27 messages
rss about 2 years ago (edited)
v1.7.0-beta1
1.7.0-beta1 (December 6, 2023)
UPGRADE NOTES:
Input validations are being restored to the state file in this version of Terraform. Due to a state interoperability issue (#33770) in earlier versions, users that require interaction between different minor series should ensure they have upgraded to the following patches:
Users of...
Andrew den Hertog about 2 years ago
Hi all, I'm using the cloudposse/elasticache-redis/aws terraform module, and every time I update the security group rules with a new rule, I run into the error from terraform saying that there is a conflicting rule.
Upon investigation I noticed that this module is using cloudposse/security-group/aws version 1.0.1, and the latest version of that module is 2.2.0. Is there a particular reason this module hasn't been bumped? I've tested it locally in a fork, and it appears to be working and resolved my issue
setheryops about 2 years ago
Does anyone have an example of doing a data lookup of subnet cidrs in a vpc and then adding those cidrs into a cidr_block in a security group? I'm having to refactor some very old code and I'm running into a roadblock here. Code in thread.
setheryops about 2 years ago
Since I'm updating a security group, does this mean the actual instance will be replaced and get a new instance ID, OR does this mean that the instance will stay as is and terraform will just replace the SG that's attached to it?
  # module.thing.aws_instance.instance[0] will be updated in-place
  ~ resource "aws_instance" "instance" {
        id = "i-1234567890"
        tags = {
            "Environment" = "prod"
            "Name" = "thing-api1"
            "Role" = "thing-api"
            "Service" = "thing"
            "Team" = "thing"
        }
      ~ vpc_security_group_ids = [
          - "sg-0987654321",
            # (1 unchanged element hidden)
        ]
        # (34 unchanged attributes hidden)
        # (7 unchanged blocks hidden)
    }
nkt about 2 years ago
Hi, I’m looking for an example of how to implement AWS Backup with RDS in terraform. The docs are very confusing and mostly don’t give complete examples for RDS. Any help would be greatly appreciated!
Kfir about 2 years ago
Hello, I'm seeking your advice on the best tools to integrate Terraform with GitOps. Options I'm considering include Atlantis, env0, and HashiCorp Cloud (there's more to consider?).
My primary criteria are ease of use, a comprehensive set of features, and reliability.
Budget constraints are not a concern in this scenario.
Which solution would you recommend based on these requirements?
michaelssingh about 2 years ago
Hello, I am looking for a baseline (basically what you would build in a green field AWS project if you had the chance) of sorts that aligns well with the AWS Architected framework that exists in Terraform, something similar to GCP’s Foundational Toolkit. Articles or blog posts are welcomed, but ideally I’d love to just look at some code.
Mannan Bhuiyan about 2 years ago
Hello friends,
Can any of you help me to deploy website deployment in S3 with Codepipeline using terraform?🙏
Dhamodharan about 2 years ago
Hello All,
I am trying to create a service account in GCP using terraform, also I want to generate a private key for that SA with JSON format. I have followed the terraform documentation and added the below block in the code but still I am unable to get the output in JSON format,
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_key#private_key_type
resource "google_service_account" "user1" {
  account_id   = "dev_google_service_account"
  display_name = "dev_google_service_account"
}
resource "google_service_account_key" "sa_private_key" {
  service_account_id = google_service_account.user1.name
  private_key_type   = "TYPE_GOOGLE_CREDENTIALS_FILE"
}
output "service_account_key" {
  value     = google_service_account_key.sa_private_key.private_key
  sensitive = true
}
But I am unable to download the key in JSON format, can someone help me to get this?
Alcp about 2 years ago
I am trying to do an automation where the user provides a list of principals, i.e. IAM roles, which have to be assigned to an IAM policy. I often run into an issue if one of the principals doesn't exist in the account or there is a typo in the value.
How could I ignore the errors and apply the principals that are valid?
