#terraform-aws-modules (2024-02)
Terraform Modules
Discussions related to https://github.com/terraform-aws-modules
Archive: https://archive.sweetops.com/terraform-aws-modules/
2024-02-01
@Andriy Knysh (Cloud Posse), can you please review this PR - https://github.com/cloudposse/terraform-aws-components/pull/971 ?
@Aayush Harwani what error are you seeing? Asking b/c what you added in the PR is already implemented here https://github.com/cloudposse/terraform-aws-components/blob/main/modules/vpc/main.tf#L5
@Andriy Knysh (Cloud Posse), my bad, i was getting error due to this,, here in remote-state.tf var is used instead of local. - https://github.com/cloudposse/terraform-aws-components/pull/972
I faced this issue, while trying out atmos.
thanks @Aayush Harwani https://github.com/cloudposse/terraform-aws-components/releases/tag/1.398.0
@Andriy Knysh (Cloud Posse), can you help me with this - https://github.com/cloudposse/terraform-aws-components/pull/973
@Aayush Harwani this is not related to Atmos, this is pure Terraform. The component uses a local module https://github.com/cloudposse/terraform-aws-components/blob/main/modules/sqs-queue/main.tf#L6
the module is defined in the modules folder https://github.com/cloudposse/terraform-aws-components/tree/main/modules/sqs-queue/modules/terraform-aws-sqs-queue
This is a correct and used Terraform pattern. Why do you think it’s a problem?
whenever i am pulling this module using vendor pull, modules folder is not getting pulled and it is giving error.
included_paths:
- "**/**"
# The glob library does not treat the ** above as including the sub-folders if the sub-folders is not also explicitly included
- "**/modules/**"
please add this to the included_paths in vendor.yaml
(the Go lib that Atmos uses to download the sources does not create sub-folders automatically, they need to be specified in included_paths)
2024-02-02
2024-02-03
Hi all - I’m trying to use this beanstalk module to spin up some infra https://github.com/cloudposse/terraform-aws-elastic-beanstalk-environment My requirement is that the beanstalk environment attaches itself to port 443 so that it’s on SSL.
Here is my configuration:
module "alb" {
source = "cloudposse/alb/aws"
version = "1.10.0"
namespace = "tpo"
name = "elastic-beanstalk"
vpc_id = data.aws_vpc.default.id
subnet_ids = data.aws_subnets.private.ids
internal = true
certificate_arn = data.aws_acm_certificate.cert.arn
security_group_ids = [module.security_groups.alb_sg]
http_enabled = false
https_enabled = true
enabled = true
stage = "prod"
access_logs_enabled = true
access_logs_prefix = "tpo-prod"
alb_access_logs_s3_bucket_force_destroy = true
# This additional attribute is required since both the `alb` module and `elastic_beanstalk_environment` module
# create Security Groups with the names derived from the context (this would conflict without this additional attribute)
attributes = ["shared"]
}
module "elastic_beanstalk_application" {
source = "cloudposse/elastic-beanstalk-application/aws"
version = "0.11.1"
enabled = true
for_each = toset(var.EB_APPS)
name = each.value
}
module "elastic_beanstalk_environment" {
source = "cloudposse/elastic-beanstalk-environment/aws"
for_each = toset(var.EB_APPS)
enabled = true
region = var.REGION
elastic_beanstalk_application_name = each.value
name = "prod-${each.value}-tpo"
environment_type = "LoadBalanced"
loadbalancer_type = "application"
loadbalancer_is_shared = true
shared_loadbalancer_arn = module.alb.alb_arn
loadbalancer_certificate_arn = data.aws_acm_certificate.cert.arn
tier = "WebServer"
force_destroy = true
instance_type = "t4g.xlarge"
vpc_id = data.aws_vpc.default.id
loadbalancer_subnets = data.aws_subnets.private.ids
application_subnets = data.aws_subnets.private.ids
application_port = 443
allow_all_egress = true
additional_security_group_rules = [
{
type = "ingress"
from_port = 0
to_port = 65535
protocol = "-1"
source_security_group_id = data.aws_security_group.vpc_default.id
description = "Allow all inbound traffic from trusted Security Groups"
}
]
