#terraform - August 2021 | Slack Archive

112 messages

Archive: https://archive.sweetops.com/terraform/

Jul 2021

August 2021

Sep 2021

Alexander Schererover 4 years ago(edited)

Good evening everyone. I'm new here and hopefully you don't mind a really noobish question but i'm trying to add my lambda functions dynamically to the api gateway integration like so:

// need to do it dynamically somehow but it won't let me assign the key name with variable
  dynamic "integrations" {
    for_each = module.lambdas
    content {
      "ANY /hello-world" = {
        lambda_arn             = module.lambdas["hello-world"].lambda_function_arn
        payload_format_version = "2.0"
        timeout_milliseconds   = 12000
      }
    }
  }

// this works
//  integrations = {
//    "ANY /hello-world" = {
//      lambda_arn             = module.lambdas["hello-world"].lambda_function_arn
//      payload_format_version = "2.0"
//      timeout_milliseconds   = 12000
//    }
//  }

any help on how to archive this in tf would be awesome!

Brad McCoyover 4 years ago

Hi All we did a webinar on intro to IAC and Terraform in the weekend if anyone is interested: https://www.youtube.com/watch?v=2keKHXtvY5c

Alex Jurkiewiczover 4 years ago

Is there a way to perform a deep merge like following:

locals {
  a = { foo = { age = 12, items = [1] } }
  b = { foo = { age = 12, items = [2] }, bar = { age = 4, items = [3] } }
  c = { bar = { age = 4, items = [] } }

  # desired output
  out = { foo = { age = 12, items = [1,2] }, bar = { age = 4, items = [3] } }
}

I have many maps of objects. The objects with same key are identical except for one list field. I want to merge all items with the same key, except concat the list field.

Vitalii Morvaniukover 4 years ago

Hi all.
Have a question about working with provider aliases. In my case I have several accounts in AWS:

provider "aws" {
  region = var.region
}

provider "aws" {
  region = "eu-west-2"
  alias = "aws.eu-west-2"
}

provider "aws" {
  region = "eu-central-1"
  alias = "aws.eu-central-1"
}

I want to create same shared WAF rules in this accounts. Could I use for_each somehow to get call module creating this rules and iterating over different provider aliases?

Alex Sover 4 years ago(edited)

Hi all, I’m using the terraform-aws-ecs-alb-service-task module and running into a bit of an issue; I’ve set deployment_controller_type to CODE_DEPLOY and using the blue/green deployment method - when Code Deploy diligently switches to the green autoscaling group, the next run of the module deletes/recreates the ecs service because it’s trying to put back the blue target group (or both)… Has anyone tried to run this setup? I can make a PR to ignore changes to load balancers, but if you look at the module it’s going to become an immediate nightmare to support the 3 different ignore combinations. Any advice greatly appreciated.

Kenan Virtucioover 4 years ago

Hi, just asking again https://github.com/cloudposse/terraform-aws-cloudfront-cdn for this module. Is there a plan in the roadmap for users to be able to modify default_cache_behavior ?

Grubholdover 4 years ago

Hello folks, I'm facing this issue when trying to deploy https://github.com/cloudposse/terraform-aws-elasticsearch using all other modules that this one requires. I'll link the files I have in the thread

│ Error: Error creating ElasticSearch domain: ValidationException: You must specify exactly two subnets because you've set zone count to two.
│
│   with module.elasticsearch.aws_elasticsearch_domain.default[0],
│   on modules/elasticsearch/main.tf line 100, in resource "aws_elasticsearch_domain" "default":
│  100: resource "aws_elasticsearch_domain" "default" {
│
╵
╷
│ Error: Error creating Security Group: InvalidGroup.Duplicate: The security group 'elastic-test-es-test' already exists for VPC 'vpc-0fbda4f1d6105a68c'
│ 	status code: 400, request id: 6ad8d766-7954-49d5-b257-8b2213d1f8ec
│
│   with module.vpc.module.security_group.aws_security_group.default[0],
│   on modules/sg-cp/main.tf line 28, in resource "aws_security_group" "default":
│   28: resource "aws_security_group" "default" {

Benover 4 years ago

Hello folks, I have a question regarding terraform-aws-eks-cluster https://github.com/cloudposse/terraform-aws-eks-cluster/blame/master/README.md#L100
The readme contains two statements that seem contradicting but maybe I’m just not getting it. It states:

The KUBECONFG file is the most reliable [method], […]

and a few lines below:

At the moment, the exec option appears to be the most reliable method, […]

Grubholdover 4 years ago

Hello folks, is there a workaround for the current security group module where using it with another module such as Elasticsearch it yells that xyz security group already exists? This PR seems to address this but its not yet merged.

