48 messages
Boris Dyga, about 2 years ago
Hi! Here are two PRs for your review. Until the first one is merged, the second will not pass the /terratest, since its depends on the first module update
1. https://github.com/cloudposse/terraform-aws-sns-lambda-notify-slack/pull/45
2. https://github.com/cloudposse/terraform-aws-budgets/pull/26
Tommi Jensen, about 2 years ago
hey there.
I created a PR in terraform-aws-vpc-peering-multi-account (https://github.com/cloudposse/terraform-aws-vpc-peering-multi-account/pull/82) on December 4th, with a proposed fix for https://github.com/cloudposse/terraform-aws-vpc-peering-multi-account/issues/81 - teardown/enabled = false - not working because of an enabled check on the provider config, specifically for assume role usage.
not sure if the codeowners are swamped, or no longer there, but it seems other PRs are also stranded. I couldn't find guidelines regarding where/what/who to poke to try and alleviate the issue. Currently we have to use the proposed fix PR as module, or we cannot do cross account vpc peering teardown. I don't mind if it's not deemed an acceptable fix, but some feedback would be good 😉
pointers?
Rafal Rabenda, about 2 years ago
Hello,
Could I ask question about module: https://github.com/cloudposse/terraform-aws-sso/tree/1.2.0/modules/permission-sets I would like to deploy following inline policy with aws sso role:
data "aws_iam_policy_document" "dev_env_developer" {
  statement {
    sid    = "ROAccessRDS"
    effect = "Allow"
    actions = [
      "rds-db:connect",
    ]
    resources = [
      "arn:aws:rds-db:*:111111111111:dbuser:*/dev_ro"
    ]
    condition {
      test     = "BoolIfExists"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}
Could I somehow set up the account ID dynamically? We have multiple products and I would like to provide access only for resources in the account where the policy will be deployed.
AdamP, about 2 years ago
Hey folks! I have a weird issue that popped up 1 day after I had been running terraform successfully, I'm using the CloudPosse EKS Cluster Module, and it started giving me this error message when I try to spin up my sandbox cluster:
AdamP, about 2 years ago (edited)
(oops, sorry hit enter too quickly, one moment)
AdamP, about 2 years ago (edited)
Error: Value Conversion Error
with module.eks_cluster.provider["registry.****.io/hashicorp/kubernetes"],
on .****/modules/eks_cluster/auth.tf line 96, in provider "kubernetes":
96: provider "kubernetes" {
An unexpected error was encountered trying to build a value. This is always
an error in the provider. Please report the following to the provider
developer:
Received unknown value, however the target type cannot handle unknown values.
Use the corresponding `types` package type or a custom type that handles
unknown values.
Path: exec
Target Type: []struct { APIVersion basetypes.StringValue
"tfsdk:\"api_version\""; Command basetypes.StringValue "tfsdk:\"command\"";
Env map[string]basetypes.StringValue "tfsdk:\"env\""; Args
[]basetypes.StringValue "tfsdk:\"args\"" }
Suggested Type: basetypes.ListValue
I looked at auth.tf; should I "you can disable it by setting var.dummy_kubeapi_server = null"?
