
• All variables have a description, and optionally a type if applicable
• All outputs have a description
• All AWS resources that can be tagged have their tags attribute assigned like tags = merge(var.tags, local.tags), and optionally a resource-level override like tags = merge(var.tags, local.tags, { RESOURCE = OVERRIDE })
So far I have Python scripts that are doing most of these, but as I went deeper into the weeds I thought a tool like tflint might be better suited. So before I go down that route, I'm looking for best practices and tips from those that have been there and done that. Thanks! 👋🏾
Bill Davidson, over 4 years ago
Hello, all.
I am trying to use the CloudPosse ec2-autoscale-group module and every time I do a terraform apply, it just repeatedly generates EC2s that are automatically terminated. Any thoughts on where to begin?
Thanks!
Tony Bower, over 4 years ago
Hello! First, thanks for the CloudPosse modules, they've been very helpful. I've got an issue trying to implement two instances of cloudposse/terraform-aws-datadog-integration.
Details in thread.
I'm not sure if this is the right place to ask, but I figured I'd try.
Jackson Delahunt, over 4 years ago
Hi all! I'm using Terraform Cloud for state storage and Terraform execution. I've been running on 0.12.26, but a module requires me to upgrade to 1.0.4. When changing the workspace version to the new version I get the error in the screenshot. I'm required to run terraform 0.13upgrade to upgrade the state files, however I don't know how to target state in Terraform Cloud from my local CLI. Can anyone advise how I can target Terraform Cloud state from my local CLI?
Mihai Cindea, over 4 years ago
Hey everyone!
Trying to use terraform-aws-waf but no matter how I use it I get:
Error: Unsupported block type
  on .terraform/modules/wafv2/rules.tf line 253, in resource "aws_wafv2_web_acl" "default":
 253:       dynamic "forwarded_ip_config" {
Blocks of type "forwarded_ip_config" are not expected here.
Error: Unsupported block type
  on .terraform/modules/wafv2/rules.tf line 306, in resource "aws_wafv2_web_acl" "default":
 306:       dynamic "ip_set_forwarded_ip_config" {
Blocks of type "ip_set_forwarded_ip_config" are not expected here.
Error: Unsupported block type
  on .terraform/modules/wafv2/rules.tf line 409, in resource "aws_wafv2_web_acl" "default":
 409:       dynamic "forwarded_ip_config" {
Blocks of type "forwarded_ip_config" are not expected here.
I also tried using the code from examples/complete, but still have the same issue.
Is there a minimum version other than 0.13? I'm currently using 0.14.11.
Murali Manohar, over 4 years ago
Hi Team,
Can someone please help me set up RocksDB alerts using Terraform, based on write stalls?
I am new to Datadog and Terraform.
Looking for the syntax to set up an alert.
https://github.com/facebook/rocksdb/wiki/Write-Stalls
atom, over 4 years ago
Morning, is this the right place to ask questions about CloudPosse Terraform modules?
Julian Gog, over 4 years ago
Hey everyone,
I am getting this error using your S3 module with the privileged_principal_arns option. Any clue why? I am using TF version 0.14.9. This was a common error at earlier versions 😕
Error: Invalid count argument
  on .terraform/modules/service.s3_bucket.s3_bucket/main.tf line 367, in resource "aws_s3_bucket_policy" "default":
 367:   count = local.enabled && (var.allow_ssl_requests_only || var.allow_encrypted_uploads_only || length(var.s3_replication_source_roles) > 0 || length(var.privileged_principal_arns) > 0 || var.policy != "") ? 1 : 0
The "count" value depends on resource attributes that cannot be determined
until apply, so Terraform cannot predict how many instances will be created.
To work around this, use the -target argument to first apply only the
resources that the count depends on.
ERRO[0043] Hit multiple errors:
Hit multiple errors:
exit status 1
Alex Jurkiewicz, over 4 years ago
what's that project which auto-adds tags to your terraform resources based on file/repo/commit?
Alex Jurkiewicz, over 4 years ago
it has some name like yonder
Phillip Hocking, over 4 years ago (edited)
Hey, any thoughts as to how to update the public PTR of an EC2 public IP programmatically? I think typically you have to ask AWS support to do that... but it would be nice to do it via Terraform/API.
