23 messages
andrew_pintxo (over 1 year ago)
Hi, have a question about the "cloudposse/backup/aws" module. I would like to create a separate plan under the same vault, and that plan would use different rules. Is it possible? Or is it a good practice to have S3 and RDS backup under the same vault, but with a different set of rules and plan? Thank you
Abhigya Wangoo (over 1 year ago)
Hey everyone, has anyone found any good no-code alternatives to terraform? Could be as simple as just supporting resource version control.
Jamie Jackson (over 1 year ago)
hi folks, i'm working with the cloudposse/efs/aws module. we did some console tweaks that we're trying to reflect in the TF but i'm struggling. tf plan shows three diffs like this, because the tf doesn't have the security group that was added in the console:

  ~ resource "aws_efs_mount_target" "default" {
        id              = "fsmt-092000dbd046024f2"
      ~ security_groups = [
          - "sg-0473cc37c73272716",
            # (1 unchanged element hidden)
        ]
        # (10 unchanged attributes hidden)
    }

Jamie Jackson (over 1 year ago)
same module, different question. what's the right way to incorporate this console rule addition?

  # module.efs.module.security_group.aws_security_group.default[0] has changed
  ~ resource "aws_security_group" "default" {
        id      = "sg-06fa9a39d9a9c6f77"
      ~ ingress = [
          + {
              + cidr_blocks      = [
                  + "10.103.21.119/32",
                ]
              + description      = "Allow jenkins-data-sync to access EFS"
              + from_port        = 2049
              + ipv6_cidr_blocks = []
              + prefix_list_ids  = []
              + protocol         = "tcp"
              + security_groups  = []
              + self             = false
              + to_port          = 2049
            },
            # (1 unchanged element hidden)
        ]
        name    = "terraform-20240722194649647100000001"
        tags    = {}
        # (8 unchanged attributes hidden)
        # (1 unchanged block hidden)
    }

Juan Pablo Lorier (over 1 year ago)
Hi, I'm having an error with the cloudposse/ec2-client-vpn/aws module. When I try to use the module, I get an error in the awsutil dependency:

  │ Error: Invalid provider configuration
  │
  │ Provider "registry.terraform.io/cloudposse/awsutils" requires explicit
  │ configuration. Add a provider block to the root module and configure the
  │ provider's required arguments as described in the provider documentation.

This is not a dependency in the module and the examples have no reference to this provider.
I have configured the provider and it still fails with the same error.
Any hints?
Veerapandian M (over 1 year ago)
I am on a team looking for help with the yml pipeline for Azure DevOps to the Azure Static Apps service in a Next.js application.
rss (over 1 year ago, edited)
v1.10.0-alpha20240911
1.10.0-alpha20240911 (September 11, 2024)
NEW FEATURES:
Ephemeral values: Input variables and outputs can now be defined as ephemeral. Ephemeral values may only be used in certain contexts in Terraform configuration, and are not persisted to the plan or state files.
terraform output -json now displays ephemeral outputs. The value of an ephemeral output is always null unless a plan or apply is being run. Note that terraform output (without the -json) flag does not yet display ephemeral...
susie-h (over 1 year ago)
Is there a script that converts json into the formatting expected here? https://github.com/cloudposse/terraform-aws-iam-policy/blob/main/examples/complete/fixtures.us-east-2.tfvars
I tried this online one but it's different than what the module expects https://flosell.github.io/iam-policy-json-to-terraform/
Andrey Klyukin (over 1 year ago)
Hello everyone.
Has anyone had to rotate an aws access key in the module cloudposse/terraform-aws-iam-system-user?
I encountered this problem when trying to rotate a key. To do this, I try to do the following:
• Manually create a new key
• Manually update the new key and new key_secret in SSM manager
• Delete the old key from the state:
  terraform state rm 'module.system_user.aws_iam_access_key.default[0]'
• Import the new key:
  terraform import 'module.system_user.aws_iam_access_key.default[0]' <new_key_id>
All of the above was successfully completed.
But then when I try to do plan or apply I get this error:

