2024-08-01

Moritz

Could https://github.com/cloudposse/terraform-aws-ecs-web-app/pull/189 please be reopened, the issue with the dependency should be fixed? (cc @kevcube as original author)

1

Gabriela Campana (Cloud Posse)

06:10:51 PM

@Igor Rodionov @Andriy Knysh (Cloud Posse)

mihai.plesa

01:52:18 PM

just another friendly ping on this

Gabriela Campana (Cloud Posse)

04:52:58 PM

@Moritz comment by Andriy:
please add linux_parameters support in a separate PR.
This PR is very old and introduced many changes.
thank you

mihai.plesa

07:31:58 PM

done in https://github.com/cloudposse/terraform-aws-ecs-web-app/pull/285

#285 linux parameters add

Re-do of #189

what

• set initProcessEnabled = true in container definition if user has opted to enable ecs_exec (it is optional, but recommended by AWS)

why

• it will remove zombie processes in containers after exec is run • because AWS recommended it

1

2024-08-02

Yangci Ou

02:44:39 PM

Would love to get a review on this PR which adds local file path support for Spacelift policies (in addition to the currently existing inline and http URL support): https://github.com/cloudposse/terraform-spacelift-cloud-infrastructure-automation/pull/183.

One thing to note though is that all the terratest in the repo seem to be failing even for dependency updates (not even at the code level, terraform can’t be initalized). Tofu is suceeding. Can someone who’s familiar with how Terratest works take a look at that?

+ echo 'Unable to locate executable for terraform '
Unable to locate executable for terraform 

1

Yangci Ou

02:55:21 PM

I see that the Terratest command performs FULL_VERSION=$(vert -s "$(terraform-config-inspect --json examples/complete | jq -r '.required_core[]')" "$TF012" "$TF013" "$TF014" "$TF015" "$TF1" | head -1) || [[ -n "$VERSION" ]]

However, this repo is kind of a mono-module repo, so instead of examples/complete it has examples/spacelift-policy and examples/spacelift-stack etc.

Yangci Ou

02:56:04 PM

What are y’all thoughts on this test? Does that seem like the problem in this repo?

Yangci Ou

02:56:25 PM

Potential options: adding a boilerplate examples/complete or adding a fallback in the test script?

Yangci Ou

04:37:18 PM

Got the tests fixed with the gracious help from @Veronika Gnilitska! Just pending a review now.

2

Yangci Ou

04:37:45 PM

This should also address the other pending PR’s in this same repository where the test fails unrelated to the actual code

Gabriela Campana (Cloud Posse)

06:12:08 PM

@Igor Rodionov @Dan Miller (Cloud Posse)

Dan Miller (Cloud Posse)

01:59:56 PM

Merged! Thanks for the contribution!

1

2024-08-05

2024-08-08

2024-08-09

Ray Finch

08:18:34 PM

Hello, could I get a PR review of https://github.com/cloudposse/terraform-aws-dms/pull/30?

#30 Add feature missing s3_settings attribute use_task_start_time_for_ful…

…l_load_timestamp

what

Add feature missing s3_settings attribute use_task_start_time_for_full_load_timestamp

why

This attribute is available in the aws provider and we need it for an integration.

references

closes #29
relates to #20

1

2024-08-20

nnsense

01:04:25 PM

Hi, just wanted to bring to your attention https://github.com/cloudposse/terraform-aws-lambda-function/pull/69 by @jpalomaki I just badly need to use that feature…

#69 Add support for declaring simple lambda permissions in-module

what

Allow lambda configuration author to optionally declare lambda:InvokeFunction lambda permissions directly in this module.

More complex permissions configurations could still be done outside of this module.

why

This co-locates permissions related to the lambda in the module configuration (where we also declare lambda IAM role permissions), which can help a reader understand where the lambda is invoked from, e.g. in cases where the actual event sources are declared in a different root configuration.

