#terraform-aws-modules (2021-09)
Terraform Modules
Discussions related to https://github.com/terraform-aws-modules
Archive: https://archive.sweetops.com/terraform-aws-modules/
2021-09-01
2021-09-09
caron.wills:
Hey folks, wondered if anyone could give me some advice on the aws_backup module, specifically how do I ensure that the resource tags are copied to my recovery tags? This doesn’t seem well documented at all. Any pointers would be most appreciated.
Erik Osterman (Cloud Posse):
You should be provisioning those other resources with the tags
caron.wills:
So the resources I’m backing up are provisioned with tags, however the Recovery point tags don’t give me details of the resource I’m backing up?
RB:
it might help to look at our aws-backup component that uses the aws-backup module
https://github.com/cloudposse/terraform-aws-components/tree/master/modules/aws-backup
Opinionated, self-contained Terraform root modules that each solve one, specific problem - terraform-aws-components/modules/aws-backup at master · cloudposse/terraform-aws-components
RB:
in the readme, you can see the inputs that create a special tag
caron.wills:
ah ok let me take a look
caron.wills:
@RB hmm not sure this is what I’m looking for, the point is I should be able to set a tag or derive a tag that reflects what I’m backing up? Can this be done?
caron.wills:
if so how?
caron.wills:
and ideally in the Recovery point tags
RB:
if this is set
```yaml
selection_tags:
  - type: "STRINGEQUALS"
    key: "aws-backup/resource_schedule"
    value: "daily-14day-backup"
```
then you can set a tag on a resource
like `aws-backup/resource_schedule = "daily-14day-backup"`
and aws-backup will manage it
RB:
see this resource how the selection_tags are used
Terraform module to provision AWS Backup, a fully managed backup service that makes it easy to centralize and automate the back up of data across AWS services such as EBS volumes, RDS databases, Dy…
caron.wills:
yes indeed that’s not the issue, I’m able to back up based on tags, but how do I associate the recovery point tags with what I back up, especially when the resource is an EC2 instance.
RB:
are you saying you can and want to tag individual recovery points?
RB:
these are the only resources i can find related to aws_backup
caron.wills:
there is an inconsistency about the way AWS names its resources, and as such there is no issue with RDS however there is with EC2 instances and their resource IDs.
caron.wills:
yes indeed I’m hitting the same brick wall. Perhaps I’m misunderstanding what the recovery point tags are for?
caron.wills:
are you saying you can and want to tag individual recovery points?
caron.wills:
What I want to do is have a tag that represents what I actually backed up in the case of an EC2 instance.
RB:
I’m unsure if that’s possible
caron.wills:
I’m beginning to think it isn’t
caron.wills:
well at least not for EC2 instances.
caron.wills:
Anyone know how the aws backup module works?
caron.wills:
hello anyone?
2021-09-14
Manuel Morejón:
Hi team! Any help needed to merge this PR? https://github.com/cloudposse/terraform-aws-iam-role/pull/30
what Add permissions_boundary as a parameter why This parameter is missing in the module as an option. references iam_role#permissions_boundary Signed-off-by: Manuel Morejon [email protected]
2021-09-15
Manuel Morejón:
what Add permissions_boundary as a parameter Upgrade cloudposse/iam-role/aws module to version 0.13.0 why This parameter is missing in the module as an option. references PR cloudposse/iam-rol…
2021-09-16
Manuel Morejón:
Hi @RB! One question, I’m using `terraform-aws-cloudwatch-logs` to create a log-group for Opensearch (formerly Elasticsearch) and I get this error:
```
│ Error: ValidationException: The Resource Access Policy specified for the CloudWatch Logs log group home-dev-es-search does not grant sufficient permissions for Amazon OpenSearch Service to create a log stream. Please check the Resource Access Policy.
```
this is my `tf` file
```hcl
module "home_dev_es_label" {
  source    = "cloudposse/label/null"
  version   = "0.25.0"
  namespace = "home"
  stage     = "dev"
  name      = "es"
}

module "cloudwatch_search_log" {
  source                 = "cloudposse/cloudwatch-logs/aws"
  version                = "0.5.0"
  attributes             = ["search"]
  additional_permissions = ["logs:*"]
  principals             = { "Service" : ["es.amazonaws.com"] }
  context                = module.home_dev_es_label.context
}
```
Could you help me with this error?
Erik Osterman (Cloud Posse):
my guess is this has changed:
Erik Osterman (Cloud Posse):
`principals = { "Service" : ["es.amazonaws.com"] }`
Erik Osterman (Cloud Posse):
`es.amazonaws.com` is probably not right
Manuel Morejón:
Thanks @Erik Osterman (Cloud Posse)!
I was wrong about the use of the module. This module `cloudposse/cloudwatch-logs/aws` is a general-purpose log group, but it does not fit the needs of the Opensearch (formerly Elasticsearch) service.
Log groups for Opensearch need the component `aws_cloudwatch_log_resource_policy`, and this element is missing in the cloudposse module.
In the end I made a specific log module for Opensearch cloudwatch log groups using the same standard I saw in Cloudposse
Manuel Morejón:
Anyway, thanks a lot for your answer
2021-09-23
2021-09-24
2021-09-27
s2504s:
Hello all! I am trying to manage AWS API GW resources using Terraform. Today I faced a strange issue: I added some changes to the stage configuration in the terraform manifest and applied these changes. But Terraform removed the previous deployment version and created a new one. So, my questions are:
- Is it valid behaviour?
- Why does Terraform remove the previous deployment version instead of creating a new one and just switching the configuration of API GW onto this configuration?
- If you use terraform for API GW, do you have deployment history with previous deployed versions?
Brian Ojeda:
Deploying api-gw via Terraform without using swagger/openapi spec is more trouble than it is worth. My recommendation is to deploy using swagger/api spec and create new deployments whenever the swagger/api is updated.