#terraform (2018-08)

terraform Discussions related to Terraform or Terraform Modules

Archive: https://archive.sweetops.com/terraform/

2018-08-30

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
fix precedence when default value is non-empty by halberom · Pull Request #38 · cloudposse/terraform-null-label

This fixes the case where a module label is instantiated with a non-default delimiter, and then another label is generated based off the context but uses the default delimiter as the local var take…

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@jamie any insights?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@Andriy Knysh (Cloud Posse)

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

checking

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

we can override delimiter for any label. If it’s not provided and context provided, it will be taken from the context. If nothing is provided, the default will be used

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

i’m reviewing the PR

jamie avatar
jamie

Its an easy fix

jamie avatar
jamie

I see that in the PR it has been broken out into less condense parts so that each step can be explained.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@mrwacky yea looks like it will be resolved in 0.12, thanks

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
HashiCorp Terraform 0.12 Preview: Conditional Operator Improvements and Conditionally Omitted Arguments

As part of the lead up to the release of Terraform 0.12, we are publishing a series of feature preview blog posts. The pos…

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

no need for the slice pattern

mrwacky avatar
mrwacky

So much goodness in 0.12, they’re even addressing JSON warts: https://www.hashicorp.com/blog/terraform-0-12-reliable-json-syntax#comments-in-json

HashiCorp Terraform 0.12 Preview: Reliable JSON Syntax

As part of the lead up to the release of Terraform 0.12, we are publishing a series of feature preview blog posts. The pos…

krogebry avatar
krogebry

So does that mean TF will be one step closer to CloudFormation?

krogebry avatar
krogebry
07:47:29 PM

ducks for cover

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

hopefully they won’t have too many issues in V2 and we don’t spend too much time on resolving them

stobiewankenobi avatar
stobiewankenobi

0.12 will be amazing.

stobiewankenobi avatar
stobiewankenobi

Literally doing zero work on new tf stuff until it drops

rms1000watt avatar
rms1000watt

lololol

rms1000watt avatar
rms1000watt

roll d20

stobiewankenobi avatar
stobiewankenobi

lolol

stobiewankenobi avatar
stobiewankenobi

got’em

mrwacky avatar
mrwacky

@Gabe

Gabe avatar
Gabe
09:37:53 PM

@Gabe has joined the channel

2018-08-29

2018-08-28

Andrew Jeffree avatar
Andrew Jeffree

So my customer wants to pay someone to fix that bug around Terraform and beanstalk settings, that we discussed here last week.

Andrew Jeffree avatar
Andrew Jeffree

I’m not sure that even if someone can figure out where the bug is and patch it they’ll be able to get it merged in a timely manner.

Andrew Jeffree avatar
Andrew Jeffree

comments/thoughts/suggestions appreciated.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@Andrew Jeffree are you asking about this one https://sweetops.slack.com/archives/CB6GHNLG0/p1534814857000100

Greetings. I’ve been testing out your beanstalk-environment module and I’ve been having the problem that every-time I run terraform it plans to change everything, even immediately after the initial environment creation etc.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

i’ll take a look at it

pericdaniel avatar
pericdaniel

If you created a vpc in one tf file… How do you use another tf file to find that vpc and those subnets to deploy resources too

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@pericdaniel Terraform works per-folder, meaning everything in the folder will be used. So if you create a VPC in one file, you can use it in all other files in the same folder

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

Here is an example

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-root-modules

Collection of Terraform root module invocations for provisioning reference architectures - cloudposse/terraform-root-modules

pericdaniel avatar
pericdaniel

Im using separate folders

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)


Terraform also supports modules in local directories, identified by a relative path starting with either ./ or ../. Such local modules are useful to organize code in more complex repositories, and are described in more detail in Creating Modules. https://www.terraform.io/docs/modules/usage.html#source

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

^ one way of doing it

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

another way is to look up the VPC using data sources - you create it in one folder and do terraform apply, then in another module in another folder you look it up

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

example:

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-aws-kops-metadata

Terraform module to lookup resources within a Kops cluster for easier integration with Terraform - cloudposse/terraform-aws-kops-metadata

pericdaniel avatar
pericdaniel

I’ll take a look thank you!

:--1:1
maarten avatar
maarten

Anyone ever used: aws_iam_account_alias ? What is the practical use of it ?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

it’s a friendly name for the account instead of account ID (which is not easy to remember)

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

so the URL where you login would be like this:

maarten avatar
maarten

hm that’s quite nice actually

maarten avatar
maarten

but also an information give-away in some cases

maarten avatar
maarten

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

yep

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

Here is a Terraform trick we used recently. Looks simple, but we really did not know how to do it before It might help somebody.

In some cases, you have a TF module and want to provide some settings in a list or map. And you have a conditional variable (let’s say var.condition1) which changes the settings for the module.

locals {

  settings1 = [
    {
      name = "1a"
      value = "1a"
    },
    {
      name = "1b"
      value = "1b"
    }
  ]

  settings2 = [
    {
      name = "2a"
      value = "2b"
    },
    {
      name = "1b"
      value = "1b"
    }
  ]
}

module "example" {
	settings = "${var.condition1 ? local.settings1 : local.settings2}"
}

won’t work because Terraform does not support list and map in conditional expressions (maybe V2 will do it better, but we don’t really know). So here is the slice pattern (for the lack of a better name)

locals {
	settings = [
	  [
	    {
	      name = "1a"
	      value = "1a"
	    },
	    {
	      name = "1b"
	      value = "1b"
	    }
	  ],
	  [
	    {
	      name = "2a"
	      value = "2b"
	    },
	    {
	      name = "1b"
	      value = "1b"
	    }
	  ]
  	]

  	from_index    = "${var.condition1 ? 0 : 1}"
  	to_index         = "${var.condition1 ? 1 : 2}"
  	settings_final = "${slice(local.settings, local.from_index, local.to_index)}"
}

module "example" {
	settings = "${local.settings_final}"
}
mrwacky avatar
mrwacky

I feel like this is one of the many warts that will be addressed in v0.12 https://www.hashicorp.com/blog/terraform-0-12-rich-value-types

HashiCorp Terraform 0.12 Preview: Rich Value Types

As part of the lead up to the release of Terraform 0.12, we are publishing a series of feature preview blog posts. The pos…

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-aws-dynamodb

Terraform module that implements AWS DynamoDB with support for AutoScaling - cloudposse/terraform-aws-dynamodb

loren avatar
loren

another way of doing this is to put the conditional eval in the index of the map… map[condition ? true : false]

loren avatar
loren

where true and false are the key in your lookup dictionary

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

Yep, for maps it will work as well

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

The slice pattern works better if you need to remove some settings based on condition (and you can’t send empty or default values to the module)

maarten avatar
maarten

love it!

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

pericdaniel avatar
pericdaniel
05:05:51 PM
pericdaniel avatar
pericdaniel

@Andriy Knysh (Cloud Posse) i cant get this to work^

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

what’s the error?

pericdaniel avatar
pericdaniel
05:08:41 PM
pericdaniel avatar
pericdaniel
05:09:06 PM
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

so, since you are using data sources to lookup the VPC and subnets, two possible issues here:

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
  1. Did you already provision those VPC and subnets
pericdaniel avatar
pericdaniel

^yes

pericdaniel avatar
pericdaniel

the tags match

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
  1. Did you specify the correct filters to look them up?
pericdaniel avatar
pericdaniel

the filter im not sure about

pericdaniel avatar
pericdaniel

this makes sense ot me

pericdaniel avatar
pericdaniel

filter { name = “tag:Name” Values = “${var.AD-Private-Subnet2}”

pericdaniel avatar
pericdaniel

filte for

pericdaniel avatar
pericdaniel

filter for

pericdaniel avatar
pericdaniel

tag name

pericdaniel avatar
pericdaniel

with the value of this variable

pericdaniel avatar
pericdaniel

oh i dont want the tag name tho i want the subnet

pericdaniel avatar
pericdaniel

hmm

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

you can use tags, but you need to create them with the same tags

pericdaniel avatar
pericdaniel

yes thats what i did

pericdaniel avatar
pericdaniel

the tags match whats in aws

pericdaniel avatar
pericdaniel

and match the other tf file thats creating them

pericdaniel avatar
pericdaniel

the other tf file is in sep folder

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

I’ll take a look in 30 mins (in a meeting now)

pericdaniel avatar
pericdaniel

no rush

pericdaniel avatar
pericdaniel

thank you so much!

pericdaniel avatar
pericdaniel

sorry im still learning!