  │ Error: Invalid combination of arguments
  │
  │ with module.system_user.module.store_write[0].aws_ssm_parameter.default["/<ssm-path>/secret_access_key"],
  │ on .terraform/modules/system_user.store_write/main.tf line 13, in resource "aws_ssm_parameter" "default":
  │ 13: resource "aws_ssm_parameter" "default" {
  │
  │ "insecure_value": one of `insecure_value,value` must be specified
  ╵
  ╷
  │ Error: Invalid combination of arguments
  │
  │ with module.system_user.module.store_write[0].aws_ssm_parameter.default["/<ssm-path>/secret_access_key"],
  │ on .terraform/modules/system_user.store_write/main.tf line 21, in resource "aws_ssm_parameter" "default":
  │ 21: value = each.value.value
  │
  │ "value": one of `insecure_value,value` must be specified

And I don't understand how to fix it.
As far as I can see, there are still records about the old access-key in the state file.
How can I update them correctly?
The user is created with the following parameters:

  module "system_user" {
    source        = "git::https://github.com/cloudposse/terraform-aws-iam-system-user.git?ref=tags/1.2.0"
    context       = module.label.context
    ssm_base_path = "/${local.ssm_params_prefix}"
  }

PS. It's not possible to remove the old key and create a new one, because the key is used by a running application for which you can't do a downtime.
I would be grateful for any help.
Mike (over 1 year ago)
Hi Team, my company is deploying infra as code pipelines into AWS using Gitlab. We are reading lots of platform engineering blogs, lots of different choices to make. What is the guidance on latest and greatest to support multi accounts? We are currently thinking of self-hosted runners, using OIDC to auth to AWS accounts. With simple gitlab-ci-yml to run terraform plan and apply once MR is approved. Any big issues here? We are also considering Atlantis (but unsure about a public webhook into our build account), have been pointed to Atmos also. Any tips here would be great!
susie-h (over 1 year ago)
How can I override the name variable from the concatenation of provided variables to a specific string I choose? For example, the module concats osprey-lb-policy-aws-load-balancer-controller@all; I want to just call it "MyPolicy".
https://github.com/cloudposse/terraform-aws-eks-iam-role/tree/main
tamsky (over 1 year ago)
https://medium.com/thousandeyes-engineering/scaling-terraform-at-thousandeyes-b2a581b8b0b0
— I don't think this has been discussed here yet (I checked the archives)...
this reads like an opinionated implementation of the terraform preprocessor pattern.
Interested in comments/discussion/comparison vs other solutions.
rss (over 1 year ago, edited)
v1.9.6
1.9.6 (September 18, 2024)
BUG FIXES:
plan renderer: Render complete changes within unknown nested blocks. (#35644)
plan renderer: Fix crash when attempting to render unknown nested blocks that contain attributes forcing resource replacement. (https://github.com/hashicorp/terraform/issues/35644) ...
jaysun (over 1 year ago)
hey there. have a question around eks managed node groups and launch templates / bootstrapping (user data)
• is it better to use a custom launch template or the eks default one?
• how do i omit the second block device mapping when using bottlerocket, and use instance store volumes instead? (local NVME SSDs)
bottlerocket just released support for local NVMEs, and i'd like to avoid that second EBS for the data vol.
https://github.com/bottlerocket-os/bottlerocket/releases/tag/v1.22.0
i think i might just need to use virtual_name or no_device for the second block mapping? apparently NVME instances are auto configured… but i'm not too sure
rss (over 1 year ago)
v1.10.0-alpha20240918
1.10.0-alpha20240918 (September 18, 2024)
NEW FEATURES:
Ephemeral values: Input variables and outputs can now be defined as ephemeral. Ephemeral values may only be used in certain contexts in Terraform configuration, and are not persisted to the plan or state files.
terraform output -json now displays ephemeral outputs. The value of an ephemeral output is always null unless a plan or apply is being run. Note that terraform output (without the -json) flag does not yet display ephemeral...
Rishav (over 1 year ago)
Ooh, "ephemeral values" sounds like a potential shift in paradigm with regards to how secrets handling can be done via Terraform without exposure in the state file.
Soren Jensen (over 1 year ago)
I have made a list of api_passwords that I loop over, creating PostgreSQL roles for each of our APIs. The problem is when I deploy, I'm getting write conflicts in the database. Anyone know how I can keep my loop, but do them sequentially, not in parallel?
  # Create unique PostgreSQL role for each API
  resource "postgresql_role" "api_read_write_roles" {
    for_each           = toset(var.api_list)
    name               = "${each.key}_read_write_role"
    password           = local.api_passwords[each.key]
    encrypted_password = true
    login              = true
    create_database    = false
    superuser          = false
    depends_on         = [data.terraform_remote_state.rds_postgresql]
  }