solution_stack_name = "64bit Amazon Linux 2 v5.8.10 running Node.js 14"
additional_settings = [
{
namespace = "aws:elasticbeanstalk:application:environment"
name = "NODE_ENV"
value = "prod"
},
{
namespace = "aws:elbv2:listenerrule:${each.value}"
name = "HostHeaders"
value = "prod-${each.value}-taxdev.io"
}
]
env_vars = {
"NODE_ENV" = "prod"
}
enable_stream_logs = true
extended_ec2_policy_document = data.aws_iam_policy_document.minimal_s3_permissions.json
prefer_legacy_ssm_policy = false
prefer_legacy_service_policy = false
}
What ends up happening is that the beanstalk application tries to map to port 80 rather than 443, and the whole thing errors out
The only way I can get it to finish successfully is if I set http_enabled = true but then my beanstalk app ends up on the wrong listener port
Does anybody have any ideas how I can get this working on listener port 443 instead of 80?
Can you show the error?
Error: creating Elastic Beanstalk Environment (prod-adjustments-tpo): ConfigurationValidationException: Configuration validation exception: Invalid option value: 'default' (Namespace: 'aws:elbv2:listener:80', OptionName: 'Rules'): The load balancer you specified doesn't have a listener on port 80. Specify listener options only for existing listeners.
│ status code: 400, request id: c06c4cab-f781-445b-8bc4-2158de99f923
│
│ with module.elastic_beanstalk_environment["adjustments"].aws_elastic_beanstalk_environment.default[0],
│ on .terraform/modules/elastic_beanstalk_environment/main.tf line 602, in resource "aws_elastic_beanstalk_environment" "default":
│ 602: resource "aws_elastic_beanstalk_environment" "default" {
There you go @Joe Niland
Would you happen to know how to add multiple “Rules” in the configuration, like this?
I’m finding that the following rule is required to avoid the error shown above…
{
namespace = "aws:elbv2:listener:443"
name = "Rules"
value = "default"
},
However, when I use that rule, I am unable to add a secondary rule as shown in the screenshot.
2024-02-04
2024-02-10
https://github.com/cloudposse/terraform-aws-iam-account-settings/blob/78e9718eabbeca8e8c66bcf387e09b3c3333d411/main.tf#L3-L7 I don’t believe the account alias is used anywhere in the Cloud Posse components. But wanted to double-check if there could be any unforeseen issues if we update these with different values.
i believe if you didn’t use it before, it should not affect you (but you have to test it)
2024-02-12
Quick question about the lambda component. The version of the cloudposse/lambda-function/aws module listed in the repo (https://github.com/cloudposse/terraform-aws-components) is 0.4.1. The current version of 0.5.3 and importantly contains the fixes to the names of function log groups from 0.5.1 .
The lambda component is still regularly updated (e.g. v1.396.0, two weeks ago). Is there a reason for the listed version of the module being behind? I’m not clear why the module version used here in the main repo has drifted behind its source — as in most cases bumping the version after the atmos vendor causes no problems
There isnt any particular reason that the module version hasnt been updated. It was likely the case of pushing a quick fix for a requirement and neglecting to upgrade the module version at the same time.
If you do upgrade that version and everything works as expected, please feel free to submit a PR to the component!
(this is more a refarch question, as it’s components)
We do not automatically update dependencies in terraform-aws-components right now because we lack automated testing. We want/need these to be vetted & working modules. They there’re will lag behind because we upgrade them mostly when we need to to retrieve new functionality.
We’re in parallel in the early stages of building out refarch v2 components. These will add terratests (we’re adding a helper for terratest to support atmos). All v2 components will have tests out-of-the-box. This means we can accept more contributions, automatically update component dependencies, and ensure everything continues to work.
