#terraform-aws-modules (2023-08)

terraform Terraform Modules

Discussions related to https://github.com/terraform-aws-modules

Archive: https://archive.sweetops.com/terraform-aws-modules/

2023-08-07

Brian avatar
#796 docs: fix issue with eks/cluster usage snippet

what

• update usage snippet in readme for eks/cluster component

why

• fix incorrect shape for one of the items in aws_team_roles_rbac • improve consistency • remove variables that are not appliable for the component

references

• n/a

1
1
Brian avatar
#798 Eks cluster fix first deploy due to OIDC

what

• set a non-empty value for eks_cluster_identity_oidc_issuer as the default for module.eks (remote-state module).

why

• that value must not be empty when passed to the cloudposse/eks-iam-role/aws module for aws-ebs-csi-driver and vpc-cni addons • that will never exists on first deployment because the component itself create the OIDC provider

references

#797

1
1
Brian avatar
#799 feat: allow email to be configured at account level

what

• allow email to be configured at account level

why

• to allow importing existing accounts with email address that does not met the organization standard naming format

references

• n/a

1
Brian avatar
#800 feat: filter out “SUSPENDED” accounts for account-map

what

• filter out “SUSPENDED” accounts (aka accounts in waiting period for termination) for account-map component

why

• suspended account cannot be used, so therefore it should not exist in the account-map • allows for new active accounts with same exact name of suspended account to exists and work with account-map

references

• n/a

1
1
Brian avatar
#801 bug: update descriptions *_account_account_name variables

what

• update descriptions *_account_account_name variables • I replaced stage with short because that is the description used for the respective outputs entries

why

• to help future implementors of CloudPosse’s architectures

references

• n/a

1
1
Jeremy G (Cloud Posse) avatar
Jeremy G (Cloud Posse)

~@Dan Miller (Cloud Posse) We are going to want to reverse this PR. The problem is the “short” name for the account includes the tenant, e.g. “core-auto”, whereas the stage name is just “auto”. Sorry, Brian, but thank you anyway.~

#801 bug: update descriptions *_account_account_name variables

what

• update descriptions *_account_account_name variables • I replaced stage with short because that is the description used for the respective outputs entries

why

• to help future implementors of CloudPosse’s architectures

references

• n/a

1
1
1
Jeremy G (Cloud Posse) avatar
Jeremy G (Cloud Posse)

@Brian I’m sorry that account-map is so confusing. It is a complicated adapter supporting several different iterations of the Cloud Posse reference architecture. It even confused me, and I am the lead maintainer. @Dan Miller (Cloud Posse) Brian was right and I was wrong, the inputs are supposed to be the short names, not the stage names.

2
Brian avatar
#802 bug: handle lowercase name tag when explicitly defining Name tag

what

• gracefully handle lowercase name tag when explicitly defining Name tag • setting name to null means the provider ignore the key-value pair and therefore creates no conflicts with Name

why

• aws provider (least with latest provider) does not allow both name and Name keys to exists for tags variable

references

• n/a

Jeremy G (Cloud Posse) avatar
Jeremy G (Cloud Posse)

@Brian Can you please explain this use case? Your solution only handles the name tag, but you would have the same problem if you included other tags where the keys were distinct under case-sensitive matches but identical under case-insensitive matches. So unless we have a comprehensive solution, I’m inclined to leave it to users to clean up their inputs.

#802 bug: handle lowercase name tag when explicitly defining Name tag

what

• gracefully handle lowercase name tag when explicitly defining Name tag • setting name to null means the provider ignore the key-value pair and therefore creates no conflicts with Name

why

• aws provider (least with latest provider) does not allow both name and Name keys to exists for tags variable

references

• n/a

Brian avatar

Yes. Whenever label_key_case is set to lower in the global stack file, then both name and Name will exists in the situations this issue resolves.

I also realize sometimes Name is intentional even if all other tags are normalized to lowercase because the AWS web console will the value of Name as the name if it exists.