│ Error: Error creating Security Group: InvalidGroup.Duplicate: The security group 'logger-test-es-test' already exists for VPC 'vpc-0e868046c92d7bb2a'
│ 	status code: 400, request id: be88d8b8-1ed0-43ac-8246-e37265782098
│
│   with module.vpc.module.security_group.aws_security_group.default[0],
│   on modules/sg-cp/main.tf line 28, in resource "aws_security_group" "default":
│   28: resource "aws_security_group" "default" {

Geraldover 4 years ago

Hi folks, I want to include the snippet section below from my ECS task definition for datadog container but the problem volume argument not supported? Anyone can give me advise. Thank you

  mount_points                  = [
    {
      containerPath = "/var/run/docker.sock"
      sourceVolume = "docker_sock"
      readOnly = true
    },
    {
      containerPath = "/host/sys/fs/cgroup"
      sourceVolume = "cgroup"
      readOnly = true
    },
    {
      containerPath = "/host/proc"
      sourceVolume = "proc"
      readOnly = true
    }
  ]

  volumes                       =  [
    {
      host_path = "/var/run/docker.sock"
      name      = "docker_sock"
      docker_volume_configuration = []
    },
    {
      host_path = "/proc/"
      name      = "proc"
      docker_volume_configuration = []
    },
    {
      host_path = "/sys/fs/cgroup/"
      name      = "cgroup"
      docker_volume_configuration = []
    }
  ]

BTW: I'm using this module https://github.com/cloudposse/terraform-aws-ecs-container-definition/blob/master/main.tf

Geraldover 4 years ago

possible we can add this line here?

  dynamic "volume" {
    for_each = var.volumes
    content {
      name      = volume.value.name
      host_path = lookup(volume.value, "host_path", null)

      dynamic "docker_volume_configuration" {
        for_each = lookup(volume.value, "docker_volume_configuration", [])
        content {
          autoprovision = lookup(docker_volume_configuration.value, "autoprovision", null)
          driver        = lookup(docker_volume_configuration.value, "driver", null)
          driver_opts   = lookup(docker_volume_configuration.value, "driver_opts", null)
          labels        = lookup(docker_volume_configuration.value, "labels", null)
          scope         = lookup(docker_volume_configuration.value, "scope", null)
        }
      }
    }
  }

rssover 4 years ago(edited)

v1.0.4
1.0.4 (August 04, 2021)
BUG FIXES:
backend/consul: Fix a bug where the state value may be too large for consul to accept (#28838)
cli: Fixed a crashing bug with some edge-cases when reporting syntax errors that happen to be reported at the position of a newline. (<a href="https://github.com/hashicorp/terraform/issues/29048"...

Unwovenover 4 years ago

Hello 😄
i'm trying to create a proper policy for the cluster-autoscaler service account (aws eks) and I need the ASG ARNs.
Any ideas on how I can get them from the eks_node_group module?
I can only get the ASG name from the node_group "resource" attribute, which I can use to get the ARN from the aws_autoscaling_group data source. Unfortunately this will be known only after apply. Do the more experienced folks have a decent workaround or a better way to do this?

Brent Garberover 4 years ago

Trying to use cloudposse/terraform-aws-ec2-instance-group and it may be lack of sleep but I can't figure out how to get it to not generate spurious SSH keys if I'm using an existing key?

If I pass in ssh_key_pair , I'll want to specify generate_ssh_key_pair as false, but if I do that ssh_key_pair module goes "Oh, well we're using an existing file then", and then plan dies with

│ Error: Invalid function argument
│
│   on .terraform\modules\worker_tenants.worker_tenant.ssh_key_pair\main.tf line 19, in resource "aws_key_pair" "
imported":
│   19:   public_key = file(local.public_key_filename)
│     ├────────────────
│     │ local.public_key_filename is "C:/projects/terraform-network-worker/app-dev-worker-worker-arrow.pub"
│
│ Invalid value for "path" parameter: no file exists at

Brent Garberover 4 years ago

Can workaround the error by passing true to generate_ssh_key_pair but then I got an extra keypair for every instance group being generated.

Steve Wade (swade1987)over 4 years ago

is there an easy way to get TF to ignore data resource changes (see below)

data "tls_certificate" "eks_oidc_cert" {
  url = aws_eks_cluster.eks.identity.0.oidc.0.issuer
}

~ id           = "2021-08-05 16:09:43.671261128 +0000 UTC" -> "2021-08-05 16:09:58.401961984 +0000 UTC"

Rhys Daviesover 4 years ago

Hey folks, wondering if anyone has what they consider a good, or definitive, resource on how to do a major version upgrade of an RDS database with Terraform?

Eric Alfordover 4 years ago(edited)

Hoping someone can give an update on this issue with the terraform aws ses module. Any idea when we can get a fix in? I think ideally the resource would be configurable by an input variable similar to how the iam_permissions is configurable. https://github.com/cloudposse/terraform-aws-ses/issues/40

Dustin Leeover 4 years ago

Just curious i am using the https://github.com/cloudposse/terraform-aws-alb and https://github.com/cloudposse/terraform-aws-alb-ingress just curious how to set the instance targets for the default target group ?

Mazin Ahmedover 4 years ago

Hi all 👋🏽
I'm speaking today on DEFCON Cloud Village about attacking Terraform environments. It will different attacks I have seen in the years against TF environments, and how engineers can make use of it in security their TF environment.

Please join me today at 12.05 PDT at Cloud Village livestream!

mfridhover 4 years ago

https://github.com/cloudposse/terraform-aws-rds-cluster --

Use case:
• provisioned
• aurora-mysql
• Upgrading of an example engine_version: 5.7.mysql_aurora.2.09.1 => 5.7.mysql_aurora.2.09.2 ...
Instead of just bumping the cluster resource and letting RDS handle the instances, it deletes and recreates each aws_rds_cluster_instance as well.