1
2024-02-14
2024-02-15
We have been eagerly anticipating the day when we could manage EKS cluster authentication via AWS APIs rather than the Kubernetes ConfigMap. That day is here, but there are still some bugs to be worked out. Please upvote this issue that, when resolved, will make upgrading to the new APIs significantly easier.
I was going to ask for this, and found your message… I think this will simplify things
Yes, this is actively under development. In fact, the coding is mostly done, but the upgrade path is complicated and there is a lot of testing to do and documentation to write. I plan to release a pre-release version next week to get feedback.
@Luis Longo Please try eks-cluster v4.0.0-rc1 (PR 206) and let us know what you think. It (finally!) ditches all the hacks needed to update the aws-auth ConfigMap and uses the new AWS API for access control. Be sure to read the migration doc, as there a few manual steps needed to upgrade, and a lot of deprecated features finally removed.
Note: at present, v4.0.0-rc1 is not available via the Terraform registry. Use a git ref instead:
source = "github.com/cloudposse/terraform-aws-eks-cluster?ref=v4.0.0-rc1"
@Jeremy G (Cloud Posse) Hi !
Thanks for the work.
I’m testing it and I have this error during terraform plan:
│ Error: Get “<http://localhost/api/v1/namespaces/kube-system/configmaps/aws-auth>”: dial tcp [::1]:80: connect: connection refused
I can’t figure why
My values comply with the migration guide
@Quentin BERTRAND Verify that you really are on v4.0.0-rc1. (It is now available via the Terraform Registry.) That error comes from settings that have been removed. If you are on the right version, and have removed the auth-map as detailed in the migration guide, and are still having this issue, then you may need to manually remove ...null_resource.wait_for_cluster[0] the way you removed the auth-map resource. Please let me know if this helps, and if it does not, please let me know what settings you previously had for all the inputs that start with “kube”.
@Jeremy G (Cloud Posse) Hello,
Verify that you really are on v4.0.0-rc1 I use
source = "[github.com/cloudposse/terraform-aws-eks-cluster?ref=v4.0.0-rc1](http://github.com/cloudposse/terraform-aws-eks-cluster?ref=v4.0.0-rc1)"on my terragrunt.hcl :white_check_mark:
I removed manually ...null_resource.wait_for_cluster[0]
Now I have these states;
❯ terragrunt state list
data.aws_iam_policy_document.assume_role[0]
data.aws_iam_policy_document.cluster_elb_service_role[0]
data.aws_partition.current[0]
data.tls_certificate.cluster[0]
aws_eks_cluster.default[0]
aws_iam_openid_connect_provider.default[0]
aws_iam_policy.cluster_elb_service_role[0]
aws_iam_role.default[0]
aws_iam_role_policy_attachment.amazon_eks_cluster_policy[0]
aws_iam_role_policy_attachment.amazon_eks_service_policy[0]
aws_iam_role_policy_attachment.cluster_elb_service_role[0]
aws_security_group_rule.managed_ingress_cidr_blocks[0]
aws_security_group_rule.managed_ingress_security_groups[0]
kubernetes_config_map.aws_auth_ignore_changes[0]
I keep getting the error during terraform plan/apply;
Error: Get "<http://localhost/api/v1/namespaces/kube-system/configmaps/aws-auth>": dial tcp 127.0.0.1:80: connect: connection refused
```
Do I have to delete kubernetes_config_map.aws_auth_ignore_changes[0] ?
:face_palm: Yes, of course, my mistake. You need to delete (terraform state rm):
kubernetes_config_map.aws_auth_ignore_changes[0]
@Quentin BERTRAND Also, if you have kubernetes in your required_providers block (usually in [versions.tf](http://versions.tf)) and/or have provider "kubernetes" in your [providers.tf](http://providers.tf) you need to remove those, too.
