#terraform - April 2025

v1.12.0-beta1
1.12.0-beta1 (April 02, 2025)
ENHANCEMENTS:


Terraform Test command now accepts a -parallelism=n option, which sets the number of parallel operations in a test run's plan/apply operation. (#34237)


Logical binary operators can now short-circuit (<a href="https://github.com/hashicorp/terraform/issues/36224"...

short-circuit for binary operators will be very welcome!

Asked a question over in hangops the other day about whether it was possible validate the change in a terraform plan using a postcondition, and had a really good discussion with one of the opentofu maintainers. Resulted in this feature request. Give it a thumbs up if you'd find this useful!
https://github.com/opentofu/opentofu/issues/2639

Thoughts on this issue https://github.com/cloudposse/terraform-aws-s3-bucket/issues/269

Join us for "Office Hours" every Wednesday 01:30PM (PST, GMT-7) via Zoom.

This is an opportunity to ask us questions on terraform and get to know others in the community on a more personal level. Next one is Apr 16, 2025 01:30PM.

👉️ Register for Webinar

#office-hours (our channel)

Are there any examples of using tags with the Terraform context provider? I was poking around the Atmos demo-context directory, ran a terraform plan on the configuration:

# Create tags based on the context. Add the value of the name label to the tags
data "context_tags" "this" {
    values = {
    "type" = var.pet
  }
}

output "tags" {
  description = "Generated Resource Tags"
  value = data.context_tags.this.tags
}

Which returned:

Changes to Outputs:
  + delimiter = "-"
  + label     = ""
  + pet_set   = [
      + "🐶 ",
      + "🐶 ",
      + "🐶 ",
    ]
  + size      = 3
  + tags      = {}

Is there something I'm missing to populate these?

v1.11.4
1.11.4 (April 9, 2025)
BUG FIXES:


disable X25519Kyber768Draft00 in TLS to prevent timouts with some AWS network firewalls (#36791)


write-only attributes: internal providers should set write-only attributes to null (<a href="https://github.com/hashicorp/terraform/issues/36824" data-hovercard-type="pull_request"...

Can someone double check my code and hepl me figure out what im not seeing please? Im trying to setup Config in an account that is part of our organization. I need to monitor 4 regions in this account. I create 1 bucket and want everything written to that bucket. Everything creates just fine except for the ConfigService Delivery Channel. Error in Thread. The error basically says that something cant write to the bucket because it cant see the acl. Well I dont have an acl on the bucket because everything is bucket-owner-full-control as per the AWS docs. Im missing something somewhere in here and I cant figure it out. Been fighting this for over a week now and im stuck.

hey all, trying to reference the karpenter-controller as just a tf module... https://github.com/cloudposse-terraform-components/aws-eks-karpenter-controller/

I'm trying this in the module;

module "karpenter" {
  source = "<http://github.com/cloudposse-terraform-components/aws-eks-karpenter-controller//src?ref=v1.535.2|github.com/cloudposse-terraform-components/aws-eks-karpenter-controller//src?ref=v1.535.2>"
...

Don't think this will work - getting some errors on init.

Join us for "Office Hours" every Wednesday 01:30PM (PST, GMT-7) via Zoom.

This is an opportunity to ask us questions on terraform and get to know others in the community on a more personal level. Next one is Apr 23, 2025 01:30PM.

👉️ Register for Webinar

#office-hours (our channel)

🤨 are these planned out one week ahead? I made it thought for a second that there isn't one this week.

v1.12.0-beta2
1.12.0-beta2 (April 16, 2025)
ENHANCEMENTS:


Terraform Test command now accepts a -parallelism=n option, which sets the number of parallel operations in a test run's plan/apply operation. (#34237)


Logical binary operators can now short-circuit (<a href="https://github.com/hashicorp/terraform/issues/36224"...

lol, even HashiCorp is talking about terraliths now!

Anyone know a solid module that can deploy/manage Image Builder Tool - EC2 Image Builder - AWS?

A lots of folks prefer using Terraform for setting up infrastructure, while using a different tool (like Ansible) for application provisioning. That really resonated with me.
I'm currently working on a project and struggling to decide which tools to use for deployment. My goal is to choose a setup that will be maintainable and scalable in the long term.
Here's how my deployment process looks right now:

1. I use Terraform to provision infrastructure (instances for the cluster in Hetzner Cloud).
2. I use Ansible to configure the Kubernetes cluster for instances from step 1.
3. I need to install Helm charts — mostly for stateful workloads like databases and services — across four environments: dev, test, staging, and prod. I'm unsure what tool would be best to manage this step effectively. I do not want to deploy statefullset databases with stateless microservices.
4. I use Skaffold (GoogleContainerTools/skaffold) to generate one YAML manifest for all stateless microservices.
5. Finally, I deploy the manifest from step 4 using ArgoCD.
My main question is about Step 3 — managing and installing multiple Helm charts across different environments.
What would you recommend as a good long-term approach for this part?
I dont know which tool use:
1. ansible
2. terraform
3. skaffold.
4. I see that is project helmfile but yaml for multi env is ugly.
5. Or maybe the best solution will be create simple helm chart with dependencies?

Join us for "Office Hours" every Wednesday 01:30PM (PST, GMT-7) via Zoom.

