37 messages
Daniel Grzelak almost 2 years ago
Trying to get a bit more awareness in the Terraform community that state files need to be well secured. If anyone is interested, I'm happy to share some research I published going from state file edit access to code execution in a pipeline.
Jonas Mellquist almost 2 years ago
Anyone with some insight into the Cloudposse AWS modules or routing in S2S VPN Connections in general? I posted a question here:
https://sweetops.slack.com/archives/CDYGZCLDQ/p1709301177485109
Jonas Mellquist almost 2 years ago
Anyone with a good example of how to structure ECS resources in Terraform. 🫙
Looking to soon build an AWS ECS Fargate Cluster, numerous services (some utilizing CloudMap) and numerous tasks.
How do I organise the task definitions in the code and make use of templating as much as possible?
My idea was to use the following resource types, but I'm in doubt of the structure and what makes the most sense:
data template_file referencing a .tpl file in another folder
aws_ecs_task_definition -> container_definitions = data.template_file.shop.rendered
aws_ecs_service -> task_definition = aws_ecs_task_definition.shop.arn
aws_appautoscaling_target
aws_appautoscaling_policy
For the external facing containers I guess I'd also need a lot of ALB resources, I was hoping a module could help me here...
Was initially looking towards this module: https://github.com/terraform-aws-modules/terraform-aws-ecs/blob/master/examples/fargate/main.tf
Any other recommendations or perhaps a repo I can peek at or a blogpost or something similar?
Mahi C almost 2 years ago
Hello everyone,
I've encountered an issue with my Terraform configuration for managing an Amazon RDS database. Here's the situation:
I initially created an RDS instance from a snapshot using Terraform. Now, I need to update the instance size (e.g., change from db.t2.micro to db.t3.medium).
However, when I rerun my Terraform script, it destroys the existing RDS instance and creates a new DB.
Is there a way to avoid this behavior? Ideally, I'd like to modify the existing RDS instance without causing unnecessary downtime or data loss.
Any suggestions or best practices would be greatly appreciated!
rss almost 2 years ago (edited)
v1.8.0-beta1
1.8.0-beta1 (March 6, 2024)
UPGRADE NOTES:
If you are upgrading from Terraform v1.7 or earlier, please refer to
the Terraform v1.8 Upgrade Guide.
backend/s3: The use_legacy_workflow argument has been removed to encourage consistency with the AWS SDKs. The backend will now search for credentials in the same order as the default provider chain in the AWS SDKs and AWS CLI.
NEW FEATURES:...
susie-h almost 2 years ago
Can someone explain how module.this.enabled is used across your modules? When I try to replicate it in my code, terraform says "there is no module named "this"". I see it used a lot throughout your code and it looks really neat, but I'm missing something.
https://github.com/cloudposse/terraform-aws-api-gateway/blob/main/main.tf
Ryan almost 2 years ago
I hate asking this but are there any user modules besides s3-user or iam-system-user? iam-system-user I ran into a few issues with where it landed the account created, and it's directly attaching policies. I'm still pretty new to TF, but I think I could make something that matches our compliance requirements with a little work, but I figured I'd ask before I go writing this. Definitely do not want to use the user, but vendor can't provide trust relationship requirements for a role otherwise. New to the community otherwise, so hi everyone.
Leon Katz almost 2 years ago
Is there a file formatting I can use for "tftpl" template files? Does Jinja2 work? (I'm using Intellij IDE)
Andy Wortman almost 2 years ago