TF version: "~> 1.6.6"
AWS provider: "5.31.0"
---
source = "cloudposse/eks-cluster/aws"
version = "3.0.0"
I was going to open up an issue/bug report on the repo, but I searched around and no one else is hitting this error, making me think it might be me 🤷 I figured I'd ask here first
• was also kind of confused if I should go to the provider's repo or CP 🤷 🙃
setheryops, about 2 years ago
Is there a better way to do this than having to do a double lookup call? Code in 🧵
David Escobar, about 2 years ago (edited)
Hi everyone! I’m trying to create a Redis instance using your module. The apply pass but i’m not being able to connect to host from my local. This is my TF definition
module "vpc" {
  source                  = "cloudposse/vpc/aws"
  ipv4_primary_cidr_block = "172.16.0.0/16"
}

module "subnets" {
  source              = "cloudposse/dynamic-subnets/aws"
  availability_zones  = ["us-east-1a", "us-east-1b"]
  vpc_id              = module.vpc.vpc_id
  igw_id              = [module.vpc.igw_id]
  ipv4_cidr_block     = [module.vpc.vpc_cidr_block]
  nat_gateway_enabled = true
  nat_instance_enabled = true
}

resource "aws_security_group" "elasticache_sg" {
  name        = "elasticache-sg${local.suffix}"
  description = "Security group for ElastiCache cluster"
  vpc_id      = module.vpc.vpc_id
}

resource "aws_security_group_rule" "elasticache_ingress" {
  type                     = "ingress"
  from_port                = 6379
  to_port                  = 6379
  protocol                 = "tcp"
  security_group_id        = aws_security_group.elasticache_sg.id
  source_security_group_id = module.redis.security_group_id
}

module "redis" {
  source                     = "cloudposse/elasticache-redis/aws"
  description                = "Redis cluster"
  name                       = "${var.project}-redis"
  availability_zones         = ["us-east-1a", "us-east-1b"]
  vpc_id                     = module.vpc.vpc_id
  allowed_security_group_ids = [aws_security_group.elasticache_sg.id]
  subnets                    = module.subnets.private_subnet_ids
  cluster_size               = 1
  instance_type              = "cache.t2.micro"
  apply_immediately          = true
  automatic_failover_enabled = false
}
And this is my output
output "elasticache_cluster_endpoint" {
  value = module.redis.host # blank btw
}
After a brief investigation, looks like I need this https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/accessing-elasticache.html but I'm not sure about how to incorporate these changes into my tf code.
My final user case is to connect redis with a few lambdas.
Any help is welcome 😄
olad, about 2 years ago
Hello, I have an aws account that contains some infrastructure created manually. Are there tools out there that can discover the infra and also create terraform script for the infra? appreciate any info
Doug Bergh, about 2 years ago
I am configuring an SFTP server using cloudposse terraform-aws-transfer-sftp. I don't see a way to give it a lambda identity provider. Is there one? Thanks in advance!
Doug Bergh, about 2 years ago
also a custom hostname (SFTP server using cloudposse terraform-aws-transfer-sftp)
rss, about 2 years ago (edited)
v1.7.0-rc2
1.7.0-rc2 (January 11, 2024)
UPGRADE NOTES:
Input validations are being restored to the state file in this version of Terraform. Due to a state interoperability issue (#33770) in earlier versions, users that require interaction between different minor series should ensure they have upgraded to the following patches:
Users of...
rviniandrade, about 2 years ago
Hey there!
I'm using the cloudposse/elastic-beanstalk-environment module, and I'm having some issues with the S3 policy and ElasticBeanstalk resource from the module.
│ Error: Error putting S3 policy: MalformedPolicy: Policy has invalid resource
│ status code: 400, request id: R97RSKZPBGGW6FP5, host id: uKnFrAwfNP4l5KEhJpJwmm9Sy8qMMg4AwYdV4vbeBmoU4kgFv5HsIigIPZciVDT4Pd3lY4Tc9LU=
│
│ with module.eb_environment_core_api[0].module.elb_logs.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_policy.default[0],
│ on .terraform/modules/eb_environment_core_api.elb_logs.s3_bucket.aws_s3_bucket/main.tf line 461, in resource "aws_s3_bucket_policy" "default":
│ 461: resource "aws_s3_bucket_policy" "default" {
│
╵
╷
│ Error: waiting for Elastic Beanstalk Environment (e-rkgqnkyvjp) create: couldn't find resource (21 retries)
│
│ with module.eb_environment_core_api[0].aws_elastic_beanstalk_environment.default[0],
│ on .terraform/modules/eb_environment_core_api/main.tf line 602, in resource "aws_elastic_beanstalk_environment" "default":
│ 602: resource "aws_elastic_beanstalk_environment" "default" {
I would appreciate it if you guys could help me with this.