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@pericdaniel to lookup VPC, you can use id and filters https://www.terraform.io/docs/providers/aws/d/vpc.html

AWS: aws_vpc - Terraform by HashiCorp

Provides details about a specific VPC

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
AWS: aws_subnet_ids - Terraform by HashiCorp

Provides a list of subnet Ids for a VPC

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

and vpc_id is required

pericdaniel avatar
pericdaniel

yea i was tyring to avoid the id due to the fact it changes each time a vpc is created

pericdaniel avatar
pericdaniel

i was looking for a way to have it pass through the current environment

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

you can use the id from the VPC you look up data.vpc.my_vpc.id

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)


All of the argument attributes except filter blocks are also exported as result attributes

pericdaniel avatar
pericdaniel

without inputing the varibale

pericdaniel avatar
pericdaniel

variable

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

for subnets:

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

vpc_id = “${data.aws_vpc.my_vpc.id}”

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

it will first lookup the VPC and then use its ID (and tags if you want) to lookup the subnets

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

(you prob don’t need the tags, you can get all subnets from the VPC by its ID)

pericdaniel avatar
pericdaniel

will i need this variable “AD-Private-Subnet1” {}

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

(nitpick, consider using all lower case and and underscores - it’s the most common convention for terraform resource names)

pericdaniel avatar
pericdaniel

sorry!

1
pericdaniel avatar
pericdaniel

is there a way to do it without inputing the variable?

pericdaniel avatar
pericdaniel

im missing somthing here

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@pericdaniel you can explain what you want to achieve and paste your complete code here (or DM me). (sorry, don’t want it to be http://xyproblem.info :))

The XY Problem

Asking about your attempted solution rather than your actual problem

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I love how you always have the term to describe something

The XY Problem

Asking about your attempted solution rather than your actual problem

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

we made it working with @pericdaniel

pericdaniel avatar
pericdaniel

thumbsup_all

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@Andrew Jeffree so I tested terraform-aws-elastic-beanstalk-environment and yes, it does re-create all settings on each plan/apply

      setting.1039973377.name:               "InstancePort" => "InstancePort"
      setting.1039973377.namespace:          "aws:elb:listener:22" => "aws:elb:listener:22"
      setting.1039973377.resource:           "" => ""
      setting.1039973377.value:              "22" => "22"
      setting.1119692372.name:               "" => "ListenerEnabled"
      setting.1119692372.namespace:          "" => "aws:elbv2:listener:443"
      setting.1119692372.resource:           "" => ""
      setting.1119692372.value:              "" => "false"
      setting.1136119684.name:               "RootVolumeSize" => "RootVolumeSize"
      setting.1136119684.namespace:          "aws:autoscaling:launchconfiguration" => "aws:autoscaling:launchconfiguration"
      setting.1136119684.resource:           "" => ""
      setting.1136119684.value:              "8" => "8"
      setting.1201312680.name:               "ListenerEnabled" => "ListenerEnabled"
      setting.1201312680.namespace:          "aws:elb:listener:443" => "aws:elb:listener:443"
      setting.1201312680.resource:           "" => ""
      setting.1201312680.value:              "false" => "false"
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

nobody is sure who’s bug it is, Terraform or AWS

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

(i tested some ideas from the links above, nothing worked)

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

the only possible solution is to add this:

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
lifecycle {
	ignore_changes = ["setting"]
}
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

but it’s a hack since it will not update the env if you update any of the settings

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@Andriy Knysh (Cloud Posse) can you open a new issue here: https://github.com/cloudposse/terraform-aws-elastic-beanstalk-environment/issues

cloudposse/terraform-aws-elastic-beanstalk-environment

Terraform module to provision an AWS Elastic Beanstalk Environment - cloudposse/terraform-aws-elastic-beanstalk-environment

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

with all your research above?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

that way we can track it since this comes up quite frequently

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

hate for you to have to explain it everytime

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

:--1:1
Andrew Jeffree avatar
Andrew Jeffree

@Andriy Knysh (Cloud Posse) yep, am aware it’s an open issue in multiple places. For now we’re ignoring changes to settings in the lifecycle but as you mentioned it’s a hack. The customer wants to pay someone to fix it, but I don’t like their odds.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

sounds like it would be a difficult thing to give an estimate on, so it would probably need to be T&E

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

is anyone using private submodules with codebuild?

loren avatar
loren

i use codebuild a fair bit… do you mean git submodules? or terraform modules that themselves have modules?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

git submodules

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

Regarding terraform-aws-elastic-beanstalk-environment recreating the settings all the time, here what I think is happening:

  • Terraform sends all settings to AWS, but some of them are not relevant to the environment you are deploying
  • Elastic Beanstalk accepts all settings, applies the relevant ones, and throws away the rest
  • Next time Terraform asks about the settings, Elastic Beanstalk returns a subset of the values and probably in different order
  • Terraform can’t decide/calculate if the settings are the same - they sure look different (and would require an advanced algorithm to determine if they are the same)
  • Terraform assigns new ID to the entire array of settings and tries to recreate all of them
  • Elastic Beanstalk accepts the settings, applies the relevant ones, and throws away the rest - the cycle repeats

What’s a possible solution? Introduce var.settings (list of maps) to be able to provide all the required settings from outside of the module. It might work, but in practice would be very difficult to know all the needed settings and tedious to implement.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@Andrew Jeffree ^

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
`terraform-aws-elastic-beanstalk-environment` recreates all `settings` on each `terraform plan/apply` · Issue #43 · cloudposse/terraform-aws-elastic-beanstalk-environment

terraform-aws-elastic-beanstalk-environment recreates all settings on each terraform plan/apply setting.1039973377.name: "InstancePort" => "InstancePort" setting.1039973377.n…

Andrew Jeffree avatar
Andrew Jeffree

interesting

2018-08-27

pecigonzalo avatar
pecigonzalo

Broad topic, but how are you guys handling multi account AWS deployments?

  • Creds per account (interpolated somehow in CI)
  • Cred with assume roles?
  • some other?

Im just curious to see how others are doing this

loren avatar
loren

we use assume role

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@pecigonzalo we use separate AWS accounts per stage (prod, staging, dev) and also a separate account (we call it root, although a better name might be identity) where we provision all IAM users and roles. We then use roles to login to the member accounts

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

take a look at our reference architectures https://docs.cloudposse.com/reference-architectures/

loren avatar
loren

what @Andriy Knysh (Cloud Posse) said

loren avatar
loren

the terraform provider looks something like this:

provider "aws" {
  profile = "<profile with credential allowed to assume role>"

  assume_role {
    role_arn = "<role arn in target account>"
  }
}
pecigonzalo avatar
pecigonzalo

@Andriy Knysh (Cloud Posse) we use something similar for our users and assume roles for entering the accounts

:--1:1
pecigonzalo avatar
pecigonzalo

but for CI I was unsure, we are going the way of per AWS Account->CI User

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I think I saw this in the AWS reinvent talk

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

At 38 minutes in…

:--1:1
pecigonzalo avatar
pecigonzalo

so we are sure that we limit the scope of the blast

pecigonzalo avatar
pecigonzalo

but at the end of the day we have to interpolate the correct CI User for each stage of the deployment

pecigonzalo avatar
pecigonzalo

which is meh

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

oh, we are working on that now too

pecigonzalo avatar
pecigonzalo

and CI has all users, so the blast could be really big

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

so we are going to assume roles with MFA by using this tool https://piotrkazmierczak.com/2016/mfa-tokens-in-your-terminal/

pecigonzalo avatar
pecigonzalo

Also for CI?

pecigonzalo avatar
pecigonzalo

I saw your [prod.name.com> <http://this.name.com|this.name.com](http://prod\.name\.com) structure for the AWS Accounts and think its great for the accounts, but I dont think it translates to app deployment

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

So each app corresponds to a stage

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

But you’re right app specific cicd does not belong in this repo

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

For that we use a build pipeline defined in each app repo

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We use Codefresh for cicd

pecigonzalo avatar
pecigonzalo

Yeah, i was not asking so much about the tool, but more about the how do you pass different creds/etc for AWS app deployment, as you can see further on, I commented how we plan to do it

