#terraform - March 2022

does anyone know why when i cut a new release for my module, the terraform registry does not update to reflect it?

I really wish CloudPosse modules would all bump to 1.0. The lack of semver is really annoying when upgrading. I have to carefully read each release's changelog and try to determine if a change is backwards-compatible myself. For instance, this changelog (picking on myself):

v0.29.0

Only specify ttl block if ttl_enabled is true @alexjurkiewicz (#95)

Is this backwards-compatible from 0.28.0? Who knows! I have to either read the PR's diff or upgrade and check the plan.

hmm... so the https://github.com/cloudposse/terraform-yaml-config module ... have a question on "variability" of list entries ... 🧵

v1.1.7
1.1.7 (March 02, 2022)
BUG FIXES:
terraform show -json: Improve performance for deeply-nested object values. The previous implementation was accidentally quadratic, which could result in very long execution time for generating JSON plans, and timeouts on Terraform Cloud and Terraform Enterprise. (#30561)
cloud: Update go-slug for...

Is there a good argument for or against adding remote_state entries in a Terraform module? We're developing one internally, and having to have all the callers pass in information they find in remote state feels kludgy

Hi everybody, I was wondering if I could get some input here. I am attempting to use your terraform-aws-rds-cluster module to manage some of our postgres aurora clusters. These clusters already exist, and I will need to import them into Terraform. The subnet group already has a name (which was autogenerated by Cloudformation, it is not pretty), which does not match the module.this.id pattern the module is using. The problem with this is that changing the name causes the subnet group to be recreated, which in turn will cause the database to be recreated (which we want to avoid). Are there are suggested work arounds here? Would it be possible to add a “subnet_group_name” variable to this module, to solve for cases like this? Thanks!

Anyone know a way around feeding aws_iam_policy_documents into a for_each? Complains about The "for_each" value depends on resource attributes that cannot be determined until apply, which (to me) doesn't make much sense, because that data source is just a way to specify a blob of json

anyone else tried using the tfstate-backend module v0.38.1 ? appears it's broken and undeployable

Trying to use “cloudtrail-s3-bucket” - getting 2 messages This object does not have an attribute named "enable_glacier_transition".. Im sure its a UFU but I don’t know where to look

Getting aws-auth exception when i try to make changes to eks cluster like updating security group and apply, tried to use apply load from local config but that also did not work. Any work around for this? i can make changes to node group though.

Exception:

null_resource.add_custom_tags_to_asg: Refreshing state... [id=5885391824448464606]
╷
│ Error: Get "<http://localhost/api/v1/namespaces/kube-system/configmaps/aws-auth>": dial tcp [::1]:80: connect: connection refused
│
│   with module.eks_cluster.kubernetes_config_map.aws_auth[0],
│   on .terraform/modules/eks_cluster/auth.tf line 135, in resource "kubernetes_config_map" "aws_auth":
│  135: resource "kubernetes_config_map" "aws_auth" {
│

provider "kubernetes" {
  host                   = data.aws_eks_cluster.cluster.endpoint
  cluster_ca_certificate = base64decode(module.eks_cluster.eks_cluster_certificate_authority_data)
  token                  = data.aws_eks_cluster_auth.cluster.token
}
module "eks_cluster" {
  source                                    = "cloudposse/eks-cluster/aws"
  version                                   = "0.45.0"

module "eks_node_group" {
  source                                   = "cloudposse/eks-node-group/aws"
  version                                  = "0.27.3"
  namespace                                = var.namespace
  stage                                    = var.stage

Hi everyone, I'm currently building a Terraform-like application for declarative cloud provisioning, using python/django. The reason for this is that Terraform cannot be used reliably within an automated system, for example when launching managed services as part of a SaaS offering. I was wondering if anyone else here is looking at solving the same problem? I am looking for contributors.

is this a "the way to get tech support online is to say something obviously wrong" technique question? Terraform is perfect for managing PaaS infra

No not at all. Terraform is great but it isn't reliable if you are launching resources in customer's accounts or VPCs, where numerous problems can arise

Imagine launching thousands of services across thousands of clients, being able to fail gracefully, destroy resources, report errors, negotiate availability and so on.

Starting from scratch seems a bit questionable. Have you considered: https://www.pulumi.com ? I haven't used it myself but I believe it's python friendly. There is a k8s project called cross plane that might also be worth looking at too. Also, have you thought about just forking the TF provider code base? I think cloudposse does this with the AWS provider.

Or maybe crossplane... https://crossplane.io/

Thank you Venkata and Loren. I will take a closer look at Pulumi. As for crossplane, it looks interesting but I'm not so interested in being tied to k8s. I basically want a terraform clone for creating resources.

