28 messages
Pradeepvarma Senguttuvan almost 2 years ago
Hi Team, I am trying to create a read replica for DocumentDB with a different instance class than the primary.
Since instance_class is a string I cannot have a different instance class for my read replica - any suggestions on this? How do I have a different instance class for my replica? (edited)
module "documentdb_cluster" {
  source = "cloudposse/documentdb-cluster/aws"
rss almost 2 years ago (edited)
v1.9.0-alpha20240501
1.9.0-alpha20240501 (May 1, 2024)
ENHANCEMENTS:
terraform console: Now has basic support for multi-line input in interactive mode. (#34822)
If an entered line contains opening parentheses/etc that are not closed, Terraform will await another line of input to complete the expression. This initial implementation is primarily intended...
loren almost 2 years ago
Super cool experiment in the 1.9 alpha release, they're looking for feedback if you want to give it a go...
https://discuss.hashicorp.com/t/experiment-feedback-input-variable-validation-can-cross-reference-other-objects/66644
dinodam almost 2 years ago
Hello, team!
I am having a slight issue with your terraform-aws-lambda-elasticsearch-cleanup module. It used to work fine, but since I upgraded the TF AWS provider to 5.47.0 from 4.20.1 and bumped the pinned module version to 0.14.0 from 0.12.3 I am getting the following error.
I am using Terraform version 1.8.2
Error: External Program Execution Failed
│
│   with module.lambda-elasticsearch-cleanup.module.artifact.data.external.curl[0],
│   on .terraform/modules/lambda-elasticsearch-cleanup.artifact/main.tf line 3, in data "external" "curl":
│    3: program = concat(["curl"], var.curl_arguments, ["--write-out", "{\"success\": \"true\", \"filename_effective\": \"%%{filename_effective}\"}", "-o", local.output_file, local.url])
│
│ The data source received an unexpected error while attempting to execute
│ the program.
│
│ Program: /usr/bin/curl
│ Error Message: curl: (22) The requested URL returned error: 404
│
│ State: exit status 22
Have I missed an upgrade step somewhere or is there an issue with the file?
Jeremy G (Cloud Posse) almost 2 years ago
Announcement: In support of using OpenTofu, starting with Geodesic v2.11.0, we are pre-installing package repos to allow you to easily install OpenTofu in your Dockerfile.
ARG OPEN_TOFU_VERSION=1.6.2
RUN apt-get update && apt-get install tofu=${OPEN_TOFU_VERSION}
miko almost 2 years ago
Guys is this normal behavior? In AWS EKS I have upgraded my nodes into t3.large from t3.medium, I saw before confirming "yes" that terraform will destroy the old nodes in order to proceed with the upgrade but I didn't expect it to delete the volumes as well, good thing it only happened in our testing environment, my question is this normal behavior if I upgrade the instance_types? Because I was hoping to be able to upgrade it without affecting my persistent volumes
Pradeepvarma Senguttuvan almost 2 years ago
any luck on this ?
Ercan Ermis almost 2 years ago
Hello all, 🥳
This is my first message here in Slack! I found a little bug in the memcached module. An issue is opened: https://github.com/cloudposse/terraform-aws-elasticache-memcached/issues/78 Can someone check and help me send a PR? My changes are ready on my local. Thanks! 🫶
rss almost 2 years ago (edited)
v1.8.3
1.8.3 (May 8, 2024)
BUG FIXES:
terraform test: Providers configured within an overridden module could panic. (#35110)
core: Fix crash when a provider incorrectly plans a nested object when the configuration is null (https://github.com/hashicorp/terraform/issues/35090)...
Juan Pablo Lorier almost 2 years ago (edited)
Hi, not sure if this is an issue but I'm having cycles every time I try to destroy a service and after a long work, I discovered that it's related to the security groups. If I manually remove the service SG and rules, the cycles are gone.
