28 messages
Paola GM12 months ago(edited)
Hi, I would like to know if anyone can give me advice on the usage of the awsutils provider. I've been struggling to output the contents of the data source awsutils_ec2_client_vpn_export_client_config, as it's not picking up the configuration I set up for profile/role configuration; I have:
terraform {
  # Specify the required Terraform version
  required_version = "~> 1.10.0"
  required_providers {
    # AWS provider configuration
    aws = {
      source  = "hashicorp/aws" # Source of the AWS provider
      version = "~> 5.0"        # Specify the version of the AWS provider
    }
    awsutils = {
      source  = "cloudposse/awsutils"
      version = "~> 0.19.1"
    }
    local = {
      source  = "hashicorp/local"
      version = "~> 2.0"
    }
  }
}
provider "awsutils" {
  # AWS region where resources will be managed
  region = local.aws_region
  # Profile configuration for development environment
  profile                  = local.aws_profile
  shared_credentials_files = ["~/.aws/credentials"]
  shared_config_files      = ["~/.aws/config"]
  # Configuration for CI/CD environment
  assume_role {
    role_arn    = "arn:aws:iam::${local.account_id}:role/my-role"
    external_id = "ex-id-XXX"
  }
}
But the thing is that whenever I try to run terraform (plan), it's not picking up the profile I've passed through, it just keeps using the "default" profile configuration (that currently I've configured to use localstack for my dev setup), so it'll try to call its endpoint instead of the one I have for my company's terraform profile. Do you know how to sort this out? (I'll have to do it via null_resource if not). The error I get is:
│ Error: error configuring Terraform AWS Provider: error validating provider credentials: error calling sts:GetCallerIdentity: operation error STS: GetCallerIdentity, exceeded maximum number of attempts, 9, https response error StatusCode: 0, RequestID: , request send failed, Post "http://localhost.localstack.cloud:4566/": dial tcp 127.0.0.1:4566: connect: connection refused
│
│   with provider["registry.terraform.io/cloudposse/awsutils"],
│   on providers.tf line 30, in provider "awsutils":
│   30: provider "awsutils" {
Any insights would be greatly appreciated
Zapier12 months ago
Join us for "Office Hours" every Wednesday 01:30PM (PST, GMT-7) via Zoom. This is an opportunity to ask us questions on terraform and get to know others in the community on a more personal level. Next one is Mar 12, 2025 01:30PM. Register for Webinar
#office-hours (our channel)
George Fahmy12 months ago
Yo, a lot of people still believe LLMs can't be any better at Terraform, in this talk I explain 4 of the techniques we tried over the past year to make LLMs significantly better at Terraform code modification / generation
https://youtu.be/ulAOjl4OM5M?si=3LZneA7W7RUPxN37
Asghi12 months ago(edited)
Hi guys, I have a quick question.
I am a newbie in open source contributions. The question I had is: can I review any open PRs for any of the projects? Or how do I contribute as a PR reviewer (for a PR which is created by someone else)?
I mean, can open PRs be reviewed by anyone, or are only specific peeps allowed to review a PR?
rss12 months ago(edited)
v1.11.1
1.11.1 (March 5, 2025)
BUG FIXES:
Temporarily revert updated Windows symlink handling until we can account for known existing configurations using non-symlink junctions. (#36575)
terraform test: Fix crash when a run block attempts to cleanup after a non-applyable plan. (<a...
RB12 months ago
Is the null label module going to a provider as a custom provider function? Cause this would be neat
locals {
  label = provider::cloudposse_utils::null_label({
    namespace   = "org"
    region      = "us-east-1"
    region_type = "fixed"
    account     = "prod"
    name        = "bananas"
    attributes  = ["rds"]
  })
}
To create a label like this
org-ue1-prod-bananas-rds
Zapier12 months ago
Join us for "Office Hours" every Wednesday 01:30PM (PST, GMT-7) via Zoom. This is an opportunity to ask us questions on terraform and get to know others in the community on a more personal level. Next one is Mar 19, 2025 01:30PM. Register for Webinar
#office-hours (our channel)
setheryops12 months ago
Anyone ever use multiple container_definitions in an aws_ecs_task_definition resource? If so, how would that look?