Phillip Hocking, over 4 years ago
Looks like it can be done via the AWS CLI: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-address-attribute.html
Andrew Roth, over 4 years ago
Example repo I made for running shell-based tests inside an ephemeral EC2 instance using Terratest, if anyone's interested in that kind of thing 🙂
https://github.com/RothAndrew/terratest-shell-e2e-poc
Mark juan, over 4 years ago
Hi all, does anyone have an idea how to add CloudWatch as a Grafana data source via Terraform (Helm chart) and also verify it?
OZZZY, over 4 years ago
Hi guys, I am new at Terraform. How can I create more than one site-to-site VPN connection?
James Wade, over 4 years ago
│ Error: Cannot import non-existent remote object
│
│ While attempting to import an existing object to "aws_codebuild_project.lambda", the provider detected that no object exists with the given id. Only pre-existing objects can be imported; check that the id is correct and that it is associated with the provider's
│ configured region or endpoint, or use "terraform apply" to create a new remote object for this resource.
Anyone else ever had an issue with this?
OZZZY, over 4 years ago
Hi.. I am new at Terraform. How can I create more than one site-to-site VPN connection? ❓️🆘
Yoni Leitersdorf (Indeni Cloudrail), over 4 years ago
Users of driftctl, I have a few questions for you: AFAIK, driftctl only catches three kinds of drift that are not already caught by Terraform's refresh process: 1. SG rule changes, 2. IAM policy assignment, 3. SSO permission set assignments.
1. Is there anything else driftctl catches that I'm missing?
2. If I'm correct about the above, why do you use driftctl and not simply run a TF plan on a cron and see if any drifts are detected (like env0 are suggesting, or even Spacelift)?
andylamp, over 4 years ago (edited)
Hi there, I am trying to use https://github.com/cloudposse/terraform-aws-elasticache-redis; however, when I use subnets fetched through a data resource in the form of:
data "aws_vpc" "vpc-dev" {
  tags       = { environment = "dev" }
  depends_on = [module.vpc-dev]
}
data "aws_subnet_ids" "vpc-dev-private-subnet-ids" {
  vpc_id     = data.aws_vpc.vpc-dev.id
  depends_on = [module.vpc-dev]
  tags = {
    Name = "*private*"
  }
}
and plug that into the configuration, it throws an error saying:
│ Error: Invalid count argument
│
│   on .terraform/modules/my-redis-cluster.redis/main.tf line 31, in resource "aws_elasticache_subnet_group" "default":
│   31:   count = module.this.enabled && var.elasticache_subnet_group_name == "" && length(var.subnets) > 0 ? 1 : 0
│
│ The "count" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created. To work around this, use
│ the -target argument to first apply only the resources that the count depends on.
Has anyone encountered that error before? If so, how did you solve it?
Mark juan, over 4 years ago
Does anyone know how to add CloudWatch as a Grafana data source using the Helm chart (prometheus-grafana)?
Mark juan, over 4 years ago
For better context, I'm using this values.yaml:
podSecurityPolicy:
  enabled: true
grafana:
  datasources:
    datasources.yaml:
      apiVersion: 1
      datasources:
        - name: Cloudwatch
          type: cloudwatch
          isDefault: true
          jsonData:
            authType: arn
            assumeRoleArn: "${ASSUME_ROLE_ARN}"
            defaultRegion: "${CLUSTER_REGION}"
            customMetricsNamespaces: ""
          version: 1
  grafana.ini:
    feature_toggles:
      enable: "ngalert"
  autoscaling:
    enabled: true
    minReplicas: 1
    maxReplicas: 10
    metrics:
      - type: Resource
        resource:
          name: cpu
          targetAverageUtilization: 80
      - type: Resource
        resource:
          name: memory
          targetAverageUtilization: 80
  image:
    repository: grafana/grafana
    tag: 8.1.0
  ingress:
    %{ if GRAFANA_HOST != "" }
    enabled: true
    hosts:
      - ${GRAFANA_HOST}
    %{ else }
    enabled: false
    %{ endif }
prometheus:
  prometheusSpec:
    storageSpec:
      ## Using PersistentVolumeClaim
      volumeClaimTemplate:
        spec:
          storageClassName: gp2
          accessModes: ["ReadWriteOnce"]
          resources:
            requests:
              storage: 50Gi
Pierre-Yves, over 4 years ago
Nice trick I learned today: conditionally create a block
https://codeinthehole.com/tips/conditional-nested-blocks-in-terraform/
AugustasV, over 4 years ago
For login to AWS, right now I'm manually using some bash scripts to assume a role, but that MFA token expires every hour. What would be an option to automate those tasks? I would probably like to use Docker.
managedkaos, over 4 years ago (edited)
Hello team! Asking a question about name length limits.