I'm leaving the module code in a snippet below, and please let me know if you need more information that I can provide.
rviniandrade, about 2 years ago
Igor Rodionov, about 2 years ago
@rviniandrade, can you try setting s3_bucket_access_log_bucket_name to some value. The error is a bit weird. If the workaround works, message me. I will try to investigate the bug
Boris Dyga, about 2 years ago
Hi team! Could you have a look at this PR please? https://github.com/cloudposse/terraform-aws-config/pull/80
Boris Dyga, about 2 years ago
Ping 🙂
rss, about 2 years ago (edited)
v1.7.0
1.7.0 (January 17, 2024)
UPGRADE NOTES:
Input validations are being restored to the state file in this version of Terraform. Due to a state interoperability issue (#33770) in earlier versions, users that require interaction between different minor series should ensure they have upgraded to the following patches:
Users of Terraform...
Craig, about 2 years ago
How am I meant to be using the terraform null label with a root module that also includes a sub-module to loop through a list of config options, where I need the sub-module resources to be tagged with the same tags as the root module?
Craig, about 2 years ago (edited)
It seems like I can't just pass in the same context that I'm using in my root module, to the child module, without also having to pass in all of the context variables that I already set in my root module
Omar, about 2 years ago
Hey all,
I am using the cloudposse/terraform-aws-vpc-peering-multi-account module and I want to override the provider defined here.
Is it possible? I am getting this error.
The configuration of module.vpc_peering has its
own local configuration for aws.accepter, and so it cannot accept an
overridden configuration
Mainly I was trying to solve
Provider configuration not present as explained here
any recommendations? thanks.
AdamP, about 2 years ago (edited)
Hey everyone! I have an issue trying to spin up a new elasticache cluster in AWS. I did search slack for the error, however I couldn't find much help for my scenario.
AdamP, about 2 years ago
crap, one second I hit enter too quickly
AdamP, about 2 years ago (edited)
Root module:
module "elasticache-redis" {
  source  = "cloudposse/elasticache-redis/aws"
  version = "1.2.0"
  // https://github.com/cloudposse/terraform-aws-elasticache-redis
  namespace = var.namespace
  stage     = var.stage
  name      = var.name

  apply_immediately          = true
  at_rest_encryption_enabled = true
  transit_encryption_enabled = true
  cluster_mode_enabled       = true
  automatic_failover_enabled = true
  auto_minor_version_upgrade = true
  create_security_group      = false
  instance_type              = var.instance_type
  engine_version             = var.engine_version
  family                     = var.family
  # parameter                = var.parameter
  auth_token                 = data.vault_kv_secret_v2.hcp_secret.data.secret

  cluster_mode_num_node_groups         = var.cluster_mode_num_node_groups
  cluster_mode_replicas_per_node_group = var.cluster_mode_replicas_per_node_group
  final_snapshot_identifier            = timestamp()
  maintenance_window                   = var.maintenance_window

  vpc_id                         = module.vpc.vpc_id
  associated_security_group_ids  = [module.elasticache_sg.id]
  subnets                        = module.subnets.private_subnet_ids
  tags                           = var.tags
}
Here is the error:
Plan: 40 to add, 0 to change, 0 to destroy.
╷
│ Error: Inconsistent conditional result types
│
│ on .terraform/modules/elasticache_sg/main.tf line 197, in resource "aws_security_group_rule" "keyed":
│ 197: for_each = local.rule_create_before_destroy ? local.keyed_resource_rules : {}
│ ├────────────────
│ │ local.keyed_resource_rules is object with 2 attributes
│ │ local.rule_create_before_destroy is true
│
│ The true and false result expressions must have consistent types. The 'true' value includes object attribute
│ "_allow_all_egress_", which is absent in the 'false' value.