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

yes

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
Install `oath-toolkit` by aknysh · Pull Request #248 · cloudposse/geodesic

what Install oath-toolkit why Easy build one-time password authentication systems (including for AWS with MFA) Required for Terraform CI/CD install Step 65/74 : RUN echo &quot;http://dl-cdn.alp…

pecigonzalo avatar
pecigonzalo

Interesting

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

geodesic is our container which we use to login to the accounts and provision resources

pecigonzalo avatar
pecigonzalo

Yep

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

so we create a CI/CD user per stage (prod, staging, dev, etc) and then use oath-toolkit to get the MFA token and then assume role to login to the account

pecigonzalo avatar
pecigonzalo

but doesnt generating the token on your computer defy the objective of MFA? as you have the MFA gen and AWS creds on the same place

pecigonzalo avatar
pecigonzalo

In any case, I believe that might be a different converesation

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

yea, it’s a long conversation

pecigonzalo avatar
pecigonzalo

My original quesiton was more about, how do you deploy apps to the different environments with multiple AWS accounts

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Codefresh

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We define a pipeline file in each codebase

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Then use staged Codefresh accounts. So a production account executed production pipelines

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

A staging account executed staging pipelines

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Staging account also executed production pipeline to preproduction account in staging environment so we get to test that too

pecigonzalo avatar
pecigonzalo

Different Codefresh accounts all together or different stages in the pipeline?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

So with codefresh enterprise, we can create as many accounts as necessary, just like AWS accounts. So the idea is to use a different codefresh account for each aws account that needs CI/CD

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We can reuse the pipeline, or create new ones, but they are all stored in git

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

we register the pipeline we want to use in the account that has the integrations

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

so the production account will have integrations to production kubernetes cluster, production ECR, etc

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

while the staging account will only have integrations to the staging kubenretes cluster, and a pre-production ECR registry where we test the production pipeline, but in a staging context

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

the key is the pipelines are reusable across accounts

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

we can test/use them in any account

pecigonzalo avatar
pecigonzalo

I did not know that was a feature of CF enterprise, interesting!

pecigonzalo avatar
pecigonzalo

We do the same for pipelines, but I think having a complete separate account, where you can register separate integrations could be really interesting.

pecigonzalo avatar
pecigonzalo

In any case, thanks for sharing!

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

For sure… let me know if you’d like an introduction to someone over there.

:--1:1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We work a lot with them and I can vouch for their support being top notch.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

(they also use slack)

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

ah, it’s easy let me show

pecigonzalo avatar
pecigonzalo

In your case its Kube, so you have to pass the kube endpoint and creds for each env

pecigonzalo avatar
pecigonzalo

depending on the branch or stage in the pipeline

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

so we have a collection of TF modules which we use for all stages/environments. The modules have no identity (you can say they are just templates) https://github.com/cloudposse/terraform-root-modules

cloudposse/terraform-root-modules

Collection of Terraform root module invocations for provisioning reference architectures - cloudposse/terraform-root-modules

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

then in the geodesic shell for a member account, we pull the resources we need

pecigonzalo avatar
pecigonzalo

1 moment, that part I follow

pecigonzalo avatar
pecigonzalo

As I follow your cloudposse project, thanks a lot btw for some of the ideas/concepts

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/prod.cloudposse.co

Example Terraform/Kubernetes Reference Infrastructure for Cloud Posse Production Organization in AWS - cloudposse/prod.cloudposse.co

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/prod.cloudposse.co

Example Terraform/Kubernetes Reference Infrastructure for Cloud Posse Production Organization in AWS - cloudposse/prod.cloudposse.co

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

no problem

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

so the identity comes into play in the accounts repos

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

which we use from geodesic shells per account

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

and we store all credentials in AWS SSM and use chamber to read them

pecigonzalo avatar
pecigonzalo

Yeah we use a similar workflow for that part

pecigonzalo avatar
pecigonzalo

with chamber

pecigonzalo avatar
pecigonzalo

But those are a repo per env, so those are a bit different I guess. After you have KOPS and you your PaaS in a way, lets say now you have app1 how do you deploy it?

pecigonzalo avatar
pecigonzalo

EG: some people have a var set (all fake vars, just used as an example) KOPS_ENDPOINT KOPS_USER KOPS_PASS then on each stage of the pipeline, or branch depending on how you deploy, they interpolate the right values there.

pecigonzalo avatar
pecigonzalo

even if they are on chamber, you have to store either 3 AWS accounts for chamber, or 1 AWS account for chamber, with multiple secrets

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

we use CodeFresh pipelines to deploy apps to k8s clusters

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

and we use geodesic which has ` chamber` inside

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

in the pipelines (per account/stage) we read the ENV vars from SSM and CodeFresh applies them

pecigonzalo avatar
pecigonzalo

so CodeFresh has permissions to access each SSM for each env?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

Codefresh uses containers per step, so it’s easy to use geodesic there

pecigonzalo avatar
pecigonzalo

Ah right

pecigonzalo avatar
pecigonzalo

and you have the creds on each container

pecigonzalo avatar
pecigonzalo

Nice

pecigonzalo avatar
pecigonzalo

Thanks for your answer, It gave me some ideas

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

you welcome. I believe @Erik Osterman (Cloud Posse) has a lot more to add to this

pecigonzalo avatar
pecigonzalo

We are going a different way right now, we will a have a CI AWS Account, whith a CI chamber, that we can get the envs for each environment on each stage of the deploy

pecigonzalo avatar
pecigonzalo

But was looking for alternatives/improvements

pecigonzalo avatar
pecigonzalo

BTW Im trying to fix https://github.com/segmentio/chamber/pull/70 so it finally merges and we get per env/custom paths

Make the service path support variable depths by imjoshholloway · Pull Request #70 · segmentio/chamber

This PR makes it possible to have the service have a variable depth for the service (<path>/<service>). The default &quot;.&quot; separator is also supported e.g chamber write some/path…

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

interesting

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

since chamber can accept multiple services when reading (e.g. chamber read service1 service2 key) we use multiple services to override the default values (if needed)

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

e.g. chamber read kops app1 db_password

pecigonzalo avatar
pecigonzalo

Yeah, we use something like chamber exec ci-development ci-app1

pecigonzalo avatar
pecigonzalo

But I want to have a cleaner SSM, as the interface sucks a bit

pecigonzalo avatar
pecigonzalo

so having /devel/ci or similar will be ideal

pecigonzalo avatar
pecigonzalo

or something like /external/thisprovider for any sahred keys we want to actually share

pecigonzalo avatar
pecigonzalo

for CI of apps we are currently moving to something like:

(CI has CI AWS Account creds)
chamber exec aws-development -- 
(CI AWS Account is overwritten by Dev AWS Account)
chamber exec ci-app1 -- example command
pecigonzalo avatar
pecigonzalo

aws-development secret lives in CI Acccount ci-app1 secret lives in Dev Account

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

That’s nice

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

We use the same secret names for all accounts since SSM is per account, and this way all our code remains the same

pecigonzalo avatar
pecigonzalo

yeah we would only interpolate the first chamber for the same reason, after that all SSM secerts are the same across environments. we thought about moving ci-app1 to the CI Account and changing it to something like /dev/ci-app1 or so, so we can use the fact that chamber can read multiple secrets at once, but ultimately we prefer to have less interpolation of environment names etc

2018-08-26

alex.somesan avatar
alex.somesan
08:25:54 PM

@alex.somesan has joined the channel

2018-08-24

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Some nice modules here: https://github.com/devops-workflow

devops-workflow

Full Automated, DevOps type, Workflow Project

:--1:2

2018-08-23

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
2
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@michal.matyjek @Daren

tamsky avatar
tamsky

that’s amazing – it’s merged already

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

yea, he’s fast!

