#terraform - June 2023

Is there an example out there of how to put my entire org's tfstate into a specific account? Multiple buckets is fine, but ideally I'd like to house it all in a specific account. I see that the tfstate-backend module has a tfstate_account_id , should I be wrapping that in another module to pass the account ID from the account-map module, or is there a better way? Using atmos if that matters.

Hello,
I am using terraform-aws-eks-workers and I would like to bump its version from v0.20.0 to v1.0.0 . Unfortunately, I was using the input security_groups like so

security_groups        = [aws_security_group.eks_nodegroups_security_group.id, aws_security_group.eks_alb_ingress.id]

and I cannot figure out what is the new right way to configure my worker module, any idea?

Hello!
Could you please take a look at this PR?
https://github.com/cloudposse/terraform-aws-ecs-cluster/pull/9
It really important, because now it doesn’t work with current version of module.

Heya guys, got a quick ask for help, I'm still pretty new with Terraform. I have this local variable in which I'm trying to build a listing of host, internal_ip and external_ip. The last octet of the internal_ip is derived from external_ip, I've got mostly everything working except I can't seem to wrap my head around how to construct the internal ip.

I know I can use split(".", ip)[3]to extract the last octet from the ip, but I can't seem to figure out/understand how to combine that with join(".", slice(split(".", data.aws_subnet.sending[k].cidr_block), 0, 3)) to construct a complete ip address

  sending_ip_map = flatten([
    for k, v in var.sending_ips : [
      for ip in v : [
        {
          host        = k,
          external_ip = ip,
          private_ip  = join(".", slice(split(".", data.aws_subnet.sending[k].cidr_block), 0, 3))
        }
      ]
    ]
  ])

With the current code, my output looks like

debug = [
      + {
          + external_ip = "44.194.111.252"
          + host        = "eis1"
          + private_ip  = "10.0.234"
        },
      + {
          + external_ip = "44.194.111.254"
          + host        = "eis1"
          + private_ip  = "10.0.234"
        },
      + {
          + external_ip = "44.194.111.253"
          + host        = "eis2"
          + private_ip  = "10.0.234"
        },
      + {
          + external_ip = "44.194.111.255"
          + host        = "eis2"
          + private_ip  = "10.0.234"
        },
    ]

v1.5.0-rc2
1.5.0-rc2 (June 5, 2023)
NEW FEATURES:

check blocks for validating infrastructure: Module and configuration authors can now write independent check blocks within their configuration to validate assertions about their infrastructure.
The new independent check blocks must specify at least one assert block, but possibly many, each one with a condition expression and an error_message expression matching the existing <a...

Anyone else had weird behaviour using the helm provider? I'm just ran a plan, one in tf cloud, and one locally, and they're both wildy different. The code is the same, the providers look the same too. same backend. Everything. I can't workout why this would be. Anyone got any idea?

I have question, when you create an environment in elasticbeanstalk with loadbalancer there will be a created security group
now I have a custom security group named mysql-secgrp, now my question is how can I automatically add the security group id of the elasticbeanstalk environment to my custom security group.

i’m trying to explore the terraform “data” and the “output” but I’m stuck…

Hello! Is there any Github managers here? Our infra is blocked from upgrading ElasticBeanstalk module to newer modules due to a issue raised. There has been a solution offered but there has been no movement.

is there any chance of getting this looked at?

Can someone explain why trim doesn't trim this hyphen, but replace operates on it as expected?

> trim("foo-bar", "-")
"foo-bar"
> replace("foo-bar", "-" , "")
"foobar"

Hello guys, do you have any ideas on how to create a warm pool terraform-aws-eks-workers module?

Hi, I recall; carrying out an AWS ASG Rolling Update through Terraform was not previously possible (due to no Update Policy API being exposed ). This was something comparatively easily achievable in CloudFormation through update policy. Is this ASG Rolling Update achievable now in TF ? Thanks in advance !

v1.5.0
1.5.0 (June 12, 2023)
NEW FEATURES:

check blocks for validating infrastructure: Module and configuration authors can now write independent check blocks within their configuration to validate assertions about their infrastructure.
The new independent check blocks must specify at least one assert block, but possibly many, each one with a condition expression and an error_message expression matching the existing <a...

Hi, Just wondering if it is advisable to use only s3 lock feature without dynamoDB for the state files. We are trying to get rid of dynamoDB to save some costs.

Hey guys - had a quick question about Terraform and was wondering if anyone knew about this.

The Arbitrary Expressions with Argument Syntax docs page implies that all blocks are supported as arrays (Which was welcome news to me, having hated blocks ever since they were introduced), meaning this should work if settings was usually defined in block syntax and api_settings was an object:
settings = [var.api_settings]

However, I get Unsupported Argument. Is support for this dependent on the provider, or am I misunderstanding the docs?