Thoughts?

Piece of Cakeover 4 years ago(edited)

It'll awesome if aws_dynamic_subnet module has support to specific number of private & public subnets

Julian Gogover 4 years ago

cross-post BUG👋 I’m here! What's up?
I was about to create a bug ticket and and saw the link to your slack. So I want to make sure its a Bug before opening a ticket.
its about the terraform-aws-s3-bucket.
if you specify the privileged_principal_arns option it will never create a bucket policy. Is this a wanted behaviour, since the a aws_iam_policy_document is created?
My guess is that in the the privileged_principal_arns is missing in the count option here:

resource "aws_s3_bucket_policy" "default" {
  count      = local.enabled && (var.allow_ssl_requests_only || var.allow_encrypted_uploads_only || length(var.s3_replication_source_roles) > 0 || var.policy != "") ? 1 : 0
  bucket     = join("", aws_s3_bucket.default.*.id)
  policy     = join("", data.aws_iam_policy_document.aggregated_policy.*.json)
  depends_on = [aws_s3_bucket_public_access_block.default]
}

ok I am almost 100% sure its a bug, so here are the issue and the PR

Bug-Issue: https://github.com/cloudposse/terraform-aws-s3-bucket/issues/100

PR: https://github.com/cloudposse/terraform-aws-s3-bucket/pull/101

Julian Gogover 4 years ago

As a workaround, I thought I could specify a dedicated policy like this:

  policy = jsonencode({
    "Version" = "2012-10-17",
    "Id"      = "MYBUCKETPOLICY",
    "Statement" = [
      {
        "Sid" = "${var.bucket_name}-bucket_policy",
        "Effect" = "Allow",
        "Action" = [
          "s3:PutObject",
          "s3:GetObject",
          "s3:DeleteObject",
          "s3:ListBucket",
          "s3:ListBucketMultipartUploads",
          "s3:GetBucketLocation",
          "s3:AbortMultipartUpload"
        ],
        "Resource" = [
          "arn:aws:s3:::${var.bucket_name}",
          "arn:aws:s3:::${var.bucket_name}/*"
        ],
        "Principal" = {
          "AWS" : [var.privileged_principal_arn]
        }
      },
    ]
  })

but this results in this error:

Error: Invalid count argument

  on .terraform/modules/service.s3-bucket.s3_bucket/main.tf line 367, in resource "aws_s3_bucket_policy" "default":
 367:   count      = local.enabled && (var.allow_ssl_requests_only || var.allow_encrypted_uploads_only || length(var.s3_replication_source_roles) > 0 || var.policy != "") ? 1 : 0

The "count" value depends on resource attributes that cannot be determined
until apply, so Terraform cannot predict how many instances will be created.
To work around this, use the -target argument to first apply only the
resources that the count depends on.

does anyone has a clue why?

Dustin Leeover 4 years ago

Hello, anybody had issues with this before

aws_cloudwatch_event_rule.this: Creating...
╷
│ Error: Creating CloudWatch Events Rule failed: InvalidEventPatternException: Event pattern is not valid. Reason: Filter is not an object

Dustin Leeover 4 years ago

i have tried umpteen ways of trying to get the thing to work with jsonencoding, tomaps, etc

Dustin Leeover 4 years ago

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_cloudwatch_event_rule.this will be created
  + resource "aws_cloudwatch_event_rule" "this" {
      + arn            = (known after apply)
      + description    = "This is event rule description."
      + event_bus_name = "default"
      + event_pattern  = "\"{\\\"detail\\\":{\\\"eventTypeCategory\\\":[\\\"issue\\\"],\\\"service\\\":[\\\"EC2\\\"]},\\\"detail-type\\\":[\\\"AWS Health Event\\\"],\\\"source\\\":[\\\"aws.health\\\"]}\""
      + id             = (known after apply)
      + is_enabled     = true

Dustin Leeover 4 years ago

The event pattern is what's getting me

Dustin Leeover 4 years ago

sussed it out issue in the module it self

Mr.Devopsover 4 years ago

Any tools to help simplify state migration in a mono repo without destroying your current infrastructure?

Grubholdover 4 years ago

Hi folks, I’ve been working on https://github.com/cloudposse/terraform-aws-elasticsearch and it’s dependencies, its working great and deploying successfully. I have two questions regarding this that I need your assistance with;
1. How is CloudWatch subscription filter managed by this resource, I believe for ES we need a Lambda function for that, does CloudPosse have a module for this, that I missed?
2. How is access to Kibana managed by this module? Looking at the config it seems that its depending on VPC and access through a Route53 resource, if so how to access the dashboard of Kibana?

OZZZYover 4 years ago

rssover 4 years ago(edited)

v1.1.0-alpha20210811
1.1.0 (Unreleased)
NEW FEATURES:
cli: terraform add generates resource configuration templates (#28874)
config: a new type() function, only available in terraform console (<a href="https://github.com/hashicorp/terraform/issues/28501" data-hovercard-type="pull_request"...

Yoni Leitersdorf (Indeni Cloudrail)over 4 years ago

If you use Mac with M1, this is really cool: https://github.com/kreuzwerker/m1-terraform-provider-helper (I do, and have run into what the author described there)

managedkaosover 4 years ago

Hello team!

