#terraform-aws-modules (2024-03)

Terraform Modules

Discussions related to https://github.com/terraform-aws-modules

Archive: https://archive.sweetops.com/terraform-aws-modules/

2024-03-01

Jonas Mellquist

Greetings everyone. I’m using the cloudposse/vpn-connection/aws module and I’m facing some issues that I really don’t understand.

My module code is as follows

module "vpn_connection" {
  source  = "cloudposse/vpn-connection/aws"
  version = "1.0.0"

  namespace                                 = var.namespace
  stage                                     = var.env
  name                                      = var.vpn_connection_name
  vpc_id                                    = var.vpc_id
  vpn_gateway_amazon_side_asn               = var.amazon_asn
  customer_gateway_bgp_asn                  = var.customer_asn
  customer_gateway_ip_address               = var.customer_gateway_ip_address
  route_table_ids                           = var.route_table_ids
  vpn_connection_static_routes_only         = true
  vpn_connection_static_routes_destinations = [var.vpn_connection_static_routes_destinations]
  vpn_connection_local_ipv4_network_cidr    = var.vpn_connection_static_routes_destinations
  vpn_connection_remote_ipv4_network_cidr   = var.vpc_cidr
}

route_table_ids should contain a single element found using https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route_tables, and vpn_connection_static_routes_destinations is a simple IPv4 CIDR coming in as a string.

The ‘calling’ of the module

module "vpn-connection" {
  source = "../../modules/vpn-connection"

  namespace                                 = var.namespace
  env                                       = var.environment
  vpn_connection_name                       = var.vpn_connection_name
  vpc_id                                    = module.staging-vpc.vpc_id
  amazon_asn                                = var.amazon_asn
  customer_asn                              = var.customer_asn
  customer_gateway_ip_address               = var.customer_gateway_ip_address
  route_table_ids                           = data.aws_route_tables.route_tables_for_vpn_connection_to_public_subnets.ids
  vpn_connection_static_routes_destinations = var.vpn_connection_static_routes_destinations
  vpc_cidr                                  = var.vpc_cidr
}

Should I not see, in the route tables inside route_table_ids, a non-propagated (aka static) route to the contents of var.vpn_connection_static_routes_destinations?

I see Route propagation set to No under the Route table, which is also what I want.

But where’s my static route?

Jonas Mellquist

The VPN connection has the IPv4 cidr listed under Static routes

Also it has: Routing: Static

Jonas Mellquist

I had hoped to see a route from my AWS resources going via the vgw?

Jonas Mellquist

I had made an error in the filter of the data.aws_route_tables resource

By using terraform console and output I was able to confirm that I had messed up the filter.

Now the correct route tables have Propagation set to Yes, but still no routes via the vgw.

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.vpn-connection.module.vpn_connection.aws_vpn_gateway_route_propagation.default[0] will be created
  + resource "aws_vpn_gateway_route_propagation" "default" {
      + id             = (known after apply)
      + route_table_id = "rtb-0fae0f6417e87d686"
      + vpn_gateway_id = "vgw-021dbceb8be839911"
    }

  # module.vpn-connection.module.vpn_connection.aws_vpn_gateway_route_propagation.default[1] will be created
  + resource "aws_vpn_gateway_route_propagation" "default" {
      + id             = (known after apply)
      + route_table_id = "rtb-007080840322aad57"
      + vpn_gateway_id = "vgw-021dbceb8be839911"
    }

  # module.vpn-connection.module.vpn_connection.aws_vpn_gateway_route_propagation.default[2] will be created
  + resource "aws_vpn_gateway_route_propagation" "default" {
      + id             = (known after apply)
      + route_table_id = "rtb-09158b5ccf370c9e5"
      + vpn_gateway_id = "vgw-021dbceb8be839911"
    }

Plan: 3 to add, 0 to change, 0 to destroy.

