42 messages
Jonas Steinberg almost 3 years ago
Hey so I'm using the datadog terraform provider to create some dashboards using the datadog_dashboard_json resource and it works great except there's permadrift. Any ideas how I can deal with this?
• I see in the provider that it does expose this value, but it says it's deprecated in the actual datadog api documentation
• I do not see this value exposed really in the dashboard itself
• I've tried actually putting this value in the dashboard as both false and null and both don't prevent the permadrift
  # datadog_dashboard_json.dashboard_json will be updated in-place
  ~ resource "datadog_dashboard_json" "dashboard_json" {
      ~ dashboard = jsonencode(
          ~ {
              - is_read_only = false -> null
                # (8 unchanged elements hidden)
            }
        )
        id        = REDACTED
        # (2 unchanged attributes hidden)
    }
Sebastian Maniak almost 3 years ago
Anyone seen this https://aws.amazon.com/about-aws/whats-new/2023/04/aws-service-catalog-terraform-open-source/
Andrew Miskell almost 3 years ago
Heya all, trying to figure something out with Terraform. I have a list of IP addresses and I want to grab the last octet of each IP address in the list and put it into another list, but I can't seem to quite figure it out. My list looks like:
ips = [
  "44.194.111.252",
  "44.194.111.253",
  "44.194.111.254"
]
and I'm trying to put the newly created list into a local called "ip_last_octet"
Andrew Miskell almost 3 years ago (edited)
I have one more for the group, although I'm not sure if it's possible. I have a network interface that I have attached as a secondary interface to an ec2 instance. The resource is configured to configure multiple private IPs which then get an elastic IP associated with it. I want the private IP to always map to the same elastic IP as the application that runs on this ec2 instance is sensitive to IP changes (it has a virtual servers configuration file which binds to specific IPs). I'm currently doing this.
sending_ips = [
  "44.194.111.252",
  "44.194.111.253",
  "44.194.111.254",
  "44.194.111.251",
  "44.194.111.250"
]
data "aws_eip" "sending_ips" {
  count     = length(var.sending_ips)
  public_ip = var.sending_ips[count.index]
}
resource "aws_network_interface" "secondary_interface" {
  subnet_id         = data.aws_subnet.public.id
  private_ips_count = length(var.sending_ips) - 1
}
resource "aws_network_interface_attachment" "secondary_interface" {
  instance_id          = aws_instance.ems.id
  network_interface_id = aws_network_interface.secondary_interface.id
  device_index         = 1
}
resource "aws_eip_association" "sending_ips" {
  count                = length(var.sending_ips)
  network_interface_id = aws_network_interface.secondary_interface.id
  allocation_id        = data.aws_eip.sending_ips[count.index].id
  private_ip_address   = element(data.aws_network_interface.secondary_interface.private_ips, count.index)
  allow_reassociation  = false
}
The problem I'm having is that if I remove or add IP addresses to the sending_ips variable the private IP to elastic IP mappings change. I want to try and figure out a way to allow AWS to dynamically assign IPs but still maintain a consistent mapping once a private IP is paired with an elastic IP.
rss almost 3 years ago (edited)
v1.5.0-alpha20230405
This is a development snapshot for the forthcoming v1.5.0 release, built from Terraform's main branch. These release packages are for early testing only and are not suitable for production use.
The following is the v1.5.0 changelog so far, at the time of this snapshot:
UPGRADE NOTES:
This is the last version of Terraform for which macOS 10.13 High Sierra or 10.14 Mojave are officially supported. Future Terraform versions may not function correctly on these older versions of macOS.
This is...
Erik Osterman (Cloud Posse) almost 3 years ago
AWS Lattice support forthcoming in Terraform https://github.com/hashicorp/terraform-provider-aws/issues/30380
OliverS almost 3 years ago
This kind of NOTE (see attached image) means that if a terraform module uses cloudfront function in cache of cloudfront distro, the cicd must generate a plan, query it for replacement of function, and if there is a replacement planned, must take a side path to set some custom var to false so that the cloudfront distro no longer uses the function, then terraform apply the distro as target, then finally can resume normal workflow. This is a lot of work! Did you guys have to implement something like this, or is there another trick?
Aditya almost 3 years ago (edited)
Here is my issue,
I am creating a new VPC in AWS with 2 public and 2 private subnets, peering it with an existing VPC and testing things using Terratest, in which I'm basically checking SSH connectivity between a bastion host in the existing VPC and the hosts in the new VPC, both in private and public subnets, using ssh.CheckPrivateSshConnectionE. My issue is that connectivity between the bastion and the hosts in the private subnets in the new VPC works perfectly, but connectivity between the bastion and hosts in the public subnets in the new VPC does not happen. What could be going wrong?
Please note there are different route tables in the new VPC, 1 for private subnets and 1 for public subnets.
Sajja Sudhakararao almost 3 years ago
I have simulated same scenario and it was working fine.
