50 messages
rss over 2 years ago (edited)
v1.6.0-alpha20230802
1.6.0-alpha20230802 (August 02, 2023)
NEW FEATURES:
terraform test: The previously experimental terraform test command has been moved out of experimental. This comes with a significant change in how Terraform tests are written and executed.
Terraform tests are now written within .tftest.hcl files, controlled by a series of run blocks. Each run block will execute a Terraform plan or apply command against the Terraform configuration under test and can execute conditions against the resultant...
Andrew Schwartz over 2 years ago
I'm trying to customize the image used for the datadog agent, specifically to install the puma integration as described here. Datadog support directs me at running this command in the image build. I am having trouble figuring out where to start looking to do this. In our configuration, we have a datadog-agent terraform component, but the abstraction is too great for my limited terraform knowledge to figure out how to dig deeper. I see that this component defines
module "datadog_agent" {
  source = "cloudposse/helm-release/aws"
but I am unable to make sense of this terraform source to understand where it sources the datadog agent image, and how I could go about customizing ours. If anyone could give me a few pointers to help me know where to look, it'd be greatly appreciated!
Erik Osterman (Cloud Posse) over 2 years ago
O K over 2 years ago (edited)
Do you know why I'm getting this DNS fwd/rev mismatch error for aws msk module? previously I used different older module and didn't see such error
nc -vz msk-dev-broker-1.dev.project.internal 9092
DNS fwd/rev mismatch: b-1.egdev1devmskdev.avevhi.c8.kafka.eu-central-1.amazonaws.com != ip-10-10-21-57.eu-central-1.compute.internal
b-1.egdev1devmskdev.avevhi.c8.kafka.eu-central-1.amazonaws.com [10.10.21.57] 9092 (?) open
Brent G over 2 years ago
Do none of the cloudposse subnet modules (dynamic, multi-az, named) support a single NAT gateway mode, rather than a 1 per az? They all seem to feed off the number of priv subnets you pass in
el over 2 years ago
hey all, anyone have advice for 1) sorting a variables.tf file alphabetically, and 2) linting variables to make sure they all have types and descriptions?
Elad Levi over 2 years ago
I would appreciate if you could take a look on the PR
It's for firewall-manager - waf_v2.tf
@Andriy Knysh (Cloud Posse) @Dan Miller (Cloud Posse)
rss over 2 years ago (edited)
v1.6.0-alpha20230816
1.6.0-alpha20230816 (Unreleased)
NEW FEATURES:
terraform test: The previously experimental terraform test command has been moved out of experimental. This comes with a significant change in how Terraform tests are written and executed.
Terraform tests are now written within .tftest.hcl files, controlled by a series of run blocks. Each run block will execute a Terraform plan or apply command against the Terraform configuration under test and can execute conditions against the resultant plan...
el over 2 years ago
anyone know of any tools to facilitate provider upgrades? I'm looking at dependabot and wondering if I should consider something else
Meriç Özkayagan over 2 years ago (edited)
Hello, I have a question. In the https://github.com/cloudposse/terraform-aws-cloudwatch-events module I am trying to create an event_pattern, I am using terragrunt to create an here is my terragrunt.hcl. Where I do not understand is whatever I've tried the event pattern is always wrong.
include {
  path = find_in_parent_folders()
}
locals {
  common_vars                       = yamldecode(file(find_in_parent_folders("common_vars.yaml")))
  name                              = "cms"
  cloudwatch_event_rule_description = "ecs task autoscale was stopped from an external state"
  cloudwatch_event_rule_is_enabled  = true
  cloudwatch_event_target_id        = "ECSTaskStopped"
  cloudwatch_event_rule_pattern = {
    source      = ["aws.ecs"]
    detail-type = ["ECS Task State Change"]
    detail = {
      group = ["service:${local.common_vars.namespace}-${local.common_vars.environment}-${local.name}"]
      stoppedReason = [{
        anything-but = {
          prefix = "Scaling activity initiated by (deployment"
        }
      }]
      lastStatus = ["STOPPED"]
    }
  }
}
terraform {
  source = "github.com/cloudposse/terraform-aws-cloudwatch-events//.?ref=0.6.1"
}
inputs = {
  name                              = "${local.common_vars.namespace}-${local.common_vars.environment}-${local.name}"
  cloudwatch_event_target_arn       = dependency.sns_topic.outputs.sns_topic_arn
  cloudwatch_event_rule_description = local.cloudwatch_event_rule_description
  cloudwatch_event_rule_is_enabled  = local.cloudwatch_event_rule_is_enabled
  cloudwatch_event_target_id        = local.cloudwatch_event_target_id
  cloudwatch_event_rule_pattern     = local.cloudwatch_event_rule_pattern
  tags                              = local.common_vars.tags
}
dependency "sns_topic" {
  config_path = "../../sns/slack-notify"
}
I am not 100% sure that the event pattern is correct, but I have tried with the example in the module too it is not working and here is the error message.
