39 messages
Mark Lakewood over 2 years ago
Hi All, I was hoping to create some validation for some variables in a module. I have a list of strings that the incoming variable needs to be one of. What I would like is to have a single list and then use that list in the validation and the error message. Like so
locals {
  components = ["django", "rabbitmq"]
}
variable "asset_component" {
  type = string
  validation {
    condition = contains(locals.components, var.asset_component)
    error_message = "Invalid input, options: ${join(", ", local.components)}."
  }
}
Mark Lakewood over 2 years ago
But when I do that I get the following error
│ Error: Invalid reference in variable validation
│
│ on ../modules/switchdin-tags/variables.tf line 44, in variable "asset_component":
│ 44: error_message = "Invalid input, options: ${join(", ", local.components)}."
│
│ The error message for variable "asset_component" can only refer to the variable itself, using var.asset_component.
Mark Lakewood over 2 years ago
Any tips on how to wrangle this better?
James Worville over 2 years ago
Reference: https://github.com/cloudposse/terraform-opsgenie-incident-management - does anyone have any guidance on how best to integrate this across multiple environments and subsequently link it up to the end services they want to alert from? Would you deploy the module three times for each of dev, uat and prod or just deploy it once and handle the alert config within that module?
laerti over 2 years ago
hello everyone, quick question. What is the recommended way to upgrade a redis cluster using https://github.com/cloudposse/terraform-aws-elasticache-redis. Updating just engine version and family is not possible because of the following error:
╷
│ Error: deleting ElastiCache Parameter Group (poller): InvalidCacheParameterGroupState: One or more cache clusters are still members of this parameter group poller, so the group cannot be deleted.
│ status code: 400, request id: 00e2d0be-e52c-435d-9731-a1d8a382feb5
Mahesh over 2 years ago
Hi All.. I am trying to create multiple lambda functions using https://github.com/cloudposse/terraform-aws-lambda-function in the same tf file. Any hints to achieve?
Hao Wang over 2 years ago (edited)
open-source Terraform registry: https://github.com/terrariumcloud/terrarium-lite
rss over 2 years ago
v1.6.0
1.6.0 (October 4, 2023)
UPGRADE NOTES:
On macOS, Terraform now requires macOS 10.15 Catalina or later; support for previous versions has been discontinued.
On Windows, Terraform now requires at least Windows 10 or Windows Server 2016; support for previous versions has been discontinued.
The S3 backend has a number of significant changes to its configuration format in this release, intended to match with recent changes in the hashicorp/aws provider:
Configuration settings related to assuming...
jaysun over 2 years ago
with the hashicorp open source fiasco, do all of the supporters / contributors plan to support ONLY opentofu?
jaysun over 2 years ago
(and not terraform post version xyz)
Soren Jensen over 2 years ago
All our GitHub pipelines are suddenly failing with this error across all accounts:
Error while initializing Terraform:
Error: Invalid KMS Key ARN
on backend.tf line 2, in terraform:
2: backend "s3" {}
Value must be a valid KMS Key ARN, got
"arn:aws:kms:eu-west-1:account_id:alias/aws/s3"
Nothing I'm aware of has changed, the role we use got the same policy as it has for months, same for the S3 bucket and KMS key.
If I checkout the repo and run the same code locally everything works as expected
Mark Lakewood over 2 years ago
Ok, so I'm trying to use the default_tags stuff to automatically tag my AWS resources. But I get a perpetual diff on the tags_all attribute like
# aws_iam_instance_profile.sep2app will be updated in-place
~ resource "aws_iam_instance_profile" "sep2app" {
id = "AppInstance"
name = "AppInstance"
tags = {}
~ tags_all = {} -> (known after apply)
# (5 unchanged attributes hidden)
}
Mark Lakewood over 2 years ago
No matter how many times I apply this it is still a diff. I ran across this issue -> https://github.com/hashicorp/terraform-provider-aws/issues/18311 which seems to suggest that it's a case of default_tags and tags interacting with each other in a not so great way. This particular resource doesn't have tags attached onto it. And I think I have the right provider versions
required_providers {
  aws = {
    source = "hashicorp/aws"
    version = "~> 5.6.0"
  }
}
Mark Lakewood over 2 years ago
Any tips?
Michael Baldry over 2 years ago
Hi there, I'm trying to add actions to an module with source = "cloudposse/s3-bucket/aws" via allowed_bucket_actions but changing this and applying the configuration, it doesn't see any changes
Pawel Rein over 2 years ago
When running TF in CI, what do people do with the TF output to be able to browse it later or alert on errors? It's not formatted like logs. For the moment we rely on a wrapper to capture errors, but that's a bit ugly
sheldonh over 2 years ago
Has anyone done a comparison of what you gain from the new terraform testing approach vs terratest?
Mark Lakewood over 2 years ago
So we have a monorepo of terraform with a bunch of different folders containing different sets of terraform. Each with its own provider and statefile. I understand that you can't use variables in the Provider or Configuration blocks, which makes centralizing the version of all these different things difficult. How do folks do this?
rss over 2 years ago (edited)
v1.6.1
1.6.1 (October 10, 2023)
ENHANCEMENTS:
backend/s3: The skip_requesting_account_id argument supports AWS API implementations that do not have the IAM, STS, or metadata API. (#34002)
BUG FIXES:
config: Using sensitive values as one or both of the results of a conditional expression will no longer crash. ...