Jonas Mellquist

Found the answer

https://docs.aws.amazon.com/vpn/latest/s2svpn/SetUpVPNConnections.html#vpn-configure-routing:~:text=For%20static%20routing%2C%20the%20static%20IP%20prefixes%20that%20you%20specify%20for%20your%20VPN%20configuration%20are%20propagated%20to%20the%20route%20table%20when%20the%20status%20of%20the%20VPN%20connection%20is%20UP


Jeremy G (Cloud Posse)

@Andriy Knysh (Cloud Posse) FYI

2024-03-06

Matthew Reggler

Found a bit of a weird situation with the recent updates to the Spacelift components as of 1.400.0. Was the addition of space_name_pattern intended to be a breaking change? Using it is a hard requirement of the new release https://github.com/cloudposse/terraform-aws-components/issues/996

Hans D

I was having the issue as well and notified @Andriy Knysh (Cloud Posse) and @Erik Osterman (Cloud Posse). Currently pinned my version on pre 400 and also awaiting a fix for this (I’m not in a hurry yet and involved with some other PRs).

Andriy Knysh (Cloud Posse)

We have a fix, but have not upstreamed it yet. You can pin the component to pre 400, or just add space_name_pattern: "" to the component config. It’s set to null now by default, and the null breaks other code.

2024-03-10

Hans D

Trying to get default_route_enabled working with the tgw/spoke module. Currently stuck at

│ Error: creating Route in Route Table (rtb-0b999f9d3ccb0f9c7) with destination (10.14.4.0/23): InvalidTransitGatewayID.NotFound: The transitGateway ID 'tgw-019c1d8199bc68916' does not exist.
│ 	status code: 400, request id: 53725870-12b1-4ae8-b5f6-61bc927222ae
│
│   with aws_route.back_route[0],
│   on main.tf line 71, in resource "aws_route" "back_route":
│   71: resource "aws_route" "back_route" {

The mentioned TGW does exist (it’s a shared resource). Currently not spotting the obvious reason why it’s not working. Does anybody have this working?

Dan Miller (Cloud Posse)

could it be a race condition? I’ve seen that before when referencing a shared resource, since it may not have been fully available in AWS yet

Hans D

The resource is there, and has been for a long time. As soon as I use the other parts of the module (which also refer to this TGW) it works without issues.

2024-03-12

Zing

I have a question about the aws_ecr module. I’ve been using it for a while now, but just recently the scenario came up where I need to update the prefix for the tag used for retention. Updating the value of the input variable for the prefix does not seem to trigger any changes from Terraform’s perspective when calling the existing module. Any thoughts?

Originally I was using a data call for the jsonencode’d policy rules.

Gabriela Campana (Cloud Posse)

@Ben Smith (Cloud Posse) @Dan Miller (Cloud Posse)

Ben Smith (Cloud Posse)

Do you have a link to the variable that doesn’t appear to be changing anything?

Zing

I’m sure it’s related to my use of a data call, but I’m trying to switch over to passing in a locals block outside of the module to the input variable to “update” it.

2024-03-20

Saichovsky

Hey people,

I’m not sure if this is the right channel for this question. My apologies if it’s not.

I have an EC2 instance that was created using a Terraform module. I am creating an autoscaling group for it so that there is no downtime when there is a change to the instance. I have already written the code for the ASG, but the Terraform docs do not mention how to attach the existing instance to the ASG. AWS docs show that it is possible to do this using aws autoscaling attach-instances.

Is this something that can be done using terraform and if it is, kindly show an example of how to go about it.

Thanks!

Gabriela Campana (Cloud Posse)

@Dan Miller (Cloud Posse)

Dan Miller (Cloud Posse)

If you already have the ASG in AWS, then you can import that ASG into Terraform

Dan Miller (Cloud Posse)

Import | Terraform | HashiCorp Developer

Terraform can import and manage existing infrastructure. This can help you transition your infrastructure to Terraform.

