#terraform-aws-modules (2019-06)

Hey all, does anyone have some recommendations on a terraform module setup for an ecs fargate cluster setup? It needs to support 4 services per cluster, alb, possible nginx side car container integration. Thoughts? I had one working for a while, but the tags broke.

I’m in the process of upgrading mine for fargate support. Need to finish it this week. Have too many things that need it

There was an awesome module by azavea but the tags broke on it for TFE, so I gotta find a new module. The last one was perfect, created the ALB, the ECS cluster, multiple services.

autoscaling policies, etc. Preferably I could find another one like it, but if I have to use multiple, oh well. What are you using in your setup?

Mine handles ECS service on ECS2, alb, , tags, and things. It is for a service. So, you can create as many services as needed. Both container and task definitions can be overridden for more complex setups (like sidecars, proxies). Partial fargate support is there. But not awsvpc networking yet

https://github.com/appzen-oss/terraform-aws-ecs-service

Also, this conversation should be in #terraform

we use https://github.com/cloudposse/terraform-aws-ecs-alb-service-task

That’s a pretty nice module. Is there a way to output the ALB DNS name for R53 records?

Woah! just hit my first v0.12 compatibility gotcha. We have extensive use of the null-label module and are running v.11. So this hit us… https://github.com/cloudposse/terraform-null-label/commit/e2b880b2bad3cd8ceaa87c56176c15d92e28775d Anyway - a quick sed -i "s/.../.../" solved it.

@David Latham please make sure you never pin to master in any of your infrastructure code

(it’s not possible to maintain backwards compatibility between releases and pinning to a release is the only way to ensure stability in a global ecosystem of terraform modules)

https://github.com/cloudposse/terraform-null-label/releases

use 0.11.1 or earlier

yup - I guess I would need to thank our consultant for that. Luckily it’s not pinned to master everywhere - just this one project and a simple enough PR to fix.

really really stupid question but I’m so lost: i’m trying to provision a cross-region rds replica but I can’t figure out how to create KMS keys for two different regions (us-east-2 for the source db and us-west-2 for the replica db). Do I resource two aws_kms_key and specify the region somehow?

@ian are you using one of these modules: https://github.com/terraform-aws-modules/

no a senior dev has rolled his own setup but it’s similar to those modules and I can use them as a reference

Has anyone tested provisioner during terraform destroy? Destroy-Time Provisioners <https://www.terraform.io/docs/provisioners/index.html>

We are currently testing it and destroy handle doesn’t seem to pick up…. If someone has tested, please advise?

Hey guys, using this module: https://github.com/cloudposse/terraform-aws-s3-log-storage?ref=master and running into an issue where the ALBs I’m creating don’t have access to the bucket. Is that an attribute input I need to set?

this channel is for https://github.com/terraform-aws-modules/

Ah my apologies. I’ll use terraform channel

thx!

anyone have an AWS AppMesh terraform module they’re working on?

Not yet. Will probably be on my project list next month

Looks like someone started already https://github.com/bitflight-public/terraform-aws-app-mesh

@jamie

@jamie has joined the channel

@cabrinha meet @jamie

hi

hello

let me know if you need any help on the app mesh module, it looks great so far

@cabrinha when did you need it by? I am starting by making an mvp using terraform 0.12, and I’m not going to include all of the node features like logging and health checks at the start

i’d like to use terraform 0.11

and need? well the sooner the better

So once the mvp is done, you can do pr’s to add in other features and such

Error downloading modules: Error loading modules: module virtual_router_label: duplicated. module names must be unique

this is the error I get as it sits now

Lol. Yeah it’s not ready yet I’ve only been writing it for about 3.5 hours

(that means Jamie will have a few PRs open in ~30m)

Ha.

It’s 7pm for me and I was about to have a beer. I am gonna keep going tomorrow:)

Btw @cabrinha are you using an existing module to create your services and ecs cluster?

Like airship?

nope, we use our own in-house module

Ok. So to make app mesh work the task definitions have to have an extra two sidecar containers running in them

sure, envoy and xray

Yeah.

thats easy, i’ve got my task-definition sorted out already

So what I’ll do it create a template wrapper for generating the task def

That adds the sidecars as well

So you can pass in your container def, and ports, and app mesh name, and it outputs the full task def

With the ports, proxy, and labels in place

hm ok that sounds cool

I’ll need to make it for when I do the example anyway

Anyway, I’ll update it further tomorrow

@jamie not sure if this affects your module approach: https://aws.amazon.com/about-aws/whats-new/2019/06/aws-app-mesh-service-discovery-with-aws-cloud-map-generally-available/

(I think I will need to watch a video or adjust my meds, because I didn’t understand that announcement…)

(oh, boy, I just noticed the video is from AWS Summit Anaheim and I was at that show …I guess I must not have been paying attention.

@cabrinha this app mesh module’s example is getting bigger than the actual module

haha

lel

yeah thats expected when you’re making on ECS cluster, VPC and all that

I have a few things still to do today:

• Complete the codepipeline build and deploy to ecr from s3 source
• Complete the task wrapper
• Complete the IAM roles required for running the tasks
• Complete the ECS Service Update pipeline

@Callum Robertson this channel will help you.

@Callum Robertson has joined the channel

Looks like I’m having some issue with the EKS module https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/4.0.2

kubectl get svc

is there no way to get VPC IPs now?

hm, maybe its just the subnet tagging that I was missing

https://docs.aws.amazon.com/eks/latest/userguide/create-public-private-vpc.html

@cabrinha the latest version of the dynamic subnet module handles the public private subnet tagging correctly.

nice thanks

are there tags needed?

never saw any docs on that

It depends. Many of the kubernetes services that need to access and discover aws resources require that those resources are tagged in a way that relates to the kubernetes cluster

Such as Spinnaker.io and cpco.io

The dynamic subnets module allows you to specify a tag and a value

i preferred the dynamic sinners module myself

Ha

https://github.com/cloudposse/terraform-aws-dynamic-subnets was converted to TF 0.12, real tests added (using bats and terratest), the tests create real resources in AWS and check them

https://g.codefresh.io/public/accounts/cloudposse/builds/5d0d1d2202e71163875706c9

@cabrinha regarding what @jamie said, there are two variables https://github.com/cloudposse/terraform-aws-dynamic-subnets/blob/master/variables.tf#L1 and https://github.com/cloudposse/terraform-aws-dynamic-subnets/blob/master/variables.tf#L7 which you can use to implement any type of tagging for the subnets

yeah we’re just starting to get into EKS now, most of our AppMesh stack is for use in ECS

Hi guys, I’m having trouble accessing the kibana web interface via a browser after running the terraform module.

I’m connect to a VPN and allowed the VPN cidr block to access the es cluster yet when I hit the kibana link, I get {"Message":"User: anonymous is not authorized to perform: es:ESHttpGet"}.

I tried adding the cidr block to the access policy but I get UpdateElasticsearchDomainConfig: {"message":"You can’t attach an IP-based policy to a domain that has a VPC endpoint. Instead, use a security group to control IP-based access."}

I can use the domain template to not require signing request with iam credential, which does allow me to access kibana but this is not my ideal way to set it up.