I've encountered something with cloudposse/label/null that feels like an issue to me, or at least a potential feature, and wanted to get some opinions before I try fixing it. When setting label_key_case, the Name tag is still affected the same as every other tag. Its value is treated as a special case (getting the id), but not the key itself. I know it's kind of AWS specific, but it feels to me like Name should always be title-cased regardless of label_key_case.

Hi, How do you disable encryption_at_rest on terraform documentdb by cloudposse?
seems there is no option to do that

Who wants a brain teaser? Getting this error with terraform-aws-config but my config appears (to my eyes) to be valid.

I would appreciate if you could take a look on the PR
Its for firewall-manager - shield_advanced.tf
@Andriy Knysh (Cloud Posse) @Dan Miller (Cloud Posse)

Hi guys, thanks for having me here 🙂 Does anybody knows if OpenSearch support for terraform-aws-elasticsearch is going to be available soon, I'm planing an upgrade but wanted to continue using cloudposse module?

anyone knows how these files are getting generated (via terraform / terragrunt)...? ive inherited a couple of legacy aws accounts and noticed that theres this bucket getting exploded with all of these gibberish (10gb+) , but im not sure where it's coming from and how to stop it.

Hey guys,
I am seeking feedback from those who have begun utilizing check blocks in their Terraform configurations.
1. What has your experience been like so far?
2. Could you highlight any specific use-cases where you found the application of check blocks particularly beneficial?
3. Have you encountered any potential pitfalls, challenges, or concerns in their implementation?
Any feedback or insights would be greatly appreciated 😊

v1.5.1
1.5.1 (June 21, 2023)
BUG FIXES:
core: plan validation would fail for providers using nested set attributes with computed object attribute (#33377)

Hi folks, I have a question 🙂 Lets say im building a libary of terraform modules and publishing them to a private registry e.g. citizen. I have an internal development portal that is effectively through pipelines calling these individual modules to stand up infra resources. What would be better, establishing a means of downloading the module from the private registry? Calling the module in a .tf file within the examples directory? (But then how do i dynamically control the version o the module?)

I wanted to share this article. It's a result of a lot of thinking and talking with many Terraform users about where IaC and Terraform should go in the next few years. It's very opinionated. Would be great to hear people's thoughts even if they strongly disagree with the post. The tl;dr version of it is that ClickOps + HCL is the future, continuing to use HCL is a good thing because humans and computers can read, write, and modify HCL, and it enables Terraform users to get powerful tooling, especially around GUIs that could consume and produce HCL. Additionally, we believe CDKs are the wrong direction.

https://terrateam.io/blog/the-future-of-terraform-is-clickops

Can someone remind me what terraform does with "looped" resources if the order in the list changes?

my.tfvars

buckets = {
  one = {
    replication_enabled = true
  }
  two = {
    replication_enabled = true
  }
}

main.tf

module "bucket" {
  for_each = {for k, v in var.buckets : k => v}
  name = k
  replication_enabled = v.replication_enabled
}

Terraform probably destroys and recreates the resources if I change my.tfvars to:

buckets = {
  two = {
    replication_enabled = true
  }
  one = {
    replication_enabled = true
  }
}

But maybe someone can confirm it.

Are there any decent ways to generate half-way decent graphs of TF resources?
Use case - putting a pretty picture in our TF modules READMEs so our co-workers can get a better idea what a module does without being experts

Hi folks,

Anyone around who is publishing the modules into a private registry - TFC or others and then is using rennovate for upgrades ?

If so do you have a sample on how that configuration looks like? Note i'm trying to do the following:
• the token api to access TFC private registry is / should be in GH org secret or at least repo secrets
• in rennovate.json i'd like to use the secret
• upgrades for child modules defined in root modules (easy to achieve) but equally for child of child modules)

Hello!
Cloud Posse team, could you please review this PR?
https://github.com/cloudposse/terraform-aws-alb-ingress/pull/68

Can anyone help me to understand why adding

  filter {
    name = "instance-state-name"
    values = ["running"]
  }

in the data source for aws_instance starts complaining saying no matching EC2 instance found. The total code block is

data "aws_instance" "syslog" {

  filter {
    name   = "tag:Name"
    values = ["xx-yy"]
  }

  filter {
    name  = "tag:ManagedBy"
    values = ["Terraform"]
  }

  filter {
    name = "instance-state-name"
    values = ["running"]
  }
}

Hi all. We’re looking to implement a TACOS solution like atlantis, spacelift, env0, etc (solution hasn’t been selected yet). Most of the solutions appear to handle plan review and apply in git PRs. While I’m sure this is fine for most changes, I’m concerned that complex changes, new modules, etc would be awkward to test and troubleshoot via PR comments. For those using these kinds of solutions:

* Is troubleshooting complex changes via PR comments painful? Is there another workflow available in the tool you use?