This is related to the ecs alb service module
susie-h almost 2 years ago
This might have been talked about in an earlier thread already, but is anyone else seeing some weird behavior in their editor within terragrunt-cache for the module download for terraform-null-label? VSCode is throwing an error in the cache folder, when I tunnel down it takes me to /examples/autoscalinggroup/main.tf line 28:
# terraform-null-label example used here: Set tags on everything that can be tagged
tag_specifications {
  for_each = ["instance", "volume", "elastic-gpu", "spot-instance-request"]
with the error message "Unexpected attribute: An attribute named "for_each" is not expected here. Terraform"
Veerapandian M almost 2 years ago
Hi Experts,
I would like to learn about the IaC (Terraform with Terragrunt), but I have no experience with it. If possible, please help me continue to explore the next step profile.
Prasanna almost 2 years ago (edited)
Hello Team, I am a beginner to terraform. I want to set up the environment specified in https://github.com/cloudposse/terraform-datadog-platform. Can someone help point me to the documentation? I know it's a stupid question.
Kindly provide me the basic flow, installation and setup. I am referring to this solution so that I can customize it to read a swagger.Json file and convert it to synthetic tests automatically. That's the end goal. I want to build a solution for the same.
Sergio almost 2 years ago
Hello everyone! I hope you're all doing well.
I'm currently facing an issue with creating simple infrastructure using terragrunt as a wrapper for terraform.
Goal is to create 2 subnetworks in 2 different zones and create 3 vms in each subnetwork.
Subnetworks are created without issues; the problem arises when I try to create 3 vms in each subnetwork.
Project has the following structure
├── environmentsLive
│   └── dev
│       ├── net
│       │   └── terragrunt.hcl
│       ├── vms
│       │   └── terragrunt.hcl
│       └── terragrunt.hcl
└── modules
    ├── network
    │   ├── main.tf
    │   ├── outputs.tf
    │   ├── variables.tf
    │   └── versions.tf
    └── vm
        ├── main.tf
        ├── outputs.tf
        ├── variables.tf
        └── versions.tf
I am running terragrunt run-all apply inside of the dev folder in order to have a state file for each module specified in the dev folder and it works.
The problem is that for the "vms" module I need to iterate over the output "subnet_id" variable of the "net" module which is
subnet_id = [
  "projects/playground-s-11-59f50f2a/regions/us-central1/subnetworks/dev-subnet-us-central1",
  "projects/playground-s-11-59f50f2a/regions/us-east1/subnetworks/dev-subnet-us-east1",
]
But in the inputs{} block of the "terragrunt.hcl" file of the vms module only one value per variable is expected
The content of the "terragrunt.hcl" file of the vms module is:
-----------------------------------------------------------------------------------------------------
include "root" {
  path = find_in_parent_folders()
}
terraform {
  source = "/home/app/terr/Terraform/src/ModulesBySeperateState/modules/vm"
}
dependency "vpc" {
  config_path = "/home/app/terr/Terraform/src/ModulesBySeperateState/environmentsLive/dev/net"
}
inputs = {
  subnet_id             = dependency.vpc.outputs.subnet_id
  first_zone_per_region = dependency.vpc.outputs.first_zone_per_region
  regions               = dependency.vpc.outputs.regions
}
-----------------------------------------------------------------------------------------------------
The main.tf for the vm module looks like this:
-----------------------------------------------------------------------------------------------------
resource "google_compute_instance" "vm" {
  for_each     = var.names
  name         = "${each.value.name}-${var.environment}-${var.first_zone_per_region[var.regions]}"
  machine_type = each.value.type
  zone         = var.first_zone_per_region[var.regions]
  network_interface {
    subnetwork = var.subnet_id
  }
}
-----------------------------------------------------------------------------------------------------
I've tried to create a wrapper module for vms to iterate over subnet_id and provide output for vms.
module "wrapvms" {
  source                = "./emptyVmModuleForWrap"
  environment           = var.environment
  count                 = length(var.subnet_id)
  region                = var.regions[count.index]
  subnet_id             = subnet_id[count.index]
  first_zone_per_region = var.first_zone_per_region
  names                 = var.names
}
But due to lack of my experience it doesn't work.
