49 messages
Afolabi Omotosoalmost 3 years ago
Hi, I am looking at how to dynamically create resources in multiple regions but as far as I can see, it is not supported yet by terraform. Has anyone tried any workaround, as I have over 3000 resources to create across multiple regions?
Ohad Maislish (env0)almost 3 years ago
New 🎉 Podcast 🎤- theiacpodcast.com
Hi all, my name is Ohad Maislish and I am the CEO and co-founder of www.env0.com
We launched yesterday our new podcast about IaC and 3 episodes are already up in the air - with amazing guests such as the CEO of Infracost.io and the CTO of aquasec.com (tfsec+trivy OSS)
Soren Jensenalmost 3 years ago
@Erik Osterman (Cloud Posse) I see there are already 2 open PRs on the S3 bucket module. The issue is blocking new deployments. It will be much appreciated if one of the 2 solutions is merged into main. https://github.com/cloudposse/terraform-aws-s3-bucket/pulls
│ Error: error creating S3 bucket ACL for bucket: AccessControlListNotSupported: The bucket does not allow ACLs
Erik Osterman (Cloud Posse)almost 3 years ago
AWS Lattice support ready! https://sweetops.slack.com/archives/CHDR1EWNA/p1683141452849139
rssalmost 3 years ago(edited)
v1.5.0-alpha20230504
1.5.0-alpha20230504 (May 4, 2023)
NEW FEATURES:
check blocks for validating infrastructure: Module and configuration authors can now write independent check blocks within their configuration to validate assertions about their infrastructure.
The new independent check blocks must specify at least one assert block, but possibly many, each one with a condition expression and an error_message expression matching the existing <a...
Nitinalmost 3 years ago
https://github.com/cloudposse/terraform-aws-elasticache-memcached
curious to know why we can't modify the security group created by this module. (everything should be known at plan time)
mikealmost 3 years ago
Anyone familiar with the Confluent Terraform provider? I am unable to get confluent_kafka_cluster_config resources working. I always get this error: error creating Kafka Config: 400 Bad Request: Altering resources of type BROKER is not permitted
managedkaosalmost 3 years ago
Oddball question: what are all the possible resource actions for a plan?
When a terraform plan is reported, it includes what will happen to each resource. i.e.:
# aws_security_group_rule.ec2-http will be created
# azurerm_container_group.basics will be destroyed
# azurerm_container_group.basics will be replaced
With emphasis on created, destroyed, and replaced. Are there any other options?
Would you happen to know the source file in the repo that contains the options? (I’ll be digging into the repo in a sec)
Mark Lakewoodalmost 3 years ago
Hi All. I'm trying to put tags on an autoscaling group. I would like them to propagate to the underlying ec2 instances. So I put this block in
tag = {
key = "service"
value = "prometheus_server"
propagate_at_launch = true
}
Mark Lakewoodalmost 3 years ago
On the aws_autoscaling_group resource.
Mark Lakewoodalmost 3 years ago
It complained that
╷
│ Error: Unsupported argument
│
│ on prometheus.tf line 93, in resource "aws_autoscaling_group" "prometheus-server":
│ 93: tag = {
│
│ An argument named "tag" is not expected here. Did you mean "tags"?
So I used tags instead but then I got
│ Warning: Argument is deprecated
│
│ with aws_autoscaling_group.prometheus-server,
│ on prometheus.tf line 93, in resource "aws_autoscaling_group" "prometheus-server":
│ 93: tags = [{
│ 94: key = "service"
│ 95: value = "prometheus_server"
│ 96: propagate_at_launch = true
│ 97: }]
│
│ Use tag instead
Mark Lakewoodalmost 3 years ago
Versions I'm using
Terraform v1.4.6
on darwin_arm64
+ provider registry.terraform.io/grafana/grafana v1.36.1
+ provider registry.terraform.io/hashicorp/aws v4.66.1
+ provider registry.terraform.io/hashicorp/helm v2.9.0
+ provider registry.terraform.io/hashicorp/kubernetes v2.20.0
+ provider registry.terraform.io/hashicorp/tls v4.0.4
Michael Dizonalmost 3 years ago
wondering if anyone had some thoughts or design references for creating 2 s3 buckets, one source bucket and one replication bucket, in a single module using the terraform-aws-s3-bucket module.