Been smashing my head against a wall on this one for a while. We have a set of kubernetes ingresses defined via kubernetes_ingress_v1 resources, using a kubernetes_ingress_class resource, spec’d with the ingress.k8s.aws/alb controller. I need to update the SSL Policy for the ALB, but I can’t find documentation on how to define it. The only place that seems to be relevant is as an annotation in the ingress definition, but that means I have to define it for every ingress that uses that ingress class - which seems inefficient and prone to problems. What happens if two ingresses define different values here?
Does anyone know how to set the SSL Policy for an ALB ingress class?
bessey almost 2 years ago (edited)
Hello,
we encounter an issue with the CloudPosse AWS backup vault module.
During the destruction of a backup vault, the process tries to remove the backup vault before the recovery points, and due to this sequence, the deployment fails.
• Do we need to update the module to be able to remove the recovery points before the backup vault?
• Or could we add a lifecycle in the cloudposse module?
François Davier almost 2 years ago
Hi Guys, has anyone of you met this issue too? https://github.com/cloudposse/terraform-aws-backup/issues/60
François Davier almost 2 years ago
thanks
Almighty almost 2 years ago
Any terragrunt users here?
Josh B. almost 2 years ago
Sadly yes
Almighty almost 2 years ago
Haha do you prefer something over terragrunt?
Josh B. almost 2 years ago
Just Terraform would be nice, but with so many environments and regions it seems Terragrunt does the job we need. I am sure there are other tools like CP's, but we were already in deep with Terragrunt.
joey jensen almost 2 years ago
Anybody using terraform to manage kubernetes? I’m curious if you’ve found any advantage to terraform vs any other technology to manage kubernetes objects.
…or any other opinions you have about terraform, or other kubernetes IaC solutions.
Mahesh almost 2 years ago
When I am using the cloudposse IAM module, by default it creates namespace, stage & name as a prefix to the IAM role, which I do not want. How do I avoid that?
Taimur Gibson almost 2 years ago
Hi all, I'm trying to create some custom IAM policies through terraform. I don't see a dedicated iam-policy component, but it looks like it might be doable through the iam-role component? I don't quite understand how to use the policy_documents variable though. Can anyone shed some light on this? https://github.com/cloudposse/terraform-aws-components/blob/main/modules/iam-role/README.md#input_policy_documents
Alex Atkinson almost 2 years ago
Does anyone have a link to a list of new features available on OpenTofu since its fork?
Junior almost 2 years ago
I'm new to terraform and wanted to get some feedback on what is the best way of dealing with passwords in terraform files. Hypothetical case... We generated an API key from another third-party service. We want to add the API key to our AWS Secrets Manager so that our services are able to use it. How would I go about getting the secret into AWS Secrets Manager without committing the secret in plain text in my terraform file? Thanks in advance
rss almost 2 years ago (edited)
v1.8.0-rc1
1.8.0-rc1 (March 20 2024)
If you are upgrading from Terraform v1.7 or earlier, please refer to
the Terraform v1.8 Upgrade Guide.
NEW FEATURES:
Providers can now offer functions which can be used from within the Terraform configuration language.
The syntax for calling a provider-contributed function is provider::provider_name::function_name(). (<a...
Michael almost 2 years ago
Has anyone heard when Terraform stacks will go GA?
Jonas Mellquist almost 2 years ago
When using modules in Terraform, where would I add the lifecycle ignore_changes meta-argument?
For resources it's pretty simple - https://developer.hashicorp.com/terraform/language/meta-arguments/lifecycle#ignore_changes
A bit of searching around led me to this Terraform issue https://github.com/hashicorp/terraform/issues/27360
Seems like it cannot be done.. 😞