Could someone please offer some assistance or guidance? Any help would be greatly appreciated. Thank you in advance!
rss almost 2 years ago (edited)
v1.9.0-alpha20240516
1.9.0-alpha20240516 (May 16, 2024)
ENHANCEMENTS:
terraform console: Now has basic support for multi-line input in interactive mode. (#34822)
If an entered line contains opening parentheses/etc that are not closed, Terraform will await another line of input to complete the expression. This initial implementation is primarily...
setheryops over 1 year ago
Has anyone ever come across an error like this? I'm trying to update some security group rules. I looked at the link in the error and that issue was merged and closed back in 2015 and reading through the issue notes I'm not even sure what the issue is. I found another issue that is similar and still open but it's also old as dirt and doesn't have any clear "fix". I'm on TF 1.5.5. I've seen "taint" as a possible fix but that's not in the TF version we are on. Any ideas here??
Error: [WARN] A duplicate Security Group rule was found on (sg-0ef73123456700cc). This may be
│ a side effect of a now-fixed Terraform issue causing two security groups with
│ identical attributes but different source_security_group_ids to overwrite each
│ other in the state. See https://github.com/hashicorp/terraform/pull/2376 for more
│ information and instructions for recovery. Error: InvalidPermission.Duplicate: the specified rule "peer: 10.243.16.0/23, UDP, from port: 8301, to port: 8301, ALLOW" already exists
│ status code: 400, request id: d3725f91-da05-450c-a2e3-b3380653f637
│
IK over 1 year ago
Does anyone have a way to update an existing role's trust policy via terraform? Permission policy etc. to remain unchanged. Initial reading seems to not be as simple as expected.
Luke Hsiao over 1 year ago (edited)
Hi CloudPosse!
We're using cloudposse/terraform-aws-elasticache-redis at work, and we are interested in setting the maxmemory-policy, so that we can change the eviction behavior [1, 2]. But, I'm not sure it's possible with this module.
Could someone confirm my suspicion? Or, if I'm wrong, point me at how we can set these policies?
Cheers,
Luke
1: https://docs.aws.amazon.com/whitepapers/latest/database-caching-strategies-using-redis/evictions.html
2: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/ParameterGroups.Redis.html#ParameterGroups.Redis.4-0-10
rss over 1 year ago (edited)
v1.8.4
1.8.4 (May 22, 2024)
BUG FIXES:
core: Fix exponential slowdown in some cases when modules are using depends_on. (#35157)
import blocks: Fix bug where resources with nested, computed, and optional id attributes would fail to generate configuration. (https://github.com/hashicorp/terraform/issues/35220)...
Jason over 1 year ago
Has anyone tried deploying helm charts on the same run when creating an AKS? I don't want to use a kubeconfig file, but my machine or a ci/cd pipeline would not have one on the initial Terraform run.
The way I'm currently trying to authenticate to deploy helm is as follows:
provider "helm" {
  kubernetes {
    host                   = azurerm_kubernetes_cluster.r21_new_prod_kubernetes.kube_config[0].host
    username               = azurerm_kubernetes_cluster.r21_new_prod_kubernetes.kube_config[0].username
    password               = azurerm_kubernetes_cluster.r21_new_prod_kubernetes.kube_config[0].password
    client_certificate     = base64decode(azurerm_kubernetes_cluster.r21_new_prod_kubernetes.kube_config[0].client_certificate)
    client_key             = base64decode(azurerm_kubernetes_cluster.r21_new_prod_kubernetes.kube_config[0].client_key)
    cluster_ca_certificate = base64decode(azurerm_kubernetes_cluster.r21_new_prod_kubernetes.kube_config[0].cluster_ca_certificate)
  }
}
theherk over 1 year ago
Not sure what your preferred workflow is, but maybe worth sharing here. I believe since the latest aws provider was released the route53 alias module is no longer useable. Several teams internally have reported the same issue I had, so I'd be surprised if any implementations are not suffering the same. I opened #53 therefore.