Michael Dizonalmost 3 years ago
since the target bucket accepts the outputted replication_role_arn from the source, and the s3_replication_rules references the target bucket, which doesn’t yet exist
Utpal Nadigeralmost 3 years ago
Folks who use Atlantis for Terraform Self Service - what pains you the most?
We are building an Open Source GitOps tool for Terraform (https://github.com/diggerhq/digger) and are looking for what’s missing. We also read & asked around. We found the following pain points already, curious for more:
1. In Atlantis, anyone who can run a plan can exfiltrate your root credentials. This is talked about by others and was highlighted at the Defcon 2021 conference. (CloudPosse)
2. “Atlantis shows plan output, if it's too long it splits it to different comments in the PR which is not horrible, just need to get used to it.” (User feedback)
3. Anyone that stumbles upon your Atlantis instance can disable apply commands, i.e. stopping production infrastructure changes. This isn’t obvious at all, and it would be a real head scratcher to work out why Atlantis suddenly stopped working! (Loveholidays blog)
4. “Atlantis does not have Drift Detection.” (Multiple users)
5. “The OPA support in atlantis is very basic.” (Multiple users)
As CloudPosse themselves explain - “Atlantis was the first project to define a GitOps workflow for Terraform, but it's been left in the dust compared to newer alternatives.” The problem though is that none of the newer alternatives are Open Source, and this is what we want to change. Would be super grateful for any thoughts/insights and pain points you have faced.
curious deviantalmost 3 years ago
Hello,
I have set up provisioned concurrency with scheduled scaling for my lambda. However, successive terraform runs cause the error: Error updating lambda alias resourceConflictexception: Alias can’t be used for provisioned concurrency configuration on an already provisioned version. Is this something anyone else has run into?
Joe Perezalmost 3 years ago
Hello all, I was wondering if anyone has had success with delivering developer permissions within AWS SSO and the proper guardrail system for permission in a build system that runs terraform. I also acknowledge it is slower to iterate on Terraform changes when you have to check in a change and run a build each time. Maybe others have found success in the balance between security and speed
Elad Levialmost 3 years ago(edited)
Hey all, I'm trying to use the terraform module cloudposse/firewall-manager/aws on version 0.3.0
I can't find the right way to add the logging_configuration block in order to use S3 bucket as the waf_v2_policies direct log destination.
shamwowalmost 3 years ago(edited)
just had a question regarding custom terraform modules, is it generally considered best practice to "pin" things like terraform version, provider versions in the module? I feel like that's where it should be done but just looking for some advice
Kyle Stevensonalmost 3 years ago
Hi, does anyone know how to implement something like this where the user calling the module can say if they want to install the EKS addon and optionally provide configuration for it?
rssalmost 3 years ago(edited)
v1.5.0-beta1
1.5.0-beta1 (May 15, 2023)
NEW FEATURES:
check blocks for validating infrastructure: Module and configuration authors can now write independent check blocks within their configuration to validate assertions about their infrastructure.
The new independent check blocks must specify at least one assert block, but possibly many, each one with a condition expression and an error_message expression matching the existing <a...
Hussamalmost 3 years ago
Hey guys, I am using the EMR Cluster module and it is creating all my master and core instances with the same name. Is there a way to give them unique names to easily identify them instead?
managedkaosalmost 3 years ago
Jim Knottalmost 3 years ago
Good Morning! I'm new here so I'm looking for a place where I can jump in and get started. Is this still the best place to start? https://github.com/cloudposse/reference-architectures
Utpal Nadigeralmost 3 years ago
We launched Digger v4.0 on Product Hunt today! It has been quite a journey from Digger Classic (v1.0), to AXE (v2.0), to Trowel (v3.0) and finally to our current version.
