53 messages
Krish over 2 years ago
Hey Guys, appreciate any help with this: https://stackoverflow.com/questions/74904283/how-to-pass-variables-between-terragrunt-workspaces ,
I've applied networks-vpc workspace first and have refreshed state that shows the outputs as well. However, unable to pass the subnet values into "ec2-amz-lnx" workspace. Not sure what I am doing wrong. Happy to provide any further info if needed. Thanks
Saichovsky over 2 years ago
Heya terraformers,
I would like to create an external data source but I see no timeouts… Is there a default value for reading this resource type because I have a script that is likely to run for about 10 minutes or so and I am hoping that my build does not fail due to a shorter timeout period
Jay over 2 years ago (edited)
Hi all, I'm using Terraform to deploy an EC2 instance on Windows Server 2022 (using AWS base image for this)
I have a user data script that is executed at launch with no problems on Server 2019 but for some reason it doesn't seem to work at launch on Server 2022.
The script runs fine when running it locally on the box. Wondering if anyone has come across this issue?
Psy-Q over 2 years ago (edited)
For terraform-aws-mq-broker there seems to be a deprecated argument now with aws 5.x:
│ Warning: Argument is deprecated
│
│ with module.mq.module.mq_broker.aws_ssm_parameter.mq_application_username[0],
│ on .terraform/modules/mq.mq_broker/main.tf line 74, in resource "aws_ssm_parameter" "mq_application_username":
│ 74: overwrite = var.overwrite_ssm_parameter
│
│ this attribute has been deprecated
I've created an issue if that's OK: https://github.com/cloudposse/terraform-aws-mq-broker/issues/64
Joe Perez over 2 years ago
Hello Terraformers! Here's a post that I created to show how you can grab a current list of VPC names in your environment https://www.taccoform.com/posts/tfg_p7/
Balazs Varga over 2 years ago
aws_organizations_account terraform module: how does it create an account under an OU?
Does it create directly under the OU, or create in root then move to OU?
Bruno Lucena over 2 years ago (edited)
Hi, I don't know if this is the right channel. Sometimes rolling out a helm update using cloudposse/helm-release/aws (version=0.8.1) "breaks" my helm deployment.
Thank you for any help
(⎈|arn:aws:eks:us-west-2:605322476540:cluster/notifi-uw2-dev-eks-cluster:default) bruno@t490s ~/Notifi/notifi-infra fix/change-trace-id-string helm ls -n prometheus --debug
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
oauth2-proxy-alertmanager prometheus 1 2023-07-06 20:01:06.47035317 +0000 UTC deployed oauth2-proxy-6.13.1 7.4.0
oauth2-proxy-prometheus prometheus 1 2023-07-06 20:01:00.401293758 +0000 UTC deployed oauth2-proxy-6.13.1 7.4.0
(⎈|arn:aws:eks:us-west-2:605322476540:cluster/notifi-uw2-dev-eks-cluster:default) bruno@t490s ~/Notifi/notifi-infra fix/change-trace-id-string k get secrets -n prometheus
NAME TYPE DATA AGE
alertmanager-kube-prometheus-stack-alertmanager Opaque 2 19h
alertmanager-kube-prometheus-stack-alertmanager-generated Opaque 2 19h
alertmanager-kube-prometheus-stack-alertmanager-tls-assets-0 Opaque 0 19h
alertmanager-kube-prometheus-stack-alertmanager-web-config Opaque 1 19h
kube-prometheus-stack-admission Opaque 3 19h
kube-prometheus-stack-grafana Opaque 3 19h
oauth2proxy-alertmanager Opaque 3 19h
oauth2proxy-prometheus Opaque 3 19h
prometheus-kube-prometheus-stack-prometheus Opaque 1 19h
prometheus-kube-prometheus-stack-prometheus-tls-assets-0 Opaque 1 19h
prometheus-kube-prometheus-stack-prometheus-web-config Opaque 1 19h
sh.helm.release.v1.kube-prometheus-stack.v1 helm.sh/release.v1 1 19h
sh.helm.release.v1.kube-prometheus-stack.v2 helm.sh/release.v1 1 37m
sh.helm.release.v1.kube-prometheus-stack.v3 helm.sh/release.v1 1 22m
sh.helm.release.v1.oauth2-proxy-alertmanager.v1 helm.sh/release.v1 1 19h
sh.helm.release.v1.oauth2-proxy-prometheus.v1 helm.sh/release.v1 1 19h
Bruno Lucena over 2 years ago
PS: I have to delete the secret and the release comes back
Daniel Ade over 2 years ago
Hey Guys, I've used terraform to create an ecs cluster and it works locally. When I try and use it in a GitHub action the terraform apply is successful but no resources are created, and when I check the terraform state via my local machine it says there are no resources. However when I then run a terraform apply from my local machine it says some roles already exist that didn't exist prior to the GitHub Actions apply. They are using the same back end so it shouldn't be a state file issue. Does anyone know what's happening?