╵
╷
│ Error: Inconsistent conditional result types
│
│ on .terraform/modules/elasticache_sg/main.tf line 229, in resource "aws_security_group_rule" "dbc":
│ 229: for_each = local.rule_create_before_destroy ? {} : local.keyed_resource_rules
│ ├────────────────
│ │ local.keyed_resource_rules is object with 2 attributes
│ │ local.rule_create_before_destroy is true
│
│ The true and false result expressions must have consistent types. The 'false' value includes object attribute
│ "_allow_all_egress_", which is absent in the 'true' value.
Provider info:
terraform {
  required_version = "~> 1.6.0"
  ###
  aws = {
    source  = "hashicorp/aws"
    version = "5.26.0"
  }
I can't seem to figure this one out yet, I'm still researching the error too.
AdamP, about 2 years ago
oh wait, I think I see whats going on, I wasn't looking at my security group root module. One moment let me take a closer look at that
AdamP, about 2 years ago
ok, I think this is where I left off when I was workin on this last. I will make sure I have finished the security group root module.. its likely that I did not finish this aspect when I was working on it last. Nothing to see here, carry on 🙂
Wei Quan, about 2 years ago (edited)
Hello everyone. I am using this
terraform-aws-sso terraform module from this github repo: cloudposse/terraform-aws-sso: Terraform module to configure AWS Single Sign-On (SSO) (github.com), and I got this error:
Error: Invalid for_each argument
on .terraform/modules/sso_account_assignments/modules/account-assignments/main.tf line 29, in resource "aws_ssoadmin_account_assignment" "this":
for_each = local.assignment_map
local.assignment_map will be known only after apply
The "for_each" map includes keys derived from resource attributes that cannot be determined until apply, and so Terraform cannot determine the full set of keys that will identify the instances of this resource.
When working with unknown values in for_each, it's better to define the map keys statically in your configuration and place apply-time results only in the map values.
Alternatively, you could use the -target planning option to first apply only the resources that the for_each value depends on, and then apply a second time to fully converge.
And I've forked the repo and added my fix with this commit: https://github.com/wquan1/terraform-aws-sso/commit/c2049b3e08d278aa79413f40540b1009746faf73. It seems to be working fine for me. Here is the Pull Request: https://github.com/cloudposse/terraform-aws-sso/pull/53. Please help review and let me know. Thanks!
Boris Dyga, about 2 years ago
@Andriy Knysh (Cloud Posse) once the PR has been merged, how long does it usually take to propagate changes to Terraform registry?
The cloudposse/config/aws//modules/conformance-pack still has only 1.1.0 version available
Patrick McDonald, about 2 years ago
hello, can I pass in helm plugin commands to the terraform-helm-release provider?
Karim, about 2 years ago
Hello all
we’re using cloudposse terraform module terraform-aws-rds module which is using terraform-null-label v.0.25.0 & terraform-aws-route53-cluster-hostname v0.13.0 modules under-hood.
Suddenly, terraform fails downloading the modules saying the branch not exist as below:
│ Error: Failed to download module
│ Could not download module "this" (context.tf:23) source code from
│ "git::https://github.com/cloudposse/terraform-null-label?ref=488ab91e34a24a86957e397d9f7262ec5925586a":
│ error downloading
│ 'https://github.com/cloudposse/terraform-null-label?ref=488ab91e34a24a86957e397d9f7262ec5925586a':
│ /opt/homebrew/bin/git exited with 128: Cloning into
│ '.terraform/modules/this'...
│ fatal: Remote branch 488ab91e34a24a86957e397d9f7262ec5925586a not found in
│ upstream origin
However the under-hood modules are referenced by their tags, not commit hashes. Any insights what could be the reason?
Boris Dyga, about 2 years ago
Hi all. Another PR pending review https://github.com/cloudposse/terraform-aws-config/pull/83
dan, about 2 years ago
anyone have an example of using a k8s provider to create resources after this cloudposse eks module has been created?