TLDR Question: Do you have tips/suggestions/pointers/resources on creating plugins for tflint?

Details: I have a group of 15-20 modules that I'd like to be coded consistently, specifically:
• All modules have inputs for name, environment, and tags
• All variables have a description, and optionally a type if applicable
• All outputs have a description
• All AWS resources that can be tagged, have their tag attribute assigned like tag = merge(vars.tags, local.tags) and optionally an resource level override like tag = merge(vars.tags, local.tags, {RESOURCE = OVERRIDE})
So far I have python scripts that are doing most of these but as I went deeper into the weeds, I thought a tool like tflint might be better suited. So before I go down that route, I'm looking for best practices and tips from those that have been there and done that. Thanks! 👋🏾

Bill Davidsonover 4 years ago

Hello, all.

I am trying to use the CloudPosse ec2-autoscale-group module and every time I do a terraform apply, it just repeatedly generates EC2s that are automatically terminated. Any thoughts on where to begin?

Thanks!

Tony Bowerover 4 years ago

Hello! First, thanks for the cloudposse modules, they've been very helpful. I've got an issue trying to implement two instances of
cloudposse/terraform-aws-datadog-integration

Details in thread.

I'm not sure if this is the right place to ask, but I figured I'd try.

Jackson Delahuntover 4 years ago

Hi all! I'm using Terraform Cloud for state storage and terraform execution. I've been running on 0.12.26 , but a module requires me to upgrade to 1.0.4. When changing the workspace version to the new version I get the error in the screenshot. I'm required to run terraform 0.13upgrade to upgrade the state files, however I don't know how to target state in Terraform Cloud from my local cli. Can anyone advise how I can target Terraform Cloud state from my local cli?

Mihai Cindeaover 4 years ago

hey everyone!
Trying to use terraform-aws-waf but no matter how I use it I get:

Error: Unsupported block type

  on .terraform/modules/wafv2/rules.tf line 253, in resource "aws_wafv2_web_acl" "default":
 253:             dynamic "forwarded_ip_config" {

Blocks of type "forwarded_ip_config" are not expected here.


Error: Unsupported block type

  on .terraform/modules/wafv2/rules.tf line 306, in resource "aws_wafv2_web_acl" "default":
 306:             dynamic "ip_set_forwarded_ip_config" {

Blocks of type "ip_set_forwarded_ip_config" are not expected here.


Error: Unsupported block type

  on .terraform/modules/wafv2/rules.tf line 409, in resource "aws_wafv2_web_acl" "default":
 409:             dynamic "forwarded_ip_config" {

Blocks of type "forwarded_ip_config" are not expected here.

I also tried using the code from examples/complete, but still have the same issue.
Is it a minimum version other than 0.13? I'm currently using 0.14.11

Murali Manoharover 4 years ago

Hi Team,

Can someone please help me to rocksdb alerts setup using terraform using write stalls.
I am new to datadog and terraform.
looking for a syntax to setup alert.

https://github.com/facebook/rocksdb/wiki/Write-Stalls

atomover 4 years ago

Morning, is this the right place to ask questions about CloudPosse Terraform modules?

Julian Gogover 4 years ago

Hey everyone,
I am getting this error using your S3-module with the privileged_principal_arns option. Any clue why? I am using TF version 0.14.9. this was a common error at earlier versions 😕

Error: Invalid count argument

  on .terraform/modules/service.s3_bucket.s3_bucket/main.tf line 367, in resource "aws_s3_bucket_policy" "default":
 367:   count      = local.enabled && (var.allow_ssl_requests_only || var.allow_encrypted_uploads_only || length(var.s3_replication_source_roles) > 0 || length(var.privileged_principal_arns) > 0 || var.policy != "") ? 1 : 0

The "count" value depends on resource attributes that cannot be determined
until apply, so Terraform cannot predict how many instances will be created.
To work around this, use the -target argument to first apply only the
resources that the count depends on.

ERRO[0043] Hit multiple errors:
Hit multiple errors:
exit status 1

Alex Jurkiewiczover 4 years ago

what's that project which auto-adds tags to your terraform resources based on file/repo/commit?

Alex Jurkiewiczover 4 years ago

it has some name like yonder

Phillip Hockingover 4 years ago(edited)

hey, any thoughts as to how to update public ptr of an ec2 public ip programmatically? i think typically you have to ask aws support to do that... but it would be nice to do it via terraform/api

Phillip Hockingover 4 years ago

looks like it can be done via the aws cli: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-address-attribute.html

Andrew Rothover 4 years ago

Example repo I made for running shell-based tests inside an ephemeral EC2 instance using Terratest, if anyone's interested in that kind of thing 🙂

https://github.com/RothAndrew/terratest-shell-e2e-poc

Mark juanover 4 years ago

Hie all, do anyone having idea about how to add cloudwatch as grafana data source via terraform(helm chart) and also verify it

OZZZYover 4 years ago

Hi guys, I am new at Terraform. How can I create more than one site2site vpn connection.

James Wadeover 4 years ago

Error: Cannot import non-existent remote object
│ 
│ While attempting to import an existing object to "aws_codebuild_project.lambda", the provider detected that no object exists with the given id. Only pre-existing objects can be imported; check that the id is correct and that it is associated with the provider's
│ configured region or endpoint, or use "terraform apply" to create a new remote object for this resource.