In our specific use case, we use terragrunt to deploy the lambda function (straight from terraform registry module), so this feature would also help us avoid having to create a wrapper module just to add the necessary permission resources.

questions

Because we support terraform 0.14+ (no default value support for optionals), we scope this to just the specific action lambda:InvokeFunction and keep the number of attributes a user has to fill in, small. Does this look like a sane approach (looks like it could cover a lot of ground already, judging by examples)?
Because we support terraform 0.14+, we can’t do replace_triggered_by. Not entirely sure if that is a problem though, since we just attach the permission to the function itself (and not an alias or version)
The resource for_each is keyed by list index, which isn’t ideal, since it would force recreations if items are shuffled/inserted

references

Slack discussion, cc/ @osterman

1

Erik Osterman (Cloud Posse)

01:32:29 PM

@jpalomaki looks like there’s some updates on your PR

#69 Add support for declaring simple lambda permissions in-module

what

Allow lambda configuration author to optionally declare lambda:InvokeFunction lambda permissions directly in this module.

More complex permissions configurations could still be done outside of this module.

why

This co-locates permissions related to the lambda in the module configuration (where we also declare lambda IAM role permissions), which can help a reader understand where the lambda is invoked from, e.g. in cases where the actual event sources are declared in a different root configuration.

In our specific use case, we use terragrunt to deploy the lambda function (straight from terraform registry module), so this feature would also help us avoid having to create a wrapper module just to add the necessary permission resources.

questions

Because we support terraform 0.14+ (no default value support for optionals), we scope this to just the specific action lambda:InvokeFunction and keep the number of attributes a user has to fill in, small. Does this look like a sane approach (looks like it could cover a lot of ground already, judging by examples)?
Because we support terraform 0.14+, we can’t do replace_triggered_by. Not entirely sure if that is a problem though, since we just attach the permission to the function itself (and not an alias or version)
The resource for_each is keyed by list index, which isn’t ideal, since it would force recreations if items are shuffled/inserted

references

Slack discussion, cc/ @osterman

Tyler Rankin

04:51:14 PM

Hey all! Would appreciate a review on adding support for Origin Access Control to the terraform-aws-cloudfront-s3-cdn component

#319 Add support for origin-access-control

what

• add Origin Access Control feature
• add var.origin_access_type to enable Origin Access Identity or Origina Access Control policy
• add aws_cloudfront_origin_access_control.default resource
• add origin_access_control_id argument to origin config on aws_cloudfront_distribution.default • update example code • update README

why

• provide the ability to make use of an Origin Access Control
• retain default origin access identity behavior • AWS recommends using origin access control • Origin Access Identities are flagged in AWS Security Hub

references

• Closes #244 • https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html

Erik Osterman (Cloud Posse)

01:33:09 PM

@Ben Smith (Cloud Posse) @Jeremy White (Cloud Posse)

#319 Add support for origin-access-control

what

• add Origin Access Control feature
• add var.origin_access_type to enable Origin Access Identity or Origina Access Control policy
• add aws_cloudfront_origin_access_control.default resource
• add origin_access_control_id argument to origin config on aws_cloudfront_distribution.default • update example code • update README

why

• provide the ability to make use of an Origin Access Control
• retain default origin access identity behavior • AWS recommends using origin access control • Origin Access Identities are flagged in AWS Security Hub

references

• Closes #244 • https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html

Gabriela Campana (Cloud Posse)

05:17:26 PM

@Jeremy White (Cloud Posse) bumping this up

Jeremy White (Cloud Posse)

05:31:25 PM

Please see comment. It looks like some of the depends_on changes could have caused it:

Jeremy White (Cloud Posse)

