#terraform - July 2022 | Slack Archive

46 messages

Archive: https://archive.sweetops.com/terraform/

Jun 2022

July 2022

Aug 2022

Vengariumover 3 years ago

god, i feel so useless.
I have 0 terraform knowledge, i'm trying to modify an existing template and the thrown errors don't help me much on fixing them 😞
This is the template -> https://github.com/kaisoz/terraform-nextcloud-ec2-rds-s3
My first mission is moving it from RDS MySQL to RDS Postgres
To do that, i searched for another example that was using RDS Postgres -> https://github.com/terraform-aws-modules/terraform-aws-rds/blob/v4.4.0/examples/complete-postgres/main.tf
I tried to copy some bits and here's when i fail.
I set

engine_version, family, major_engine_version

right under engine attribute at https://github.com/kaisoz/terraform-nextcloud-ec2-rds-s3/blob/master/modules/data/mysql/main.tf#L7
but terraform validate says

 An argument named "engine_version" is not expected here.

(for each new attr that i set)

Rechecking the other example, i noticed that i'm placing the attrs under a "resource" block, so tried moving them to https://github.com/kaisoz/terraform-nextcloud-ec2-rds-s3/blob/master/main.tf#L40
with the same result.

Okay, i'm placing them on the wrong place, i get it. But, how i know where i should be placing them?

Paulo Castroover 3 years ago

Hi Team, can anyone educate me on what is this Bridecrew / Code analysis step in githhub and how to correct it https://github.com/cloudposse/terraform-aws-emr-cluster/pull/54 ?

MSaadover 3 years ago(edited)

Hello 👋, i’m new to TF. I have some TF code that create a gcp bucket with a service account that should also have a condition. But for some reason the service account is created but its not linked to the bucket when created. what i mean by that is you can find the newly created SA in the SA section under the IAM and admin section but not under permissions in the created bucket. This is what the TF looks like ⬇️

Edward Nover 3 years ago

Hello hello. We're trying to augment our internal web-based deployment tool to use TerraformCloud instead of pure scripts. But, assigning a TFC Workspace to each customer causes friction in the implementation. Which makes me doubt if I'm using Workspaces correctly.
Is it a good design to assign a TFC Workspace name per customer environment?

Each customer, that buys our product, has a number of resources created for them and assigned to said customer. For example, cloud VMs. Our internal web-based tool, in essence, will wrap the creation of Terraform Workspaces, and their managed resources, for each customer using a tf module. We chose TFC so we can run multiple backend instances (high availability) and have TFC sync an environment's status.

But:
A tf module can't read the Workspace name from a tf variable. This makes us "sed" the tf module and inject the Workspace name. e.g., customer X will have a Workspace named "customer-x". This implementation feels wrong. As if Workspace names were meant to be fixed/rare.

Is it a good design to assign a TFC Workspace name per customer environment? Is using Workspace tags a better design? Can, at least, one Workspace tag be read from a tf variable, if it is a better design?

Christopher Boydover 3 years ago

Hi, all!
When using modules from git or the registry, is there a way to prevent multiple downloads?
For example, the following results in separate copies of the Git repo within my .terragrunt-cache/.../.terraform/modules:


module "iam_group_with_assumable_roles_policy" {
  source = "terraform-aws-modules/iam/aws//modules/iam-group-with-assumable-roles-policy"
  version = "5.2.0"
...
}

module "iam_assumable_role" {
  source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
  version = "5.2.0"
...
}

rssover 3 years ago

v1.3.0-alpha20220706
1.3.0 (Unreleased)
NEW FEATURES:

Optional attributes for object type constraints: When declaring an input variable whose type constraint includes an object type, you can now declare individual attributes as optional, and specify a default value to use if the caller doesn't set it. For example:
variable "with_optional_attribute" {
type = object({
a = string # a required attribute
b = optional(string) # an optional attribute
c = optional(number, 127) # an...

