29 messages
James Humphries10 months ago(edited)
Hey @Erik Osterman (Cloud Posse), I was watching the office hours and wanted to mention that opentofu will support oci registries for both providers AND modules. This is working in alpha 2 😄 https://opentofu.org/blog/help-us-test-opentofu-1-10-0-alpha2/
So you can do this
module "vpc" {
  source = "oci://example.com/modules/vpc/aws"
}
We will have more documentation about this later before a full release.
Erik Osterman (Cloud Posse)10 months ago
Wow! That’s awesome
Erik Osterman (Cloud Posse)10 months ago
What about as a state backend?
Phil Hadviger10 months ago
Does anyone know how to opt-in to the 6.0.0-beta provider with OpenTofu? I was following this guide, but it appears to not work.
Initializing provider plugins...
- Finding hashicorp/aws versions matching "6.0.0-beta"...
╷
│ Error: Failed to resolve provider packages
│
│ Could not resolve provider hashicorp/aws: no available releases match the given constraints 6.0.0-beta
╵
Joshua Reichardt10 months ago
Has anyone come up with any good sets of cursorrules/copilot-instructions for terraform? Looking for some inspiration
Noah Coker10 months ago(edited)
Does anyone know of any SweetOps components that currently support managing cost allocation tags in AWS?
I've searched the Cloud Posse documentation and Github orgs and I didn't get any hits.
In my exploration of this topic, I also discovered that the Hashicorp AWS Terraform provider supports managing CE (Cost Explorer) resources, such as aws_ce_cost_allocation_tag: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ce_cost_allocation_tag
Would there be any interest in adding support for cost allocation tags in the near future?
Zapier10 months ago
Join us for "Office Hours" every Wednesday 01:30PM (PST, GMT-7) via Zoom. This is an opportunity to ask us questions on terraform and get to know others in the community on a more personal level. Next one is May 14, 2025 01:30PM.
👉️ Register for Webinar
#office-hours (our channel)
Lennart Goedhart10 months ago(edited)
Recently, we've started getting warnings from our Trivy CI jobs for this "misconfiguration".
Essentially, Trivy now throws an error if it comes across Get* or Put* in any S3 IAM policies (issue discussing the change here, with the reasoning based on findings in this blog post).
An example of the underlying code that's throwing the error is here.
I was curious what Cloud Posse's thoughts are on this, if any?
Essentially, I'm trying to determine whether I should just add ignore statements for this ID, or to make pull requests in the underlying CP modules we're using to "fix" the problem.
rss10 months ago(edited)
v1.12.0-rc2
1.12.0-rc2 (May 07, 2025)
NEW FEATURES:
Added Terraform backend implementation for OCI Object Storage (#34465)
ENHANCEMENTS:
Terraform Test command now accepts a -parallelism=n option, which sets the number of parallel operations in a test run's plan/apply operation. (https://github.com/hashicorp/terraform/issues/34237...
Jan Costandius10 months ago
How do we submit new TF modules for the CloudPosse org?
Miguel Zablah10 months ago
Hey all, I was using this component:
https://github.com/cloudposse-terraform-components/aws-config/tree/main
but I can't delete the conformance_packs when they are Org level. Has someone seen this? It also looks like the state is drifting. This might be an AWS error, but since I don't see any comment about this on the component, I wanted to ask here.
I saw this issue on AWS Provider. Is this a known issue?
Bruce9 months ago
i'm going through the gitops documentation for github action runners:
https://docs.cloudposse.com/layers/gitops/example-workflows/
do these actions only run individual components?
what happens when we have an atmos workflow we want to run?
for example i have an EKS cluster in one component, and dependent add-on components that i install afterwards. I have the installation in a /workflows/eks.yaml file...but how do i get this to run in an automated fashion and not manually?
Alex Girdler9 months ago
We're playing around with using the [context provider](https://github.com/cloudposse/terraform-provider-context) for some of our stacks which run on opentofu in spacelift. This provider isn't yet in the tofu registry so we need to manually specify the terraform registry in the providers block, but doing so breaks loading of the schema during tofu show -json (which is used by spacelift). This is a [known issue](https://github.com/opentofu/opentofu/issues/1478) due to how tofu rewrites provider urls, is it possible to get this provider added to the tofu registry?
RB9 months ago
SecretsManager and Aurora integrates very nicely together especially with secret rotation. Would you folks be open to expanding aurora-mysql and aurora-postgres components to using secrets manager as a toggle ? or any chance you have prior art for toggling between ssm and secrets manager already ?
rss9 months ago(edited)
v1.12.0
1.12.0 (May 14, 2025)
NEW FEATURES:
Added Terraform backend implementation for OCI Object Storage (#34465)
ENHANCEMENTS:
Terraform Test command now accepts a -parallelism=n option, which sets the number of parallel operations in a test run's plan/apply operation. (https://github.com/hashicorp/terraform/issues/34237...
