#pr-reviews (2022-02)

Pull Request Reviews for Cloud Posse Projects

2022-02-10

kevcube avatar
kevcube

Hey guys, requesting a little love for this repo https://github.com/cloudposse/terraform-aws-iam-assumed-roles/pull/20

Trying to spin it up, but failing because it hasn’t been updated since before the 0.12.0 days.

I could make a PR that fixes some of the issues, but I wasn’t sure if renovate will do that automatically.

Configure Renovate by renovate[bot] · Pull Request #20 · cloudposse/terraform-aws-iam-assumed-rolesattachment image

Welcome to Renovate! This is an onboarding PR to help you understand and configure settings before regular Pull Requests begin. To activate Renovate, merge this Pull Request. To disable Renovate,…

1
Yonatan Koren (Codefresh) avatar
Yonatan Koren (Codefresh)

I will give this a shot

Configure Renovate by renovate[bot] · Pull Request #20 · cloudposse/terraform-aws-iam-assumed-rolesattachment image

Welcome to Renovate! This is an onboarding PR to help you understand and configure settings before regular Pull Requests begin. To activate Renovate, merge this Pull Request. To disable Renovate,…

1
Yonatan Koren (Codefresh) avatar
Yonatan Koren (Codefresh)

@Erik Osterman (Cloud Posse) are we still using this module anywhere?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We are not using this anywhere

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

should probably archive it

Yonatan Koren (Codefresh) avatar
Yonatan Koren (Codefresh)

@kevcube were you actually going to use it for something or were you just doing some maintenance chores?

kevcube avatar
kevcube

@Yonatan Koren (Codefresh) I was going to use it but ended up using the aws terraform iam role module. Does cloudposse have an alternative for creating assumable roles that is recommended?

Yonatan Koren (Codefresh) avatar
Yonatan Koren (Codefresh)

Well, we have this https://github.com/cloudposse/terraform-aws-iam-role — there’s a principals variable for allowlisting IAM principals to assume the role

There’s also this module for IRSA https://github.com/cloudposse/terraform-aws-eks-iam-role

cloudposse/terraform-aws-iam-role
cloudposse/terraform-aws-eks-iam-role
Yonatan Koren (Codefresh) avatar
Yonatan Koren (Codefresh)

Is that sufficient for your use case ,on first glance?

kevcube avatar
kevcube

yes actually, this contains almost everything i need. one preference with iam role modules however is the ability to pass in HCL for the role policy though, because I use terragrunt and don’t like to maintain a json file next to my terragrunt files.

I typically do this inline with a jsonencode() function but would like if the module supported creating a aws_iam_policy_document. I may PR for this, but before that – is there a particular reason CloudPosse has preferred JSON inputs rather than an HCL object for the IAM Policy?

Yonatan Koren (Codefresh) avatar
Yonatan Koren (Codefresh)
cloudposse/terraform-aws-iam-role

A Terraform module that creates IAM role with provided JSON IAM polices documents.

Yonatan Koren (Codefresh) avatar
Yonatan Koren (Codefresh)

Is there something I’m missing?

Yonatan Koren (Codefresh) avatar
Yonatan Koren (Codefresh)

Ahhh it’s the module description itself A Terraform module that creates IAM role with provided JSON IAM polices documents.

Yonatan Koren (Codefresh) avatar
Yonatan Koren (Codefresh)

@Erik Osterman (Cloud Posse) is this inaccurate? Maybe we need to update it

kevcube avatar
kevcube

ah yes I missed reading the example - and no I’d say the description is accurate because the input variable is the json encoded output of that data object

What I’m wondering is if it makes sense to accept an input object that constructs the iam_policy_document data object inside the module rather than (or maybe in addition to) taking JSON as an input

Yonatan Koren (Codefresh) avatar
Yonatan Koren (Codefresh)

Ah I see what you mean

Yonatan Koren (Codefresh) avatar
Yonatan Koren (Codefresh)

@Erik Osterman (Cloud Posse) nvm on the earlier ping.

And @kevcube yes if you can take a couple minutes to create that feature request as a GH issue, that would be amazing

1
kevcube avatar
kevcube

Will do!

1
kevcube avatar
kevcube

Describe the Feature

I am requesting the ability to pass a new input variable that defines a aws_iam_policy_document internal to the module, so that it gets constructed within the module rather than needing to pass in a JSON object to define the role policy.