Saichovsky

I didn’t have the ASG, but I figured out what to do: create the ASG and then manually attach the instance (having removed it from state), then remove the instance tf code and kill the instance after verifying that the ASG is spinning up instances correctly.

Quentin BERTRAND

Hello @Erik Osterman (Cloud Posse), I saw this repo has been created: https://github.com/cloudposse/terraform-aws-batch

Is the CloudPosse team working on it, or do you need help getting started?

I’m very interested in a Terraform module for AWS Batch.

Erik Osterman (Cloud Posse)

@Ben Smith (Cloud Posse)

Ben Smith (Cloud Posse)

Hey @Quentin BERTRAND I have some work towards this, I’ll need to upstream it. My one concern with the module, is it needs to handle environments, job definitions, and queues individually, my thought was to have these as separate submodules, as I do not want them tightly coupled. Do you have thoughts on this? The use case we had for this we ended up switching to just scheduled ECS tasks.

Quentin BERTRAND

Hello @Ben Smith (Cloud Posse), sorry for this late response.

> my thought was to have these as separate submodules

Like with endpoints in the “global-accelerator” module?

> Do you have thoughts on this? The use case we had for this we ended up switching to just scheduled ECS tasks.

We are currently considering whether AWS Batch can meet our needs. It is possible that ECS tasks will suffice.

I will come back in a few weeks, hopefully with some feedback on the subject.

Quentin BERTRAND

Hello! I’m working on AWS Batch modules. Like you thought, I’ve split them into several submodules:

• compute_environment

• job_definition

• job_queue

• scheduling_policy

I will try it locally, then I will open a PR on the repository to push all the code.

2024-03-28

Craig

I’m trying to deploy an ElastiCache Memcached cluster using https://github.com/cloudposse/terraform-aws-elasticache-memcached

I’ve got it mostly working, but now I’m attempting to spin up a 10-node cluster in a VPC where I have 3 availability zones available and am getting an error:

│ Error: length of preferred_availability_zones (3) must match num_cache_nodes (10)
│ 
│   with module.app_cache_memcached.aws_elasticache_cluster.default[0],
│   on .terraform/modules/app_cache_memcached/main.tf line 101, in resource "aws_elasticache_cluster" "default":
│  101: resource "aws_elasticache_cluster" "default" {

Am I correct in understanding that I simply always have to pass in a list of availability zones, and just ensure the number of elements in that list matches the number of cache nodes being requested?


Craig

ah nm, I seem to have found a workaround. I was not relying on passing a list of availability zones in from variables, but rather finding specific availability zones with a data source. Once I’m absolutely happy with how I have it working I’ll post something here.

Craig

Since I was relying on a data source (instead of variables) to discover my private subnets/AZs, I just ended up doing something like this:

data "aws_subnets" "private" {
  filter {
    name   = "tag:Attributes"
    values = ["private"]
  }
}

data "aws_subnet" "selected" {
  for_each = toset(data.aws_subnets.private.ids)
  id       = each.value
}

module "app_cache_memcached" {
  source  = "cloudposse/elasticache-memcached/aws"
  version = "0.19.1"

  availability_zones = [for i in range(var.app_cache_node_count) : values(data.aws_subnet.selected)[i % length(data.aws_subnet.selected)].availability_zone]
  az_mode            = "cross-az"
  vpc_id             = values(data.aws_subnet.selected)[0].vpc_id
  subnets            = [for s in data.aws_subnet.selected : s.id]

  cluster_size  = var.app_cache_node_count
  instance_type = var.app_cache_instance_type

  engine_version    = var.app_cache_engine_version
  apply_immediately = true

  elasticache_parameter_group_family = var.app_cache_parameter_group_family
  max_item_size                      = var.app_cache_max_item_size

  context = module.app_cache.context
}

This probably isn’t ideal, since I literally just repeat the list of availability_zone IDs until it equals the number of cache nodes being requested; however, it seems to work just fine.