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

i’ve heard many-a-times a developer say “i have some free time, let me implement that today”

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

and 2 mo later it’s not done.

tamsky avatar
tamsky

even more impressive is the non-trivial nature and volume of code. agree on all points

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

yea… i thought so too

2018-08-22

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
[terraform/upgrade-modules] Update all module sources to latest version by osterman · Pull Request #95 · cloudposse/build-harness

what Add new target to upgrade all module sources why Keep modules up to date demo Processing ./test/test.tf… [SKIPPED]: ../ Processing ./test/cloud-provider.tf… Processing ./examples/wordp…

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@tamsky

[terraform/upgrade-modules] Update all module sources to latest version by osterman · Pull Request #95 · cloudposse/build-harness

what Add new target to upgrade all module sources why Keep modules up to date demo Processing ./test/test.tf… [SKIPPED]: ../ Processing ./test/cloud-provider.tf… Processing ./examples/wordp…

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@sarkis want to turn this into a go app?

sarkis avatar
sarkis

Yes! Awesome work on this @tamsky /bow, I’d be able to get some time to get an initial commit at least this Sunday.

tamsky avatar
tamsky

@sarkis I get zero credit for this PR – it was all Erik

sarkis avatar
sarkis

Well then Erik /bow

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Added make target to upgrade all terraform module sources to latest version

1

2018-08-21

pericdaniel avatar
pericdaniel

So for the ssm parameters piece. If I have the ssm stored in AWS and just want to pull that. Do i just use data AWS ssm parameters to get the keys?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@pericdaniel after you store params in SSM, you can read their values from another TF module: https://github.com/cloudposse/terraform-aws-ssm-parameter-store#simple-read-parameter-example

cloudposse/terraform-aws-ssm-parameter-store

terraform-aws-ssm-parameter-store - Terraform module to populate AWS Systems Manager (SSM) Parameter Store with values from Terraform. Works great with Chamber.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

you need to know the names of the params when you write them and then when you read them from other modules

2018-08-20

Andrew Jeffree avatar
Andrew Jeffree

Greetings. I’ve been testing out your beanstalk-environment module and I’ve been having the problem that every-time I run terraform it plans to change everything, even immediately after the initial environment creation etc.

Andrew Jeffree avatar
Andrew Jeffree

I haven’t updated anything or changed any values and from the output I’m seeing Terraform wants to change values from their current value to the exact same value.

Andrew Jeffree avatar
Andrew Jeffree

In some cases it’s removing a setting and then re-adding it later on

Andrew Jeffree avatar
Andrew Jeffree
      setting.3926968379.name:                                                                              "" => "SSHSourceRestriction"
      setting.3926968379.namespace:                                                                         "" => "aws:autoscaling:launchconfiguration"
      setting.3926968379.resource:                                                                          "" => ""
      setting.3926968379.value:                                                                             "" => "tcp, 22, 22, 0.0.0.0/0"
      setting.502734328.name:                                                                               "SSHSourceRestriction" => ""
      setting.502734328.namespace:                                                                          "aws:autoscaling:launchconfiguration" => ""
      setting.502734328.resource:                                                                           "" => ""
      setting.502734328.value:                                                                              "tcp,22,22,0.0.0.0/0" => ""
Andrew Jeffree avatar
Andrew Jeffree

in other cases it’s the below:

Andrew Jeffree avatar
Andrew Jeffree
      setting.3402994671.name:                                                                              "Statistic" => "Statistic"
      setting.3402994671.namespace:                                                                         "aws:autoscaling:trigger" => "aws:autoscaling:trigger"
      setting.3402994671.resource:                                                                          "" => ""
      setting.3402994671.value:                                                                             "Average" => "Average"
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Hrm… don’t believe that should be the case.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@i5okie are you seeing this behavior?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

also, what version of terraform and aws provider are you using?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@Andrew Jeffree please show the output from terraform init and terraform plan, and also the code how you instantiate the module

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

for reference, this is how we deployed it before https://github.com/cloudposse/terraform-aws-jenkins/blob/master/main.tf#L14

cloudposse/terraform-aws-jenkins

terraform-aws-jenkins - Terraform module to build Docker image with Jenkins, save it to an ECR repo, and deploy to Elastic Beanstalk running Docker stack

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

(although it probably was tested with older TF version)

Andrew Jeffree avatar
Andrew Jeffree

Sure gimme a min

Andrew Jeffree avatar
Andrew Jeffree

So I think at least with the first snippet I pasted it’s an issue between how terraform provides the string to beanstalk and how beanstalk returns it.

i5okie avatar
i5okie

@Erik Osterman (Cloud Posse) I’m seeing terraform re-do almost every setting. Very similar behaviour to re-setting the Tags even if they were not changed.

i5okie avatar
i5okie

it doesn’t replace any environment, or instances. just the setting.xxxxxxxxx.xxxx stuff.

Andrew Jeffree avatar
Andrew Jeffree

using terraform 0.11.8

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Hrmmm my guess is it’s a regression in terraform

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We didn’t see this behavior in earlier versions but sounds like it’s a problem now.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

It’s probably because maps in golang aren’t stable

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Stable in the sense they are not ordered the same between executions

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I don’t know how to fix this but will gladly accept any PRs

Andrew Jeffree avatar
Andrew Jeffree

Haha

Andrew Jeffree avatar
Andrew Jeffree

Yeah I figure it’s either terraform or the beanstalk api.

Andrew Jeffree avatar
Andrew Jeffree

I’ve had to hassle AWS to fix a few bugs in the beanstalk api recently

Andrew Jeffree avatar
Andrew Jeffree

so I wouldn’t be surprised if it has further issues.

Andrew Jeffree avatar
Andrew Jeffree

If I figure it out I’ll certainly submit a PR

Andrew Jeffree avatar
Andrew Jeffree

Thanks for at least confirming I’m not going insane and missing something super obvious

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Ahhh yea…. you’re not going insane

Andrew Jeffree avatar
Andrew Jeffree

not yet at least

2018-08-17

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@maarten is var.allowed_read_principals a list?

maarten avatar
maarten

I should have deleted the question

maarten avatar
maarten

no it was not in the end

maarten avatar
maarten

all fixed

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

:–1:

2018-08-16

maarten avatar
maarten

Funny thing I just found out.

It is possible to chain aws_iam_policy_documents by taking the .json-output of one aws_iam_policy_document’s as input with the parameter source_json for another aws_iam_policy_document. This way it’s possible to conditionally add statements to a single policy. Context is that not all sources support multiple policies ecr_repo is one of them.

loren avatar
loren

yeah, it’s a great feature, but can still use some improvements, https://github.com/terraform-providers/terraform-provider-aws/issues/5047

better AWS policy layering · Issue #5047 · terraform-providers/terraform-provider-aws

Community Note Please vote on this issue by adding a :–1: reaction to the original issue to help the community and maintainers prioritize this request Please do not leave &quot;+1&quot; or &quot;me to…

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

that’s a nice trick!

maarten avatar
maarten

Anyone figured out how to add multiple principles using aws_iam_policy_document ?

 principals {
        identifiers = ["${var.allowed_read_principals}"]
        type        = "AWS"
      }

gets rendered to this json: “Principal”: { “AWS”: “arnawsiam:root”, “arnawsiam:root”, “arnawsiam:root”, “arnawsiam:root” }

maarten avatar
maarten

nevermind, it’s something else, replacing var.allowed_read_principals with a self-made list does work

2018-08-13

i5okie avatar
i5okie

wow. all the time i was pulling my hair out.

i5okie avatar
i5okie

just to find the “elb-logs-makeshift” in .ebextensions of the app code itself.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

well, glad you found the issue @i5okie

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

how the other 4 env were deployed? without ` .ebextensions`?

i5okie avatar
i5okie

different applications

2018-08-10

paul avatar

I spent a bit of time on the issue with event_selector this afternoon but haven’t got it working for all use cases (no event_selectors, a single event selector, multiple event selectors). I’m going to return to it towards the end of next week.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

thanks @paul

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

(agree, not easy to make it working in all cases)

paul avatar

No problem. I found lots of github issues around Terraform asking for it to support exactly this kind of thing but no concrete solutions have materialised.

paul avatar

I’m going to see if I can get a colleague or two of mine to have a look next week to see if we can think of a way around it.

:--1:2
i5okie avatar
i5okie

hi again

i5okie avatar
i5okie

I’ve just ran into a head-scratcher issue with terraform..beanstalk module i think.

i5okie avatar
i5okie
05:59:14 PM
i5okie avatar
i5okie

I’ve got 5 environments. it created 4. but this last one its got this issue. and I can’t figure out for the life of me where its picking up “elb-logs-makeshift” bucket name from.

i5okie avatar
i5okie

in the main.tf of the module, this is the only reference:

i5okie avatar
i5okie
06:01:35 PM
i5okie avatar
i5okie
06:01:57 PM
i5okie avatar
i5okie
06:05:20 PM
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

that’s really odd! haven’t seen elb-logs-makeshift before. I grepped through all of our modules and don’t see it and it doesn’t appear in any of our code. https://github.com/search?q=org%3Acloudposse+makeshift&type=Code

Build software better, together

GitHub is where people build software. More than 28 million people use GitHub to discover, fork, and contribute to over 85 million projects.

i5okie avatar
i5okie

ikr

i5okie avatar
i5okie

and terraform plan, grepped for elb, also doesn’t produce it.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

what about your ENV?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

export | grep makeshift

i5okie avatar
i5okie

makeshift is a known name. but “elb-logs-makeshift” in that combination is not

i5okie avatar
i5okie

uhm

i5okie avatar
i5okie

export locally yes, but that’d affect other environments tho..