I'm using https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn and one of the created buckets has since had its bucket policy changed because of a migration of contents into it.. While this policy is temporary it's not something Terraform should remove/reverse...
Already tried https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn?tab=readme-ov-file#input_override_origin_bucket_policy set to false, but it doesn't change anything.. And I want the module to be in charge of creating the bucket..
Any workarounds, tips, comments?
I guess another approach is to try https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn?tab=readme-ov-file#input_additional_bucket_policy
Junior almost 2 years ago (edited)
Does anyone know how I can delete the auto-generated domain created by AWS when deploying a Cognito resource? I'm trying to add a custom domain to the Cognito resource and my terraform plan fails because it needs to remove the auto-generated domain first before making the change. I'm not 100% sure how to manage or reference the domain that is auto-generated by AWS when deploying the Cognito resource.
resource "aws_cognito_user_pool_domain" "ee_domain" {
  domain       = var.login_url
  user_pool_id = aws_cognito_user_pool.ee_user_pool.id
}
terraform apply
aws_cognito_user_pool.ee_user_pool: Destroying... [id=us-east-dafda]
╷
│ Error: deleting Cognito user pool (us-east-1dafdasfa): InvalidParameterException: User pool cannot be deleted. It has a domain configured that should be deleted first.
│
│
╵
Exited with code exit status 1
Alex Goldstone almost 2 years ago
Hi All… I am bootstrapping a fresh AWS environment with the intention to do as much via Terraform as possible. I am aware of higher-level tooling such as Terragrunt and Atmos but I am attempting to gain a good understanding about how everything is held together so holding off on these for now.
I have created a fresh AWS root account and enabled IAM Identity Centre via the AWS console… this automatically enabled AWS Organisations so my Org structure is Root (OU) -> Management (Account).
I have manually created an IAM user called terraform_bootstrap via the Console and I believe having the management account and IAM user is enough to do everything else in Terraform.
It is my intention that the first Terraform project run using the terraform_bootstrap user credentials to create the subsequent OUs (e.g. Core) and accounts (e.g. Identity) and then I guess each one of these accounts would have its own Terraform project.
I am aiming for a single S3 bucket to store Terraform state… I’ve seen debate about whether this is the case but Cloud Posse seem ok with it… and from what I can tell I can always create a policy to restrict access to specific state files to different sub-sets of users.
Where does this S3 bucket for state files live (i.e. under which account is it created)?
I have seen a suggestion in the #aws channel that Cloud Posse just create the S3 bucket under the root account. Based on the Org structure above I am not sure what that means (perhaps the naming conventions are outdated)… Is it good practice to create the S3 bucket under the Management Account and have all the subsequent Terraform projects for sub-accounts store their state there? Is there a security downside to storing in the Management Account?
Taimur Gibson almost 2 years ago (edited)
Hello, another ECS terraform question 🧵
I'm trying to create a new ECS cluster, and it's mostly working, but it's getting stuck when trying to create the S3 buckets for the ALB access logs
AdamP almost 2 years ago (edited)
Hey Folks, anyone using the aws eks cluster module v4.0.0? I can't seem to get terraform to pick up my access_entry_map... terraform plan never notices it or any changes I make to it. Pretty simple setup:
module "eks_cluster" {
  source  = "cloudposse/eks-cluster/aws"
  version = "4.0.0"
  // https://github.com/cloudposse/terraform-aws-eks-cluster