2023-08-08

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@Brian dang!! you’re on a roll

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

cc @Dan Miller (Cloud Posse) @Ben Smith (Cloud Posse) @Jeremy G (Cloud Posse) @Jeremy White (Cloud Posse) @Andriy Knysh (Cloud Posse)

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@Gabriela Campana (Cloud Posse) can you help us get them reviewed

1
1
1

2023-08-09

2023-08-17

Adnan avatar
Gabriela Campana (Cloud Posse) avatar
Gabriela Campana (Cloud Posse)

@Dan Miller (Cloud Posse)

Dan Miller (Cloud Posse) avatar
Dan Miller (Cloud Posse)

This component defines the AWSNodeTemplate manifest here. That manifest uses the options given by Terraform, but at this time does not include user data. However, user data is supported by karpenter! So in order to pass user data to the nodes, add a new spec to Terraform to pass user data. Something like this:

resource "kubernetes_manifest" "provider" {
...
  manifest = {
...
    spec = merge({
...
      userData = each.value.user_data
  }
}

and then add user_data to the provisioners var

Node Templatesattachment image

Configure AWS specific settings

1

2023-08-22

Samuel Crudge avatar
Samuel Crudge

Hello again!

https://github.com/cloudposse/terraform-aws-ec2-bastion-server - All the tags since Jun 11, 2021 are classed as pre-release.

Is this intended?

cloudposse/terraform-aws-ec2-bastion-server

Terraform module to define a generic Bastion host with parameterized user_data and support for AWS SSM Session Manager for remote access with IAM authentication.

RB avatar

Yes because the sg module was refactored and it was never upgraded in this module. The most recent non pre release version is from this year may and it’s version is

https://github.com/cloudposse/terraform-aws-ec2-bastion-server/releases/tag/0.27.1

cloudposse/terraform-aws-ec2-bastion-server

Terraform module to define a generic Bastion host with parameterized user_data and support for AWS SSM Session Manager for remote access with IAM authentication.

Samuel Crudge avatar
Samuel Crudge

Thanks @RB

2023-08-25

2023-08-28

2023-08-30

Giorgio Conte avatar
Giorgio Conte

Hi to all, there is the possibility to insert a scopedown statement of managed rules in waf module?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@Andriy Knysh (Cloud Posse)

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

please specify 1) what WAF module (Terraform resource or CloudPosse waf)? 2) what is a scopedown statement? (please provide an example of that)

Giorgio Conte avatar
Giorgio Conte
Giorgio Conte avatar
Giorgio Conte

the terraform aws provider (https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl) can optionally use the scope down statment of a rule

Giorgio Conte avatar
Giorgio Conte
scope_down_statement 
Giorgio Conte avatar
Giorgio Conte

In this topic https://github.com/cloudposse/terraform-aws-waf/issues/33, there’s a work around only for rate_based_statement rule.

#33 Support scope-down statements

Describe the Feature

Update the module so that is supports scope-down statements for managed rule groups and rate-based rules.

https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-scope-down-statements.html

Expected Behavior

Accept scope_down_statement within rate_based_statement_rules and managed_rule_group_statement_rules, like the following:

module "waf" {
  source = "../.."
  
  rate_based_statement_rules = [
    {
      name     = "rule-40"
      action   = "block"
      priority = 40

      statement = {
        limit              = 100
        aggregate_key_type = "IP"
      }

      scope_down_statement = {
        matches = {
          request_components = {
            uri_path = "/path"
          }
        }
      }

      visibility_config = {
        cloudwatch_metrics_enabled = false
        sampled_requests_enabled   = false
        metric_name                = "rule-40-metric"
      }
    }
  ]
}

Use Case

We would like the module to support more WAFv2 functionality so we can continue to use it.

Describe Ideal Solution

It would be great if this module supported scope-down statements.

Alternatives Considered

No response

Additional Context

No response

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

scope_down_statement is not currently supported by the module

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

can be added to managed_rule_group_statement and rate_based_statement

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

can you open a PR and we’ll review it?

Giorgio Conte avatar
Giorgio Conte

yes thanls

Giorgio Conte avatar
Giorgio Conte

thanks

    keyboard_arrow_up