Zachary Loeber12 months ago
Not certain if this has already been posted here but this web app is pretty decent at generating terraform from diagrams and has a fairly comprehensive set of templates for azure/aws -> https://app.brainboard.co
jaysun11 months ago
is terraform null label + context still the best way to manage metadata/tags in 2025? or are there better methods nowadays?
rss11 months ago(edited)
v1.11.2
1.11.2 (March 12, 2025)
ENHANCEMENTS:
Azure Backend supports ADO Pipelines OIDC token refresh by using the oidc_request_url, oidc_request_token and (the new) ado_pipeline_service_connection_id. (#36458)
BUG FIXES:
Return error when the templatestring function contains only a single interpolation that evaluates to a null value...
rss11 months ago(edited)
v1.12.0-alpha20250312
1.12.0-alpha20250312 (March 12, 2025)
ENHANCEMENTS:
Terraform Test command now accepts a -parallelism=n option, which sets the number of parallel operations in a test run's plan/apply operation. (#34237)
Logical binary operators can now short-circuit (<a href="https://github.com/hashicorp/terraform/issues/36224"...
Jonathan Rose11 months ago
Hello, I am evaluating atmos (alongside terragrunt) for revamping how my company does IAC. I am trying to understand if Atmos has the ability to define terraform and provider versions outside of what a module contains (e.g. overrides). In terragrunt, I am able to do this via include blocks and "overwrite" files. I think with the terraform version, it's easy enough to manage using tfswitch, but what about providers? For example, if I am making a POC to deploy https://github.com/terraform-aws-modules/terraform-aws-s3-bucket/tree/v4.6.0, but want to override the provider to use aws provider 5.30, how would I do this with Atmos?
jaysun11 months ago
how are people handling terraform for transit gateways these days?
• is it a root module for the hub AND spokes?
• are the spokes tightly coupled with the vpc modules?
been thinking about the ideal pattern, and drawing a blank :)
setheryops11 months ago
Anyone have a good example of a bucket policy for letting a load balancer put its access log in the bucket? I can't figure out how to get this working for the life of me and I've found about a half dozen examples that are all different. Even tried using ChatGPT to help me and it's not helping either.
Asrar11 months ago(edited)
Hi everyone,
I'm setting up an ECS Fargate service using cloudposse/ecs-cluster/aws and cloudposse/ecs-alb-service-task/aws. The service is up and running, but I'm struggling to properly attach an Application Load Balancer (ALB) to it.
I have a typical CloudPosse VPC setup, including:
• Public and private subnets
• NAT instances/gateway for outbound traffic
• ECS tasks running in private subnets
I would really appreciate any guidance or an example on how to properly integrate an ALB with my ECS Fargate service. Thanks in advance!
Zapier11 months ago
Join us for "Office Hours" every Wednesday 01:30PM (PST, GMT-7) via Zoom. This is an opportunity to ask us questions on terraform and get to know others in the community on a more personal level. Next one is Mar 26, 2025 01:30PM. Register for Webinar
#office-hours (our channel)
Tomas Miklusicak11 months ago(edited)
Hello,
I'm setting up an EKS managed node group in an existing EKS cluster with this module cloudposse/eks-node-group/aws but the node does not join the cluster. Here are my minimal settings in the atmos component:
instance_types:
  - t2.medium
subnet_ids: !terraform.output vpc .private_subnet_ids
min_size: 1
max_size: 2
cluster_name: !terraform.output vpc .eks_cluster_id
create_before_destroy: true
kubernetes_version: 1.31
error from kubelet:
csi_plugin.go:884] Failed to contact API server when waiting for CSINode publishing: Unauthorized
Mar 18 17:26:44 ip-10-20-29-177.eu-west-1.compute.internal kubelet[2204]: E0318 17:26:44.940190 2204 controller.go:145] "Failed to ensure lease exists, will retry" err="Unauthorized" interval="7s"
EKS is in a private subnet with routes to NAT so there is an internet connection
UPDATE - I used another IAM role with proper permissions and it joined the cluster. Any idea why the IAM worker role created by the module does not work?