  name      = var.name
  namespace = var.namespace
  region    = var.region
  stage     = var.stage

  cluster_encryption_config_enabled                     = true
  cluster_encryption_config_kms_key_enable_key_rotation = true
  oidc_provider_enabled                                 = true

  access_config     = var.access_config
  access_entry_map  = var.access_entry_map
  addons            = var.addons
  addons_depends_on = [module.eks_node_group_main, module.eks_node_group_secondary]

  endpoint_private_access   = var.endpoint_private_access
  endpoint_public_access    = var.endpoint_public_access
  enabled_cluster_log_types = var.enabled_cluster_log_types
  kubernetes_version        = var.kubenetes_version
  public_access_cidrs       = var.public_access_cidrs
  subnet_ids                = module.subnets.public_subnet_ids
  tags                      = var.tags
}
sandbox.tfvar:
..
..
..
access_entry_map = {
  (data.aws_iam_session_context.current.issuer_arn) = {
    access_policy_associations = {
      ClusterAdmin = {}
    }
  }
}
..
..
my var.access_config:
variable "access_config" {
  description = "Access configuration for the EKS cluster."
  type = object({
    authentication_mode                         = string
    bootstrap_cluster_creator_admin_permissions = bool
  })
  default = {
    authentication_mode                         = "API"
    bootstrap_cluster_creator_admin_permissions = false
  }
}
so weird, I'll keep at it and see what I'm missing, felt like posting in here as I may be missing something obvious
Chris almost 2 years ago
has anyone who is using ECS clusters successfully deployed a second cluster without messing up the ACM certificates and existing clusters?
• we now have three (3) certificates in ACM and two (2) of them contain duplicates for <environment>.<stage>.<tenant>.<domain>.<tld>
• however now our envs can no longer deploy to the platform cluster
very strange, def think we're missing something, and could not find any documentation about it
Maarten van der Hoef almost 2 years ago
Back from a very long winter break 👋, hi everyone. Is AWS Control Tower Account Factory for Terraform (AFT) the preferred way for bootstrapping our AWS accounts now, or is there something better?
toka almost 2 years ago
Hey Folks, anyone using terraform private package registry of some kind for the purpose of module versioning vs using git tag ref? I wonder are there any pros and cons of switching to leverage private registry at some point.
Monish Devendran almost 2 years ago
Can someone help me,
I'm trying to pass a secret which is stored in akeyless,
data "akeyless_secret" "secret" {
  path = "/GCP/Secrets/cf-triggers/tf-cf-triggers"
}

provider "google" {
  project     = "cf-triggers"
  credentials = data.akeyless_secret.secret
}

resource "google_pubsub_topic" "example" {
  name                       = "akeyless_topic"
  message_retention_duration = "86600s"
}
❯ terraform apply
data.akeyless_secret.secret: Reading...
data.akeyless_secret.secret: Read complete after 1s [id=/GCP/Secrets/cf-triggers/tf-cf-triggers]
Planning failed. Terraform encountered an error while generating this plan.
╷
│ Error: Incorrect attribute value type
│
│   on main.tf line 38, in provider "google":
│   38:   credentials = data.akeyless_secret.secret
│     ├────────────────
│     │ data.akeyless_secret.secret is object with 4 attributes
│
│ Inappropriate value for attribute "credentials": string required.
Monish Devendran almost 2 years ago
is there a way to resolve this?
V.S almost 2 years ago
Been working with TF a few months, had a few questions/discussion to get into based on a SO post. Been getting a lot of 403 and 409 errors using terraform on GCP (even on a fresh project), where I have to manually enable an API upon apply and manually delete a resource upon destroy, not always related to a service that may be dependent or instantiated on a child resource, like SQL and then a db. I read that there is a Terraform resource definition called "google_project_service" that allows auto-enabling an API service. This is documented at google_project_service. Apparently resource "google_project_service" "project" only takes one service argument, so I would have to loop over a list of services, but will this resolve the issue? I am yet to try to loop, or the other suggestions. Anyone have this issue and resolve it?
resource "google_project_service" "project" {
  project = "your-project-id"
  service = "iam.googleapis.com"

  timeouts {
    create = "30m"
    update = "40m"
  }

  disable_dependent_services = true
  disable_on_destroy         = true
}
Below is what I use now, but I have to manually enable some APIs and destroy some, and not just ones with dependants. When I added the disable on destroy I get fewer destroy errors. Getting these errors isn't an issue unless provisioned resources are not terminated, which most times isn't the case, but has been the case a few times, leaving chargeable cloud resources.
resource "google_project_service" "iam" {
  service = "iam.googleapis.com"
  # disable_on_destroy = true
}
V.S almost 2 years ago (edited)
I toggled the "run.googleapis.com/cpu-throttling" = true option to terminate (always on) time-based charging to bring down costs rather than using the request-based option. It switches between "CPU is always allocated" and "CPU is only allocated during request processing", as I intended. I got it to work here and there but most of the time the service becomes idle, then when a request comes from my app, the app just hangs. I have to keep CPU always allocated to get consistent workloads. I think this has something to do with cold start and the 15 min timeout after requests, but it seems that the max is 60 mins. Basically it seems that to take advantage of the lower costs of "CPU is only allocated during request processing", you can only work with a 60 min window. Is there any other way to get around this 60 mins max timeout?