Brian Ojeda over 2 years ago
I published a new TF module that allows you to utilize docker to build artifacts (e.g., zip file that contains lambda source code) without polluting the machine running TF and docker. May or may not find it useful, but I found it very useful. Especially for building lambda@edge functions that have deployment specific configuration.
https://registry.terraform.io/modules/sgtoj/artifact-packager/docker/latest
joshmyers over 2 years ago
Any Hashi folks in here these days? https://github.com/hashicorp/terraform-provider-aws/pull/31284 has been sitting there for 2 months.
Rajat Verma over 2 years ago
Hello #terraform Has anyone set up google binary authorization policy to sign the images in Google's AR?
mike over 2 years ago
Hey all. Is there a way to do string expressions in Terraform? For example, I have this:
resource "aws_ssm_parameter" "authz_server_name" {
  name = "server_name"
  value = module.authz_server_remote_state.outputs.authz_server_name
  description = "Server name"
  type = "String"
  overwrite = true
}
but I would like to do this:
resource "aws_ssm_parameter" "authz_server_name" {
  name = "server_name"
  value = eval("module.authz_server_remote_state.outputs." + var.value_key_name)
  description = "Server name"
  type = "String"
  overwrite = true
}
Is something like this possible with Terraform?
rss over 2 years ago (edited)
v1.5.3
1.5.3 (July 12, 2023)
BUG FIXES:
core: Terraform could fail to evaluate module outputs when they are used in a provider configuration during a destroy operation (#33462)
backend/consul: When failing to save state, consul CAS failed with transaction errors no longer shows an error instance memory address, but an actual error message....
Ralf Pieper over 2 years ago
What is the best book to learn Terraform?
Mahesh over 2 years ago
Hi All.. I am trying to create vpc using module.
module "vpc" {
  source = "cloudposse/vpc/aws"
  # Cloud Posse recommends pinning every module to a specific version
  version = "2.1.0"
  namespace = "eg"
  stage = "test"
  name = "app"
  ipv4_primary_cidr_block = "10.0.0.0/16"
  assign_generated_ipv6_cidr_block = false
}
But it is prompting to enter vpc_id for tfplan
Mahesh over 2 years ago
$ terraform plan
var.vpc_id
VPC ID where subnets will be created (e.g. vpc-aceb2723)
Enter a value:
Jay over 2 years ago
Hi, has anyone been able to successfully run userdata (powershell script) at launch of an EC2 instance on Windows Server 2022 using Amazon's base image for this?
Matt Gowie over 2 years ago
Hey @PePe Amengual -- Since you're the expert, how do you typically run Atlantis? ECS or just on EC2? Do you use the CP module? Any suggestions for success on that front?
PePe Amengual over 2 years ago
ECS
PePe Amengual over 2 years ago
a lot of people use Anton's atlantis module
PePe Amengual over 2 years ago
I use the cloudposse components in atmos
PePe Amengual over 2 years ago (edited)
the cloudposse module is severely out of date
PePe Amengual over 2 years ago
I just declare an ECS cluster and task def using the ghr image and pass the necessary variables
Matt Gowie over 2 years ago
Gotcha Thanks for the info!
Navester over 2 years ago
Hi All,
I'm new to this group and terraform. Can someone help me what's the best way to learn terraform? Any good GitHub repo to do hands on and learn?
Chris over 2 years ago
Is anyone here familiar with the cloudposse/label/null module?
We've just started adopting it in a project for consistency and would like to understand the best way to label some resources in a module.