Running the commands for creation, deletion etc can be done with the cloud providers' python clients. But managing the state changes, retries, error reporting etc seems like something that I would need to build?

I'm not a fan of k8s, generally, but crossplane is interesting in that I think the idea is to declare the desired state and let crossplane use k8s to converge to it

Otherwise, what you're taking about sounds like something any of the TACOS might help with, e.g. Terraform Cloud, Spacelift, Env0, Atlantis, Scalr, etc...

Imagine launching thousands of services across thousands of clients, being able to fail gracefully, destroy resources, report errors, negotiate availability and so on.

I think this is a perfect reason to use a tool like Terraform for Pulumi on your back end.

Your webapp could just be a wrapper with permission to call the correct commands on the backend with the correct permission.

But question, @Ross Rochford, how much variance is contained in the resources you would be deploying across so many clients? If its more than 2-3, you might need to place more effort in customer support to tweak all the changes needed per client. But if you are deploying just a few different collections of resources, you would be well served to code up a module in TF or Pulumi that describes the collection, test the heck out of it, and then have your webapp (or a TACO or other “Infra as code” manager) deploy your configurations.

I have another sidebar question: who would be using the webapp? You or the clients? I’m just trying to get an idea of who would benefit from the experience and what the needs are.

Hello everyone,

I have a question about for_each

I have cluster role binding,
resource "kubernetes_cluster_role_binding" "example" {
metadata {
name = "terraform-example"
}
role_ref {
api_group = "rbac.authorization.k8s.io"
kind = "ClusterRole"
name = "cluster-admin"
}
subject {
kind = "User"
namespace = "*"
name = "https://sts.windows.net/3e3f1922-84b0-4718-a307-431aa543dae5/#mike@microsoft.com"
}
subject {
kind = "User"
namespace = "*"
name = "https://sts.windows.net/3e3f1922-84b0-4718-a307-431aa543dae5/#david@microsoft.com"
}
subject {
kind = "User"
namespace = "*"
name = "https://sts.windows.net/3e3f1922-84b0-4718-a307-431aa543dae5/#adam@microsoft.com"
}
subject {
kind = "User"
namespace = "*"
name = "https://sts.windows.net/3e3f1922-84b0-4718-a307-431aa543dae5/#ranne@microsoft.com"
}
subject {
kind = "User"
namespace = "*"
name = "https://sts.windows.net/3e3f1922-84b0-4718-a307-431aa543dae5/#ken@microsoft.com"
}
}

subject {
kind = "User"
namespace = "*"
for_each = toset(["mike", "david", "adam", "ranne", "ken"])
name = "https://sts.windows.net/3e3f1922-84b0-4718-a307-431aa543dae5/#"-"${each.value}"-"@microsoft.com"
}

I feel not right, can anyone help plz ?

thank you

maybe you want a dynamic block instead?

@managedkaos I will take a closer look at Pulumi but my experience with Terraform suggests that it is simply not designed for my use case. It often fails without grace or runs into problems with its state. There are various hacks, but in the long run I don't see it as reliable in the way I need it to be. When a failure occurs it is important that we can trace exactly what the issue was and that we have full access to the API responses from the cloud provider.

In terms of variance, we would like this problem to be solved in general, for many use cases, resource types and environments. The business is a marketplace for managed services, we mediate between developers who provision and deploy services, and customers who want to run them with the support of people who have expertise in those services (say for example Redis clusters). This mediation involves providing convenient APIs to developers, so a robust terraform-like declarative API would be a key part of our offering.

There are various hacks, but in the long run I don’t see it as reliable in the way I need it to be.

Got it. I can agree that everything isn’t for everyone. 🙂

This mediation involves providing convenient APIs to developers, so a robust terraform-like declarative API would be a key part of our offering.

It sounds like you’re set on building a very viable solution. I think in the end, you will likely have something that is on par with terraform and wonder if you would consider offering your solution as a business along with the business built on top of it.

If external developers are using your solution, I think that changes your focus a bit since its very likely the developers will want new features, updates to match changes in cloud provider APIs, support for any problems and so on. I totally get your point about not using TF as a solution and I’m on board with you figuring out your path without it, but I feel like using a third party solution like TF or Pulumi would save you from having to do a lot of the heavy lifting that’s already being done with those technologies.

I wish you all the best and look forward to hearing more about your solution! 👍️🏾

Yes, it is definitely a large project to take on and merits some caution on not reinventing the wheel.

On the other hand, my initial prototype suggests that this problem has a lot of repeated functionality that can be reused across all resources and providers. The webapp does the declarative->imperative mapping magic, so implementing a new resource simply involves adding 1-2 DB tables and 3-5 custom methods (create, list, get, delete, update). These are typically fairly short implementations because they can avail of the cloud provider's python API client.