Read more about our iterative journey in the blog and please share your feedback (good and bad) on Product Hunt
Josh Pollaraalmost 3 years ago(edited)
I'm really excited to release Terrateam Self-Hosted today. Full feature parity with our Cloud version. This is our first step to making Terrateam open source. Looking forward to community feedback, feature requests, etc.
https://github.com/terrateamio/terrateam
https://terrateam.io/blog/terrateam-self-hosted
Kunalsing Thakuralmost 3 years ago
Terrateam should support bitbucket
Kunalsing Thakuralmost 3 years ago
First in place don't depend on GitHub in terms of git.providers
Kunalsing Thakuralmost 3 years ago
Congratulations 🎉🎉 terrateam
Josh Pollaraalmost 3 years ago
Thanks @Kunalsing Thakur -- We have seriously thought about supporting BitBucket (also GitLab) but our journey hasn't taken us there yet. I'm curious though. Are you doing anything now with Terraform + BitBucket?
James Knottalmost 3 years ago
Hello, I'm trying to get started with CloudPosse and SweetOps and want to make sure I'm starting at square one. This is the old reference architecture https://github.com/cloudposse/reference-architectures. Has anything replaced it and if not where is a good place to start? Thank you
Nikola Niksaalmost 3 years ago
hey guys I have an issue with the elastic search cloud posse module not being able to enable view_index_metadata, is there any way that someone can help me out perhaps?
Nikola Niksaalmost 3 years ago
or is it a version block since I am at 0.35.1 version of the module
Nikola Niksaalmost 3 years ago
Managed to enable it but the way it was done is just dumb since nowhere did I manage to find a correlation between es:HTTPHead and view_index_metadata
Paulaover 2 years ago
Hi! I'm looking for advice as I'm new to Terraform projects. My team and I are starting to migrate all our infrastructure to Infrastructure as Code (IaC) using Terraform. The Minimum Viable Product (MVP) consists of approximately 60 microservices. This is because these services have dependencies on certain databases. Currently, we have deployed some of this infrastructure in a development environment. These services are built using different technologies, have different environment variables, and require different permissions. We are using preexisting modules, but we have a separate folder for each service for the particular configurations of each one. We have started a monorepo with a folder for each environment. However, the apply process is taking around 15 minutes, and our project organization is structured as follows:
• Staging
◦ VPC
▪︎ VPC-1
• ECS
◦ Service-1
◦ Service-2
◦ Service-3
◦ Service-N
• RDS
◦ RDS-1
◦ RDS-2
◦ RDS-3
◦ RDS-N
▪︎ VPC-2
• ECS
◦ Service-1
◦ Service-2
◦ Service-3
◦ Service-4
◦ Service-N
• RDS
◦ RDS-1
▪︎ VPC-3
• ECS
◦ Service-1
◦ Service-2
◦ Service-3
can you give me your advice?
venkataover 2 years ago
How do you folks manage terraform provider updates? For example we have a lot of terraform and we prefer to bring everything to the same version across our many repos/state files. We have used lock files and/or manually pinned each provider but this has significant overhead as we need to go to each repo or module and make updates. Would love to know if anyone has found a more optimal solution to this.
Erik Osterman (Cloud Posse)over 2 years ago
Any hashicorp ambassadors able to promote this small, simple PR: https://github.com/hashicorp/terraform/pull/30121/files
• Enables the ability to create IAM policies that give roles access to state files based on tags in S3 for fine-grained access permissions.
• It's a tiny/simple PR
Subutaiover 2 years ago(edited)
Hello Community, looking for a TF module that caters for SQS, SNS and CW alerts. I am somewhat new getting into the tool. Any pointers greatly appreciated.
Ben Keroover 2 years ago
Heya. I'm trying to use a cloudposse module with Terraform Cloud for the first time (terraform-aws-elasticache-redis). I keep running into a problem with things named after module.this.id . I'm looking into the this module and see it should be set to an ID, but it seems to be set to an empty string.
Is this something that's known? I'm passing enabled = true to the module, which should pass it to the null context module as well.
rssover 2 years ago(edited)
v1.5.0-beta2
1.5.0-beta2 (May 24, 2023)
NEW FEATURES:
check blocks for validating infrastructure: Module and configuration authors can now write independent check blocks within their configuration to validate assertions about their infrastructure.
The new independent check blocks must specify at least one assert block, but possibly many, each one with a condition expression and an error_message expression matching the existing <a...
Slackbotover 2 years ago
This message was deleted.
JoseFover 2 years ago
Hello team. Any suggestion about how to do 🔵 /🟢 rds environments with cloudposse modules? Let's use the simpler one for this suggestion https://github.com/cloudposse/terraform-aws-rds.