Max Asherover 3 years ago

👋 Hello, team! Please accept my apology if my question would sound silly. I am using cloudposse sftp transfer module. I have a user map that I want to use in two different module instances. My first module was created few days ago. With second module, Terraform returns error saying IAM role is already defined for all users in user map. I understand because the same users in a same usermap is given to second sftp tranfer module which is trying to create roles with same arn/ids.

How can I solve this? Thank you.

Tomerover 3 years ago(edited)

Hi...
I am using the WAFv2 module from CloudPosse and am wondering how I can implement mixed and_statement and not_statement rules...
My current rule defined using aws provider WAFv2 resources looks like this (see code snippet) but it would seem that the module does not support this pattern... or I just didn't understand how to do it. Not a bug, but maybe a feature request if it isn't currently supported

  rule {
    name     = "AllowMSAPIFromOffice"
    priority = 1
    action {
      block {}
    }
    statement {
      and_statement {
        statement {
          byte_match_statement {
            search_string = "/test-site"
            field_to_match {
              uri_path {}
            }
            text_transformation {
              priority = 0
              type     = "NONE"
            }
            positional_constraint = "STARTS_WITH"
          }
        }
        statement {
          not_statement {
            statement {
              ip_set_reference_statement {
                arn = aws_wafv2_ip_set.msys[0].arn
              }
            }
          }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = false
      metric_name                = "msys-test-site-metrics"
      sampled_requests_enabled   = true
    }
  }

Julio Chanaover 3 years ago

Hi!

I’m creating a cluster with the eks cluster module, and I’d like to know if it’s possible to specify a specific port range when allowing access to the cluster from a CIDR block.

Thanks!

yasin yaqoobiover 3 years ago

Hello, I am using the cloudposse/ecs-web-app/aws and everything works great except I am not sure how to have ecs start a task when a new definition is uploaded. I set the ignore_changes_task_definition = false but it fully deletes the service and creates a new one. Is this the default behavior or can we just launch a new task in the existing service and once that’s live we kill the old one.

Khaled Hussainover 3 years ago

Hello, I’ve raised a bug for the terraform-aws-sso project where any changes to policy definitions results in a mass destroy and (re-)create of terraform resources; we followed the example tf definitions but I’m wondering if we’re doing something wrong and if we can avoid this behaviour… any thoughts would be appreciated
https://github.com/cloudposse/terraform-aws-sso/issues/29

rssover 3 years ago(edited)

v1.2.5
1.2.5 (July 13, 2022)
BUG FIXES:
Report correct error message when a prerelease field is included in the required_version global constraint. (#31331)
Fix case when extra blank lines were inserted into the plan for unchanged blocks. (<a href="https://github.com/hashicorp/terraform/issues/31330" data-hovercard-type="pull_request"...

azecover 3 years ago

Hey friends!
I have been impacted by this bugfix in Terraform AWS provider v4.22.0 :
ISSUE: https://github.com/hashicorp/terraform-provider-aws/issues/25680
PULL REQUEST: https://github.com/hashicorp/terraform-provider-aws/pull/25681/files

I have described the regression which is affecting my current configuration in these comments:
1. https://github.com/hashicorp/terraform-provider-aws/issues/25680#issuecomment-1183812969
2. https://github.com/hashicorp/terraform-provider-aws/issues/25680#issuecomment-1183818419
Very simple PR, very simple fix, but feels like it introduces other issues to aws credentials chain flow.
Curious if anyone else is experiencing something similar?

In theory ( according to Authentication and Configuration ) , provider configuration is just 1st place where provider would try to find AWS configuration, but it shouldn't stop there if it fails.

ghostfaceover 3 years ago

i am using an assume_role block in my terraform aws provider block like this:

provider "aws" {
  assume_role {
    role_arn     = "arn:aws:iam::123456789012:role/ROLE_NAME"
  }
}

when running terraform however, it seems like that role isn't being used.

how can i confirm what role terraform is using?

ghostfaceover 3 years ago

does the 'assume_role' in the provider block get used to look up the state file in S3? or do the local credentials get used for reading the state file?