Dmitry over 1 year ago
Hey! Been trying to create couple of sftp servers and users with the module https://github.com/cloudposse/terraform-aws-transfer-sftp
This is my code:
module "sftp" {
  source   = "cloudposse/transfer-sftp/aws"
  version  = "1.3.0"
  for_each = local.app_resources

  domain                 = "S3"
  s3_bucket_name         = lookup(each.value, "bucket_name", null)
  vpc_id                 = module.vpc[local.default_vpc_name].vpc_id
  subnet_ids             = local.private_subnet_ids
  vpc_security_group_ids = [module.s3_sftp_sg.security_group_id]
  domain_name            = "${lookup(each.value, "namespace", null)}-sftp.${local.stage_dns_domain}"
  zone_id                = local.private_route53_id

  sftp_users = {
    for user, config in each.value.users :
    user => {
      user_name  = config.user_name
      public_key = config.public_key
    }
  }

  delimiter = "-"
  context = {
    additional_tag_map  = {}
    attributes          = []
    delimiter           = null
    descriptor_formats  = {}
    enabled             = true
    environment         = null
    id_length_limit     = null
    label_key_case      = null
    label_order         = []
    label_value_case    = null
    labels_as_tags      = []
    name                = "sftp"
    namespace           = null
    regex_replace_chars = null
    stage               = "${each.key}"
    tags = merge(
      local.tags,
      local.app_tag
    )
    tenant = null
  }
  tags = merge(
    local.tags,
    local.app_tag
  )
}
And all works well except the endpoints and DNS names.
By default the aws_transfer_server endpoint is s-12345678.server.transfer.REGION.amazonaws.com And this doesn't resolve to any IP address, and when there is a DNS CNAME created to it - it also has no IP addr behind:
According to the official doc - https://docs.aws.amazon.com/transfer/latest/userguide/transfer-file.html#openssh - we should use DNS names from the Endpoint and they are not the same as s-12345678.server.transfer.REGION.amazonaws.com . And with these DNS names from the example everything works. How is it supposed to be with this module? Is there a way to get the proper DNS name of the endpoint?
Narayanaperumal Gurusamy over 1 year ago
How can I enable the ebs addon on an eks cluster?
rss over 1 year ago (edited)
v1.9.0-beta1
1.9.0-beta1 (May 31, 2024)
NEW FEATURES:
Input variable validation rules can refer to other objects: Previously input variable validation rules could refer only to the variable being validated. Now they are general expressions, similar to those elsewhere in a module, which can refer to other input variables and to other objects such as data resources.
templatestring function: a new built-in function which is similar to templatefile but designed to render templates obtained dynamically, such...
RB over 1 year ago (edited)
New aws tf provider (using cloud control api which auto generates its resources using the api) just went ga
https://aws.amazon.com/blogs/devops/quickly-adopt-new-aws-features-with-the-terraform-aws-cloud-control-provider/
https://registry.terraform.io/providers/hashicorp/awscc/latest/docs
Jason over 1 year ago
#terraform people do you fancy getting your stack overflow points to go up
Jason over 1 year ago
And help a fellow participant out.
Take a look at my question here: https://stackoverflow.com/questions/78560433/this-bash-script-will-not-run-in-terraform
Happy to post here if you're not interested in growing your points on Stack Overflow
sheldonh over 1 year ago (edited)
Did a search through archives, and couldn't find confirmation....
I pin all versions of resources in most things.
However, if you are building a module for your org, do you version pin the provider in the module too?
I'm assuming no issues with this as plan would just download both, but I'm rusty having been digging into pulumi in the last year and can't recall if version pinning in the module itself is a bad practice.
Even though I'm not active here much right now I still refer all folks to you I can cause still one of the most useful/expert communities I've joined. You all rock