TLDR
Is there a document listing resources and their associated limits for the name and name_prefix lengths?
Details
Some resources have limits imposed on how long the name or name_prefix can be when being created in Terraform. For aws_iam_role, for example, the name_prefix limit is 32 characters. I sometimes have long values for the variables I use to populate the name prefix, so I protect from errors by using substr like this:
# Example input values:
#   var.name        = "super-cool-unicorn-application"
#   var.environment = "staging"
resource "aws_iam_role" "task" {
  ...
  name_prefix = substr("${var.name}-${var.environment}-task-", 0, 32)
  ...
}
However, I know that other resources allow for longer values for name_prefix (can't think of one off the top of my head… will add it if I find it).
I'd like to use a reference for these lengths so I can allow my names and prefixes to be as long as possible.
Does such a reference exist? If not, is there a way to "mine" it out of the Terraform and/or provider source code? 🤔
Erik Osterman (Cloud Posse), over 4 years ago
Live HashiCorp Boundary demo right now!
https://sweetops.slack.com/archives/CB3579ZM3/p1629311407009500
rss, over 4 years ago (edited)
v1.0.5
1.0.5 (August 18, 2021)
BUG FIXES:
json-output: Add an output change summary message as part of the terraform plan -json structured logs, bringing this format into parity with the human-readable UI. (#29312)
core: Handle null nested single attribute values (https://github.com/hashicorp/terraform/issues/29411) ...
Tony Bower, over 4 years ago
I see a context.tf referred to in many of the CloudPosse modules. Is that a file I should copy and commit to my project unaltered?
Mohammed Yahya, over 4 years ago
Terraform v1.0.5 now adds a summary in the JSON plan, 😢 I just implemented this using jq last week 😭
Mohammed Yahya, over 4 years ago
Mark juan, over 4 years ago
Does anyone know how to add CloudWatch as a data source in Grafana using this Helm chart: https://github.com/prometheus-community/helm-charts?
Alencar Junior, over 4 years ago (edited)
Hi all, I have a question about creating service connection resources on Azure DevOps. Terraform stores the personal_access_token value in the state file and I would like to avoid that. I was wondering if there is a better and more secure approach to creating this resource?
resource "azuredevops_serviceendpoint_github" "serviceendpoint_github" {
  project_id            = azuredevops_project.project.id
  service_endpoint_name = "xyz"
  auth_personal {
    personal_access_token = "TOKEN" # placeholder; whatever value is set here ends up in the state file
  }
}
Andrew Roth, over 4 years ago (edited)
Should I be able to do this?
Specifically, pulling the ref from a TF variable
module "foo" {
  source = "git::https://foo.com/bar.git?ref=${var.module_version}"
}
Grubholdover 4 years ago(edited)
SOLVED Hi folks, I’m using CloudPosse’s ECS web app module along with SSM Parameter Store. I have a bunch of secrets and variables in .tfvars that I have used to create and pass them on SSM and encrypt with KMS. But I’m not sure how to actually pass those from SSM to the ECS Task Definition for the containers? I couldn’t figure it out from the modules and I need it to be secure. Would appreciate your guidance.
Desire BANSEover 4 years ago
Hi folks.
I'm getting an AWS region issue when trying to run terraform-aws-config/examples/cis . For some reason it expects eu-west-1 while I have set it at us-east-1.
module.aws_config.aws_config_aggregate_authorization.central[0]: Creating...
aws_iam_policy.support_policy: Creating...
module.aws_config.aws_config_configuration_recorder.recorder[0]: Creating...
aws_iam_role.support_role: Creating...
module.aws_config_storage.module.storage[0].aws_s3_bucket.default[0]: Creating...
module.aws_config.aws_config_configuration_recorder.recorder[0]: Creation complete after 0s [id=config]
module.aws_config.aws_config_aggregate_authorization.central[0]: Creation complete after 1s [id=NNNNNN:us-east-1]
aws_iam_policy.support_policy: Creation complete after 1s [id=arn:aws:iam::NNNNNNNNN:policy/terraform-NNNNNN]
aws_iam_role.support_role: Creation complete after 1s [id=test-policy]
aws_iam_policy_attachment.support_policy_attach: Creating...