Pawel Rein over 2 years ago
does anyone ship terraform output to log analytics tools? I have TF running in CI that ships raw (not JSON) logs to a SaaS tool. The problem is these are not logs so no way to filter for errors (no severity information other than the color coding). There must be a better way, right?
Brent G over 2 years ago (edited)
If I have a data source, how am I supposed to debug to verify exactly what that returned data looks like considering console won't let you look at it
Brent G over 2 years ago
it just tells me known after apply, but can't apply because it's not what I'm expecting
Ahmed Kamal over 2 years ago
Hello .. This looks like a pretty simple PR to fix EFS for ECS .. Can we please get it merged as I’m blocked on it. Thanks!
https://github.com/cloudposse/terraform-aws-ecs-web-app/pull/235/files
Xu Pengfei over 2 years ago
https://medium.com/@xpf6677/writing-terraform-plan-polices-with-kcl-programming-language-ce94a6236798 Hi folks! I just published a blog on Medium about the terraform planning policy writing with the KCL programming language. Welcome to read and provide feedback. ❤️
Sebastian Mank over 2 years ago
hey,
is there an option for configuring a pidMode in the terraform-aws-ecs-container-definition module?
rohit over 2 years ago
How do people manage secrets when using terraform and kubernetes? We hand off some code, customer deploys product in their environment, and we want to prevent them from tampering or seeing those secrets (in backend state or aws secrets manager). Any thoughts or suggestions would be much appreciated!
Leo over 2 years ago
How do people manage resources that should exist as a singleton, i.e. outside the usual dev/stag/prod structure? For example a route53 registered domain, or an IAM user. Would you have something like a general environment, or take a different approach? 🤔
rss over 2 years ago (edited)
v1.6.2
1.6.2 (October 18, 2023)
BUG FIXES
terraform test: Fix performance issues when using provisioners within configs being tested. (#34026)
terraform test: Only process and parse relevant variables for each run block. (https://github.com/hashicorp/terraform/pull/34072) ...
Soren Jensen over 2 years ago
I'm curious to understand what others are doing regarding Terraform vs OpenTofu. Migrating a production env to OpenTofu alpha release sounds scary. 😬 Should I keep my Terraform version fixed at v1.5.7 to be sure my state file and infra is compliant with OpenTofu when we at some stage in the future decide to make the change. Or is the general consensus here to keep using Terraform at the latest version and worry about the future another time?
managedkaos over 2 years ago
I usually alias terraform to t so this switch shouldn't be too hard 🫣
https://thenewstack.io/getting-started-with-opentofu-alpha/
Mike Vanbuskirk over 2 years ago
any Spacelift users seeing an issue with tracking/head commits not syncing on their stacks?
rss over 2 years ago (edited)
v1.7.0-alpha20231025
1.7.0-alpha20231025 (October 25, 2023)
UPGRADE NOTES:
Input validations are being restored to the state file in this version of Terraform. Due to a state interoperability issue (#33770) in earlier versions, users that require interaction between different minor series should ensure they have upgraded to the following patches:
Users...
Michael over 2 years ago
Are there any plans to add OpenTofu releases to this channel?
setheryops over 2 years ago
I'm hitting a wall with "Provider configuration not present" errors...details in the thread...
Matt Gowie over 2 years ago
Just published a blog post on Cloud Posse's terraform-null-label that we all know and love: https://masterpoint.io/updates/terraform-null-label/
Sergei over 2 years ago (edited)
Hi all,
We are running Terragrunt OSS and were planning to update both Terraform and Terragrunt to the latest version at some point.
Back in August, Terragrunt released a statement where it said that ‘commercial products’ would not be supported beyond 1.5.5: https://blog.gruntwork.io/the-impact-of-the-hashicorp-license-change-on-gruntwork-customers-5fcd096ba86a
At that point I thought, fine, that does not affect us because we were not using ‘commercial products’.
Now we are finally ready to update both Terragrunt and Terraform but when looking at the ‘supported versions’ page it looks like only OpenTofu is supported with Terraform 1.6.x:
https://terragrunt.gruntwork.io/docs/getting-started/supported-versions/
This is confusing to me. Does it mean “Terraform 1.6.x is not supported yet”? Or does it mean “Terraform 1.6.x will not be supported, even for OSS Terragrunt”?
Brent G over 2 years ago
Currently have a project with remote state. Doing some refactoring, going to have to be doing some state mv'ing, is there a 'best practice' for testing state changes locally before pushing the refactor and doing the mv's on the remote state?
Utpal Nadiger over 2 years ago
Created this so that users can compare the following tacos head to head:
Atlantis, Digger, Spacelift, Env0, Scalr and Terraform Cloud.
All data was taken either from the repos, AWS marketplace or websites of the above tacos.
https://www.tacosheadtohead.com/
PS: if anyone wants to add their TACO, happy to add it, feel free to DM me the information along with publicly available links.
Dhamodharan over 2 years ago
Hi all,
I am trying to create a GCP service account using Terraform. I could create it, but I wanted to download the private_key JSON file as well. I tried to create it using an output resource in Terraform, but it seems like the format is different. It is not the same as the one we create in the web console.
Can someone help me with the procedure to get the key in JSON format, the same as when it is created the manual way?