Sirius11 months ago(edited)
Hi, does the cloudposse/cloudtrail/aws module support creating an organization trail from a delegated admin account as suggested by AWS documentation?
I'm currently facing the following error when executing the module:
With:
• 111111111111 being the "management" account
• 222222222222 being the "child" account; that has cloudtrail delegated admin. This is where I run cloudposse/cloudtrail/aws.
╷
│ Error: reading CloudTrail Trail (arn:aws:cloudtrail:eu-south-2:111111111111:trail/eg-production-orgtrail): operation error CloudTrail: DescribeTrails, https response error StatusCode: 400, RequestID: ffffffff-aaaa-bbbb-cccc-dddddddddddd, InvalidTrailNameException: Trail ARN is not valid: arn:aws:cloudtrail:eu-south-2:111111111111:trail/eg-production-orgtrail. Account number does not match caller's account.
│
│   with module.cloudtrail.aws_cloudtrail.default[0],
│   on .terraform/modules/cloudtrail/main.tf line 1, in resource "aws_cloudtrail" "default":
│    1: resource "aws_cloudtrail" "default" {
╵
Note the arn pointing to the management account 111111111111.
This issue seems to be similar to the one encountered here by a CDK user.
Am I missing something? Would there be an input variable to override that I didn't notice?
Thank you in advance
rss11 months ago(edited)
v1.12.0-alpha20250319
1.12.0-alpha20250319 (March 19, 2025)
ENHANCEMENTS:
Terraform Test command now accepts a -parallelism=n option, which sets the number of parallel operations in a test run's plan/apply operation. (#34237)
Logical binary operators can now short-circuit (<a href="https://github.com/hashicorp/terraform/issues/36224"...
Michael11 months ago
The Cloud Posse team's recent addition of GolangCI linting to the GitHub Code Scanning inspired me to attempt uploading tflint findings in SARIF format to the GitHub Code Scanning (https://github.com/marketplace/actions/tflint-findings-upload). I created a quick GitHub Action for it!
setheryops11 months ago
Can anyone help me with setting up multiple providers to be passed into a module and then have everything in that module be applied against each region that corresponds with the provider region? I've been messing with this for 2 days and the error and warning messages in TF have me chasing my tail. We are still on TF 1.5.5 and we use workspaces. Code example of what I have in thread.
Zapier11 months ago
Join us for "Office Hours" every Wednesday 01:30PM (PST, GMT-7) via Zoom. This is an opportunity to ask us questions on terraform and get to know others in the community on a more personal level. Next one is Apr 02, 2025 01:30PM. Register for Webinar
#office-hours (our channel)
rss11 months ago(edited)
v1.11.3
1.11.3 (March 26, 2025)
BUG FIXES:
Fixes unintended exit of CLI when using the remote backend and applying with post-plan tasks configured in HCP Terraform (#36686)
Modules with zero instances that contain ephemeral resources could produce an error during apply (<a href="https://github.com/hashicorp/terraform/issues/36719"...
George Fahmy11 months ago(edited)
Open source Terraform/OpenTofu cost estimates from plans and state files (no API keys required :D)
https://github.com/terrateamio/openinfraquote
Bruce Dominguez11 months ago
I'm looking for some advice/guidance on workspace structure to cater for regional and global resources (AWS). Historically I have set up folder/workspace structures in tiers e.g
- cloud_account
- network
- data
- application
Each layer builds on the next with a dependency on the layer below. This has worked well for resources in a single region (sometimes multiple regions depending on the resources). However I am looking at splitting this out to regional and global so that in the event of a single region being available that I can still provision resources.
I was thinking of a similar structure like
- cloud_account
- network
- region 1
- ... tf.vars
- region 2
- ....
Zapier11 months ago
Join us for "Office Hours" every Wednesday 01:30PM (PST, GMT-7) via Zoom. This is an opportunity to ask us questions on terraform and get to know others in the community on a more personal level. Next one is Apr 09, 2025 01:30PM. Register for Webinar
#office-hours (our channel)