Alex Jurkiewicz almost 3 years ago
this is a noisy feed
managedkaos almost 3 years ago
Agreed. I’m also wondering why it’s in the #terraform channel. 🤔
Erik Osterman (Cloud Posse) almost 3 years ago
It’s gotta be a stack exchange bug. We have had this for maybe a year.
Erik Osterman (Cloud Posse) almost 3 years ago
I will unsubscribe it for now and delete those messages
Erik Osterman (Cloud Posse) almost 3 years ago
The feed is https://stackoverflow.com/feeds/tag/cloudposse (recording here to make it easier to add later)
Stephen Richards almost 3 years ago (edited)
Hello,
Does anybody have an example of using ip_set_reference_statement_rules in cloudposse/terraform-aws-waf? Specifically the statement block
rss almost 3 years ago (edited)
v1.4.5
1.4.5 (April 12, 2023)
Revert change from [#32892] due to an upstream crash.
Fix planned destroy value which would cause terraform_data to fail when being replaced with create_before_destroy (https://github.com/hashicorp/terraform/issues/32988)...
Samuel Crudge almost 3 years ago
Hello! I’m wondering if anyone has examples of ECS with ALB? I’m having issues fitting the two together with the modules that are around.
PePe Amengual almost 3 years ago
Has anyone seen this?
We are using the CloudPosse flow-log module that uses the s3-log bucket module and this works in one region on the same account, but if we deploy to another region in the same account it fails (different bucket names)
Error: Received unexpected error:
FatalError{Underlying: error while running command: exit status 1; ╷
│ Error: creating Amazon S3 (Simple Storage) Bucket (eg-test-vpc-subnets-qbp5cs): InvalidBucketAclWithObjectOwnership: Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting
│ status code: 400, request id: KDSFKDKFFFFFF, host id: ASDFASDFADFASDFASDFASDFASDFASDFASDFASDFADFS
Andrey Moor almost 3 years ago
Hello! Is the cold start reference tutorial not available anymore?
Dhruv Garg almost 3 years ago
Hi everyone. I am stuck in an issue w.r.t. the cloudposse/iam-role/aws module. I need to configure an IAM role which needs to have the below as the trust relationship. I am able to figure out actions as well as principal but I'm having a hard time figuring out the conditions. It's a show stopper at the moment. Can someone please help me out?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::xxxxxxxxxxxx:saml-provider/xxxxxx"
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "SAML:xxx": "https://signin.aws.amazon.com/saml"
        }
      }
    }
  ]
}
Kunalsing Thakur almost 3 years ago
Is there a way we can avoid terraform destroy being run accidentally
Kunalsing Thakur almost 3 years ago
Not to destroy resources
Kunalsing Thakur almost 3 years ago
I have seen prevent_destroy
Kunalsing Thakur almost 3 years ago
But from a security perspective
Kunalsing Thakur almost 3 years ago
If someone has code
Kunalsing Thakur almost 3 years ago
They can modify it to remove prevent_destroy and run terraform destroy, and it will vanish
Tom Hughes almost 3 years ago (edited)
Hey all, I'm wondering how to configure my CI/CD.
I have a github repo configured with GHAs to talk to terraform cloud to perform plans and applies.
My repo is configured like this:
.
├── accounta
│   ├── us-east-1
│   │   └── customer-project
│   └── us-east-2
│       └── customer-project
├── accountb
│   ├── us-east-1
│   │   └── customer-project
│   └── us-east-2
│       └── customer-project
└── accountc
    ├── us-east-1
    │   └── customer-project
    └── us-east-2
        └── customer-project
Every customer-project dir has its own state file.
I want to use a single account to manage resources in all accounts, and then allow it to assume a role that relates to that account. I have configured this, and it works well. But I'm hardcoding the assume_role arn in each customer-project's provider. Can someone more intelligent than me tell me if there's a better way to achieve this without hardcoding the role, in an automated way?
Dhruv Garg almost 3 years ago
Hi everyone. I need help in understanding one thing w.r.t. the terraform-aws-iam-role module. I configured multiple policy documents and while applying it, it's failing with the below error. As far as I know, I can create a single policy using this module. Is there a possibility of splitting the policy into more than 1?
Error: updating IAM policy arn:aws:iam::xxxxxxxxxxxx:policy/xxxxx: LimitExceeded: Cannot exceed quota for PolicySize: 6144 status code: 409
Evanglist almost 3 years ago (edited)
Any suggestions for open source UI for terraform. I am looking for something similar to terraform cloud but free.
Austin Blythe almost 3 years ago
I’m looking at using the account component from https://github.com/cloudposse/terraform-aws-components/blob/master/modules/account/README.md. Can anyone confirm if this supports organizational units more than one level deep in AWS Organizations?
The README doesn’t mention this and I haven’t found any examples. I’m trying to import my existing AWS organization and manage it with this component, but I’m having trouble figuring out how it should be modeled using the organization_config variable.