  # Grant database-level privileges (CONNECT) for each API
  resource "postgresql_grant" "database_grants" {
    for_each    = toset(var.api_list)
    database    = "postgres"
    role        = postgresql_role.api_read_write_roles[each.key].name
    object_type = "database"
    privileges  = ["CONNECT"]
    depends_on  = [postgresql_role.api_read_write_roles]
  }

  # Grant schema-level privileges (USAGE) for each API
  resource "postgresql_grant" "schema_grants" {
    for_each    = toset(var.api_list)
    database    = "postgres"
    schema      = "my_schema"
    role        = postgresql_role.api_read_write_roles[each.key].name
    object_type = "schema"
    privileges  = ["USAGE"]
    depends_on  = [postgresql_grant.database_grants]
  }

  # Grant table-level privileges (SELECT, INSERT, UPDATE) for each API
  resource "postgresql_grant" "table_grants" {
    for_each    = toset(var.api_list)
    database    = "postgres"
    schema      = "my_schema"
    role        = postgresql_role.api_read_write_roles[each.key].name
    object_type = "table"
    privileges  = ["SELECT", "INSERT", "UPDATE"]
    depends_on  = [postgresql_grant.schema_grants]
  }

💥 I get the following type of errors for grant schema and table for a random number of APIs; rerunning the deployment a few times deploys all the resources. But it would be great to have a smoother pipeline.

  │ Error: could not execute revoke query: pq: tuple concurrently updated
  │
  │ with postgresql_grant.table_grants["ingestion_api"],
  │ on postgres_roles.tf line 35, in resource "postgresql_grant" "table_grants":
  │ 35: resource "postgresql_grant" "table_grants" {

Chris M (over 1 year ago)
@Erik Osterman (Cloud Posse) just a quick one, we're using the pr branch in prod without issue https://github.com/cloudposse/terraform-aws-eks-node-group/pull/198
RB (over 1 year ago)
I noticed that this terraform-docs config separates context inputs from the rest of the inputs which is nifty. I didn't know the tool had that capability. Is this feature planned to roll out to the cp modules soon ?
https://github.com/cloudposse/docs/blob/23077a7881cbeee284cdbf0e6e4d70dd6c635741/scripts/docs-collator/templates/modules/terraform-docs.yml
rss (over 1 year ago)
v1.10.0-alpha20240926
1.10.0-alpha20240926 (September 26, 2024)
NEW FEATURES:
Ephemeral values: Input variables and outputs can now be defined as ephemeral. Ephemeral values may only be used in certain contexts in Terraform configuration, and are not persisted to the plan or state files.
terraform output -json now displays ephemeral outputs. The value of an ephemeral output is always null unless a plan or apply is being run. Note that terraform output (without the -json) flag does not yet display ephemeral...
loren (over 1 year ago, edited)
If you haven't seen yet, the AWS provider is implementing a new proposal for a pattern to manage "exclusive" relationships between resources. Essentially, some resources are "containers" for other resources, like security groups and their rules, or iam roles and their policies, or route tables and their routes. Some of these resources have "inline" blocks to implement "exclusive" management. That will in the future be implemented with a new, separate "exclusive" resource. This allows both the "container" resource, e.g. aws_iam_role, and its "attachment" resources, e.g. aws_iam_role_policy, to manage a single primary API action. The separate "exclusive" resource will manage the actions needed to remove unspecified attachments.
https://github.com/hashicorp/terraform-provider-aws/issues/39376
I really love the new pattern, as I think it will make it easier to implement more "exclusive" attachments for more resource types. One downside, there isn't a great way to migrate using moved blocks from the old inline block approach to the separate resource... So refactoring/updating existing modules is going to be a little painful for the module users... If you also would like that to be easier, please go upvote this feature request on terraform core to implement moved semantics for inline blocks...
https://github.com/hashicorp/terraform/issues/35785
Andrew Chemis (over 1 year ago, edited)
Hey all -
having some IAM race condition issues I don't understand...