05:31:38 PM

Returning due to fatal error: FatalError{Underlying: error while running command: exit status 1; ╷
│ Error: reading S3 Bucket CORS Configuration (eg-test-cf-s3-cdn-lambda-18717-origin): couldn't find resource
│ 
│   with module.cloudfront_s3_cdn.aws_s3_bucket_cors_configuration.origin[0],
│   on ../../main.tf line 352, in resource "aws_s3_bucket_cors_configuration" "origin":
│  352: resource "aws_s3_bucket_cors_configuration" "origin" {
│ 
╵}

Tyler Rankin

07:29:27 PM

It’s interesting, I run both terraform and opentofu tests using docker and they always pass - I suppose the opentofu CI job was unlucky? :thinking_face:

I’ve added a depends_on to the aws_s3_bucket_cors_configuration.origin resource in hopes that corrects it. I’ll admit it seems a bit odd of an error, cannot find a resource that it is in the middle of creating.

Tyler Rankin

05:27:40 PM

Looks like latest terratest passed. I believe I corrected the lint formatting with my latest commit and hoping that clears up the bats failure on the next ci run

1

Jeremy White (Cloud Posse)

12:27:16 PM

oof, sorry that I got busy yesterday. Re-running now

Tyler Rankin

03:48:09 PM

sorry looks like i hadn’t saved all the changes before my previous commit just pushed up what i think should handle the failures

Jeremy White (Cloud Posse)

11:35:27 PM

not sure what’s up with the chatops action. I’ll look into it on monday if no one else does this weekend

Tyler Rankin

11:39:36 PM

awesome. hope you enjoy the weekend!

Erik Osterman (Cloud Posse)

11:44:44 PM

@Jeremy White (Cloud Posse) check contributors channel

1

2024-08-21

2024-08-22

nnsense

08:32:56 AM

Hi there, a very very quick change to the cloudwatch submodule into the lamdba one, to allow the context to be passed to the submodule instead of just vars. Thanks

https://github.com/cloudposse/terraform-aws-lambda-function/pull/74

#74 Change cloudwatch submodule to pass context

what

A patch to pass the context instead of just vars to the CloudWatch submodule.

why

This module is only setting the context vars instead of the whole context, leaving up to the submodule to set its own context.
By settings the context (as advised by cloudposse) the root deployment are passed to the submodule, and an upper/camel/pascal case function_name will be consistent with the Cloudwatch group name.

references

• Closes #73

1

Gabriela Campana (Cloud Posse)

09:27:33 PM

@Dan Miller (Cloud Posse)

#74 Change cloudwatch submodule to pass context

what

A patch to pass the context instead of just vars to the CloudWatch submodule.

why

This module is only setting the context vars instead of the whole context, leaving up to the submodule to set its own context.
By settings the context (as advised by cloudposse) the root deployment are passed to the submodule, and an upper/camel/pascal case function_name will be consistent with the Cloudwatch group name.

references

• Closes #73

Dan Miller (Cloud Posse)

10:56:50 PM

Thanks for submitting the PR! Looks good to me, but I left 1 minor comment

nnsense

11:11:48 AM

Updated, thanks for checking

Gabriela Campana (Cloud Posse)

12:37:11 PM

@Dan Miller (Cloud Posse)

Dan Miller (Cloud Posse)

02:58:24 PM

@nnsense we accidentally introduce a breaking change! I’m fixing it now, but we have to revert this PR https://github.com/cloudposse/terraform-aws-lambda-function/issues/78

#78 v0.6.0 breaks `aws_cloudwatch_log_group` names

Describe the Bug

#74 actually breaks aws_cloudwatch_log_group names

module.lambda_cloudtrail_lookup[0].module.cloudwatch_log_group.aws_cloudwatch_log_group.default[0] must be replaced