This would enable all the modules inputs to be HCL rather than requiring a JSON input.

Expected Behavior

A variable iam_policy_object or something that is a custom object which lines up with the structure of aws_iam_policy_document, and that variable is the input to a data source inside of the module that creates the iam policy document.

Use Case

I prefer to define all infrastructure in HCL and use Terragrunt, so if I want to pass in a JSON object I usually use the terraform function json_encode() and pass in the HCL which would define the IAM policy. This would save me having to wrap my HCL inputs in json_encode()

Describe Ideal Solution

see expected behavior

Alternatives Considered

Using json_encode() isn’t terribly inconvenient

1

2022-02-12

2022-02-14

2022-02-15

2022-02-16

kevcube avatar
kevcube

@Yonatan Koren (Codefresh) can you please kick off tests here? https://github.com/cloudposse/terraform-aws-route53-cluster-zone/pull/50

what

• remove unused template provider

why

• template provider does not have darwin/arm64 binary, modules including it don’t work on m1 mac.

kevcube avatar
kevcube

sorry they’ll fail, don’t yet

what

• remove unused template provider

why

• template provider does not have darwin/arm64 binary, modules including it don’t work on m1 mac.

Yonatan Koren (Codefresh) avatar
Yonatan Koren (Codefresh)

Ok just ping me again

2022-02-18

kevcube avatar
kevcube
1
Yonatan Koren (Codefresh) avatar
Yonatan Koren (Codefresh)

@kevcube I took the liberty to revert some of the output name changes in #52. We want to maintain backwards compatibility, although I think you named all the outputs beautifully and logically if it wasn’t for that practical bit we want to maintain.

EDIT: Brain fart on my part, for some reason I thought these were the root [variables.tf](http://variables.tf)

Yonatan Koren (Codefresh) avatar
Yonatan Koren (Codefresh)

Also pushed a minor fix to the test suite

kevcube avatar
kevcube

haha, we pushed that at like the same second.

1
kevcube avatar
kevcube

Describe the Bug

If you run this module with -target 'aws_route53_zone.default[0]' you will get a hosted zone that has NS and SOA records.
Applying the module without such targeting will also create resource "aws_route53_record" "soa" which doesn’t include any customization options, therefore it isn’t currently valuable for this record to be managed in terraform.

If you implement this module for a private hosted zone like #52 allows, then for some reason resource "aws_route53_record" "soa" will fail to create.
Therefore I propose that resource "aws_route53_record" "soa" is removed from this module.

Unfortunately this will cause deletion of that resource for people who have provisioned this module.

Seeking input from @cloudposse members on how to proceed.

Expected Behavior

Route53 hosted zones can be created, whether public or private, and will contain an SOA record after creation

Steps to Reproduce

Steps to reproduce the behavior:

  1. provision module with targeting so that only a hosted zone is created
  2. see SOA record created in AWS console
  3. destroy module
  4. provision module without targeting to create hosted zone and SOA record
  5. see SOA record created in AWS console
  6. destroy module
  7. provision module with VPC as enabled in #52
  8. SOA record will fail to create
kevcube avatar
kevcube

this issue suggests a breaking change but is the only way for this module to work with private zones (from my testing)

Yonatan Koren (Codefresh) avatar
Yonatan Koren (Codefresh)

I don’t think that the SOA resource should be removed. Simply, private zones should not have SOAs created, because they do indeed fail to create and are only valid for public zones.

In #52 I’ve pushed changes to make that happen, however I’m running to other issues relating to the count meta attribute on the SOA resource.

Yonatan Koren (Codefresh) avatar
Yonatan Koren (Codefresh)

I’ve gotten the PR to where I want it to be, except for the fact that examples/complete fails to apply beause we are calculating the count meta attribute on the length of var.private_hosted_zone_vpc_attachments,

I’m going to keep going tomorrow with it

2022-02-21

2022-02-22

kevcube avatar
kevcube

PR enabling creation of ECS cluster with ec2-autoscale-group..

https://github.com/cloudposse/terraform-aws-ec2-autoscale-group/pull/84

Seeking review on one quirk regarding userdata string

what

• Enable optional creation of an ECS cluster with this module • See #83

why

• No CloudPosse module currently exists to create this resource • Closes #83

    keyboard_arrow_up