  resource "aws_codepipeline" "default" {
    ...
    ...
    depends_on = [
      aws_iam_role_policy_attachment.default,
      aws_iam_role_policy_attachment.s3,
      aws_iam_role_policy_attachment.codebuild,
      aws_iam_role_policy_attachment.codebuild_s3,
      aws_iam_role_policy_attachment.codestar,
      aws_codepipeline.worker_image_pipeline,
      aws_codepipeline.manager_image_pipeline,
      module.codebuild_deploy,
      aws_cloudwatch_event_rule.ecr_image_pushed,
      aws_iam_role.code_pipeline
    ]
    ...
  }

  resource "aws_iam_role_policy_attachment" "codebuild" {
    count      = module.this.enabled ? 1 : 0
    role       = join("", aws_iam_role.code_pipeline[*].id)
    policy_arn = join("", aws_iam_policy.codebuild[*].arn)
  }

  resource "aws_iam_policy" "codebuild" {
    count  = module.this.enabled ? 1 : 0
    policy = data.aws_iam_policy_document.codebuild.json
  }

  data "aws_iam_policy_document" "codebuild" {
    statement {
      sid = "AllowCodeBuild"
      actions = [
        "codebuild:BatchGetBuildBatches",
        "codebuild:BatchGetBuilds",
        "codebuild:BatchGetProjects",
        "codebuild:Describe*",
        "codebuild:List*",
        "codebuild:RetryBuild",
        "codebuild:RetryBuildBatch",
        "codebuild:StartBuild",
        "codebuild:StartBuildBatch",
        "codebuild:StopBuild",
        "codebuild:StopBuildBatch",
      ]
      resources = [module.codebuild.project_id, module.codebuild_deploy.project_id]
      effect    = "Allow"
    }
  }

I need the permissions in the aws_iam_role_policy_attachment.codebuild. The pipeline executes and I get:

  Error calling codebuild:StartBuild ... because no identity-based policy allows the codebuild:StartBuild action

But if I look at the role, the policy and actions exist, and if I retry the pipeline it succeeds, making me think the codepipeline gets created prior to the iam policy attachment.
Why? What am I missing?
My code is a fork of https://github.com/cloudposse/terraform-aws-ecs-codepipeline/blob/main/main.tf#L271-L277
Michael (over 1 year ago)
Shameless plug for a new tool I’ve been working on! If, like me, you enjoy integrating local LLMs into your development workflow, you might enjoy this (feel free to tear it up too).
Picture this: you spin up a Terraform resource, pull the basic config from the registry, and immediately start wondering what other parameters you should enable for better security and efficiency. Sure, you could use tools like tflint or tfsec, but kuzco saves you the hassle of combing through the Terraform registry and trying to make sense of vague options. The tool leverages local LLMs to recommend which parameters should be enabled and configured. It reviews your Terraform resources, compares them against the provider schema to detect unused parameters, and uses AI to suggest improvements for a more secure, reliable, and optimized setup. This tool started as a part of my local workflow, but I wanted to share if anyone is interested in giving it a try!
https://github.com/RoseSecurity/Kuzco