-/+ resource “aws_cloudwatch_log_group” “default” { ~ arn = “arn:aws:logs:us-east-1:012345678910:log-group:/aws/lambda/compromised-keys-cloudtrail-lookup” -> (known after apply) ~ id = “/aws/lambda/compromised-keys-cloudtrail-lookup” -> (known after apply) ~ log_group_class = “STANDARD” -> (known after apply) ~ name = “/aws/lambda/compromised-keys-cloudtrail-lookup” -> “namespace-environment-stage-/aws/lambda/compromised-keys-cloudtrail-lookup” # forces replacement + name_prefix = (known after apply) ~ tags = { ~ “Name” = “namespace-environment-stage-compromised-keys” -> “namespace-environment-stage-/aws/lambda/compromised-keys-cloudtrail-lookup” } ~ tags_all = { ~ “Name” = “namespace-environment-stage-compromised-keys” -> “namespace-environment-stage-/aws/lambda/compromised-keys-cloudtrail-lookup” # (15 unchanged elements hidden) } # (2 unchanged attributes hidden) }

# module.lambda_delete_key[0].module.cloudwatch_log_group.aws_cloudwatch_log_group.default[0] must be replaced -/+ resource “aws_cloudwatch_log_group” “default” { ~ arn = “arn:aws:logs:us-east-1:012345678910:log-group:/aws/lambda/compromised-keys-delete-key” -> (known after apply) ~ id = “/aws/lambda/compromised-keys-delete-key” -> (known after apply) ~ log_group_class = “STANDARD” -> (known after apply) ~ name = “/aws/lambda/compromised-keys-delete-key” -> “namespace-environment-stage-/aws/lambda/compromised-keys-delete-key” # forces replacement + name_prefix = (known after apply) ~ tags = { ~ “Name” = “namespace-environment-stage-compromised-keys” -> “namespace-environment-stage-/aws/lambda/compromised-keys-delete-key” } ~ tags_all = { ~ “Name” = “namespace-environment-stage-compromised-keys” -> “namespace-environment-stage-/aws/lambda/compromised-keys-delete-key” # (15 unchanged elements hidden) } # (2 unchanged attributes hidden) }

# module.lambda_notify_security[0].module.cloudwatch_log_group.aws_cloudwatch_log_group.default[0] must be replaced -/+ resource “aws_cloudwatch_log_group” “default” { ~ arn = “arn:aws:logs:us-east-1:012345678910:log-group:/aws/lambda/compromised-keys-notify-security” -> (known after apply) ~ id = “/aws/lambda/compromised-keys-notify-security” -> (known after apply) ~ log_group_class = “STANDARD” -> (known after apply) ~ name = “/aws/lambda/compromised-keys-notify-security” -> “namespace-environment-stage-/aws/lambda/compromised-keys-notify-security” # forces replacement + name_prefix = (known after apply) ~ tags = { ~ “Name” = “namespace-environment-stage-compromised-keys” -> “namespace-environment-stage-/aws/lambda/compromised-keys-notify-security” } ~ tags_all = { ~ “Name” = “namespace-environment-stage-compromised-keys” -> “namespace-environment-stage-/aws/lambda/compromised-keys-notify-security” # (15 unchanged elements hidden) } # (2 unchanged attributes hidden) }

Plan: 3 to add, 0 to change, 3 to destroy.

Expected Behavior

name should be not changed
https://github.com/cloudposse/terraform-aws-lambda-function/pull/74/files#diff-dc46acf24afd63ef8c556b77c126ccc6e578bc87e3aa09a931f33d9bf2532fbbR15

Possible solution: Provide all context variables except name

Steps to Reproduce

Create https://github.com/cloudposse/terraform-aws-lambda-function/blob/main/examples/complete/main.tf on v0.5.5
Update to v0.6.0

Screenshots

No response

Environment

No response

Additional Context

No response

nnsense

03:04:10 PM

OOPS! :smile: Right.. but then.. why name is lowercase? name is basically my reason behind that PR, if I set that to something uppercase, there’s something that set it back to lowercase, which creates a bug for the module, if you set the lambda name to something different from lowercase it will then target a cloudwatch group that doesn’t exist (being all lowercase)

nnsense

03:06:20 PM

I will try to dig more, this is not the end of it!!