Anyone else ever had an issue with this?

OZZZYover 4 years ago

Hi.. I am new at Terraform. How can I create more than one site2site vpn connection.❓️🆘

Yoni Leitersdorf (Indeni Cloudrail)over 4 years ago

Users of driftctl, I have a few questions for you:
AFAIK, driftctl only catches three kinds of drift that are not already caught by Terraform’s refresh process: 1. SG rule changes, 2. IAM policy assignment, 3. SSO permission set assignments.

1. Is there anything else driftctl catches that I’m missing?
2. If I’m correct about the above, why do you use driftctl and not simply run a TF plan on a cron and see if any drifts are detected (like env0 are suggesting, or even Spacelift)?

andylampover 4 years ago(edited)

hi there, I am trying to use: https://github.com/cloudposse/terraform-aws-elasticache-redis however, then I use subnets fetched through a data resource in the form of:

data "aws_vpc" "vpc-dev" {
  tags       = { environment = "dev" }
  depends_on = [module.vpc-dev]
}

data "aws_subnet_ids" "vpc-dev-private-subnet-ids" {
  vpc_id     = data.aws_vpc.vpc-dev.id
  depends_on = [module.vpc-dev]
  tags = {
    Name = "*private*"
  }
}

And plug that into the configuration it throws an error saying:

│ Error: Invalid count argument
│ 
│   on .terraform/modules/my-redis-cluster.redis/main.tf line 31, in resource "aws_elasticache_subnet_group" "default":
│   31:   count      = module.this.enabled && var.elasticache_subnet_group_name == "" && length(var.subnets) > 0 ? 1 : 0
│ 
│ The "count" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created. To work around this, use
│ the -target argument to first apply only the resources that the count depends on.

has anyone encountered that error before? If so, how did you solve it?

Mark juanover 4 years ago

Do anyone know how to add cloudwatch as grafana data source by using helm chart(prometheus-grafana)?

Mark juanover 4 years ago

For better context i'm using this values.yaml

podSecurityPolicy:
  enabled: true
grafana:
  datasources:
    datasources.yaml:
    apiVersion: 1
    datasources:
    - name: Cloudwatch
      type: cloudwatch
      isDefault: true
      jsonData:
        authType: arn
        assumeRoleArn: "${ASSUME_ROLE_ARN}"
        defaultRegion: "${CLUSTER_REGION}"
        customMetricsNamespaces: ""
    version: 1
  grafana.ini:
    feature_toggles:
      enable: "ngalert"
  autoscaling:
    enabled: true
    minReplicas: 1
    maxReplicas: 10
    metrics:
    - type: Resource
      resource:
        name: cpu
        targetAverageUtilization: 80
    - type: Resource
      resource:
        name: memory
        targetAverageUtilization: 80
  image:
    repository: grafana/grafana
    tag: 8.1.0
  ingress:
  %{ if GRAFANA_HOST != "" }
    enabled: true
    hosts:
      - ${GRAFANA_HOST}
  %{ else }
    enabled: false
  %{ endif }
prometheus:
  prometheusSpec:
    storageSpec:
      ## Using PersistentVolumeClaim
      volumeClaimTemplate:
        spec:
          storageClassName: gp2
          accessModes: ["ReadWriteOnce"]
          resources:
            requests:
              storage: 50Gi

Pierre-Yvesover 4 years ago

nice trick I learn today: conditionnally create a block
https://codeinthehole.com/tips/conditional-nested-blocks-in-terraform/

AugustasVover 4 years ago

For login to AWS, right now I manually using some bash scripts to assume role, but that MFA token expire every 1 hour. What would be option to automate those tasks? I would like probably to use docker

managedkaosover 4 years ago(edited)

Hello team! Asking a question about name length limits.

TLDR
Is there a document listing resources and their associated limits for the name and name_prefix lengths?

Details
Some resources have limits imposed on how long the name or name_prefix can be when being created in terraform. For aws_iam_role , for example, the name_prefix limit is 32 characters.

I sometimes have long values for the variables i use to populate the name prefix so I protect from errors by using substr like this:

var.name        = "super-cool-unicorn-application"
var.environment = "staging"

resource "aws_iam_role" "task" {
    ...
    name_prefix = substr("${var.name}-${var.environment}-task-", 0, 32)
    ...
}

However, I know that other resources allow for longer values for name_prefix (can’t think of one off the top of my head… will add it if i find it).

I’d like to use a reference for these lengths so I can allow my names and prefixes to be as long as possible.

Does such a reference exist? If not, is there a where to “mine” it out of the terraform and/or provider source code? 🤔

Erik Osterman (Cloud Posse)over 4 years ago

Live HashiCorp Boundary demo right now!

https://sweetops.slack.com/archives/CB3579ZM3/p1629311407009500

rssover 4 years ago(edited)

v1.0.5
1.0.5 (August 18, 2021)
BUG FIXES:
json-output: Add an output change summary message as part of the terraform plan -json structured logs, bringing this format into parity with the human-readable UI. (#29312)
core: Handle null nested single attribute values (<a href="https://github.com/hashicorp/terraform/issues/29411"...

