15 messages
rss over 1 year ago (edited)
v1.11.0-alpha20241106
1.11.0-alpha20241106 (November 6, 2024)
EXPERIMENTS:
Experiments are only enabled in alpha releases of Terraform CLI. The following features are not yet available in stable releases.
terraform test accepts a new option -junit-xml=FILENAME. If specified, and if the test configuration is valid enough to begin executing, then Terraform writes a JUnit XML test result report to the given filename, describing similar information as included in the normal test output. (<a...
setheryops over 1 year ago
One of my devs created a security group in AWS using terraform. He has create_before_destroy set to false. Now he needs to replace that SG but cannot cause downtime by having the first SG deleted and then recreated. If he sets create_before_destroy to true after the SG already exists, will terraform honor that and create the new SG along with rules before destroying the older SG? I'm thinking it will but I've never tried it and I don't want to test in prod 🙂
Naima A over 1 year ago
Hello everyone, I'm using terraform to deploy all my infrastructure code, from k8s cluster creation to pod deployment. We have multiple environments: develop, staging and prod, but we don't use different branches for our repository. We want to automate the terraform applies, especially for develop and staging, and we are wondering what are the existing open source tools that worked for you.
phate over 1 year ago (edited)
Hi everyone,
I’m wanting to use the CloudPosse AWS Config module - https://github.com/cloudposse/terraform-aws-config/tree/main
I’ve read through all the documentation and looked through the complete example provided, but I’m not clear on something, hoping someone has used this before:
I want to set this up at the Org level. We have AWS Organizations set up with several accounts, 2 main ones and some smaller ones, and I want to use this module to set up a proper centralised setup like it recommends on the AWS docs using trusted access via Organisations etc. What I’m not clear on, looking at this module code, is whether this does this for you automatically or if you need to apply this code to all accounts; the examples provided don’t really mention anything about multi-account setups.
rss over 1 year ago (edited)
v1.10.0-rc1
1.10.0-rc1 (November 13, 2024)
NEW FEATURES:
Ephemeral resources: Ephemeral resources are read anew during each phase of Terraform evaluation, and cannot be persisted to state storage. Ephemeral resources always produce ephemeral values.
Ephemeral values: Input variables and outputs can now be defined as ephemeral. Ephemeral values may only be used in certain contexts in Terraform configuration, and are not persisted to the plan or state files.
ephemeralasnull function: a function takes a...
Joshua Reichardt over 1 year ago
Does anyone know of a decent tool that creates decent diagrams from code? The graph command just doesn’t cut it
Josh Simmonds over 1 year ago
👋 Atmos newbie here, loving the product so far and enjoying being able to consume your open source modules! They're helping make quick work of our new environmental standup and the hiera-style hierarchy is a beautiful thing to see working with TF.
I'm currently working my way through a little bit of a side questing exercise (importing our existing resources into the foundational account, account-map, and tfstate-backend modules) and am trying to get the account-map module to work correctly (I'm very close, having already gotten account and tfstate-backend functional against existing accounts and OU mappings for our AWS Org).
Currently, I'm running into an issue with account-map where it seems to be trying to load different atmos.yaml settings from some default than what I have specified at my top level and where I run the atmos commands from. Specifically, I'm seeing the following error when trying to run atmos terraform plan account-map --stack sre-bootstrap :
│ Error: failed to find a match for the import '/atmos/components/terraform/account-map/stacks/orgs/**/*.yaml' ('/atmos/components/terraform/account-map/stacks/orgs' + '**/*.yaml')
The plan technically succeeds, producing the desired plan output, but then atmos itself seems unhappy about the result. Looking at the pathing above, I'm running my commands from within /atmos and my atmos.yaml is located at /atmos/atmos.yaml (and I don't define or expect any stacks to be defined within the vendored account-map module, nor do we organize based on org at our top level).
stacks:
  base_path: "stacks"
  included_paths:
    - "**/*"
  excluded_paths:
    - "**/_defaults.yaml"
    - "mixins/**/*"
    - "catalog/**/*"
  name_pattern: "{environment}-{stage}"
Any guidance y'all can provide would be tremendously helpful as to where or how to address this!
rss about 1 year ago (edited)
v1.10.0-rc2
1.10.0-rc2 (November 20, 2024)
NEW FEATURES:
Ephemeral resources: Ephemeral resources are read anew during each phase of Terraform evaluation, and cannot be persisted to state storage. Ephemeral resources always produce ephemeral values.
Ephemeral values: Input variables and outputs can now be defined as ephemeral. Ephemeral values may only be used in certain contexts in Terraform configuration, and are not persisted to the plan or state files.
ephemeralasnull function: a function takes a...
kylan11 about 1 year ago
Is there any way I can use templates to get either a "plan" or "apply" value depending on the atmos command that's been run?
Something like {{ .command }} (which right now outputs "tofu" for me since I'm using OpenTF) ?
kylan11 about 1 year ago
I have a multi-account AWS org setup with IAM groups/roles already implemented (so no way for me to switch to aws-teams for the foreseeable future), and my idea is to dynamically assume either a "tf-plan-role" or "tf-apply-role" on the target account based on the command, doing something like this:
# ....
terraform:
  providers:
    aws:
      region: "eu-west-1"
      assume_role:
        role_arn: 'arn:aws:iam::481665110431:role/tf-{{ .command }}-role'
That's to allow developers to plan locally without having to publish a PR etc, but leaving enough flexibility to allow us admins to apply locally without having to manually edit the stack files.
I am sure there is a way better solution out there, but given my constraints on using the current IAM groups / roles setup I haven't thought of it yet.
Miguel Zablah about 1 year ago
this might be a silly question but why do CloudPosse modules have some tags with prefix v and others do not but all releases have the prefix, is this a bug?
Like this module cloudposse/terraform-null-label releases are with v prefix (v0.25.0) but tag is without (0.25.0)
but then we have this module cloudposse/terraform-aws-alb where it matches and both tag and release have the prefix v (v2.1.0)
what is the preferred way?
Moritz about 1 year ago
Terraform 1.9.0 (released June 2024) added support for variable validation rules referencing other objects/variables.
Is there any guidance/policy/plan to bump the required_version to enable those in cloudposse modules?
rss about 1 year ago (edited)
v1.10.0-rc3
1.10.0-rc3 (November 25, 2024)
NEW FEATURES:
Ephemeral resources: Ephemeral resources are read anew during each phase of Terraform evaluation, and cannot be persisted to state storage. Ephemeral resources always produce ephemeral values.
Ephemeral values: Input variables and outputs can now be defined as ephemeral. Ephemeral values may only be used in certain contexts in Terraform configuration, and are not persisted to the plan or state files.
ephemeralasnull function: a function takes a...
rss about 1 year ago
v1.10.0
1.10.0 (November 27, 2024)
NEW FEATURES:
Ephemeral resources: Ephemeral resources are read anew during each phase of Terraform evaluation, and cannot be persisted to state storage. Ephemeral resources always produce ephemeral values.
Ephemeral values: Input variables and outputs can now be defined as ephemeral. Ephemeral values may only be used in certain contexts in Terraform configuration, and are not persisted to the plan or state files.
ephemeralasnull function: a function takes a value...
Matt Gowie about 1 year ago (edited)
Hey folks -- we're doing one of our Terraform Audits for one of our clients. As part of that audit, we run tflint + a trivy scan against their Terraform codebase to get some artifacts about how they're doing regarding conventions and security. We're looking for other tools that we might want to add to that list. Does anyone here have any suggestions on similar static analysis tools in the TF space that you think provide value?