nnsense

03:09:37 PM

Something that let me think, but I didn’t pay too much attention to it, is hardcoding /aws/lambda/ at the beginning of the cloudwatch group name. That is what I think is actually creating the issue.. Will try to propose a solution

1

Dan Miller (Cloud Posse)

04:43:56 PM

the name is lowercase because the log group name is run through our null-label module, which converts everything to lowercase as a convention https://github.com/cloudposse/terraform-aws-cloudwatch-logs/blob/main/main.tf#L5-L13

module "log_group_label" {
  source  = "cloudposse/label/null"
  version = "0.25.0"

  # Allow forward slashes
  regex_replace_chars = "/[^a-zA-Z0-9-\\/]/"

  context = module.this.context
}

nnsense

04:49:09 PM

I was assuming that but when I check the [variables.tf](http://variables.tf) inside null label it says “default is lower” but then default = null.. I didn’t find where that “lower” is then being set TBH https://github.com/cloudposse/terraform-null-label/blob/e88c5a8e4b8a621d4b96603bfe5c0738b96aec5b/variables.tf#L193

variable "label_value_case" {

Dan Miller (Cloud Posse)

04:51:01 PM

sorry wrong link. looking, one second

Dan Miller (Cloud Posse)

04:51:16 PM

that was the old, deprecated module, my fault. Checking

1

Dan Miller (Cloud Posse)

04:52:36 PM

so yes it is label_value_case, which if unset will choose “lower” https://github.com/cloudposse/terraform-null-label/blob/main/main.tf#L14

    label_value_case    = "lower"

1

nnsense

05:28:58 PM

Got it, thanks :slightly_smiling_face: So.. the problem lies down to the name attribute which is set to be "/aws/lambda/${var.function_name}" Trying to automate avoiding to add an additional variable for whoever wants it camelCase, PascalCase or Title but still trying to avoid breaking who is already relying on this being lower by deefault.. what do you think of…

module "cloudwatch_log_group" {
  source  = "cloudposse/cloudwatch-logs/aws"
  version = "0.6.6"

  enabled = module.this.enabled

  iam_role_enabled  = false
  kms_key_arn       = var.cloudwatch_logs_kms_key_arn
  retention_in_days = var.cloudwatch_logs_retention_in_days
  name              = "/aws/lambda/${var.function_name}"
  label_value_case  = can(regex("[A-Z]", var.function_name)) ? "none" : "lower" <-------------------- this ?

  tags = module.this.tags
}

nnsense

05:30:06 PM

Or even better null instead of lower since that’s the default

2024-08-23

2024-08-24

hamza-25

04:36:43 PM

Hey all,

Ive opened a PR to the CP subnets module to allow routing to a Transit gateway. Left more details in the pr description, looking forward to getting feedback on this change.

https://github.com/cloudposse/terraform-aws-named-subnets/pull/60

#60 add transit gateway id option to the route table

what

• The existing module only allows a user to associate the route table of a private subnet with a network interface or a nat gateway. • By adding the tgw_id argument, users of the subnet module can automatically create a route table with routing between a private subnet and a transit gateway.

why

• As a best practice, a user may create an AWS account for centralized networking. • To allow traffic to route from account B to account A (centralized networking account), a Transit Gateway is needed. • If a user creates a subnet using this module, the tgw_id feature will allow the user to directly associate the route table in the private subnet to an existing transit gateway. • Example architecture:
ec2 -> private subnet rtb -> tgw -> private subnet rtb-> natgw -> public internet
|——–AWS Account B——|——-AWS Account A———-|

References

Multi account practices

kevcube

10:47:45 AM

do you see the note in description that this module is deprecated? I would recommend you use cloudposse/terraform-aws-dynamic-subnets instead