* Do you allow any “power users” to run terraform manually when needed, trusting them to commit changes properly at the end?

I’m thinking of use cases like importing complex legacy resources that don’t currently match the “new” architecture. Today, I’d be iterating through many runs of terraform plan to identify differences, and resolve them through module updates or even ClickOps, until I could run an apply at the end a get everything fully synced. Similarly, when developing a new component, it may take a lot of iteration to get it right.

hello, I am trying to use cloudposse/terraform-aws-firewall-manager version 0.4.0 but I am running into a problem. I am trying to define multiple waf_v2_policies but I run into a problem. I would like to also enforce policy against CloudFront distributions but I know they're a special case, and need to be provisioned "globally" (aka in us-east-1) does anyone know how to go about doing that successfully? when I try to put a list of two policies (one for ALBs and one for CloudFront Distros), I get this error:

"Error: creating FMS Policy: InvalidInputException: Resource ["AWS::CloudFront::Distribution"] can not be used in region: us-east-2."

I'm not sure how to create a CloudFront-specific policy that gets set in the global region, while everything else gets provisioned in my otherwise default region of us-east-2 . Has anyone been able to do this? Once I figure it out I am happy to add an example to the module for future reference. thanks!!

https://github.com/terraform-aws-modules/terraform-aws-solutions#cloudwatch-log-retention-manager ready to use solution to deal with cloudwatch log groups without proper retention

v1.5.2
1.5.2 (June 28, 2023)
BUG FIXES:
configs: Multiple import blocks with the same id string no longer result in a validation error (#33434)

Hello Team, I am here to seek help. I am new to cloudposse. I am trying to implement datadog-synthetics-private-location Followed instructions on this page. If this is not the right place to seek help please point me to the right direction. Downloaded atmos.tool
1. I started with atmos tutorial and it works fine.
2. Created similar folder structure for datadog-synthetics-private-location . On terminal cd into datadog-synthetics-private-location folder and ran this command atmos terraform plan datadog-synthetics-private-location --stack=test .This gives me below error. I have Atmos.yaml file. What am I missing here?

│ Error: 
│ 'atmos.yaml' CLI config files not found in any of the searched paths: system dir, home dir, current dir, ENV vars.
│ You can download a sample config and adapt it to your requirements from <https://raw.githubusercontent.com/cloudposse/atmos/master/examples/complete/atmos.yaml>
│ 
│  with module.iam_roles.module.account_map.data.utils_component_config.config,
│  on .terraform/modules/iam_roles.account_map/modules/remote-state/main.tf line 1, in data "utils_component_config" "config":
│  1: data "utils_component_config" "config" {

I’ve got a question regarding the terraform-aws-sso module. Anyone else here use this to manage access to their AWS infra?

Crosspost from #aws :https://sweetops.slack.com/archives/CCT1E7JJY/p1688052257621759

Anyone else having issues installing TF providers right now?

hey guys,

i need one help on https://registry.terraform.io/modules/cloudposse/elasticache-redis/aws/latest?tab=inputs version 0.52.0

encountered an Errors related to https://github.com/cloudposse/terraform-aws-security-group/blob/main/normalize.tf

 Error: Invalid function argument
│ 
│   on .terraform/modules/redis.aws_security_group/normalize.tf line 32, in locals:
│   32:     self = lookup(rule, "self", null) == true ? true : null
│ 
│ Error: Invalid function argument
│ 
│   on .terraform/modules/redis.aws_security_group/normalize.tf line 27, in locals:
│   27:     source_security_group_id = lookup(rule, "source_security_group_id", null)
│ 
│ Invalid value for "inputMap" parameter: lookup() requires a map as the first argument.
│ Error: Invalid function argument
│ 
│   on .terraform/modules/redis.aws_security_group/normalize.tf line 20, in locals:
│   20:     description = lookup(rule, "description", local.default_rule_description)
│ 
│ Invalid value for "inputMap" parameter: lookup() requires a map as the first argument.

│ Error: Unsupported attribute
│ 
│   on .terraform/modules/redis.aws_security_group/normalize.tf line 19, in locals:
│   19:     protocol    = rule.protocol
│ 
│ Can't access attributes on a primitive-typed value (string).

like this and don't what to fix here

Please do let me know if i am missing anything on this.

aws = {
      source  = "hashicorp/aws"
      version = ">= 2.17.0"
}

###########
Terraform v1.5.2
on darwin_arm64
+ provider <http://registry.terraform.io/hashicorp/aws|registry.terraform.io/hashicorp/aws> v5.5.0

Can anyone help me with above issue

Thanks in Advance