For example, would you use the same label for a lambda function and a security group for the lambda function? Is there any guidance on best practices so as not to run into any naming issues?
Brian over 2 years ago
If anyone is using Yopass for secret sharing over the web, I have a TF module to deploy it to AWS managed/serverless resources. It uses CP's naming patterns.
https://github.com/sgtoj/terraform-aws-yopass
Graham over 2 years ago
Hi! I'm relatively new to Terraform, but have read "Up and Running".
I was looking for good templates on how to deploy a full web app end-to-end with best practices and came across the terraform-aws-ecs-web-app module. I was wondering whether people think it's generally good practice to use something end-to-end like this, or if it's better to avoid using a pre-packaged module for something as complex as this. Any opinions?
Bart Coddens over 2 years ago
Hi all, I am using this module: https://github.com/cloudposse/terraform-aws-security-group
Bart Coddens over 2 years ago
Can I point to another (already existing) security group as a destination?
Bart Coddens over 2 years ago
like this:
Bart Coddens over 2 years ago
Alex Atkinson over 2 years ago
Have the aws provider docs gone? https://registry.terraform.io/providers/hashicorp/aws/latest/docs
rss over 2 years ago (edited)
v1.6.0-alpha20230719
1.6.0-alpha20230719 (Unreleased)
NEW FEATURES:
terraform test: The previously experimental terraform test command has been moved out of experimental. This comes with a significant change in how Terraform tests are written and executed.
Terraform tests are now written within .tftest files, controlled by a series of run blocks. Each run block will execute a Terraform plan or apply command against the Terraform configuration under test and can execute conditions against the resultant plan and...
Frank over 2 years ago
Hi,
I'm currently reworking our Terraform setups which currently use the AWS Provider with assume_role. Now I want to move this over to use OIDC instead, so the assume_role needs to become assume_role_with_web_identity. This works fine in our pipelines however this does break running Terraform locally (we usually run a plan before committing it / creating an MR).
I'm not sure yet as to what the best approach would be to ensure that CI uses OIDC and local uses the "old" method, except for keeping the original assume_role in the provider config and adding a script in the pipeline that replaces that before running Terraform commands. But it feels like a bit of a dirty workaround.
Any ideas how to tackle this issue?
Mahesh over 2 years ago
hi ,
Mahesh over 2 years ago
Hi All,
I am trying to create VPC along with dynamic subnet modules.
locals {
  vpc_availability_zones = ["us-east-1a","us-east-1b","us-east-1c","us-east-2a","us-east-2b","us-east-2c"]
  use_az_ids = true
  az_name_map = {
    "us-east-1a" = "AZ-1",
    "us-east-1b" = "AZ-2",
    "us-east-1c" = "AZ-3",
    "us-east-2a" = "AZ-4",
    "us-east-2b" = "AZ-5",
    "us-east-2c" = "AZ-6"
    # Add more mappings for your availability zones
  }
}
module "vpc" {
  source = "cloudposse/vpc/aws"
  # Cloud Posse recommends pinning every module to a specific version
  version = "2.1.0"
  namespace = "eg"
  stage = "test"
  name = "app"
  ipv4_primary_cidr_block = "10.0.0.0/16"
  assign_generated_ipv6_cidr_block = false
}
module "dynamic_subnets" {
  source = "cloudposse/dynamic-subnets/aws"
  # Cloud Posse recommends pinning every module to a specific version
  # version = "x.x.x"
  namespace = "eg"
  stage = "test"
  name = "app"
  availability_zones = ["us-east-2a", "us-east-2b", "us-east-2c"]
  vpc_id = module.vpc.vpc_id
  igw_id = [module.vpc.igw_id]
  ipv4_cidr_block = ["10.0.0.0/16"]
}
Mahesh over 2 years ago
But I am getting the error
Error: Invalid index
│
│ on .terraform\modules\dynamic_subnets\outputs.tf line 9, in output "availability_zone_ids":
│ 9: for az in local.vpc_availability_zones : local.az_name_map[az]
│ ├────────────────
│ │ local.az_name_map is map of string with 6 elements
│
│ The given key does not identify an element in this collection value.