#60 add transit gateway id option to the route table

what

• The existing module only allows a user to associate the route table of a private subnet with a network interface or a nat gateway. • By adding the tgw_id argument, users of the subnet module can automatically create a route table with routing between a private subnet and a transit gateway.

why

• As a best practice, a user may create an AWS account for centralized networking. • To allow traffic to route from account B to account A (centralized networking account), a Transit Gateway is needed. • If a user creates a subnet using this module, the tgw_id feature will allow the user to directly associate the route table in the private subnet to an existing transit gateway. • Example architecture:
ec2 -> private subnet rtb -> tgw -> private subnet rtb-> natgw -> public internet
|——–AWS Account B——|——-AWS Account A———-|

References

Multi account practices

1

hamza-25

01:42:57 PM

Ah didnt notice that, thanks.

nnsense

07:42:37 PM

Wow, I didn’t notice too, and I’m actively using that module. It’s a bit hard to see for me because I usually jump to the readme and read that (and I skip the header, if any :D)

2024-08-26

nnsense

07:38:57 PM

Hi cloudposse crew! Just a minor addition to the lambda module, allowing to set a Kinesis stream, DynamoDB stream, or SQS queue as a trigger for lambda. https://github.com/cloudposse/terraform-aws-lambda-function/pull/75 Thanks :)

#75 Minor: Implementation of the `aws_lambda_event_source_mapping` resource to easily set a stream or a queue as trigger for lambda.

what

Implementation of the aws_lambda_event_source_mapping resource, allowing to set a Kinesis stream, DynamoDB stream, or SQS queue as a trigger for lambda. I’ve porpousely kept things simple allowing only a few variables:

• source_mapping_arn pointing to the arn of the triggering resource (eg, the lambda execution role) • source_mapping_batch_size allowing to tune the number of events we pass to the function. • source_mapping_starting_position, because it’s usually required and terraform complains if it’s unset • source_mapping_starting_position_timestamp, if someone wants to use AT_TIMESTAMP in Kinesis.

why

It’s useful to get lambda triggered by other resources without having to set just one resource in another module.

Gabriela Campana (Cloud Posse)

09:41:28 PM

@Dan Miller (Cloud Posse)

#75 Minor: Implementation of the `aws_lambda_event_source_mapping` resource to easily set a stream or a queue as trigger for lambda.

what

Implementation of the aws_lambda_event_source_mapping resource, allowing to set a Kinesis stream, DynamoDB stream, or SQS queue as a trigger for lambda. I’ve porpousely kept things simple allowing only a few variables:

• source_mapping_arn pointing to the arn of the triggering resource (eg, the lambda execution role) • source_mapping_batch_size allowing to tune the number of events we pass to the function. • source_mapping_starting_position, because it’s usually required and terraform complains if it’s unset • source_mapping_starting_position_timestamp, if someone wants to use AT_TIMESTAMP in Kinesis.

why

It’s useful to get lambda triggered by other resources without having to set just one resource in another module.

Dan Miller (Cloud Posse)

04:04:13 PM

Left a comment. We should try to make sure any resource is covered by terratest

1

nnsense

04:24:03 PM

Fixed.. well, maybe, not sure if that’s everything needed

Dan Miller (Cloud Posse)

02:40:20 PM

@nnsense looks like terraform failed once we enabled these new resources. Can you please review the error? Let me know if you have any questions about it

nnsense

03:00:19 PM

That’s what I was expecting to happen by adding source_mapping_enabled = true, but I don’t know what to set for source_mapping_arn because that doesn’t exist (should I add a dynamodb example to sort that out?)

nnsense

08:05:31 PM

I think I’ve sorted that out passing fake parameters, hope that works…

nnsense

08:06:48 PM

aww right It doesnt

Dan Miller (Cloud Posse)

08:06:54 PM

You might need to create an example dynamodb table so that you can properly validate the resource by passing a valid ARN

nnsense

08:07:10 PM

Let’s do it