Michael9 months ago(edited)
Anybody else ever want code coverage in Terraform/Tofu tests or am I alone on this one?
https://github.com/opentofu/opentofu/issues/2814
Weston Platter9 months ago
Has anyone created a llms.txt file with all the CP modules to use when writing terraform? I'm investing in creating some cursor rules for working with cp modules and it would be nice to have this info. If not, will make one and share.
James Humphries9 months ago(edited)
It may be cheeky posting this here, but I think the opentofu channel was merged into here and the RSS feed unsubscribed.
Lots of cool features incoming in opentofu 1.10 😄 https://opentofu.org/blog/help-us-test-opentofu-1-10-0-beta1/
Michael9 months ago
I’m curious if any community members have any recommendations or personal experiences about migrating to OpenTofu. Are there any potential "gotchas" or challenges to watch out for when transitioning from Terraform 1.5.6 to Tofu?
rss9 months ago(edited)
v1.12.1
1.12.1 (May 21, 2025)
BUG FIXES:
Include resource identity in import apply UI output (#37044)
Fix regression during provider installation by reverting back to not sending HEAD requests. (https://github.com/hashicorp/terraform/issues/36998...
rss9 months ago(edited)
v1.13.0-alpha20250521
1.13.0-alpha20250521 (May 21, 2025)
NEW FEATURES:
The new command terraform stacks exposes some stack operations through the cli. The available subcommands depend on the stacks plugin implementation. Use terraform stacks -help to see available commands. (#36931)
Deferred actions: The plan, apply, and refresh commands now...
Erik Osterman (Cloud Posse)9 months ago
Heads up! Someone is impersonating cloudposse, likely with nefarious intent. THESE ARE FAKE:
• https://github.com/cloudposee
• https://github.com/osterrman
• https://registry.terraform.io/namespaces/cloudposee
• https://registry.terraform.io/namespaces/osterrman
They've been reported to GitHub.
Nitzan Frock9 months ago(edited)
hello again! i've been going through and setting up a whole bunch more of the cloudposse tf modules, and im not sure if i've come across some inconsistencies or expected behavior? The issue i've come across seems to specifically stem from the use (or not using) the tenant "property" for accounts. Some context: my project is under a singular account, so i've "simulated" the use of multiple accounts by effectively overriding the entire account component and outputting whatever seems to be the expected values for the account component. This has worked well for most of the components. However, I've noticed that there's some components that either do not provide a way to override a tenant, or the tenant is entirely missing?
Some places i've noticed this and have had to override some specific variables:
https://github.com/cloudposse-terraform-components/aws-team-roles/blob/e8b899b9f4d23ea540306b9d04ab595ab5b0f1ac/src/main.tf#L35
I'm not entirely sure where/how module.this.account is supposed to be initialized, but since it does not exist, this resolves only to the stage name (e.g. dev). which is fine, however the "account name" is really plat-dev since it includes the tenant.
https://github.com/cloudposse-terraform-components/aws-account-map/blob/6fe663fd67125ae95b2db968004038d56a557506/src/modules/iam-roles/main.tf#L37
this felt similar to the above? I'm not sure how module.always.descriptors is setup? am i missing some account config stuff for this?
https://github.com/cloudposse-terraform-components/aws-ecs/blob/92975d801a090991b2a1bc7e141bb6a5d29bdc4f/src/remote-state.tf#L10
I've had to add an override to include the tenant as core for dns-delegated module, since this would use the ecs's context which would be under a plat tenant.
https://github.com/cloudposse-terraform-components/aws-ecs-service/blob/1de6bd695d93c0f64163d5c79fcfef9c57bb1f3f/src/remote-state.tf#L128
similar issue here, maybe I'm misunderstanding this piece? but seems like this just points to the dns-delegated component which should be under core-gbl-dns, so i had to override that module's stage and tenant.
https://github.com/cloudposse-terraform-components/aws-aurora-postgres/blob/eedd8d26c3e4a8b4017cc9632a9bda7ea34144bc/src/remote-state.tf#L39
same issue as above, had to override stage and tenant
I'm happy to create separate issues in the respective repos for these if that is easier. Or (hopefully) I'm just missing something relatively simple...thanks!
Michael9 months ago
Shameless plug for a totally unnecessary (but fun) little tool I built. Lately I’ve been leaning into the CLI life and all the tools that come with it, so I wrote something that’s basically Neofetch, but for Terraform.
It scans your Terraform repo and spits out stats like how many variables, resources, modules, outputs, etc. you’ve got—styled up nice and clean for the terminal. Great for screenshots, repo overviews (GitHub Action included), or just showing off your infra.
Feel free to kick the tires on it! https://github.com/RoseSecurity/terrafetch
nnsense9 months ago(edited)
Hi there, is it just me, or the variables/outputs blocks are gone from the README on (apparently) all cloudposse github pages? If that was a choice, it's not really convenient, as you know variables and outputs can be exposed from any .tf page, without your aggregated export some might be missing (by just looking inside variables.tf and outputs.tf). Thanks! :)