Tony Bowerover 4 years ago

I see a context.tf referred to in many of the CloudPosse modules. Is that a file I should copy and commit to my project unaltered?

Mohammed Yahyaover 4 years ago

Terraform v1.0.5 now adds summary in JSON plan, 😢 I just implemented this using JQ last week 😭

Mohammed Yahyaover 4 years ago

Mark juanover 4 years ago

Do anyone know how to add cloudwatch as data source in grafana using this helm chart https://github.com/prometheus-community/helm-charts?

Alencar Juniorover 4 years ago(edited)

Hi all, I have a question about creating service connections resources on Azure Devops. Terraform stores the personal_access_token value in the state file and I would like to avoid that. I was wondering if there is a better and more secure approach of creating this resource?

resource "azuredevops_serviceendpoint_github" "serviceendpoint_github" {
  project_id            = azuredevops_project.project.id
  service_endpoint_name = "xyz"

  auth_personal {
    personal_access_token = "TOKEN"
  }
}

Andrew Rothover 4 years ago(edited)

Should I be able to do this?

module "foo" {
  source = "git::<https://foo.com/bar.git?ref=${var.module_version}>"

Specifically, pulling the ref from a TF variable

Grubholdover 4 years ago(edited)

SOLVED Hi folks, I’m using CloudPosse’s ECS web app module along with SSM Parameter store. I have a bunch of secrets and variables in .tfvars that I have used to create and pass them on SSM and encrypt with KMS. But I’m not sure how to actually pass those from SSM to ECS Task Definition for the containers? I couldn’t figure it out from the modules and I need it to be secure. Would appreciate your guidance.

Desire BANSEover 4 years ago

Hi folks.
I'm getting a AWS region issue when trying to run terraform-aws-config/examples/cis . For some reason it expects eu-west-1 while I have set it at us-east-1.

module.aws_config.aws_config_aggregate_authorization.central[0]: Creating...
aws_iam_policy.support_policy: Creating...
module.aws_config.aws_config_configuration_recorder.recorder[0]: Creating...
aws_iam_role.support_role: Creating...
module.aws_config_storage.module.storage[0].aws_s3_bucket.default[0]: Creating...
module.aws_config.aws_config_configuration_recorder.recorder[0]: Creation complete after 0s [id=config]
module.aws_config.aws_config_aggregate_authorization.central[0]: Creation complete after 1s [id=NNNNNN:us-east-1]
aws_iam_policy.support_policy: Creation complete after 1s [id=arn:aws:iam::NNNNNNNNN:policy/terraform-NNNNNN]
aws_iam_role.support_role: Creation complete after 1s [id=test-policy]
aws_iam_policy_attachment.support_policy_attach: Creating...
aws_iam_policy_attachment.support_policy_attach: Creation complete after 0s [id=test-policy]
╷
│ Error: Error creating S3 bucket: AuthorizationHeaderMalformed: The authorization header is malformed; the region 'us-east-1' is wrong; expecting 'eu-west-1'
│ 	status code: 400, request id: ID, host id: ID
│
│   with module.aws_config_storage.module.storage[0].aws_s3_bucket.default[0],
│   on .terraform/modules/aws_config_storage.storage/main.tf line 1, in resource "aws_s3_bucket" "default":
│    1: resource "aws_s3_bucket" "default" {

Yoni Leitersdorf (Indeni Cloudrail)over 4 years ago

Wow this is cool: https://github.com/hashicorp/terraform-provider-aws/pull/18585 I actually needed it.

Mohammed Yahyaover 4 years ago

I faced this issue in https://github.com/cloudposse/terraform-aws-dynamic-subnets

╷
│ Error: Error in function call
│ 
│   on .terraform/modules/subnets/outputs.tf line 53, in output "nat_ips":
│   53:   value       = coalescelist(aws_eip.default.*.public_ip, aws_eip.nat_instance.*.public_ip, data.aws_eip.nat_ips.*.public_ip, list(""))
│ 
│ Call to function "list" failed: the "list" function was deprecated in Terraform v0.12 and is no longer available; use tolist([ ...
│ ]) syntax to write a literal list.

with version 1.0.5 if I have time I will create a PR

Mohammed Yahyaover 4 years ago

never mind I’m using old version of the module

Adnanover 4 years ago(edited)

I want to have dedicated private subnet sets for each AWS service used such as RDS, ElastiCache, etc.
I want to use a dedicated VPC CIDR e.g. 10.0.0.0/16
I want to then break that IP Range down to many more subnets and much less hosts using a mask of /29

I wish these subent sets could be created dynamically and used for the different services without conflicts and
without me having to specify each subnet manually e.g. :

Some RDS MySQL Instance > 10.0.0.0/29, 10.0.0.8/29, 10.0.0.16/29
Another RDS MySQL Instance > 10.0.0.24/29, 10.0.0.32/29, 10.0.0.40/29
Some EC Redis Instance > 10.0.0.48/29, 10.0.0.56/29, 10.0.0.64/29
....
....

Can I achieve that with https://github.com/cloudposse/terraform-aws-dynamic-subnets ?

Mark juanover 4 years ago

Hi everyone! After adding the cloudwatch as data source in grafana by using kube-prometheus-stack helm chart, it got added, but as i am testing it it's saying metric request error, also none of the dashboards are working!!