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

in this case, looks like namespace=elb, stage=logs, name=makeshift (if you’re using our label module)

i5okie avatar
i5okie

not explicitly no. just using your beanstalk environment module

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

ok

i5okie avatar
i5okie

we had this environment up before too. this is so bizarre. we used an older module, and im now rewriting with the new one. but then even in your module, the way you define it, it’d be elb-logs ending.. not elb-logs+string

i5okie avatar
i5okie

#killmenow

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

yea, makes no sense. must be some silly error somewhere.

i5okie avatar
i5okie

this has to be some bug with aws or something. because the rest of the environments just use a normal elb-logs-<random_digits> s3 bucket.

i5okie avatar
i5okie

Don’t think i like EB anymore. So high maintenance

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

And very slow to iterate

i5okie avatar
i5okie

i’d ask amazon but don’t have support subscription yet

i5okie avatar
i5okie

and funny thing is, aws cli says that s3 bucket doesn’t exist.

i5okie avatar
i5okie

but when trying to create it, it says “$ aws s3 mb <s3://elb-logs-makeshift> makeshift2.3.7 make_bucket failed: <s3://elb-logs-makeshift> An error occurred (BucketAlreadyExists) when calling the CreateBucket operation: The requested bucket name is not available. The bucket namespace is shared by all users of the system. Please select a different name and try again.”

i5okie avatar
i5okie

“$ aws s3 ls elb-logs-makeshift makeshift2.3.7

An error occurred (NoSuchBucket) when calling the ListObjects operation: The specified bucket does not exist”

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

oh, maybe someone else on AWS owns that bucket.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

that would explain why you cannot list it

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@i5okie we suggest using label or a similar naming pattern for consistency and to eliminate naming contention

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

yes, all buckets are global

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

except when you do aws s3 ls, it shows only your account

i5okie avatar
i5okie

yeah that makes sense.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

you said elb-logs-<randomstring>

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

could makeshift be generated as one of the random strings ?

i5okie avatar
i5okie

but why would it try to create/use a bucket that nothing asked it to use. and the other environments created with the exact same module and config essentially, just use the standard elb-logs-3434343434 thing that aws picks by default.

i5okie avatar
i5okie

no, because other environments go into elb-logs-<randomdigits>

i5okie avatar
i5okie

the same one

i5okie avatar
i5okie

without that being explicitly specified anywhere in the config files.

i5okie avatar
i5okie

oh i see. its actually elb-logs-<accountnumber>

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-null-label

terraform-null-label - Terraform Module to define a consistent naming convention by (namespace, stage, name, [attributes])

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-terraform-label

terraform-terraform-label - Terraform Module to define a consistent naming convention by (namespace, stage, name, [attributes])

i5okie avatar
i5okie

it makes no sense that from scratch I’ve just created other environments with this module and it went fine, and used the normal per-account elb-logs bucket. and this one odd-ball decides not to. I’m using this: https://github.com/cloudposse/terraform-aws-elastic-beanstalk-environment

cloudposse/terraform-aws-elastic-beanstalk-environment

terraform-aws-elastic-beanstalk-environment - Terraform module to provision an AWS Elastic Beanstalk Environment

i5okie avatar
i5okie

for all of our environments.

i5okie avatar
i5okie

so why would i use label separetly?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

not sure how it relates to the <accountnumber>

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

can you share your code?

i5okie avatar
i5okie

thats just what EB does naturally creates per-account elb-logs s3 bucket, and uses it for all environments. terraform no terraform, its just what it does

i5okie avatar
i5okie

which code

i5okie avatar
i5okie
06:32:10 PM
i5okie avatar
i5okie

i have to use local copy of the module because to modify the healthchec url varriable a bit.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

what’s the diff between those 5 envs? stage?

i5okie avatar
i5okie

no. app names

i5okie avatar
i5okie

5 applications, 3 stages each

i5okie avatar
i5okie

but im only re-doing the staging env for now

i5okie avatar
i5okie

which is in its own vpc, etc etc

i5okie avatar
i5okie

so “name” variable would be different between the 5. plus app versions, and env vars.

i5okie avatar
i5okie
06:39:20 PM

terraform plan, or apply output does not mention “elb-logs-makeshift”. in fact here’s a line

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-aws-elastic-beanstalk-environment

terraform-aws-elastic-beanstalk-environment - Terraform module to provision an AWS Elastic Beanstalk Environment

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

but @i5okie still, how all of this relates to what you said about elb-logs-<randomdigits>?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

what is randomdigits here and where they from?

i5okie avatar
i5okie

its actually account number.

i5okie avatar
i5okie

ELB doesn’t use these buckets that are created.

i5okie avatar
i5okie

it ends up using the account-default elb-logs-<accountnumber> bucket instead.

i5okie avatar
i5okie

don’t know why

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

it’s not in the image above

i5okie avatar
i5okie

im thinking this is a bug at AWS side.

i5okie avatar
i5okie

because I could let you read all of my terraform files, and you wouldn’t find anything that would put the strings together to say “elb-logs-makeshift”

i5okie avatar
i5okie

oh i have an idea. i’ll delete the .terraform folder and try again

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

yea try that

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

can you show all bucket names from the 5 env that EB created?

i5okie avatar
i5okie
06:51:46 PM
i5okie avatar
i5okie

there is in fact 5th one

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

but where is randomdigits in there?

i5okie avatar
i5okie

but they are all empty. and all elb logs go to the elb-logs-<accountnumber> bucket instead.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

it should not add any random things

i5okie avatar
i5okie

your module doesn’t

i5okie avatar
i5okie

its just what elb does

i5okie avatar
i5okie
06:53:08 PM
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

i think you have naming collision somewhere

i5okie avatar
i5okie

we used an older module of yourse for this. all names were the same. in fact the only difference i noticed between the versions of modules is the order of names/namespace/stage is different.

i5okie avatar
i5okie

not that it matters

i5okie avatar
i5okie

ok deleting terraform folder and re-starting didn’t help

i5okie avatar
i5okie

and its lying

i5okie avatar
i5okie

it did create the load balancer

i5okie avatar
i5okie

but it quits on actions and doesn’t add instances

i5okie avatar
i5okie

i’ll have to wait an hour before the “(terminated)” envs dissapear from console, and create the env manually. then try to import it into the terraform.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@i5okie just to confirm. The bucket that terraform-aws-elastic-beanstalk-environment creates, is for Load balancer logs https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/command-options-general.html#command-options-general-elbv2

General Options for All Environments - AWS Elastic Beanstalk

Configure globally available options for your Elastic Beanstalk environment.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

they have the names as you showed in the images above

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

at the same time, EB creates a bucket per region where it stores all EB stuff (e.g. app versions)

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

and that bucket name looks like this elasticbeanstalk-us-east-1-<accountId>

i5okie avatar
i5okie

i have both

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

that’s the only thing with Account ID there

i5okie avatar
i5okie

i have the buckets that you specify in the terraform module for elb logs, the elb-logs-<accountnumber> bucket that elb spits elb logs into when i enable those. and the elastic-beanstalk-<region>-<accountnumber> buckets

i5okie avatar
i5okie

i don’t ask it to change which buckets to put logs into. i’m just going with what it does.

i5okie avatar
i5okie

it probably does it when i say to forward logs to cloudwatch

i5okie avatar
i5okie

in web console

i5okie avatar
i5okie

its aws

i5okie avatar
i5okie

just created environment from scratch by manually on web console. same error.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

hmm

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

what’s the error?