I'll keep you posted, would be great to demo it to this slack channel.

Error creating SSM activation: ValidationException: Nonexistent role or missing ssm service principal in trust policy module beanstalk environment.. What is wrong?

It is appears after first apply. When I run terraform apply next time all works fine

Hi colleagues, i need to import a key pair but our infra is in terraform cloud, any ideas of how i can get terminal access on terraform cloud please?

How would you setup IIS with Terraform in a Windows EC2 instance?

I know that there's the user_data argument that can be passed to the launch_configuration but I'm unsure of where to go from there.

The goal is to have instances setup for hosting without having to setup envs by hand

Hi all, Trying to make changes to the Loadbalancer SG on CloudPosse ElasticBeanstalk v0.40.0, I’m trying to affect this by using the loadbalancer_managed_security_group but when referencing either a SG id or arn. when doing this i’m getting this error response:

Error: Error waiting for Elastic Beanstalk Environment (e-tpbxpwqcnp) to become ready: 2 errors occurred:
│       * 2022-03-15 14:30:44.562 +0000 UTC (e-tpbxpwqcnp) : Service:AmazonCloudFormation, Message:[/Resources/AWSEBV2LoadBalancer/Type/SecurityGroups] 'null' values are not allowed in templates
│       * 2022-03-15 14:30:44.704 +0000 UTC (e-tpbxpwqcnp) : Failed to deploy configuration.

When starting this the environment is in a OK state.

Any help would be appreciated

I’m having an issue with awscc provider, I just added the provider to required_providers but I’m not using yet and after init I can’t plan anymore and I get this error 🧵

I'm using "cloudposse/elastic-beanstalk-environment/aws" (v0.46.0) with loadbalancer_type = "classic" and tier = "WebServer" and I'm getting a bunch of modifications to elb settings every time I run plan (This is just one of the settings that changes):

      - setting {
          - name      = "HealthCheckInterval" -> null
          - namespace = "aws:elasticbeanstalk:environment:process:default" -> null
          - value     = "10" -> null
        } 

These changes are on an embedded resource of the module, so I don't think there is a way to use lifecycle.ignore_changes. Are there any recommendations for reducing the noise in the output of terraform plan?

Hi, does anyone have any tips on how to change the origin of the Default behavior when using this terraform-aws-cloudfront-s3-cdn module?
The default behavior routes traffic to the S3 origin - I’d like it routed elsewhere.

Hi! Is there any docs or best-practices about how you folks @ CloudPosse do TF refactoring? I mean suppose you have some functionality in the root module and you realise that some parts should go to a dedicated module. I’m mostly interested in how you manipulate with the state during the refactoring of the modules that are in use. What’s the workflow, who is responsible for making changes to the state, how you control this, etc. I do remember the discussion about when one should decide to write a module. However, I don’t remember the discussions about the refactoring:) Now we have this cool moved {} possibility, probably it’s a great help here. But last time we tried it didn’t work for modules outside of the current repo.

Hello! I’m using the module from Cloudposse to create waf acl / rules, i think module is not supporting the “RuleLabels” feature when adding a new rule based on countries, can someone help me? 🙏
https://github.com/cloudposse/terraform-aws-waf#input_geo_match_statement_rules
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#rule_label
Thanks!!!

Hi everyone! I am interested in recommended approaches for managing infrastructure with terraform involving providers not accessible from a cloud based pipeline via public internet. My use case here looks like this:
1. cloud based pipeline creates initial AWS stack (VPC, EKS, IAM stuff, etc.)
2. another (cloud based?) pipeline using TF with Kubernetes, Vault and other providers creates resources in the cluster
Now, this all works fine, when the Kubernetes API, Vault and other involved services are publicly accessible. However, if Kubernetes API and Vault is only accessible from within the cluster (or VPC) the 2. pipeline concept breaks as TF can’t manage resources using the Vault provider (the Kubernetes API connection might get worked around with whitelisting or such).

Also, my understanding is that some web hook based tooling might also break since GitHub would not be able to trigger anything inside the cluster.
Are my assumptions correct? If so, are there any best practices or blue prints how to set things up in these scenarios? Appreciate any input here. Thanks!

Hello world. Does anyone have any good examples in managing AWS landing zones with AWS control tower? Or Landing Zones in general?

Hello people, I need to “copy and paste” all the resources from one AWS account to another. I am planning to try https://github.com/GoogleCloudPlatform/terraformer Do you have any experience on that? whats your feedback?