Mark juanover 4 years ago

The policy and role i'm using are

data "aws_iam_policy_document" "grafana_cloudwatch" {
  statement {
    sid    = "AllowReadingMetricsFromCloudWatch"
    effect = "Allow"
    actions = [
      "cloudwatch:ListMetrics",
      "cloudwatch:GetMetricStatistics",
      "cloudwatch:GetMetricData"
    ]
    resources = ["*"]
  }

  statement {
    sid    = "AllowReadingLogsFromCloudWatch"
    effect = "Allow"
    actions = [
      "logs:DescribeLogGroups",
      "logs:GetLogGroupFields",
      "logs:StartQuery",
      "logs:StopQuery",
      "logs:GetQueryResults",
      "logs:GetLogEvents"
    ]
    resources = ["*"]
  }
  
  statement {
    sid       = "AllowReadingResourcesForTags"
    effect    = "Allow"
    actions   = ["tag:GetResources"]
    resources = ["*"]
  }
}

data "aws_iam_policy_document" "base_policy" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["<http://ec2.amazonaws.com|ec2.amazonaws.com>"]
    }
    effect = "Allow"
  }
}

data "aws_iam_policy_document" "account_assume_role" {
  source_json = data.aws_iam_policy_document.base_policy.json
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["${data.aws_caller_identity.current.arn}"]
    }
    effect = "Allow"
  } 
}

resource "aws_iam_role" "cloudwatch_role" {
  name               = "${local.cluster_name}-grafana-cloudwatch-role"
  assume_role_policy = data.aws_iam_policy_document.account_assume_role.json
}

resource "aws_iam_policy" "data_source_policy" {
  name_prefix = "${local.cluster_name}-grafana-cloudwatch-policy"
  policy      = data.aws_iam_policy_document.grafana_cloudwatch.json
}

resource "aws_iam_role_policy_attachment" "DataSourceCloudwatchPolicy" {
  policy_arn = aws_iam_policy.data_source_policy.arn
  role       = aws_iam_role.cloudwatch_role.name
}

Michael Dizonover 4 years ago

I think I found a bug. https://github.com/cloudposse/terraform-aws-components/blob/master/modules/iam-primary-roles/providers.tf#L17 references a couple of variables that are not defined in iam-roleshttps://github.com/cloudposse/terraform-aws-components/blob/master/modules/account-map/modules/iam-roles/variables.tf

Steve Wade (swade1987)over 4 years ago

variable noob question ... how do I make sure a string does not have the word latest in it?

Pavelover 4 years ago

trying to figure out why i cant reach my redis cluster using this https://github.com/cloudposse/terraform-aws-elasticache-redis#output_host

Pavelover 4 years ago

what subnet should i put this one?

Pavelover 4 years ago

i have private and public ones

Pavelover 4 years ago

i have ec2 which is on a public subnet, same vpc, i put the cluster on a private one, but if its same vpc shouldn't it be reachable? the sg is just anything from source vpc should allow ingress

Pavelover 4 years ago

what is this subnet group?

Pavelover 4 years ago

i didn't make this

Steve Wade (swade1987)over 4 years ago

its a default one that redis creates

Pavelover 4 years ago

the tf module wants a list of ids

Pavelover 4 years ago(edited)

oo i see subnet groups exist in elasticache

Pavelover 4 years ago

so it has all my pub/priv subnets

Pavelover 4 years ago

still cant get my ec2 to connect

Pavelover 4 years ago

redis-cli -h <http://master.nv21-development-redis.ez60p2.use1.cache.amazonaws.com|master.nv21-development-redis.ez60p2.use1.cache.amazonaws.com> ping

i get nothing just hangs there. not even a timeout

Pavelover 4 years ago

telnet just says connection timeout

Mr.Devopsover 4 years ago(edited)

hi there - trying to perform some conditional expression base on user_data and user_data_base64 arguments for aws_instance resources. I understand that you cannot use both argument in the resource but figure i ask the community. 🙏

long story short - i'm migrating our state and trying to prevent a resource recreation from a previous engineer sloppy mess.

Balazs Vargaover 4 years ago

hello all, I would like to create a cert for a private hosted zone. Before with ansible we created a public hosted zone, then created he cert and waited until it became valid then deleted the hosted zone and create the zone with same name in private mode. How can I do the same in terraform ?

Mark juanover 4 years ago

Hi everyone! I am a using a policy and added tag on it, and in the policy i'm filtering on the conditions based on the tag like this, but it's not filtering out!

Mark juanover 4 years ago

data "aws_iam_policy_document" "grafana_datasource" {
  statement {
    sid    = "AllowReadingMetricsFromCloudWatch"
    effect = "Allow"
    actions = [
      "cloudwatch:ListMetrics",
      "cloudwatch:GetMetricStatistics",
      "cloudwatch:GetMetricData"
    ]

    resources = ["*"]

    condition {
      test     = "StringEquals"
      variable = "aws:ResourceTag/Project"
      values = [
        "${local.cluster_name}"
      ]
    }
  }
  statement {
    actions   = ["sts:AssumeRole"]
    resources = [aws_iam_role.grafana_datasource.arn]
  }
}

Mark juanover 4 years ago

locals{
  common_tags = {
    Project     = local.cluster_name
    Provisioner = "TERRAFORM"
    Environment = local.environment
  }
}

Mark juanover 4 years ago

resource "aws_iam_policy" "data_source_policy" {
  name_prefix = "${local.cluster_name}-grafana-cloudwatch-policy"
  policy      = data.aws_iam_policy_document.grafana_datasource.json
  tags        = local.common_tags
}

Mark juanover 4 years ago

Can someone help me with this?