i5okie avatar
i5okie
08:33:45 PM
i5okie avatar
i5okie

the reference shows up in cloudformation template

i5okie avatar
i5okie
08:34:09 PM
i5okie avatar
i5okie

how it gets to that template, i have no friggin idea

i5okie avatar
i5okie

im going to delete the stack and try creating it manually again

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

yea sounds like you need to delete everything first

i5okie avatar
i5okie

which is odd. i deleted the environment, waited for it to disappear from the console, then manually created it. and it ran into the same error. I guess it kept the cloudformation stack template and kept trying to re-create the stack from template? so odd

i5okie avatar
i5okie

ok, time for aws support. deleted environment. deleted cf template. applied terraform. same error

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

you can try to create a new EB application and deploy the env into it

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

(it’s actually a good idea to deploy each env into its own application)

i5okie avatar
i5okie

hmm

i5okie avatar
i5okie

a new application for each stage?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

yes

i5okie avatar
i5okie

hmm

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

it’s better for many reasons

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Since each stage should be in a separate AWS account to ensure isolation.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Which then necessitates using a separate app.

i5okie avatar
i5okie

yeah separate account makes sense

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

for now each stage could/should be in a separate app

i5okie avatar
i5okie

not using EB is probably also a good idea

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

not really It’s good at what it does. Never seen the issues like you are having

i5okie avatar
i5okie

no not like this. But the hours I’ve spent “trying” to make things work with EB.. i probably could have learned how to use ECS properly.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

maybe

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

but EB is actually much simpler in many cases

i5okie avatar
i5okie

true very much so

i5okie avatar
i5okie

guess what

i5okie avatar
i5okie

new application, manual environment setup in web console.

i5okie avatar
i5okie

same issue

i5okie avatar
i5okie
10:09:16 PM
1
i5okie avatar
i5okie

lol. alright i’ll see what amazon says.

2018-08-09

dominic avatar
dominic

@jamie I ended up forking the slack lambda, https://github.com/SevereOverfl0w/terraform-aws-notify-slack it’s not really in a pull-requestable state, but if you’re hacking on this it might serve as inspiration.

SevereOverfl0w/terraform-aws-notify-slack

terraform-aws-notify-slack - Terraform module which creates SNS topic and Lambda function which sends notifications to Slack

jamie avatar
jamie

Thank you

jamie avatar
jamie

I’m on them now

dominic avatar
dominic

I’m now onto monitoring our autoscaling groups I see you’re also responsible for ec2

jamie avatar
jamie

FYI team, this environment variable isn;t in the documentation last time i checked, but can get you around some annoying errors when destroying resources.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Thanks, I’ve added an inssue to document this.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
Document Terraform Triage Tip · Issue #204 · cloudposse/docs

what This environment variable isn&#39;t in the documentation, but can get you around some annoying errors when destroying resources. export TF_WARN_OUTPUT_ERRORS=1 why It converts the errors that …

jamie avatar
jamie

export TF_WARN_OUTPUT_ERRORS=1

jamie avatar
jamie

It converts the errors that would normally halt the destruction of resources from a module

jamie avatar
jamie

into warnings

jamie avatar
jamie

and therefore allows you to complete the destruction of a TF template

maarten avatar
maarten

For terraformers, who like dirty hacks, and who are encountering issues with count.index inside a conditionally created resource with count to length(var.of_a_list).. here’s something that worked for me

create a data “template_file” with count of the length of the list with no conditions.

data "template_file" "custom_listen_host" {
  count = "${length(var.custom_listen_hosts)}"
...

And refer to the template_file from the resource with the condition..

resource "aws_lb_listener_rule" 
"host_based_routing_custom_listen_host" {
....
  count = "${local.create && length(var.custom_listen_hosts) > 0 ? length(var.custom_listen_hosts) : 0 }"

    values = ["${data.template_file.custom_listen_host.*.rendered[count.index]}"]
}
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

thanks @maarten for the example

maarten avatar
maarten

Until 0.12 is there, everything is allowed I thought @Andriy Knysh (Cloud Posse)

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

not every hack I guess, but if it looks good, why not

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

this count = "${local.create && length(var.custom_listen_hosts) > 0 ? length(var.custom_listen_hosts) : 0 }" could be simplified to count = "${local.create ? length(var.custom_listen_hosts) : 0 }"

maarten avatar
maarten

hey, that’s true

maarten avatar
maarten

thanks

:--1:1
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@paul
I think I’m leaning towards the changing to a list solution. It’s far cleaner solution than slicing and the AWS provider is expecting a list anyway

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

want to test and open a PR?

paul avatar

Yeah, happy to give that a go tomorrow afternoon. Off the clock now

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

perfect

Igor Rodionov avatar
Igor Rodionov
05:44:30 AM

@Igor Rodionov has joined the channel

2018-08-08

dominic avatar
dominic
cloudposse/terraform-aws-rds-cloudwatch-sns-alarms

terraform-aws-rds-cloudwatch-sns-alarms - Terraform module that configures important RDS alerts using CloudWatch and sends them to an SNS topic

cloudposse/terraform-aws-sns-lambda-notify-slack

terraform-aws-sns-lambda-notify-slack - Terraform module to provision a lambda function that subscribes to SNS and notifies to Slack.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@jamie can maybe provide an example for this. I am afk this week. @sarkis also might have a similar example ready that we are using for ECS.

cloudposse/terraform-aws-rds-cloudwatch-sns-alarms

terraform-aws-rds-cloudwatch-sns-alarms - Terraform module that configures important RDS alerts using CloudWatch and sends them to an SNS topic

cloudposse/terraform-aws-sns-lambda-notify-slack

terraform-aws-sns-lambda-notify-slack - Terraform module to provision a lambda function that subscribes to SNS and notifies to Slack.

dominic avatar
dominic

Thank you

dominic avatar
dominic
cloudposse/terraform-aws-ecs-cloudwatch-sns-alarms

terraform-aws-ecs-cloudwatch-sns-alarms - Terraform module to create CloudWatch Alarms on ECS Service level metrics.

dominic avatar
dominic

That would work with the slack tf then.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Great! Hope that unblocks you.

sarkis avatar
sarkis

Put a TODO for myself to get some better example in the repos for how they work together..

dominic avatar
dominic

ah, I think I see! You can provide a topic name to the slack integration to use, and set create_sns_topic to false. That’s not super clean, as you end up with a lambda per sns topic, and if I need one for each module of alarms I use (i.e. one per rds, one per asg) that’s going to rack up a count very quickly.

It would be nice if they composed.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Terraform as a language is pretty limited. To reduce complexity of of an individual module we like to keep them logically separated. This reduces the scope and easier to test. We also like to think this makes them even more composable. Users can mix and match as they see fit without being overly opinionated.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

For example, look at our ecs web app module. This is a great example of how many modules are composed to implement a powerful opinionated module.

dominic avatar
dominic

In this case I think the problem is that the slack lambda expects a one-to-one mapping, and reality is a many-to-one. It should take a list of sns topics to subscribe to.

:--1:1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

If you want to extend it, we’ll prompt review the the PR :-)

dominic avatar
dominic

Thinking about it. Part of the problem is that Cloudposse is delegating to another terraform module altogether. So that would mean taking maintenance of that module.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

That other module is by @antonbabenko

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Check with him - he maintains a lot of great modules and would probably accept the PR or provide insights

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@jamie started a Cloudposse slack notification module, but don’t think he has had the time to finish it.

jamie avatar
jamie

Where is my sense of completion

jamie avatar
jamie

I’ll get to sorting that tomorrow for you!