aws_iam_policy_attachment.support_policy_attach: Creation complete after 0s [id=test-policy]
╷
│ Error: Error creating S3 bucket: AuthorizationHeaderMalformed: The authorization header is malformed; the region 'us-east-1' is wrong; expecting 'eu-west-1'
│ status code: 400, request id: ID, host id: ID
│
│ with module.aws_config_storage.module.storage[0].aws_s3_bucket.default[0],
│ on .terraform/modules/aws_config_storage.storage/main.tf line 1, in resource "aws_s3_bucket" "default":
│ 1: resource "aws_s3_bucket" "default" {
Yoni Leitersdorf (Indeni Cloudrail)over 4 years ago
Wow this is cool: https://github.com/hashicorp/terraform-provider-aws/pull/18585 I actually needed it.
Mohammed Yahyaover 4 years ago
I faced this issue in https://github.com/cloudposse/terraform-aws-dynamic-subnets
with version 1.0.5 if I have time I will create a PR
╷
│ Error: Error in function call
│
│ on .terraform/modules/subnets/outputs.tf line 53, in output "nat_ips":
│ 53: value = coalescelist(aws_eip.default.*.public_ip, aws_eip.nat_instance.*.public_ip, data.aws_eip.nat_ips.*.public_ip, list(""))
│
│ Call to function "list" failed: the "list" function was deprecated in Terraform v0.12 and is no longer available; use tolist([ ...
│ ]) syntax to write a literal list.
Mohammed Yahyaover 4 years ago
never mind I’m using old version of the module
Adnanover 4 years ago(edited)
I want to have dedicated private subnet sets for each AWS service used such as RDS, ElastiCache, etc.
I want to use a dedicated VPC CIDR e.g. 10.0.0.0/16
I want to then break that IP range down into many more subnets with far fewer hosts using a mask of /29
I wish these subnet sets could be created dynamically and used for the different services without conflicts and without me having to specify each subnet manually e.g. :
Some RDS MySQL Instance > 10.0.0.0/29, 10.0.0.8/29, 10.0.0.16/29
Another RDS MySQL Instance > 10.0.0.24/29, 10.0.0.32/29, 10.0.0.40/29
Some EC Redis Instance > 10.0.0.48/29, 10.0.0.56/29, 10.0.0.64/29
....
....
Can I achieve that with https://github.com/cloudposse/terraform-aws-dynamic-subnets ?
Mark juanover 4 years ago
Hi everyone! After adding CloudWatch as a data source in Grafana by using the kube-prometheus-stack Helm chart, it got added, but as I am testing it, it's saying metric request error, and also none of the dashboards are working!!
Mark juanover 4 years ago
The policy and role I'm using are
data "aws_iam_policy_document" "grafana_cloudwatch" {
  statement {
    sid    = "AllowReadingMetricsFromCloudWatch"
    effect = "Allow"
    actions = [
      "cloudwatch:ListMetrics",
      "cloudwatch:GetMetricStatistics",
      "cloudwatch:GetMetricData"
    ]
    # CloudWatch metric read actions do not support resource-level permissions, so "*" is required here
    resources = ["*"]
  }
  statement {
    sid    = "AllowReadingLogsFromCloudWatch"
    effect = "Allow"
    actions = [
      "logs:DescribeLogGroups",
      "logs:GetLogGroupFields",
      "logs:StartQuery",
      "logs:StopQuery",
      "logs:GetQueryResults",
      "logs:GetLogEvents"
    ]
    resources = ["*"]
  }
  statement {
    sid       = "AllowReadingResourcesForTags"
    effect    = "Allow"
    actions   = ["tag:GetResources"]
    resources = ["*"]
  }
}
# Trust policy: lets EC2 instances (via an instance profile) assume the role
data "aws_iam_policy_document" "base_policy" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
    effect = "Allow"
  }
}
# Extends the trust policy so the identity running Terraform can assume the role as well
data "aws_iam_policy_document" "account_assume_role" {
  source_json = data.aws_iam_policy_document.base_policy.json
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = [data.aws_caller_identity.current.arn]
    }
    effect = "Allow"
  }
}
resource "aws_iam_role" "cloudwatch_role" {
  name               = "${local.cluster_name}-grafana-cloudwatch-role"
  assume_role_policy = data.aws_iam_policy_document.account_assume_role.json
}
resource "aws_iam_policy" "data_source_policy" {
  name_prefix = "${local.cluster_name}-grafana-cloudwatch-policy"
  policy      = data.aws_iam_policy_document.grafana_cloudwatch.json
}
resource "aws_iam_role_policy_attachment" "DataSourceCloudwatchPolicy" {
  policy_arn = aws_iam_policy.data_source_policy.arn
  role       = aws_iam_role.cloudwatch_role.name
}
Michael Dizonover 4 years ago
I think I found a bug. https://github.com/cloudposse/terraform-aws-components/blob/master/modules/iam-primary-roles/providers.tf#L17 references a couple of variables that are not defined in iam-roles https://github.com/cloudposse/terraform-aws-components/blob/master/modules/account-map/modules/iam-roles/variables.tf
Steve Wade (swade1987)over 4 years ago
variable noob question ... how do I make sure a string does not have the word latest in it?
