#terraform-aws-modules (2024-08)

Terraform Modules

Discussions related to https://github.com/terraform-aws-modules

Archive: https://archive.sweetops.com/terraform-aws-modules/

2024-08-17

RB

How come the Terraform AWS EC2 instance module ignores changes on AMI changes? What if you want to rotate a singleton and don’t mind the downtime?

https://github.com/cloudposse/terraform-aws-ec2-instance/blob/cb7559596b69d0b4ca31942ca2eda59a1e5bb18e/main.tf#L171-L175

Came from PR https://github.com/cloudposse/terraform-aws-ec2-instance/pull/145 but wasn’t called out explicitly

Erik Osterman (Cloud Posse)

Agree, this was probably not deliberate

Erik Osterman (Cloud Posse)

We can walk it back

2024-08-24

RB

What do you folks think about defaulting these inputs in the S3 bucket module?

  # Recommended by aws to use BucketOwnerEnforced
  # ObjectWriter is used for backwards compatibility and documented here in PR
  # <https://github.com/cloudposse/terraform-aws-s3-bucket/pull/127>
  s3_object_ownership = "BucketOwnerEnforced"
  # most s3 buckets do not need to enable versioning
  # This was toggled to false due to a compliance PR 
  # <https://github.com/cloudposse/terraform-aws-s3-bucket/pull/70>
  versioning_enabled  = false
RB

The versioning_enabled seems a bit extreme on every bucket as a default

RB

I can understand the s3_object_ownership if users are trying to import their buckets to use the cp module

Gabriela Campana (Cloud Posse)

@Andriy Knysh (Cloud Posse)

Andriy Knysh (Cloud Posse)

i agree that we don’t need to enable versioning by default and can set

versioning_enabled  = false

Andriy Knysh (Cloud Posse)

the PR was merged b/c BridgeCrew was complaining about versioning not enabled

2024-08-26

nnsense

Hi there, what’s Cloud Posse’s point of view on a policy passed as a variable? Is it preferred to pass the whole policy as JSON, or use a data source and partially pass part of the policy, or create an object representing the policy and set the variable for the policy as an object... what’s the preferred way? I’m not talking about assumerole, which is quite standard and easy to set without passing the whole object, I’m talking for example about a resource policy. I cannot find an example of your repo, it seems all of the above ways have been used, I just wanted to check if there’s a preference.

Gabriela Campana (Cloud Posse)

@Ben Smith (Cloud Posse)

Erik Osterman (Cloud Posse)

Can you elaborate on what type of policy and where? Policy is such a broad term used in many constructs

Erik Osterman (Cloud Posse)

Ideally, link to an example

Gabriela Campana (Cloud Posse)

@nnsense left a comment. Same idea as yesterday where we added test coverage for any new resource

nnsense

Thanks Gabriela, that was just a reference to this question, I didn’t get a reply there. I will get back to this with a few examples

2024-08-27

2024-08-28