Jeremy (UnderGrid Network Services)over 3 years ago

Running into an interesting issue with the ec2-instance module... I need to spin up 4 instances, 2 in each of 2 regions... So I'm passing providers = { aws = aws.<alias> } to each of the module { } blocks... I'm getting 2 of the 4 running into issues during plan stage saying query returns no results, but they aren't for the same alias, it's actually one of each but the other 2 aren't erroring out

dan callumover 3 years ago

👋 Hello, everyone!

dan callumover 3 years ago(edited)

I am looking for suggestions on how to tackle a resource situation in AWS. The resource is "aws_backup_framework" used for compliance reporting and it checks backup plans and vaults for different controls. Has anyone tried deploying this resource to check multiple backup plans?
Say I have a daily backup plan, a weekly, a monthly backup plan with different backup frequency and backup retention settings. Use of MAP will make this messy very fast, IMO. Could be wrong though hence I need suggestions. What could be a decent method to deploy this? Should I do 1 framework per backup plan in flat file structure but then I am repeating myself again and again. 😕

Neil Caldwellover 3 years ago

👋 Hi all! I'm here, my name is Neil 🙂

András Sándorover 3 years ago

Hey CloudPosse, I'm having some troubles with the https://github.com/cloudposse/terraform-aws-ec2-instance . I'm attaching an IAM instance profile to give the instance access to my S3 bucket, but the credentials are never configured when I run any cli command:

admin@ip-10-5-1-11:~$ aws s3 ls
Unable to locate credentials. You can configure credentials by running "aws configure".
admin@ip-10-5-1-11:~$ aws configure list
Name Value Type Location
---- ----- ---- --------
profile <not set> None None
access_key <not set> None None
secret_key <not set> None None
region <not set> None None

I can see the IAM policy, role and profile successfully created and attached to the instance by terraform, I can query the metadata and it shows the role attached:

TOKEN=curl -X PUT "<http://169.254.169.254/latest/api/token>" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" && curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/iam/security-credentials/role

* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Accept-Ranges: bytes
< Content-Length: 1470
< Content-Type: text/plain
< Date: Tue, 19 Jul 2022 05:40:30 GMT
< Last-Modified: Tue, 19 Jul 2022 05:08:23 GMT
< X-Aws-Ec2-Metadata-Token-Ttl-Seconds: 21600
< Connection: close
< Server: EC2ws
<
{
"Code" : "Success",
"LastUpdated" : "2022-07-19T05:08:07Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "access-id",
"SecretAccessKey" : "secret-key",
"Token" : "token"
}

I've used the console to create an instance with the same AMI and profile, and also created and instance with terraform with same AMI profile, but not using the module, only an aws_instance resource, and both have the credentials configured on startup.

I couldn't find anything in the module the would keep the instance profile from being assumed, but based on the troubleshooting I did, it only seem to happen when using the module.

Any help appreciated.

Neil Caldwellover 3 years ago

Any tips/links on how to setup a lambda -> slack/teams webhook for notifications of SNS topics/cloudwatch alarms? Using terraform over around a dozen AWS accounts?

Hakan Kayaover 3 years ago

Hi everyone, I am trying to iterate over a list of strings (EKS cluster roles) and would like to have generate an output for the aws-auth configmap if the role name matches with IAM role ARNs which are being iterated over in the outer loop. Since the IAM role includes a non-predictable random part, the match should be based on a substring, ideally provided by replacing the variable of the cluster role string. I am thinking of something like this (pseudo-code):

locals {
  sso_arns = [for group in local.permission_sets.clustername : {
    groups   = [group]
    username = "${group}:{{SessionName}}"
    rolearn  = toset([for role in data.aws_iam_roles.sso_roles.names : role if role == group])

  }]
  map = yamlencode(local.sso_arns)
}

I am unsure about the if condition to match role with group and think that regex filter might make more sense, but then I have the problem of a variable substitution within the expression and I have no idea if this is even possible with Terraform by doing something like this:

rolearn  = toset([for role in data.aws_iam_roles.sso_roles.names : role if regex(".*${group}.*, role)])

Obviously, the part with ${group} would need proper escaping but this is where I am lost and I’d really appreciate any help here. Thanks!