PePe Amengual about 2 years ago (edited)
Has anyone been able to import an aws_organizations_account to an existing org? I’m getting Import successful but terraform state list does not show the index for the resource at all 🧵
rss about 2 years ago (edited)
v1.7.0-beta2
1.7.0-beta2 (December 13, 2023)
UPGRADE NOTES:
Input validations are being restored to the state file in this version of Terraform. Due to a state interoperability issue (#33770) in earlier versions, users that require interaction between different minor series should ensure they have upgraded to the following patches:
Users of...
rss about 2 years ago (edited)
v1.6.6
1.6.6 (December 13, 2023)
BUG FIXES:
terraform test: Stop attempting to destroy run blocks that have no actual infrastructure to destroy. This fixes an issue where attempts to destroy "verification" run blocks that load only data sources would fail if the underlying infrastructure referenced by the run blocks had already been destroyed. (https://github.com/hashicorp/terraform/pull/34331...
Igor Rodionov about 2 years ago
Hashimoto left HashiCorp
PePe Amengual about 2 years ago
I just deployed Config and Security hub using the CloudPosse components but then I saw this:
PePe Amengual about 2 years ago
anyone know if this step needs SuperAdmin https://github.com/cloudposse/terraform-aws-components/tree/main/modules/guardduty#deploy-organization-settings-in-delegated-administrator-account?
PePe Amengual about 2 years ago
and another one, has anyone seen this:
module.cloudtrail.aws_cloudtrail.default[0]: Creating...
╷
│ Error: creating CloudTrail Trail (pepe-global-audit): InvalidParameter: 2 validation error(s) found.
│ - minimum field size of 1, CreateTrailInput.TagsList[4].Value.
│ - minimum field size of 1, CreateTrailInput.TagsList[6].Value.
│
│
│ with module.cloudtrail.aws_cloudtrail.default[0],
│ on .terraform/modules/cloudtrail/main.tf line 1, in resource "aws_cloudtrail" "default":
│ 1: resource "aws_cloudtrail" "default" {
Erik Osterman (Cloud Posse) about 2 years ago
Nitin about 2 years ago
Hello Team,
we are facing some issue while using https://github.com/cloudposse/terraform-aws-dynamic-subnets module
error which we are getting is.. with the retirement of EC2-Classic no new non-VPC EC2 EIPs can be created
ismail musa saidu about 2 years ago
Hello
michaelssingh about 2 years ago
Hey folks, what is the best practice around handling public DNS zones in a multi account setup? Currently my domain ownership is in my root/management account. I am considering adding another account. Ideally I want to set up public records directly in this account as well but for the same zone. I’m curious about the various approaches to solving this.
RB about 2 years ago
Regarding github-actions-runner component
How come so many default iam actions are for the self hosted runner role ? Doesn’t the role for the arc runner only need access to assume other roles ?
Phil Hadviger about 2 years ago
Has anyone managed GitHub Enterprise Cloud using Terraform? I'm not sure if I'm just misreading the provider docs or if this provider currently doesn't support Enterprise cloud at all. If it doesn't, what do you guys currently do instead of using Terraform?
rss about 2 years ago (edited)
v1.7.0-rc1
1.7.0-rc1 (December 20, 2023)
UPGRADE NOTES:
Input validations are being restored to the state file in this version of Terraform. Due to a state interoperability issue (#33770) in earlier versions, users that require interaction between different minor series should ensure they have upgraded to the following patches:
Users of...
Aakash Nair about 2 years ago
Hello, I am using alb module for my current project but unable to put my use case together. Can anyone suggest.
My use case is I have 5 API ECS Services and 5 Frontend ECS Services and I want to have 2 alb, 1 for api services and 1 for frontend services. These ALBs will have multiple listeners and target groups. How can I use cloudposse modules to achieve this? I want to have it dynamic so if I need to add a new target group for a specific api then the terraform should add listener with that new port to specific ALB accordingly.
Michael Koroteev about 2 years ago
Hello
Has anyone used the mongodbatlas provider and managed to work with the SecretsManager authentication without providing a role to assume? I'm also using the AWS provider in the same execution and my role has permissions to SecretsManager