BalaV almost 3 years ago
Hello, is anyone using TFLint + Terratest + Terragrunt with Atlantis? If so, what does the flow look like?
Alex Atkinson almost 3 years ago
I have a simple req. So simple.... I just want to be able to create an s3 bucket in a region specified by var.aws_region.
Anyone overcome this issue?
Afolabi Omotoso almost 3 years ago
Hi, I am trying to write an integration test for an already working mwaa module (this is already working in production). The module is almost similar to this https://github.com/cloudposse/terraform-aws-mwaa. However, when I run the test I get the error
"ValidationException: Unable to read env-mwaa-staging-eu-west-1-dags/plugins.zip". If I try to upload the plugins.zip and requirement.txt, the mwaa gets stuck in creating mode till the test times out. Has anyone encountered this before?
Kunalsing Thakur almost 3 years ago
I want to learn variable priority to create reusable modules
Kunalsing Thakur almost 3 years ago
How merging happens or how priority precedence takes values of variables
Kunalsing Thakur almost 3 years ago
Alternative for ngrok
Kunalsing Thakur almost 3 years ago
To use with Atlantis and integrate with bitbucket
rss almost 3 years ago (edited)
v1.4.6
1.4.6 (April 26, 2023)
BUG FIXES
Fix bug when rendering plans that include null strings. (#33029)
Fix bug when rendering plans that include unknown values in maps. (https://github.com/hashicorp/terraform/issues/33029)...
Zach B almost 3 years ago
Curious about the terraform-aws-security-group module: https://github.com/cloudposse/terraform-aws-security-group
I’ve read through the entire README and I understand the gotchas.
What I’m curious about is, if it is 100% necessary for this module to manage both the security group and its corresponding security group rules in order to maintain no interruptions (when used correctly), how do you avoid circular dependencies when using this module as part of a for_each, where a security group rule might dynamically reference a security group within the same for_each map?
Such as:
locals {
  security_groups = {
    "example-1" = {
      name        = "example"
      attributes  = ["1"]
      enabled     = true
      description = "Security group for example-1"
      vpc_id      = module.vpc["example"].vpc_id
      rules_map = {
        "ingress" = [
          {
            type        = "ingress"
            description = "Allow inbound HTTP traffic from CloudFront."
            from_port   = 80
            to_port     = 80
            protocol    = "TCP"
            prefix_list_ids = [
              data.aws_ec2_managed_prefix_list.cloudfront.id
            ]
          }
        ]
      }
    }
    "example-2" = {
      name        = "example"
      attributes  = ["2"]
      enabled     = true
      description = "Security group for example-2"
      vpc_id      = module.vpc["example"].vpc_id
      rules_map = {
        "ingress" = [
          {
            type                     = "ingress"
            description              = "Allow inbound HTTP traffic from ALB."
            from_port                = 80
            to_port                  = 80
            protocol                 = "TCP"
            source_security_group_id = module.security_group["example-1"].id
          }
        ]
      }
    }
  }
}
module "label_security_group" {
  source  = "cloudposse/label/null"
  version = "0.25.0"
  for_each = local.security_groups
  enabled    = each.value.enabled
  name       = each.value.name
  attributes = try(each.value.attributes, [])
  context    = module.label_default.context
}
module "security_group" {
  source  = "cloudposse/security-group/aws"
  version = "2.0.1"
  for_each = local.security_groups
  vpc_id                     = each.value.vpc_id
  security_group_description = try(each.value.description, "Managed by Terraform")
  create_before_destroy      = try(each.value.create_before_destroy, true)
  preserve_security_group_id = try(each.value.preserve_security_group_id, false)
  allow_all_egress           = try(each.value.allow_all_egress, true)
  rules_map                  = try(each.value.rules_map, {})
  context                    = module.label_security_group[each.key].context
}
^ In this case, a circular dependency would be created due to the circular reference:
source_security_group_id = module.security_group["example-1"].id
Normally, the solution for this is to break the module down into smaller modules, such as an aws_security_group_rule module, but due to the nature of security groups, security group rules, and Terraform, it almost seems impossible, and I’m kind of shocked I didn’t fully understand this until now.
For example, the CloudPosse terraform-aws-security-group module clearly states the gotchas of what happens when it is not managing both the aws_security_group and the aws_security_group_rule resources from a single instance of the module.
Any ideas?
Dhamodharan almost 3 years ago
Hi all,
Can someone help me to import the cloudsql (mysql) from gcp to terraform?
I have my sql running on one project and I'm trying to import it to another project directory.
I have used the below command
terraform import google_sql_database.default {{projectid(where my sql resides)}}/{{instance(sqlinstancename)}}/{{name(sqlinstancename)}}
but it's throwing this error
Error: Error when reading or editing SQL Database Instance "{{sqlinstancename}}": googleapi: Error 400: Invalid request: instance name ({{sqlinstancename}})., invalid
Can someone help on this?