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Haha you certainly set off on an ambitious path. Think you wrote (or started) like 20 modules in a month.

dominic avatar
dominic

I suspect policies are part of all this, but I’m not sure. Policies in AWS don’t ever compose nicely, you end up centralizing your SNS because you need an RDS policy and you can’t just append that to an existing one. I feel like Terraform should let you “append” to resources defined elsewhere, but that’s a very hard set of constraints to match I accept.

dominic avatar
dominic

yeah, that’s it. The RDS module creates it’s own SNS topic because it doesn’t just do CloudWatch it also configures RDS event notifications to the topic. This means the policy isn’t just CloudWatch, but CloudWatch + RDS. (Although the description is wrong - typo-level PR incoming)

paul avatar

:wave: Hello! :slightly_smiling_face: I’m attempting to use terraform-aws-cloudtrail for the first time and just hitting an issue with the event_selector. It defaults to {} but this causes aws_cloudtrail to create an event selector anyway.

paul avatar

We then get this on every apply:

  ~ module.cloudtrail.module.cloudtrail.aws_cloudtrail.default
      event_selector.#:                           "0" => "1"
      event_selector.0.include_management_events: "" => "true"
      event_selector.0.read_write_type:           "" => "All"
paul avatar

Removing the event_selector variable/parameter from terraform-aws-cloudtrail ‘fixes’ the issue.

paul avatar

Looks like null / undefined parameters will be coming in HCL2 but until then I’m not sure what the answer is.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Hrmmm I am not sure off the top of my head. @Andriy Knysh (Cloud Posse) might have some suggestions. He originally implemented it.

antonbabenko avatar
antonbabenko
02:13:32 PM

@antonbabenko has joined the channel

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

hi @paul, give me some time, I’ll look into terraform-aws-cloudtrail event_selector. You can open a PR with your fixes so it’d be easier to review and test

paul avatar

@Andriy Knysh (Cloud Posse) :wave: At the moment I don’t have a fix, other than commenting out the event_selector. We’re discussing it internally at the moment, if we think of a neat way around it then I’ll PR it.

dominic avatar
dominic

@Andriy Knysh (Cloud Posse) @paul out of curiosity, does the string "" work as blank? Or maybe doing event_selector = []?

paul avatar

I’ll give it a go, let’s find out.

paul avatar

Actually, the variable type is set to a maplist.

dominic avatar
dominic

hehe I hit something similar this morning.

paul avatar

of maps.

paul avatar

Giving it a go.

dominic avatar
dominic

Yep. It’s the same for launch_configuration root_block_device, for no particular reason, perhaps for nicer syntax as:

event_selector {
  …
}

Rather than

event_select = {
  …
}
dominic avatar
dominic

tbh, the pain of this goes away with terraform 12 if you can wait, now that conditionals can return lists you can do:

event_selector = "${var.event_selector == {} ? [] : [var.event_selector]}"
dominic avatar
dominic

https://github.com/hashicorp/terraform/issues/12453#issuecomment-327266951 you could try this though if you’re a masochist.

dominic avatar
dominic

(Basically join the k/vs of the event_selector with a separator, and then split it outside the conditional)

:--1:1
paul avatar

So if I do this..

variable "event_selector" {
  type        = "list"
  description = "Specifies an event selector for enabling data event logging. See: <https://www.terraform.io/docs/providers/aws/r/cloudtrail.html> for details on this map variable"
  default     = []
}
paul avatar

It then works correctly.

paul avatar

It would then require people to supply a list of maps though, so it wouldn’t be backwards compatible.

paul avatar

I think.

dominic avatar
dominic

You could also do that, which is what I decided to do internally. However, I think that changes usage slightly. It might be as simple as changing event_selector = {} to event_selector { }

paul avatar

Where would I make that change?

dominic avatar
dominic

when using the module, that would be, so still a breaking change.

paul avatar

Ah.

paul avatar

Fiddling with different combinations.

pericdaniel avatar
pericdaniel

Anyone have experience deploying AWS AD service with terraform?(includes creating vpc, subnets, jumpboxes etc)

paul avatar

bah. No joy.

dominic avatar
dominic

A map() function would make this so much easier (in the fp sense), as you could use compact & map.

dominic avatar
dominic

@paul how about slice(list(var.event_selector), 0, length(var.event_selector) > 0 ? 1 : 0)

dominic avatar
dominic

that took way too much fiddling to discover. Nice trick once you know it though

paul avatar

Oh, interesting. I’ll give that a try later this evening. (BST timezone)

paul avatar

Thanks.

dominic avatar
dominic

Fellow brit?

jamie avatar
jamie

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-aws-cloudtrail

terraform-aws-cloudtrail - Terraform module to provision an AWS CloudTrail and an encrypted S3 bucket with versioning to store CloudTrail logs

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

when event_selector = [] (empty list), Terraform never tries to recreate resources

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

if we put a map inside a list, it always tries to recreate regardless if the map is empty or populated

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

event_selector = [{}]

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
  event_selector = [{
    read_write_type           = "All"
    include_management_events = true
  }]
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

in both cases

  ~ module.cloudtrail.aws_cloudtrail.default
      event_selector.#:                           "0" => "1"
      event_selector.0.include_management_events: "" => "true"
      event_selector.0.read_write_type:           "" => "All"
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

looks like a feature/bug

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

also in the docs, it does not mention at all that event_selector should be a list, it looks like a map

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

so we can change it to

variable "event_selector" {
  type        = "list"
  description = "Specifies an event selector for enabling data event logging. See: <https://www.terraform.io/docs/providers/aws/r/cloudtrail.html> for details on this map variable"
  default     = []
}
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

which will silence it in the case when we don’t need any event selectors

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

but will not help in other cases

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@jamie any ideas on that?

jamie avatar
jamie

I’ll have to look soon. I’m out with people

:--1:1
dominic avatar
dominic

@Andriy Knysh (Cloud Posse) I think we can have the best of both worlds using the slice() trick above. The other being that we don’t break backwards compatibility.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

don’t worry about backwards compatibility, we use tags in all modules like here https://github.com/cloudposse/terraform-root-modules/blob/master/aws/cloudtrail/main.tf#L34

cloudposse/terraform-root-modules

terraform-root-modules - Collection of Terraform root module invocations for provisioning reference architectures

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

so if we need to update to the new version, we update the tag and update the top-level module

dominic avatar
dominic

I think backwards compatibility is always important, regardless of pinned versions. I imagine this is something that differs across programming communities. I also think the current interface is the most idiomatic.

dominic avatar
dominic

@jamie Regarding SNS, RDS etc. I just after much hacking around terraform, managed to create a “terraform-sns-claims”. Essentially modules like the RDS alarms module export a variable of claims with a value like ["cloudwatch", "rds"]. Internally, the sns module stores a statement relating to that claim. It then generates a policy from the set of claims. I need to find out if anything else actually pushes to SNS (e.g. autoscaling events perhaps), but this is a fairly tidy system for allowing the sns policy to be dictated by the alarms you want.

If you’re hacking on the slack sns stuff tomorrow, I can probably publish my SNS work, and you can bring it into cloudposse if you wish (whatever license I need to use, I will). I’d love to not have to fork slack too I’ll probably look into contributing RDS event support at the same time.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Thanks @dominic ! Definitely ping feel free to ping me directly as well

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Both @jamie @Andriy Knysh (Cloud Posse) @Igor Rodionov and @maarten can create repos under the Cloud Posse org.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Generally, we use the APACHE2 license. Just copy it from any one of our other repos.

dominic avatar
dominic

Will do Of course it’s dependent on you guys liking the approach, my thinking it has merit means little

jamie avatar
jamie

I’ll do it tomorrow then. Please push any suggestions you want and I’ll merge them as needed! Please and thank you!

paul avatar

Apologies, I didn’t get chance to try out the suggested solutions this evening. It’s in my diary for the morning.

paul avatar

I think I’m leaning towards the changing to a list solution. It’s far cleaner solution than slicing and the AWS provider is expecting a list anyway.

dominic avatar
dominic
SevereOverfl0w/terraform-aws-rds-cloudwatch-sns-alarms

terraform-aws-rds-cloudwatch-sns-alarms - Terraform module that configures important RDS alerts using CloudWatch and sends them to an SNS topic

SevereOverfl0w/terraform-aws-sns-claims

terraform-aws-sns-claims - Create an SNS topic based on a list of claims

dominic avatar
dominic

https://github.com/cloudposse/terraform-aws-cloudtrail-cloudwatch-alarms/blob/master/main.tf#L8 might be a better approach overall, uncertain of how multiple policies apply to an sns.

cloudposse/terraform-aws-cloudtrail-cloudwatch-alarms

terraform-aws-cloudtrail-cloudwatch-alarms - Terraform module for creating alarms for tracking important changes and occurances from cloudtrail.

2018-08-07

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
Add support for a sub-provider to roles by ArdaXi · Pull Request #7 · cloudposse/terraform-aws-iam-assumed-roles

What Add an option to use a sub-provider for roles, so they can be created in a different account than the users who can assume it. Why We have a use-case where we need admin and readonly roles in …

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
cloudposse/terraform-aws-efs-cloudwatch-sns-alarms

terraform-aws-efs-cloudwatch-sns-alarms - Terraform module that configures CloudWatch SNS alerts for EFS

jamie avatar
jamie

Yes

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Ok, I’ll log an issue

jamie avatar
jamie

All of the modules need to have a revision to handle context

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

how are you doing man?

jamie avatar
jamie

Exhausted!