Alex Jurkiewiczover 4 years ago

iam policies are about permissions, not filtering

Alex Jurkiewiczover 4 years ago

you can't let people see only a subset of metrics with ListMetrics

Alex Jurkiewiczover 4 years ago

well, you can put the resources in seperate regions or accounts

Mark juanover 4 years ago

https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatch.html#amazoncloudwatch-policy-keys

managedkaosover 4 years ago

Hello, team! Have you seen TF resources (IAM roles in particular) show bogus changes like this:

   ~ resource "aws_iam_role" "codedeploy" {
      ~ assume_role_policy    = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Principal = {
                          ~ Service = [
                              - "<http://codedeploy.amazonaws.com|codedeploy.amazonaws.com>",
                                "<http://ecs-tasks.amazonaws.com|ecs-tasks.amazonaws.com>",
                              + "<http://codedeploy.amazonaws.com|codedeploy.amazonaws.com>",
                            ]
                        }
                        # (3 unchanged elements hidden)
                    },
                ]
                # (1 unchanged element hidden)
            }
        )

Note that this section is really just a rehash of what’s already there:

                              - "<http://codedeploy.amazonaws.com|codedeploy.amazonaws.com>",
                                "<http://ecs-tasks.amazonaws.com|ecs-tasks.amazonaws.com>",
                              + "<http://codedeploy.amazonaws.com|codedeploy.amazonaws.com>",

I thought it might be an ordering thing but not sure… 🤔

RBover 4 years ago

my first aws provider update. please upvote if you want better rabbitmq / mq broker support. 🙏

https://github.com/hashicorp/terraform-provider-aws/pull/20661

Almondovarover 4 years ago

Hi colleagues, i am updating our eks terraform module from v 13 to v 17 and i noticed in the terraform plan that it wants to remove the autoscaling groups, any idea why it wants to do that? 🤯

 ~ resources              = [
          - {
              - autoscaling_groups              = [
                  - {
                      - name = "eks-xxxx"
                    },
                ]
              - remote_access_security_group_id = ""
            },

Amit Karpeover 4 years ago

What are the main advantage using cp vs normal module AWS EKS?
cloudposse/terraform-aws-eks-cluster VS terraform-aws-modules/terraform-aws-eks

ekristenover 4 years ago(edited)

The releases notes for the vpc module say "this version is not recommended for 0.26.1", does that mean 0.26.1 or 0.26.0 since 0.26.0 introduced a breaking change? or should 0.26.x be avoided entirely because it's not a major bump and apparently there are some breaking changes?

Michael Dizonover 4 years ago

hey everyone. i've been using atmos to set up my latest project over the past two weeks. it's been great so far! i am strugging a little bit with accessing the s3 bucket and dynamodb table which was created in the master account, when. switch to a (terraform) that I created on the identity account that the account module created. it seems like a role and policy needs to be created for this to work. any ideas/suggestions? 🙏

Tom Vaughanover 4 years ago

When using terraform-aws-tfstate-backend is it possible to use a single dynamoDB table? Currently using it for several different services on AWS and each are in a separate folder and the result is a table for each service.

Zachover 4 years ago

You only need one dynamodb table for all of your terraform locking yes

larry kirschnerover 4 years ago(edited)

question about setting up ECS for a microservice-based app:

Is there any example that shows how to set up an app that is a collection of micro services where:

• each micro service has its own docker image/container definition
• micro services can route to other micro services w DNS names, e.g. uploads can make requests to <http://graphql.microservice>
• the ingress (ALB?) load balancer maps HTTP paths to different microservices, e.g. /home, /graphql

...I've been looking at these two modules and their examples:

https://github.com/cloudposse/terraform-aws-ecs-web-app/

https://github.com/cloudposse/terraform-aws-ecs-alb-service-task

...but I can't tell if either is intended to support an app composed of multiple ECS micro services that can intercommunicate?

AugustasVover 4 years ago

  count = length(aws_db_instance.db_instance) 
 on aws_cloudwatch_alarm.tf line 4, in resource "aws_cloudwatch_metric_alarm" "unhealthyhosts":
   4:   alarm_name          = "${aws_db_instance.db_instance[count.index].identifier}.${var.environment} unhealthy machine in ${aws_db_instance.db_instance[count.index].identifier}!"
    |----------------
    | aws_db_instance.db_instance is object with 66 attributes
    | count.index is 27

Why is that?

Alex Jurkiewiczover 4 years ago(edited)

looks like aws_db_instance.db_instance object (aka map) does not have an item called "27"

Manuel Morejónover 4 years ago

Hi team! Nice to be here with you.
I’m facing this issue https://github.com/cloudposse/terraform-aws-elasticsearch/issues/57
Do you have any suggestion to resolve it?

July 2021 Browse by date September 2021