╵
╷
│ Error: Invalid index
│
│ on .terraform\modules\dynamic_subnets\outputs.tf line 9, in output "availability_zone_ids":
│ 9: for az in local.vpc_availability_zones : local.az_name_map[az]
│ ├────────────────
│ │ local.az_name_map is map of string with 6 elements
│
│ The given key does not identify an element in this collection value.
╵
╷
│ Error: Invalid index
│
│ on .terraform\modules\dynamic_subnets\outputs.tf line 9, in output "availability_zone_ids":
│ 9: for az in local.vpc_availability_zones : local.az_name_map[az]
│ ├────────────────
│ │ local.az_name_map is map of string with 6 elements
│
│ The given key does not identify an element in this collection value.
Mahesh over 2 years ago
In spite of locals defined.. throwing error
jonjitsu over 2 years ago (edited)
Anyone have any articles, books or videos discussing approaches and tooling for dealing with large amounts of infrastructure code? I'm looking for experiential opinions on:
- dealing with a lot of terraform workspaces and their potential interdependencies
- module versioning approaches (use a proper registry or just use git sources)
- keeping workspaces up to date
- terraform version: often something is built and then activity on that thing stops, someone goes in a few years later to do something and realizes it was built with terraform 0.0.1 which doesn't even exist for your new m1 mac
- provider versions: upgrading providers causes a property to become a resource
- apply approaches: apply from workstation or use something like atlantis to have somewhat a log of applies along with some group review
- monorepo vs 1 repo per module vs 1 repo per module group
Muhammad Taqi over 2 years ago
Hi folks, I'm using rds module and getting
Error: creating RDS DB Instance (dev-devdb): InvalidParameterValue: Invalid master user name
Is this related to database_user variable?
Chris over 2 years ago
Has anyone had any good/bad experiences with Terragrunt? We're considering adopting it to be more DRY.
Brian over 2 years ago (edited)
Should the name field for each account be the same value of stage in the account component module (aws-terraform-components)?
Full context in the 🧵
PePe Amengual over 2 years ago
Terraform cloud question: 🧵
Charles Rey over 2 years ago
Hello all, quick question on Terraform deployed via Github actions to AWS. I'm looking for a complete guide on how to do it correctly and what to include/exclude. Would anyone have any suggestions please? Some documents mention Route 53 config, others don't, so it's all very confusing
Justin Picar over 2 years ago
Hey all! Had a question about Terraform and AWS IAM, specifically using the aws_iam_policy resource.
Context: When I run terraform apply to update a policy, AWS performs 2 operations in the background: CreatePolicyVersion and DeletePolicyVersion (since I'm always at the customer managed-policy limit of 5). According to the AWS doc https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicyVersion.html, the API call has the request parameter "SetAsDefault".
Question: is it possible to configure Terraform so that running terraform apply on the modified aws_iam_policy resource has AWS run CreatePolicyVersion without setting the new policy as default?
rss over 2 years ago (edited)
v1.5.4
1.5.4 (July 26, 2023)
BUG FIXES:
check blocks: Fixes crash when nested data sources are within configuration targeted by the terraform import command. (#33578)
check blocks: Check blocks now operate in line with other checkable objects by also executing during import operations. (<a...
tommy.walker over 2 years ago (edited)
Hi folks,
Anyone have the bandwidth to opine a little bit at someone just starting out with Terraform?
We're a shop who has lots of AWS stuff built out on cloudformation, and we are just starting to build out stuff in terraform. We're getting to the point where we need to design a platform for running our terraform, figuring out where we'll save state, etc. More threaded!
Joaquin Menchaca over 2 years ago
How could I apply indent to multiline string in Terraform template? The following below only indents the first line.
grafana:
dashboards:
default:
dgraph-control-plane-dashboard:
json: |
${indent(8, "${dashboard_dgraph_control_plane}")}
Mahesh over 2 years ago
Team, I am wondering if we can assign custom endpoint (manually created) to RDS cluster writer instances via terraform
Graham over 2 years ago
Hi! I have a conceptual question about deploying multiple lightly-dependent services through terraform. Specifically I'd like to know whether I should 1. run terraform apply separately on each service, or 2. create one monolithic terraform file (with modules) and run terraform apply once on this. Details in the thread.