Pavelover 4 years ago
trying to figure out why i cant reach my redis cluster using this https://github.com/cloudposse/terraform-aws-elasticache-redis#output_host
Pavelover 4 years ago
what subnet should i put this one?
Pavelover 4 years ago
i have private and public ones
Pavelover 4 years ago
I have an EC2 instance which is on a public subnet, same VPC; I put the cluster on a private one, but if it's the same VPC shouldn't it be reachable? The SG is just: anything from the source VPC should be allowed ingress
Pavelover 4 years ago
what is this subnet group?
Pavelover 4 years ago
i didn't make this
Steve Wade (swade1987)over 4 years ago
its a default one that redis creates
Pavelover 4 years ago
the tf module wants a list of ids
Pavelover 4 years ago(edited)
oo i see subnet groups exist in elasticache
Pavelover 4 years ago
so it has all my pub/priv subnets
Pavelover 4 years ago
still cant get my ec2 to connect
Pavelover 4 years ago
redis-cli -h master.nv21-development-redis.ez60p2.use1.cache.amazonaws.com ping
I get nothing, it just hangs there. Not even a timeout.
Pavelover 4 years ago
telnet just says connection timeout
Mr.Devopsover 4 years ago(edited)
hi there - trying to perform some conditional expression based on the user_data and user_data_base64 arguments for aws_instance resources. I understand that you cannot use both arguments in the resource but figured I'd ask the community. 🙏
long story short - I'm migrating our state and trying to prevent a resource recreation from a previous engineer's sloppy mess.
Balazs Vargaover 4 years ago
hello all, I would like to create a cert for a private hosted zone. Before, with Ansible, we created a public hosted zone, then created the cert and waited until it became valid, then deleted the hosted zone and created the zone with the same name in private mode. How can I do the same in terraform?
Mark juanover 4 years ago
Hi everyone! I am using a policy and added a tag on it, and in the policy I'm filtering on conditions based on the tag like this, but it's not filtering anything out!
Mark juanover 4 years ago
data "aws_iam_policy_document" "grafana_datasource" {
  statement {
    sid    = "AllowReadingMetricsFromCloudWatch"
    effect = "Allow"
    actions = [
      "cloudwatch:ListMetrics",
      "cloudwatch:GetMetricStatistics",
      "cloudwatch:GetMetricData"
    ]
    resources = ["*"]
    # aws:ResourceTag is only evaluated for actions that operate on a taggable resource;
    # these metric read actions have no resource type, so the key is absent from the request
    condition {
      test     = "StringEquals"
      variable = "aws:ResourceTag/Project"
      values   = [local.cluster_name]
    }
  }
  statement {
    actions   = ["sts:AssumeRole"]
    resources = [aws_iam_role.grafana_datasource.arn]
  }
}
Mark juanover 4 years ago
locals {
  common_tags = {
    Project     = local.cluster_name
    Provisioner = "TERRAFORM"
    Environment = local.environment
  }
}
Mark juanover 4 years ago
resource "aws_iam_policy" "data_source_policy" {
  name_prefix = "${local.cluster_name}-grafana-cloudwatch-policy"
  policy      = data.aws_iam_policy_document.grafana_datasource.json
  tags        = local.common_tags
}
Mark juanover 4 years ago
Can someone help me with this?