aws_cloudwatch_event_rule.this: Creating...
╷
│ Error: creating EventBridge Rule (dummy-service-name): InvalidEventPatternException: Event pattern is not valid. Reason: Filter is not an object
│ at [Source: (String)""{\"detail\":{\"eventTypeCategory\":[\"issue\"],\"service\":[\"EC2\"]},\"detail-type\":[\"AWS Health Event\"],\"source\":[\"aws.health\"]}""; line: 1, column: 2]
│
│ with aws_cloudwatch_event_rule.this,
│ on main.tf line 10, in resource "aws_cloudwatch_event_rule" "this":
│ 10: resource "aws_cloudwatch_event_rule" "this" {
│
Any ideas here ?
Kirupa Karan over 2 years ago
Hi all, I was trying to create eks cluster using terraform with eksctl cluster config file, however terraform eksctl provider doesn't have any proper documentation and updates, is there any way to achieve this, please suggest
Ben G over 2 years ago (edited)
Our team recently released an open source tool, cloud-concierge, a container that implements drift-detection, codification, cost estimation and security scanning, allowing you to add these features to an existing Terraform management stack. All results are output directly as a Pull Request. Still very early stages, so please share any and all feedback! https://github.com/dragondrop-cloud/cloud-concierge, video demo of managed instance attached below
Matt Gowie over 2 years ago
Cross-posting here as a suggestion from a commenter: https://sweetops.slack.com/archives/CB2PXUHLL/p1691684768008609
Andrew Miskell over 2 years ago
Hey all, looking for a little assistance/advice (e.g. if I'm doing it wrong) on terraform. I want to have a map of configuration for each tenant and their configuration that I can reference to pass into something like the aws ec2_instance module to create EC2 instances. My configuration block looks something like below as an example.
locals {
  tenant_config = {
    tenant1 = {
      ec2_config = {
        vm1 = {
          instance_type    = "m6i.xlarge"
          root_volume_size = "32"
          data_volume_size = "200"
        },
        vm2 = {
          instance_type    = "m6i.2xlarge"
          root_volume_size = "32"
          data_volume_size = "500"
        },
        vm3 = {
          instance_type    = "m6i.4xlarge"
          root_volume_size = "32"
          data_volume_size = "250"
        }
      },
      elastic_ips = {
        vm1 = ["1.1.1.1"],
        vm2 = ["1.1.1.2"],
        vm3 = ["1.1.1.3"]
      }
    },
    tenant2 = {
      ec2_config = {
        vm1 = {
          instance_type    = "m6i.xlarge"
          root_volume_size = "32"
          data_volume_size = "200"
        },
        vm2 = {
          instance_type    = "m6i.2xlarge"
          root_volume_size = "32"
          data_volume_size = "500"
        }
      },
      elastic_ips = {
        vm1 = ["1.1.1.4"],
        vm2 = ["1.1.1.5"]
      }
    }
  }
}
and the module I'm using (the variables are all currently broken because I can't figure out a good way to reference the items in the map).