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

from vacation?

jamie avatar
jamie

Yeah

jamie avatar
jamie

Way behind from vacation so playing hard catchup

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

My ticket is up tomorrow! Tulum, MX

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@jamie some of your changes to terraform-null-label do not respect the enabled flag. So when I test it with var.enabled=false, Terraform still wants to recreate some resources

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

when you change the module, you might want to take a look at that too

jamie avatar
jamie

I will address that. Sorry that should have been picked up at review. But it was pushed through quickly.

:--1:1
jamie avatar
jamie

Thank you for testing.

2018-08-06

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
Add support for a sub-provider to roles by ArdaXi · Pull Request #7 · cloudposse/terraform-aws-iam-assumed-roles

What Add an option to use a sub-provider for roles, so they can be created in a different account than the users who can assume it. Why We have a use-case where we need admin and readonly roles in …

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

any opinions on taking this approach?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@sarkis @Andriy Knysh (Cloud Posse)

2018-08-03

i5okie avatar
i5okie

hey so for terraform-aws-elasticsearch module. its saying that EBS storage must be selected for t2.small.elasticsearch.

i5okie avatar
i5okie

is that not what’s used by default?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@Andriy Knysh (Cloud Posse)

i5okie avatar
i5okie

i’m gonna do more research into ES for now

i5okie avatar
i5okie

well apparently i fail it setting up ES from this tf module. i’ve got a route53 domain, that all worked, the vpc endpoint is in public subnets.. but I cannot access ES or Kibana endpoints at all.

i5okie avatar
i5okie

and security group allows all traffic from 0.0.0.0/0

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

you deployed it in the public subnets and opened up the security groups?

i5okie avatar
i5okie

i believe so. I’ve just added the default security group just to try. will see if that helps

i5okie avatar
i5okie

i have iam access policy configured. im thinking thats the issue

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
cloudposse/terraform-root-modules

terraform-root-modules - Collection of Terraform root module invocations for provisioning reference architectures

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

here’s an example of how andriy deployed it

i5okie avatar
i5okie

tnx

i5okie avatar
i5okie

might be a dump question. but what is the purpose of this:

i5okie avatar
i5okie
06:07:31 PM

in terraform-aws-elastic-beanstalk-environment

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

It’s part of this horible/nasty hack to make it easy to pass envs

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
cloudposse/terraform-aws-elastic-beanstalk-environment

terraform-aws-elastic-beanstalk-environment - Terraform module to provision an AWS Elastic Beanstalk Environment

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

perhaps there’s a better way of doing it now adays in HCL

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We had a more elegant way using null_resource, but it would lead to frequent errors like cannot compute count of dynamic variable (or something like that)

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

So basically, the module always defines N fixed environment variables

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

If the user provides it, it uses it, other wise you see something like DEFAULT_ENV_20=UNSET in your beanstalk environment

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

(which is just a place holder)

i5okie avatar
i5okie

odd

i5okie avatar
i5okie

I was looking at an existing platform. I wonder why they’re not showing how to use their container config in examples.

i5okie avatar
i5okie

with a custom platform, they just say here, specify :environment settings, and bam you got a platform. but then for example, looking at Ruby / passenger platform they have :container config as well, with nicely defined json for settings and what not.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
Change custom ENV vars key/value calculation by aknysh · Pull Request #14 · cloudposse/terraform-aws-elastic-beanstalk-environment

What Changed the way the custom ENV vars are calculated in awsapplication:environment setting Why Using null_resource to generate key/value pairs for ENV vars like this: resou…

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Here is more context

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
Support Empty Env List and Return Stable Values by goruha · Pull Request #11 · cloudposse/terraform-aws-elastic-beanstalk-environment

What Fix element() for empty list workaround Fix key-value association Why For empty env_vars there was error element() may not be used with an empty list in: hashicorp/terraform#9858 keys() ret…

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@pmuller I still think we should consider this//github.com/cloudposse/terraform-aws-rds-cluster/issues/26>

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

It would be a nice security enhancement

pmuller avatar
pmuller

hehe, love this approach!

pmuller avatar
pmuller
juliosueiras/vim-terraform-completion

vim-terraform-completion - A (Neo)Vim Autocompletion and linter for Terraform, a HashiCorp tool

2018-08-02

i5okie avatar
i5okie

hey, cloudposse/terraform-aws-cloudwatch-logs in description says … for use with fluentd. Do you guys have an example of how you use it with fluentd?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We use it with Kubernetes

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I can share how we do that

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

hey @Ziad Hilal! Glad you signed up

Ziad Hilal avatar
Ziad Hilal
08:30:56 PM

@Ziad Hilal has joined the channel

maarten avatar
maarten

Not Terraform, but .. should be here I think.. I had a fight with a daemon which was running inside a wrapper. It is sidekiq, and it’s important that sidekiq receives the SIGTERM. The wrapper script was necessary as it does a few other things.

Having this inside the dispatch.sh

   SIDEKIQ_COUNT=3 SIDEKIQ_MAXMEM_MB=2000 SIDEKIQ_PRELOAD=sidekiq_swarm exec sidekiqswarm -t 25 -C config/sidekiq.yml

is not enough as it would still be a child of the entrypoint.

So in the Dockerfile this is what did the trick.

CMD exec /$APP_DIR/bin/dispatch.sh
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@maarten was that meant for this channel?

maarten avatar
maarten

yeah,.. I just wanted to share something others might stumble upon at one moment.. Unsuited ?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Oh, just maybe don’t get the full context.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Aha, adding the exec part

maarten avatar
maarten

exactly.. on 2 places

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

so basically, it’s running /bin/sh -c 'exec /$APP_DIR/bin/dispatch.sh', which then replaces PID1 with dispatch.sh

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I’ve also run into problems with signal handling and shell scripts with docker.

maarten avatar
maarten

and then inside dispatch sidekiq replaces it

maarten avatar
maarten

we can also have a docker channel

maarten avatar
maarten

haha

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

yea, probably a good idea.

maarten avatar
maarten

I’ll remove my stuff here then

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

#docker created

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

that’s fine - we’ll start new ones there.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

2018-08-01

pmuller avatar
pmuller

wow, thanks, those projects look great!

pmuller avatar
pmuller

something related I would like to implement: https://github.com/mozilla-services/pytest-services

mozilla-services/pytest-services

pytest-services - Unit testing framework for test driven security of AWS configurations, and more.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

hi @pmuller

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

for security testing on AWS, take a look at this tool https://github.com/dowjones/hammer

dowjones/hammer

hammer - Dow Jones Hammer : Protect the cloud with the power of the cloud(AWS)

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
Dow Jones Develops Automated Security Tool attachment image

The new tool, called Hammer, was developed partly in response to the growing need for automation amid talent shortages and the fast-paced nature of software development, said Dow Jones CISO Jaswinder Hayre.

i5okie avatar
i5okie

hi again

2
i5okie avatar
i5okie

so im looking at terraform-aws-s3-log-storage module. looks awesome. Here’s a loaded question.. I’ve a got a custom elastic beanstalk platform, using your terraform-aws-elasticbeanstalk module..

Is there a way you’d recommend to make that bucket name exposed to eb instances? (not manually).

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Hrmm… so basically, how to pass the bucket name from the log storage module to the beanstalk module?

i5okie avatar
i5okie

I think I’ll be using fluentd to push logs, and I’ve ran into a bit of head scratcher, the config file for td-agent doesn’t support environmental vars so

i5okie avatar
i5okie

yes

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

td-agent ~ fluentd?

i5okie avatar
i5okie

yes

i5okie avatar
i5okie

just a non-gem version

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

ok

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

ok, so taking a further step back

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

you’re running fluentd on the beanstalk instances to forward logs

i5okie avatar
i5okie

yep

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

ok, gotcha. sec

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Ok, so the tf-agent config should get parameterized

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We typically use gomplate for that

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

then using gomplate, you can consume env variables

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

then pass the bucket name as an env to the beanstalk

i5okie avatar
i5okie

I haven’t completely settled on fluentd. but it leaves a bit of flexibility instead of marrying to data firehose..

i5okie avatar
i5okie

hm

i5okie avatar
i5okie

thanks

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
gomplate documentation

gomplate documentation

i5okie avatar
i5okie

okay that just looks like magic

i5okie avatar
i5okie

lol

    keyboard_arrow_up