Ideas? Thanks.
Soren Jensenover 2 years ago
I'm using the terraform-aws-ec2-autoscale-group module at the moment, but in an attempt to do some cost saving I'd like to switch to spot instances. I see there is an option to set instance_market_options but can't get the syntax right.
Documentation says:
object({
market_type = string
spot_options = object({
block_duration_minutes = number
instance_interruption_behavior = string
max_price = number
spot_instance_type = string
valid_until = string
})
})
I tried this with no luck:
instance_market_options = [
{
market_type = "spot",
spot_options = [
{
spot_instance_type = "one-time"
}
]
}
]
│ The given value is not suitable for module.autoscale_group.var.instance_market_options declared at .terraform/modules/autoscale_group/variables.tf:93,1-35: object required.
jwoodover 2 years ago
I have a question regarding atmos stacks and cloudposse/terraform-aws-components/account.
The email format in the example is something+%s@example.com, but if the account name has hyphens in it like foo-bar, you would have an account email of something+foo-bar@example.com.
My question is, will this cause issues with email routing, and if so, is there a simple way to replace hyphens with dots without forking the account component?
Mike Croweover 2 years ago
Can somebody help me with cloudposse/ssm-tls-ssh-key-pair/aws please? I'm trying to create a keypair and store the output in SSM. This module creates the SSH keys in SSM properly, but I don't see how to then use it:
• In terraform-aws-modules/key-pair/aws, if I use public_key = module.ssm_tls_ssh_key_pair.public_key, I get the error: InvalidKey.Format: Key is not in valid OpenSSH public key format (doing an ECDSA key)
• If I use cloudposse/key-pair/aws, it expects the key to be in a file (which defeats the whole purpose of using SSM, right?)
I'm sure this is obvious, but I'm missing it
Leleover 2 years ago
(probably?) outdated docs:
https://registry.terraform.io/modules/cloudposse/vpc/aws/latest
cidr_block = "10.0.0.0/16" not valid anymore.. it's ipv4_cidr_block now and it's a list of strings
Adrian Rodzikover 2 years ago
Hello,
I have a terraform issue to overcome.
I am creating azure key-vaults and secrets inside them with a random password generator. It is working fine. The problem starts when I want to add another key-vault to the list to be provisioned. When I run terraform again all the passwords are being regenerated because of the random function I'm using. Is there a possibility to persist the passwords for already created key-vaults without regenerating them for existing ones?
key-vaults are created with a for_each statement from the list.
key-vault.tf
data "azurerm_client_config" "current" {}
resource "azurerm_key_vault" "kv" {
for_each = toset(var.vm_names)
name = format("%s", each.value)
location = azurerm_resource_group.db_rg.location
resource_group_name = azurerm_resource_group.db_rg.name
enabled_for_disk_encryption = true
tenant_id = data.azurerm_client_config.current.tenant_id
soft_delete_retention_days = var.soft_delete_retention_days
purge_protection_enabled = false
sku_name = var.kv_sku_name
# TODO: add group with permissions to manage key vaults
access_policy {
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
key_permissions = [
]
secret_permissions = [
"Get",
"List",
"Set",
]
storage_permissions = [
]
}
}
secrets.tf
example resources from secrets
resource "random_password" "password" {
count = 11
length = 11
special = false
min_upper = 3
min_numeric = 3
min_lower = 3
}
resource "azurerm_key_vault_secret" "secret1" {
depends_on = [azurerm_key_vault.kv]
for_each = toset(var.vm_names)
name = "name1"
value = random_password.password[0].result
key_vault_id = azurerm_key_vault.kv[each.value].id
}
resource "azurerm_key_vault_secret" "secret2" {
depends_on = [azurerm_key_vault.kv]
for_each = toset(var.vm_names)
name = "name2"
value = random_password.password[1].result
key_vault_id = azurerm_key_vault.kv[each.value].id
}
rssover 2 years ago(edited)
v1.5.0-rc1
1.5.0-rc1 (May 31, 2023)
NEW FEATURES:
check blocks for validating infrastructure: Module and configuration authors can now write independent check blocks within their configuration to validate assertions about their infrastructure.
The new independent check blocks must specify at least one assert block, but possibly many, each one with a condition expression and an error_message expression matching the existing <a...