module "ec2_instance" {
  source             = "terraform-aws-modules/ec2-instance/aws"
  for_each           = var.ec2_config
  name               = "${var.tenant}-${each.key}"
  ami                = try(each.value.ami, "ami-xxxxxx")
  instance_type      = try(each.value.instance_type, "m6i.large")
  key_name           = try(each.value.key_name, "ssh_key")
  monitoring         = true
  enable_volume_tags = false
  root_block_device = [
    {
      delete_on_termination = false
      encrypted             = true
      volume_size           = try(each.value.root_volume_size, null)
      volume_type           = try(each.value.root_volume_type, "gp3")
      iops                  = try(each.value.root_volume_iops, null)
      throughput            = try(each.value.root_volume_throughput, null)
      tags = merge(var.default_tags, {
        Name   = "${var.tenant}-${each.key} - root"
        Tenant = "${var.tenant}"
      })
    }
  ]
  network_interface = [
    {
      device_index          = 0
      network_interface_id  = aws_network_interface.private_interface[each.key].id
      delete_on_termination = false
    }
  ]
}
resource "aws_ebs_volume" "data" {
  for_each          = var.ec2_config
  availability_zone = element(random_shuffle.availability_zone[each.key].result, 0)
  encrypted         = true
  size              = try(each.value.data_volume_size, 100)
  type              = try(each.value.data_volume_type, "gp3")
  iops              = try(each.value.data_volume_iops, null)
  throughput        = try(each.value.data_volume_throughput, null)
  final_snapshot    = true
  tags = {
    Name   = "${var.tenant}-${each.key} - data"
    Tenant = "${var.tenant}"
  }
}
resource "aws_volume_attachment" "data" {
  for_each    = var.ec2_config
  device_name = "/dev/sdf"
  volume_id   = aws_ebs_volume.data[each.key].id
  instance_id = module.ec2_instance[each.key].id
}
There's probably some for loop magic to do what I want but I still have a really hard time wrapping my head around using for loops in terraform.
Any suggestions? Am I going about this all wrong?
zetta.βxv over 2 years ago
random question, anyone by any chance have a list of times Hashicorp have changed their pricing model for TFC/TFE? I think that could help me elaborate why I really don't trust them cause they keep changing the game and majority of time results in an expensive bill for its customers u_u
Eamon Keane over 2 years ago (edited)
interview with Terragrunt, Massdriver and Terrateam. They sound confident that collectively they have enough FTEs and VC dollars to support the fork which will be published next week.
> we estimated that Hashicorp has a small fraction of the people working on Terraform as compared to what we can marshall as a consortium.
> ...
> we had members of the terraform core contributor team from times past express their support
Also sounds like morale at Hashicorp is pretty low so perhaps some current maintainers could be enticed.
https://www.youtube.com/watch?v=QaU94LY891M&t=134s
Erik Osterman (Cloud Posse) over 2 years ago (edited)
Hao Wang over 2 years ago
I am seeing a similar trend as when MySQL was acquired by Oracle/SUN, now it is another time to migrate from Terraform to next software,
System Initiative may be the one
Hao Wang over 2 years ago
Their github repo needs more loves
Alex Jurkiewicz over 2 years ago
i'm surprised how little pulumi seems to have gotten in the past week
Kunalsing Thakur over 2 years ago
then what about opentf
Kunalsing Thakur over 2 years ago
?
Kunalsing Thakur over 2 years ago
if systeminit
Kunalsing Thakur over 2 years ago
is it alternative to terraform
Kunalsing Thakur over 2 years ago
is it opensource
Hao Wang over 2 years ago (edited)
Maybe SI's ambition is not to replace Terraform, https://github.com/systeminit/si/issues/2694#issuecomment-1692290443
Erik Osterman (Cloud Posse) over 2 years ago
OpenTF fork & roadmap announced today
https://github.com/orgs/opentffoundation/projects/3
sheldonh over 2 years ago
Is there any go pkg that wraps up cli better than just invoking directly or even better using the hashicorp source directly?
I think terratest has methods but wanted to know something else out there that was well recognized for Go based control eliminating wrapper around cli.
Going to write some tf automation today /refactor and figured maybe y'all here had a good recommendation. Well supported/used and org maintained.
MrAtheist over 2 years ago
With regards to templatefile, is there a way to do some sort of bash magic like around array expansion...?
# within the template, and I'm only doing this because it doesn't recognize local variables, and I need to pass in the var from template_file... /facepalm
# anyways, as you can see in my snippet I need to expand the array but somehow tf doesn't like @...
jq --null-input \
--arg region "${AWS_REGION}" \
--argjson collect_list_json "$(echo ${COLLECT_LIST[@]} | jq -Rs....
...