Sebastian Macarescuover 3 years ago

Hello everybody. If you want to fully manage the EKS aws auth config map with terraform using clousposse eks module you can take a look at this PR: https://github.com/cloudposse/terraform-aws-eks-cluster/issues/155

Sebastian Macarescuover 3 years ago

This helped me a lot when using terragrunt to separately deploy cloudposse’s eks and nodegroup modules

tyuover 3 years ago(edited)

Hi Everyone, this might be a silly question but I'm trying to deploy an AWS EKS cluster and running into some issues.

Specifically, I have to use a custom AMI but when I specify it in terraform-aws-eks-node-group module the nodes aren't able to join the cluster. The custom AMI are built on top of existing EKS images with very light updates. Using the runbook mentioned here, it seems the /etc/eks/bootstrap.sh script in the node wasn't being run for some reason. I SSM'ed into the instance and had to run it manually by doing sudo /etc/eks/bootstrap.sh ${ClusterName}

Anyone know what's the best way for me to trigger this script moving forward?

Chandler Forrestover 3 years ago

Trying to use Cloudposse SES module (https://registry.terraform.io/modules/cloudposse/ses/aws/latest)

Failing when calling the nested ses_user module. The user and user groups are all created as expected:

module.ses_user.awsutils_expiring_iam_access_key.default[0]: Creating...
╷
│ Error: Error creating access key for user <redacted>: NoSuchEntity: The user with name <redacted> cannot be found.
│       status code: 404, request id: 2075758c-b8a1-44ab-9c6d-d322f23de3fd
│ 
│   with module.ses_user.awsutils_expiring_iam_access_key.default[0],
│   on .terraform/modules/ses_user/main.tf line 24, in resource "awsutils_expiring_iam_access_key" "default":
│   24: resource "awsutils_expiring_iam_access_key" "default" {
│ 
╵
Releasing state lock. This may take a few moments...

Eric Edgarover 3 years ago

trying to use the module https://github.com/cloudposse/terraform-aws-dynamodb with global replicated tables and autoscaling. How do I turn on autoscaling in the other regions? it seems that autoscaling is only performed on the primary region.

dan callumover 3 years ago

hey team, need some help with CloudPosse kms key module

Error: "name" must begin with 'alias/' and be comprised of only [a-zA-Z0-9/_-]
│ 
│   with MODULENAME[0].aws_kms_alias.default[0],
│   on .terraform/modules/MODULENAME/main.tf line 15, in resource "aws_kms_alias" "default":
│   15:   name          = coalesce(var.alias, format("alias/%v", module.this.id))
│

Julio Chanaover 3 years ago(edited)

Hi! I have a question about the validation of after_cluster_joining_userdata in the eks-nodes module. It’s a list of commands to run, but the validation condition is that the list has to be smaller than 2. What’s the point of this?

Ishan Sharmaover 3 years ago

Hello everyone ,
I am looking to find how can we integrate Atlantis with Tfsec , does anyone has experience with it ?
Thank you in advance

Milena Suemi Ueharaover 3 years ago(edited)

Hi everyone!
I’m trying to build a AWS CodeBuild module but having some difficulties on how to set different environment variables for each project.
Using the dynamic block for the environment variables:

dynamic "environment_variable" {
      for_each = var.env_vars
      content {
        name  = environment_variable.value.name
        value = environment_variable.value.value
        type  = environment_variable.value.type
      }
   }

The variable block:

variable "env_vars" {
  description = "Environment Variables for CodeBuild Project"
  type = list(object(
    {
      name  = string,
      value = string,
      type  = string
    }
  ))
  default = []
}

The terraform.tfvars:

env_vars = [
    {
        name  = "PROJECT-1"
        value = "NAME-1"
        type  = "PLAINTEXT"
    },
    {
        name = "REPOSITORY_URI"
        value = "*.<http://dkr.ecr.us-east-1.amazonaws.com/project-1|dkr.ecr.us-east-1.amazonaws.com/project-1>"
        type = "PLAINTEXT"
    }
]