Hello! I am facing an issue... I developed a terraform module on a private repo on GitHub; it has:

examples     main.tf      tests        variables.tf

However, I am failing at the moment of calling the module; I am using a for_each to iterate over different services that need the module; the issue is:
I can't put a provider in the module due to the for_each
If I did not put the provider in the module, terraform tries to use a source that doesn't exist ( I have to use 'DataDog/datadog', but it tries to use 'hashicorp/datadog' ). In any part of the module, I didn't declare 'hashicorp/datadog.'

Anyone have thoughts on how to handle circular dependencies within security groups, across modules? Modules seem to need to be created as a package. So if I use a cloudposse-style module for my application, it creates a security group in the application module. I want to also pass in that security group to the elasticsearch module for ingress access, and then use the elasticsearch security group in the applications egress access rule.

Is there a way to have subject_alternative_names that are not in the same route53 zone as the zone_name when using "cloudposse/acm-request-certificate/aws?

For instance if I set:

 domain_name                       = <http://foo.bar.example.com|foo.bar.example.com>
 subject_alternative_names         = <http://foo.exmaple.com|foo.exmaple.com>
 zone_name                         = <http://bar.example.com|bar.example.com>

bar.example.com and example.com are two different route53 zones. The module will only try to set the certificate validation in the zone specified by zone_name and thus will fail waiting for it to be approved

Curious what TF provider folks are using for provisioning things in PostgreSQL ?

I need to deploy some AWS extensions in PgSQL … aws_commons & aws_lambda to allow triggering of Lambda from PostgreSQL …

Historically we have been using https://registry.terraform.io/providers/cyrilgdn/postgresql/latest/docs
but I absolutely hate how it handles grants for DB resources.

v1.2.0-alpha-20220328
1.2.0 (Unreleased)
NEW FEATURES:
precondition and postcondition check blocks for resources, data sources, and module output values: module authors can now document assumptions and assertions about configuration and state values. If these conditions are not met, Terraform will report a custom error message to the user and halt further evaluation.
Terraform now supports run tasks, a Terraform Cloud...

hi guys please i need help with any pointers.
I am trying to write terraform for route53 healthcheck and it requires fqdn or ip_address

resource "aws_route53_health_check" "example" {
  fqdn              = "<http://example.com|example.com>"
  port              = 80

problem is i am getting the fqdn dynamically from the output of api gateway stage (the invoke url) which is returned as <https://example.com>
Do you know any function i can use to get rid of https:// so it will only input <http://example.com|example.com> to my health check resource or how can i achieve this (edited)

heyy lowww everyone

I had a question about the cloudposse/elasticsearch/aws terraform module

Does it support provisioning a cluster on the nvme ssds of the i3.2xlarge instances?

Hi there, what do you do when you need something that hasn't been implemented in provider terraform-provider-aws yet? I'm missing this merge request https://github.com/hashicorp/terraform-provider-aws/pull/21766 😞

hi all, using the cloudposse rds-cluster module and running into some issues trying to perform a major engine version upgrade. made a bug ticket here: https://github.com/cloudposse/terraform-aws-rds-cluster/issues/134 but the tl;dr is when the plan is applied AWS returns this error:

Failed to modify RDS Cluster (api-db): InvalidParameterCombination: The current DB instance parameter group api-db-xxxxxxx is custom. You must explicitly specify a new DB instance parameter group, either default or custom, for the engine version upgrade.

don't believe i have the ability to set that parameter group name (or even use the default), so at a loss on the workaround here

Hi Terraformers, how do you organize your local variables? Do you use single file eg. locals.tf and then you define all local variables in single file or you have locals all over the files?

I tend to have a locals.tf at least for the root modules to increase readability, but now I am facing an issue that I need to have locals {} in separate file, well to increase readability in junction with aws_organizations_policy .

Example as follows, please ignore generic resource names. Should serve just as an example.

locals {
  policy_template = templatefile("${path.module}/templates/template.tftpl", {
   {...}
  })
}

resource "aws_organizations_policy" "policy" {
  name        = local.policy_name
   content     = local.policy_template
  type        = "BACKUP_POLICY"

}

Hey all, while using the cloudposse terraform-aws-efs module https://github.com/cloudposse/terraform-aws-efs, I have stumbled on an issue and trying to figure out if there is a workaround for it.

So I have a efs file system created and within that I have 5 access points defined ( one for each micro service, so they have restricted access to subdirectories). Now if I add a name to the efs file system using name variable, then all the access points also get the same name.
And from the code it looks like this is because of https://github.com/cloudposse/terraform-aws-efs/blob/master/main.tf#L86 where in the access points are using the same set of tags as been used by the efs file system.
doesn't it make sense to use "${each.key}" or something dynamic so each access point can have a different name.