# error
Call to function "templatefile" failed: ...../user-data.sh:58,64-65: Invalid character; This character is not used within the language., and 1 other diagnostic(s)
it worked with echo $COLLECT_LIST[@] , but that's not the result I wanted
Erik Osterman (Cloud Posse) over 2 years ago
Michael Lee over 2 years ago (edited)
Hi all, I have a question regarding terraform elastic beanstalk: https://registry.terraform.io/modules/cloudposse/elastic-beanstalk-environment/aws/latest
When running the complete example from https://github.com/cloudposse/terraform-aws-elastic-beanstalk-environment/tree/main/examples/complete w/ terraform apply, I get the following error:
module.elastic_beanstalk_environment.data.aws_lb_listener.http[0]: Still reading... [30s elapsed]
module.elastic_beanstalk_environment.module.dns_hostname.aws_route53_record.default[0]: Still creating... [30s elapsed]
module.elastic_beanstalk_environment.data.aws_lb_listener.http[0]: Still reading... [40s elapsed]
module.elastic_beanstalk_environment.module.dns_hostname.aws_route53_record.default[0]: Still creating... [40s elapsed]
module.elastic_beanstalk_environment.module.dns_hostname.aws_route53_record.default[0]: Creation complete after 40s [id=Z0GNBFM_api_CNAME]
╷
│ Error: Search returned 0 results, please revise so only one is returned
│
│ with module.elastic_beanstalk_environment.data.aws_lb_listener.http[0],
│ on .terraform/modules/elastic_beanstalk_environment/main.tf line 1125, in data "aws_lb_listener" "http":
│ 1125: data "aws_lb_listener" "http" {
│
╵
Any help will be appreciated, thanks in advance.
Mahesh over 2 years ago
When I am using
module "lambda" {
  source  = "cloudposse/lambda-function/aws"
  version = "0.5.1"
In spite of placing context.tf which has this module, when I run tfplan shows below error
│ Error: Reference to undeclared module
│
│ on main.tf line 5, in locals:
│ 5: policy_name_inside = "${module.label.id}-inside"
│
│ No module call named "label" is declared in the root module.
╵
╷
│ Error: Reference to undeclared resource
│
│ on main.tf line 10, in locals:
│ 10: join("", data.aws_caller_identity.current.*.account_id),
│
│ A data resource "aws_caller_identity" "current" has not been declared in the root module.
Any hints will be appreciated.
Michael Lee over 2 years ago (edited)
Hi all, I'm provisioning an elastic beanstalk environment along the eb application.
I was able to provision the eb using the complete example.
Now I want to provision RDS and Elasticache (single node redis).
Does anyone have example for it?
Thanks in advance.
Aaron over 2 years ago
Hi, I was just looking at the terraform-aws-route53-dnssec module but this seems to miss off the part where you establish a chain of trust (https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-configuring-dnssec-enable-signing.html) section 3… Is there any way to do this as I can't see a way to create an output of the public key that's generated when dnssec is enabled with the ksk. It seems that I can only create the chain of trust either through cli or through the console. Thanks, Aaron
Igor Zalutski over 2 years ago (edited)
^ whoa that's getting viral
Igor here, building Digger and supporting OpenTF
super humbled to see that level of support - thank you guys so much for spreading the word!
Funny chart:
loren over 2 years ago (edited)
new enhancement request on the aws provider, would appreciate thumbs-up if you have the same use case...
https://github.com/hashicorp/terraform-provider-aws/issues/33242
Erik Osterman (Cloud Posse) over 2 years ago
PePe Amengual over 2 years ago (edited)
Someone in my company posted this:
Hashicorp has updated the terms of use for their registry:
https://registry.terraform.io/terms
Looking via the wayback machine: https://web.archive.org/web/20221220134052/https://registry.terraform.io/terms
The part that changed (section 2)
Original:
> You may download or copy the Content (and other items displayed on the Services for download) for personal non-commercial use only, provided that you maintain all copyright and other notices contained in such Content.
New:
> You may download providers, modules, policy libraries and/or other Services or Content from this website solely for use with, or in support of, HashiCorp Terraform. You may download or copy the Content (and other items displayed on the Services for download) for personal non-commercial use only, provided that you maintain all copyright and other notices contained in such Content.
So that reads as:
You may not use anything hosted on registry.terraform.io? but providers are MPL no?
Hao Wang over 2 years ago
I'm waiting for the CTO of Hashicorp to leave and join another Opensource company, his style of vision and presentations are convincing