#cloudposse (2024-05)

2024-05-01

slackbot avatar
slackbot
01:22:36 PM

Upgrade to reconnect this channel

Your team recently switched to a free plan. Cloud Posse, LLC has been removed from this channel. To automatically reconnect this channel, upgrade to a paid plan by Sunday, May 5th.

2024-05-15

Enrique avatar
Enrique

Good morning (or whatever suits you) Folks! I'd like to provide a PR to solve this issue. But before starting work on it, I'm wondering if someone already has a plan… Shall I introduce a new variable waf_rules for backward compatibility and add a deprecation announcement on the firewall_rules description? WAF is the only one I need for now…

#25 Deprecated Resource: `cloudflare_firewall_rule` and `cloudflare_filter`

Describe the Bug

The cloudposse/zone/cloudflare module makes use of resources cloudflare_firewall_rule and cloudflare_filter. Because of this, there are these deprecation messages.

`cloudflare_firewall_rule` resource is in a deprecation phase that will
│ last for one year (May 1st, 2024). During this time period, this
│ resource is still fully supported but you are strongly advised
│ to move to the `cloudflare_ruleset` resource. For more information, see
│ <https://developers.cloudflare.com/waf/reference/migration-guides/firewall-rules-to-custom-rules/#relevant-changes-for-terraform-users>.

and

`cloudflare_filter` resource is in a deprecation phase that will
│ last for one year (May 1st, 2024). During this time period, this
│ resource is still fully supported but you are strongly advised
│ to move to the `cloudflare_ruleset` resource. For more information, see
│ <https://developers.cloudflare.com/waf/reference/migration-guides/firewall-rules-to-custom-rules/#relevant-changes-for-terraform-users>.

Expected Behavior

Should be able to use the module without any deprecation messages.

Steps to Reproduce

Create main.tf and add the following

module "cloudflare_zone" {
  source  = "cloudposse/zone/cloudflare"
  version = "0.5.0"
  enabled = true

  account_id   = "<your_account_id>"
  zone         = "<your_zone>"
  zone_enabled = false

  records = [
    # Google Site Verification
    {
      name    = "example.com"
      value   = "google-site-verification=123"
      type    = "TXT"
      ttl     = 1
      proxied = false
    }
  ]
}

Running apply will produce the deprecation messages.

Screenshots

No response

Environment

• OS: OSX
• OS Version: 12.6.3
• Module Version: 0.5.0
• Terraform Version: 1.4.5

Additional Context

• Firewall rules are becoming WAF custom rules
• Relevant changes for Terraform users

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Thanks, yes - please proceed if you have the time to open a PR.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
Comment on #25 Deprecated Resource: `cloudflare_firewall_rule` and `cloudflare_filter`

Any pull requests welcome. We don’t have any active customer engagements that could sponsor this work. Tag us in #pr-reviews on SweetOps to prioritize review.

RB avatar

Kinda related, loosely related to deprecations.

I like this module and have used it in the past, but I had to shy away from it recently when I ended up managing too many resources in a single module instantiation.

I wrote this up just now to hopefully break up the module into smaller modules to create separate components and still reuse upstream modules.

https://github.com/cloudposse/terraform-cloudflare-zone/issues/40

#40 Break up module into smaller modules

Describe the Feature

Cloudflare is a lot like AWS. It’s turning into its own cloud.

They have r2, workers, dns, waf, rate limit rules, pages, transform rules, etc. Most of these resources are either attributed to the account or to a domain (zone in Cloudflare lingo). Thus, this module dedicated to a zone would encourage a teralith.

Expected Behavior

Break apart the existing module into separate modules

Use Case

Fewer resources managed by a single module

Describe Ideal Solution

See above

Alternatives Considered

No response

Additional Context

• Current resources managed: https://github.com/cloudposse/terraform-cloudflare-zone?tab=readme-ov-file#resources
• New ones on the way: https://github.com/cloudposse/terraform-cloudflare-zone/issues

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Agree - some of our older modules create factories inside of terraform that are unwieldy.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I like the hybrid approach, where a subset of resources are created this way, and then it can be re-instantiated multiple times to break the state down into smaller pieces. E.g. by team, or product.

2024-05-20

andrew.nemiroff avatar
andrew.nemiroff

Hi all,

https://github.com/cloudposse/terraform-aws-cloudtrail-s3-bucket/issues/96

Can anyone take a look at this and tell me what I am doing wrong? I feel it's prob a stupid mistake. Basically an ID for Life Cycle Rules isn't being passed.

#96 ID is not getting assigned to bucket_lifecycle_configuration

Describe the Bug

I have a main module that uses your module as a sub module, which in turn is passed to a template. There has been no alteration to your code.

When I try to generate the plan, I get 18 resources created:

│ Error: expected length of rule.0.id to be in the range (1 - 255), got

│ with module.logging.module.cloudtrail-s3.module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_lifecycle_configuration.default[0],
│ on .terraform\modules\logging.cloudtrail-s3.cloudtrail_s3_bucket.s3_bucket.aws_s3_bucket\lifecycle.tf line 157, in resource "aws_s3_bucket_lifecycle_configuration" "default":
│ 157: resource "aws_s3_bucket_lifecycle_configuration" "default" {

Expected Behavior

All resources are able to be created in the plan.

I also expect when I set the

variable "lifecycle_rule_enabled" {
  description = "Enable lifecycle events on this bucket"
  type        = bool
  default     = false
}

I would expect no lifecycle rules to be created and thus this error wouldn’t even occur.