Alex Jurkiewiczover 4 years ago
iam policies are about permissions, not filtering
Alex Jurkiewiczover 4 years ago
you can't let people see only a subset of metrics with ListMetrics
Alex Jurkiewiczover 4 years ago
well, you can put the resources in seperate regions or accounts
managedkaosover 4 years ago
Hello, team! Have you seen TF resources (IAM roles in particular) show bogus changes like this:
~ resource "aws_iam_role" "codedeploy" {
    ~ assume_role_policy = jsonencode(
        ~ {
            ~ Statement = [
                ~ {
                    ~ Principal = {
                        ~ Service = [
                            - "codedeploy.amazonaws.com",
                              "ecs-tasks.amazonaws.com",
                            + "codedeploy.amazonaws.com",
                        ]
                    }
                    # (3 unchanged elements hidden)
                },
            ]
            # (1 unchanged element hidden)
        }
    )
Note that this section is really just a rehash of what’s already there:
- "codedeploy.amazonaws.com",
  "ecs-tasks.amazonaws.com",
+ "codedeploy.amazonaws.com",
I thought it might be an ordering thing but not sure… 🤔
RBover 4 years ago
my first aws provider update. please upvote if you want better rabbitmq / mq broker support. 🙏
https://github.com/hashicorp/terraform-provider-aws/pull/20661
Almondovarover 4 years ago
Hi colleagues, i am updating our eks terraform module from v 13 to v 17 and i noticed in the terraform plan that it wants to remove the autoscaling groups, any idea why it wants to do that? 🤯
~ resources = [
- {
- autoscaling_groups = [
- {
- name = "eks-xxxx"
},
]
- remote_access_security_group_id = ""
},
Amit Karpeover 4 years ago
What are the main advantage using cp vs normal module AWS EKS?
cloudposse/terraform-aws-eks-cluster VS terraform-aws-modules/terraform-aws-eks
ekristenover 4 years ago(edited)
The releases notes for the vpc module say "this version is not recommended for 0.26.1", does that mean 0.26.1 or 0.26.0 since 0.26.0 introduced a breaking change? or should 0.26.x be avoided entirely because it's not a major bump and apparently there are some breaking changes?
Michael Dizonover 4 years ago
hey everyone. i've been using atmos to set up my latest project over the past two weeks. it's been great so far! i am struggling a little bit with accessing the s3 bucket and dynamodb table which was created in the master account, when I switch to a (terraform) that I created on the identity account that the account module created. it seems like a role and policy needs to be created for this to work. any ideas/suggestions? 🙏
Tom Vaughanover 4 years ago
When using terraform-aws-tfstate-backend is it possible to use a single dynamoDB table? Currently using it for several different services on AWS and each are in a separate folder and the result is a table for each service.
Zachover 4 years ago
You only need one dynamodb table for all of your terraform locking yes
larry kirschnerover 4 years ago(edited)
question about setting up ECS for a microservice-based app:
Is there any example that shows how to set up an app that is a collection of micro services where:
• each micro service has its own docker image/container definition
• micro services can route to other micro services w DNS names, e.g. uploads can make requests to http://graphql.microservice
• the ingress (ALB?) load balancer maps HTTP paths to different microservices, e.g. /home, /graphql
...I've been looking at these two modules and their examples:
https://github.com/cloudposse/terraform-aws-ecs-web-app/
https://github.com/cloudposse/terraform-aws-ecs-alb-service-task
...but I can't tell if either is intended to support an app composed of multiple ECS micro services that can intercommunicate?
AugustasVover 4 years ago
count = length(aws_db_instance.db_instance)
on aws_cloudwatch_alarm.tf line 4, in resource "aws_cloudwatch_metric_alarm" "unhealthyhosts":
4: alarm_name = "${aws_db_instance.db_instance[count.index].identifier}.${var.environment} unhealthy machine in ${aws_db_instance.db_instance[count.index].identifier}!"
|----------------
| aws_db_instance.db_instance is object with 66 attributes
| count.index is 27
Why is that?
Alex Jurkiewiczover 4 years ago(edited)
looks like aws_db_instance.db_instance object (aka map) does not have an item called "27"
Manuel Morejónover 4 years ago
Hi team! Nice to be here with you.
I’m facing this issue https://github.com/cloudposse/terraform-aws-elasticsearch/issues/57
Do you have any suggestion to resolve it?