RB, about 2 years ago
Will cloudposse ever move to using CloudControl API via hashicorp/terraform-provider-awscc ?
Gheorghe Casian, about 2 years ago
rss, about 2 years ago (edited)
v1.7.1
1.7.1 (January 24, 2024)
BUG FIXES:
terraform test: Fix crash when referencing variables or functions within the file level variables block. (#34531)
terraform test: Fix crash when override_module block was missing the outputs attribute. (#34563)...
Alex Atkinson, about 2 years ago
Here's a bit of old tf kit for setting up a high availability jenkins instance backed by efs. If anyone ever needs. Though there's probably an up-to-date one at the end of a google search. :P
https://github.com/AlexAtkinson/jenkins_efs_terraform
Erik Osterman (Cloud Posse), about 2 years ago
Great tips for writing enterprise-scale terraform root modules
https://www.reddit.com/r/Terraform/comments/19arrun/comment/kinusdl/?utm_source=reddit&utm_medium=web2x&context=3
Vitali, about 2 years ago
Hi, I am looking for a solution to flip-flopping tags in a module.
We use cloudposse/vpn-connection/aws to set up multiple VPNs between AWS VPCs and our DC. Every VPN uses a different tfvar with namespace, environment etc.
The DC has only one VPN gateway but connects via multiple tunnels, one tunnel per VPC.
The module expects customer_gateway_ip_address as a required input. The IP address is always the same as there is only that one VPN gateway in the DC. The tags on that aws entry are now flip-flopping with every apply.
Removing the context also removes the tags from the tunnels and not just the customer gateway.
Is there an easy solution to this?
Karina Titov, about 2 years ago
hi! i'm curious if there is a way to tell atlantis only run plan for filenames terragrunt.hcl? Currently my repo has a lot of config files with
.hcl extension and it makes it look very messy since of course those are not valid for plan files and I get errors for every single file if it's in the same directory with terragrunt.hcl
Brent G, about 2 years ago (edited)
So they say best practices for an ECR repo is for immutable tags. I have a GH repo where after code is pushed, it triggers a docker build, then pushes that image to ECR. What I'm running into is how do I reference this new image in an
aws_ecs_task_definition because if the workspace is VCS backed, it'll trigger off that first commit and will plan/apply before the image is built
Erik Osterman (Cloud Posse), about 2 years ago
Anyone with contacts at terraform-docs who can help expedite this bug fix for a crash when outputs are null?
https://github.com/terraform-docs/terraform-docs/pull/749
Alex Atkinson, about 2 years ago
Not fixable. I suspected as much. RE: RDS B/G & replica state disassociation. The docs will get updated though.
https://github.com/hashicorp/terraform-provider-aws/issues/33702#issuecomment-1908696514
Doug Bergh, about 2 years ago
I'm using cloudposse/api-gateway/aws to create an api-gateway. It seems to create a log-group role with principal service "ec2.amazonaws.com". I'm trying to update the api-gateway and I'm getting "│ Error: updating API Gateway Account: BadRequestException: The role ARN does not have required permissions configured. Please grant trust permission for API Gateway and add the required role policy." Shouldn't the principal service be "apigateway.amazonaws.com"?
rss, about 2 years ago (edited)
v1.7.2
1.7.2 (January 31, 2024)
BUG FIXES:
backend/s3: No longer returns error when IAM user or role does not have access to the default workspace prefix env:. (#34511)
cloud: When triggering a run, the .terraform/modules directory was being excluded from the configuration upload causing Terraform Cloud to try (and sometimes fail) to...
rss, about 2 years ago (edited)
v1.8.0-alpha20240131
1.8.0-alpha20240131 (January 31, 2024)
UPGRADE NOTES:
The first plan after upgrading may show resource updates with no apparent changes if -refresh-only or -refresh=false is used. The fix introduced for #34567...