Steps to Reproduce

Module:

Main.tf

module "cloudtrail-s3" {
  source  = "cloudposse/cloudtrail-s3-bucket/aws//examples/complete"
  version = "0.26.4"
  region  = "us-east-1"
}

providers.tf

terraform {
  required_version = "~> 1.5"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.16.0"
    }
  }
}

variables.tf

variable "abort_incomplete_multipart_upload_days" {
  description = "Maximum time (in days) that you want to allow multipart uploads to remain in progress"
  type        = number
  default     = 5
}

variable "access_log_bucket_name" {
  description = "Name of the S3 bucket where s3 access log will be sent to"
  type        = string
  default     = ""
}

variable "acl" {
  description = "The canned ACL to apply. We recommend log-delivery-write for compatibility with AWS services"
  type        = string
  default     = "log-delivery-write"
}

variable "additional_tag_map" {
  description = "Additional key-value pairs to add to each map in tags_as_list_of_maps. Not added to tags or id."
  type        = map(string)
  default     = {}
}

variable "allow_ssl_requests_only" {
  description = "Set to true to require requests to use Secure Socket Layer (HTTPS/SSL). This will explicitly deny access to HTTP requests"
  type        = bool
  default     = true
}

variable "attributes" {
  description = "ID element. Additional attributes (e.g. workers or cluster) to add to id, in the order they appear in the list. New attributes are appended to the end of the list. The elements of the list are joined by the delimiter and treated as a single ID element."
  type        = list(string)
  default     = []
}

variable "block_public_acls" {
  description = "Set to false to disable the blocking of new public access lists on the bucket"
  type        = bool
  default     = true
}

variable "block_public_policy" {
  description = "Set to false to disable the blocking of new public policies on the bucket"
  type        = bool
  default     = true
}

variable "bucket_notifications_enabled" {
  description = "Send notifications for the object created events. Used for 3rd-party log collection from a bucket. This does not affect access log bucket created by this module. To enable bucket notifications on the access log bucket, create it separately using the cloudposse/s3-log-storage/aws"
  type        = bool
  default     = false
}

variable "bucket_notifications_prefix" {
  description = "Prefix filter. Used to manage object notifications"
  type        = string
  default     = ""
}

variable "bucket_notifications_type" {
  description = "Type of the notification configuration. Only SQS is supported."
  type        = string
  default     = "SQS"
}

variable "context" {
  description = "Single object for setting entire context at once. See description of individual variables for details. Leave string and numeric variables as null to use default value. Individual variable settings (non-null) override settings in context object, except for attributes, tags, and additional_tag_map, which are merged."
  type        = any
  default = {
    additional_tag_map  = {},
    attributes          = [],
    delimiter           = null,
    descriptor_formats  = {},
    enabled             = true,
    environment         = null,
    id_length_limit     = null,
    label_key_case      = null,
    label_order         = [],
    label_value_case    = null,
    labels_as_tags      = ["unset"],
    name                = null,
    namespace           = null,
    regex_replace_chars = null,
    stage               = null,
    tags                = {},
    tenant              = null
  }
}

variable "create_access_log_bucket" {
  description = "A flag to indicate if a bucket for s3 access logs should be created"
  type        = bool
  default     = false
}

variable "delimiter" {
  description = "Delimiter to be used between ID elements. Defaults to - (hyphen). Set to \"\" to use no delimiter at all."
  type        = string
  default     = null
}

variable "descriptor_formats" {
  description = "Describe additional descriptors to be output in the descriptors output map. Map of maps. Keys are names of descriptors. Values are maps of the form { format = string labels = list(string) } (Type is any so the map values can later be enhanced to provide additional options.) format is a Terraform format string to be passed to the format() function. labels is a list of labels, in order, to pass to format() function. Label values will be normalized before being passed to format() so they will be identical to how they appear in id. Default is {} (descriptors output will be empty)."
  type        = any
  default     = {}
}

variable "enable_glacier_transition" {
  description = "Glacier transition might just increase your bill. Set to false to disable lifecycle transitions to AWS Glacier."
  type        = bool
  default     = false
}

variable "enabled" {
  description = "Set to false to prevent the module from creating any resources"
  type        = bool
  default     = null
}

variable "environment" {
  description = "ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'"
  type        = string
  default     = null
}

variable "expiration_days" {
  description = "Number of days after which to expunge the objects"
  type        = number
  default     = 90
}

variable "force_destroy" {
  description = "(Optional, Default:false ) A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable"
  type        = bool
  default     = false
}

variable "glacier_transition_days" {
  description = "Number of days after which to move the data to the glacier storage tier"
  type        = number
  default     = 60
}

variable "id_length_limit" {
  description = "Limit id to this many characters (minimum 6). Set to 0 for unlimited length. Set to null for keep the existing setting, which defaults to 0. Does not affect id_full."
  type        = number
  default     = null
}

variable "ignore_public_acls" {
  description = "Set to false to disable the ignoring of public access lists on the bucket"
  type        = bool
  default     = true
}

variable "kms_master_key_arn" {
  description = "The AWS KMS master key ARN used for the SSE-KMS encryption. This can only be used when you set the value of sse_algorithm as aws:kms. The default aws/s3 AWS KMS master key is used if this element is absent while the sse_algorithm is aws:kms"
  type        = string
  default     = ""
}

variable "label_key_case" {
  description = "Controls the letter case of the tags keys (label names) for tags generated by this module. Does not affect keys of tags passed in via the tags input. Possible values: lower, title, upper. Default value: title."
  type        = string
  default     = null
}

variable "label_order" {
  description = "The order in which the labels (ID elements) appear in the id. Defaults to [\"namespace\", \"environment\", \"stage\", \"name\", \"attributes\"]. You can omit any of the 6 labels (\"tenant\" is the 6th), but at least one must be present."
  type        = list(string)
  default     = null
}

variable "label_value_case" {
  description = "Controls the lett…