@Quentin BERTRAND Did you not get this error:
│ Error: Provider configuration not present
│
│ To work with module.eks_cluster.kubernetes_config_map.aws_auth_ignore_changes[0] (orphan) its original provider configuration at
│ module.eks_cluster.provider["registry.terraform.io/hashicorp/kubernetes"] is required, but it has been removed. This occurs when a provider
│ configuration is removed while objects created by that provider still exist in the state. Re-add the provider configuration to destroy
│ module.eks_cluster.kubernetes_config_map.aws_auth_ignore_changes[0] (orphan), after which you can remove the provider configuration again.
or something almost exactly like it? If not, I’m curious how, because I cannot reproduce the case where that error does not show up.
@Jeremy G (Cloud Posse) Hello
It’s better after deleting kubernetes_config_map.aws_auth_ignore_changes[0]
Thank you
2024-02-19
Hey! Any chance this could be looked into https://github.com/cloudposse/terraform-aws-elasticache-redis/issues/194? It even has a proposed fix done as a PR
if that isn’t a good solution, I could take a stab at it
@Erik Osterman (Cloud Posse) Who is our best resource for ElastiCache?
Maybe @Dan Miller (Cloud Posse)
unfortunately no. I’ve not worked on elasticache more than the basics of setting it up
I should have raised my hand sooner, but missed the DM’s about this till now
reading the PR
so, from what I’ve gathered, our module doesn’t use random_password. In fact, the code explicitly requests a variable. This means that the behavior is out of scope.
To be clear, I empathize with the issue. I would recommend using the -target flag, which lets you apply the state of just one resource in a stack. If you need to rotate the password, just use something like taint, and then run another -target apply.
here’s more on the -target argument in Terraform
2024-02-20
I am adding support for latest Karpenter. I noticed the IAM role for nodes provisioned or managed by Karpenter is created by the eks/cluster component instead of eks/karpenter. I also noticed this is the “recommend” configuration. I cannot understand why, though. Can someone help me understand?
The tl;dr is that we want to ensure that when you destroy an EKS cluster via terraform destroy it does not leave orphaned resources like the Karpenter IAM role. If eks/karpenter creates the role, and then you destroy the EKS cluster, you then don’t have a good way to destroy the Karpenter IAM role. You cannot terraform destroy the eks/karpenter component at that point because the cluster is gone and you get errors.
Previously, we ran into even greater issues with bringing up a new cluster with the orphaned role still lying around, the exact details of which I don’t recall, but it had something to do with the special relationship between IAM roles and EC2 instance profiles.
Anyway, it just works out better for eks/cluster to be responsible for all the IAM roles in the cluster that are part of the cluster infrastructure (rather than the applications).
Also, updated Karpenter support is high on our to-do list. It has been held up by our work on updating eks/cluster to use the new AWS API for access control, but now that we have a release candidate for that, we hope to have updated Karpenter support “real soon now”
Thank you @Jeremy G (Cloud Posse)! I did not think about race-condition or sudo circular dependency between eks/karpenter and its IAM role.
Also, updated Karpenter support is high on our to-do list. It has been held up by our work on updating eks/cluster to use the new AWS API for access control, but now that we have a release candidate for that, we hope to have updated Karpenter support “real soon now”
I would love to see this support too. I am hopeful that EKS Pod Identity can improve EKS deployment, upgrade, and management experiences.
@Brian I encourage you to try out eks-cluster v4.0.0-rc1 to validate our approach to migrating to the new AWS API for EKS access control, and give us any feedback before we release a production version.
Okay. Ill check it out. I am in the process of upgrading eks k8s clusters from v1.27 to v1.29 using the blue-green upgrade pattern, so this is probably good timing.
One-line bug in the CloudPosse terraform-aws-cloudwatch-logs module:
https://github.com/cloudposse/terraform-aws-cloudwatch-logs/issues/52
This bug affects how this module is called by the lambda (and in fact any other) modules for a AWS resource where an underscore is a valid character in the resource name.