This is an opportunity to ask us questions on terraform and get to know others in the community on a more personal level. Next one is Apr 30, 2025 01:30PM.

👉️ Register for Webinar

#office-hours (our channel)

set the channel topic: Discussions related to Terraform, OpenTofu or Terraform Modules

v1.12.0-beta3
1.12.0-beta3 (April 23, 2025)
NEW FEATURES:

Added Terraform backend implementation for OCI Object Storage (#34465)

ENHANCEMENTS:


Terraform Test command now accepts a -parallelism=n option, which sets the number of parallel operations in a test run's plan/apply operation. (<a href="https://github.com/hashicorp/terraform/issues/34237"...

So I have a question regarding https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/instance#ebs_block_device-1. I received a very straightforward request to add a 25GB volume to an existing instance. The code question is...interesting...

Regardless, I am not changing KMS or encryption settings, I am simply adding a new EBS block device and the plan is showing this forces replacement of the instance.

      + ebs_block_device { # forces replacement
          + delete_on_termination = false
          + device_name           = "/dev/sdb"
          + encrypted             = true
          + iops                  = (known after apply)
          + kms_key_id            = "arn:aws:kms:us-east-1:871584748070:key/2cffcd8f-2960-4f83-8eb8-9d5aa4f5fc64"
          + snapshot_id           = (known after apply)
          + throughput            = (known after apply)
          + volume_id             = (known after apply)
          + volume_size           = 1000
          + volume_type           = "gp3"
        }

Any thoughts or feedback would be appreciated.

Hey folks — quick question about the awsutils_default_vpc_deletion resource in the terraform-provider-awsutils. I’ve been running into issues in some AWS regions where it doesn’t seem to work, and I think it’s because the provider isn’t using the latest AWS Go SDK that includes all regions.

Saw there was a release not too long ago that tried to fix this, but looks like it had to be reverted and replaced. Just wondering — is there another release planned soon that’ll properly address this? Would really help us out.

Thanks!

There is a module specific for route53 aliases but it could be easily expanded to work with any route53 record type. Any reason to make this specific for aliases and not other types like CNAME ?

https://github.com/cloudposse/terraform-aws-route53-alias

hello! I'm working to setup a cloudposse ecs-service module to pull an image from a private ECR registry. as a first pass i attempted to remove the dependency to account-map, but i ran into into an error for the task. this particular error was directly in the AWS console

ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve ecr registry auth: service call has been retried 1 time(s): InvalidParameterException: Invalid parameter at 'registryIds' failed to satisfy constraint: 'Member must satisfy constraint: [Member must satisfy regular expression pattern: [0-9]{12}]'

the output for the actual TF apply is:

module.ecs_alb_service_task[0].aws_ecs_service.ignore_changes_desired_count[0]: Creating...
╷
│ Error: creating ECS Service (across-ue2-dev-core-server): operation error ECS: CreateService, https response error StatusCode: 400, RequestID: 835b05ac-abb1-44b2-b07c-6cac6a554a4d, InvalidParameterException: Creation of service was not idempotent.
│ 
│   with module.ecs_alb_service_task[0].aws_ecs_service.ignore_changes_desired_count[0],
│   on .terraform/modules/ecs_alb_service_task/main.tf line 635, in resource "aws_ecs_service" "ignore_changes_desired_count":
│  635: resource "aws_ecs_service" "ignore_changes_desired_count" {
│ 
╵
 Error 

exit status 1

I'm struggling a bit to understand what needs to change here? Or if there is something missing here that the ecs-service needs to pull using the account-map? I tried looking into setting up the account-map with my AWS setup which is just a single account in a separately managed organization. It seems though that the account-map looks for the account component, which doesn't exist. is there a way to pull the current account for the account component? Is that even on the right track to get this working?

thanks!

Hi, is there an alternative to AWS AFT for setting up a Landing Zone via TF? I have used AFT before and found it overly complex for simple LZ's. Also I would rather have all the pipelines in one place rather than doing account provisioning in CodePipeline.

There is AWS LZ accelerator but that is Cloud Formation.


Thoughts?

Join us for "Office Hours" every Wednesday 01:30PM (PST, GMT-7) via Zoom.

This is an opportunity to ask us questions on terraform and get to know others in the community on a more personal level. Next one is May 07, 2025 01:30PM.

👉️ Register for Webinar

#office-hours (our channel)

I recall reading in the atmos docs some guideline about using the ternary count = var.variable ? 1 : 0 to enable/disable a terraform module. I don't remember if that was described as an antipattern or a good thing? I can't find it with the search function.

fun morning!: https://github.com/hashicorp/terraform-provider-local/issues/408

v1.12.0-rc1
1.12.0-rc1 (April 30, 2025)
NEW FEATURES:

Added Terraform backend implementation for OCI Object Storage (#34465)

ENHANCEMENTS:


Terraform Test command now accepts a -parallelism=n option, which sets the number of parallel operations in a test run's plan/apply operation. (<a href="https://github.com/hashicorp/terraform/issues/34237"...

If anyone is using the Terraform local provider, this is a fun one: https://github.com/hashicorp/terraform-provider-local/issues/408. An alpha release was published to the registry and is breaking our pipelines left and right