This environment variables would be for project-1, but how would I add different ones for project-2?
I created the codebuild projects using index:

module.pipeline.aws_codebuild_project.codebuild-project[0] -> Project-1
module.pipeline.aws_codebuild_project.codebuild-project[1] -> Project-2

Jeremy (UnderGrid Network Services)over 3 years ago

Has anyone else experienced the issue with the cloudposse/terraform-aws-eks-cluster module if setting oidc_provider_enabled = true on a new EKS cluster deployment that a terraform plan will fail with thumbprint_list = [join("", data.tls_certificate.cluster.*.certficates.0.sha1_fingerprint)] and The given key does not identify an element in this collection value: the collection has no elements. If I change to be oidc_provider_enabled = false then the plan is able to execute successfully but anything further in the Terraform code being executed that expects OIDC provider will then fail.

OliverSover 3 years ago(edited)

Has anyone use qovery's terraform provider to provision infra, esp EKS cluster? Just curious about people's experiences.

Dimitris Kargatzisover 3 years ago(edited)

Hi all, I have provisioned an EKS cluster and two node-groups using the latest version of the cloudposse/eks-node-group/aws module. The max allocatable pods for a t3a.large node is 8 and I can not find a way to specify this value as the extra bootstrap arguments to be added to the bootstrap.sh script is removed in the last versions. Has anyone else experienced this issue so far?
*the max allocatable pods for a t3a.large node is 35 when you create a node-group using the EKS console.

Eric Edgarover 3 years ago

bubbling this question back to the top.
https://sweetops.slack.com/archives/CB6GHNLG0/p1658352038677179

OliverSover 3 years ago

I remember hearing in one of the meetups that cloudposse has a configuration component (I can't remember if it is a provider, module or just scripts), what is it called?

rssover 3 years ago(edited)

v1.2.6
1.2.6 (July 27, 2022)
ENHANCEMENTS:
Add a warning and guidance when terraform init fails to fully populate the .terraform.lock.hcl file. (#31399)
Add a direct link to the relevant documentation when terraform init fails on missing checksums. (<a href="https://github.com/hashicorp/terraform/issues/31408"...

mrwackyover 3 years ago

crazy question - is there a way to get the running version of Terraform in HCL?

Nishant Kumarover 3 years ago

Hi I keep getting the below issue in the terraform cloud.

Any help would be highly appreciated, as it is blocking the pipeline.

Error: Invalid Configuration for Read-Only Attributewith module.ec2_client_vpn.module.self_signed_cert_ca.tls_self_signed_cert.default
on .terraform/modules/ec2_client_vpn.self_signed_cert_ca/main.tf line 62, in resource "tls_self_signed_cert" "default":
  key_algorithm   = var.private_key_algorithm
Cannot set value for this attribute as the provider has marked it as read-only. Remove the configuration line setting the value.

Refer to the provider documentation or contact the provider developers for additional information about configurable and read-only attributes that are supported.

Nishant Kumarover 3 years ago(edited)

Terraform version
1.1.5

Nishant Kumarover 3 years ago

source = “cloudposse/ec2-client-vpn/aws”
version = “0.10.1"

Nishant Kumarover 3 years ago

terraform {
  required_version = ">= 1.0.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.21.0"
    }
    random = {
      source  = "hashicorp/random"
      version = ">= 3.1.0"
    }
    awsutils = {
      source  = "cloudposse/awsutils"
      version = ">= 0.11.0"
    }
  }
}

dan callumover 3 years ago

hi all, please can someone give me a hint on how I can approach in writing a module for

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_framework

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_report_plan

A nudge in the right direction would be of great help

karandeep singhover 3 years ago

Hello, team!
https://github.com/cloudposse/terraform-aws-emr-cluster

karandeep singhover 3 years ago

Does this module support instance fleet?

oladover 3 years ago(edited)

Hi all, is there any way to provide self- service mechanism for app teams to publish terraform module into a central private registry? assuming app team don't have direct access to publish in Terraform, only DevOps team can publish

June 2022 Browse by date August 2022