#terraform (2018-12)

terraform Discussions related to Terraform or Terraform Modules

Archive: https://archive.sweetops.com/terraform/

2018-12-01

davidvasandani avatar
davidvasandani

Deploying cloudposse/terraform-aws-eks-cluster https://github.com/cloudposse/terraform-aws-eks-cluster/tree/master/examples/complete but running into the following errors:

module.eks_cluster.aws_security_group_rule.ingress_security_groups: aws_security_group_rule.ingress_security_groups: value of 'count' cannot be computed

module.eks_workers.module.autoscale_group.data.null_data_source.tags_as_list_of_maps: data.null_data_source.tags_as_list_of_maps: value of 'count' cannot be computed

I see that autoscale_group was updated https://github.com/cloudposse/terraform-aws-ec2-autoscale-group/pull/5 to use terraform-terraform-label which from searching the Slack history seemed to be an issue.

and eks_cluster is also failing at ingress_security_groups https://github.com/cloudposse/terraform-aws-eks-cluster/blob/master/main.tf#L69

I’m not passing in any tags or security group so the terraform-aws-eks-cluster module is just using the defaults.

davidvasandani avatar
davidvasandani

Yep. I’ve been going through that.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Ok :-)

davidvasandani avatar
davidvasandani

When targeting the eks_cluster module replacing: allowed_security_groups = ["${distinct(compact(concat(var.allowed_security_groups_cluster, list(module.eks_workers.security_group_id))))}"] with allowed_security_groups = ["sg-09264f5790c8e28e1"] resolves the issue.

So right now I’m trying to target the eks_workers module.

davidvasandani avatar
davidvasandani

How do you correctly format the tag variable?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@Andriy Knysh (Cloud Posse) we should have a Makefile in that example

1
davidvasandani avatar
davidvasandani

tags="map('environment','operations')"

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

No you can pass tags just like normal

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

A map

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Some places show it written using interpolation because it used to be that way in older versions of terraform

1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

And that got copied and pasted everywhere

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

I’ll have to check it again, when we tested a few months ago, we didn’t see those errors

davidvasandani avatar
davidvasandani

Passing in the tags while targeting the eks_workers module didn’t work.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Aside from the hard coding you did as a workaround, no other changes from the example?

davidvasandani avatar
davidvasandani

Commenting out the null_data_source all together when targeting the eks_workers module resolves the issue.

# data "null_data_source" "tags_as_list_of_maps" {
#   count = "${var.enabled == "true" ? length(keys(var.tags)) : 0}"
# 
#   inputs = "${map(
#     "key", "${element(keys(var.tags), count.index)}",
#     "value", "${element(values(var.tags), count.index)}",
#     "propagate_at_launch", true
#   )}"
# }

resource "aws_autoscaling_group" "default" {
  count = "${var.enabled == "true" ? 1 : 0}"

  name_prefix               = "${format("%s%s", module.label.id, var.delimiter)}"
  ...
  service_linked_role_arn   = "${var.service_linked_role_arn}"

  launch_template = {
    id      = "${join("", aws_launch_template.default.*.id)}"
    version = "${aws_launch_template.default.latest_version}"
  }

  # tags = ["${data.null_data_source.tags_as_list_of_maps.*.outputs}"]

  lifecycle {
    create_before_destroy = true
  }
}
davidvasandani avatar
davidvasandani

@Erik Osterman (Cloud Posse) no I tried to pass in minimal variables and use the eks module defaults.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

davidvasandani avatar
davidvasandani

With the null_data_source in eks_workers commented out I had hoped the full eks module would work (I reverted the eks_cluster allowed_security_groups back to the default) but eks_cluster still errors.

module.eks_cluster.aws_security_group_rule.ingress_security_groups: aws_security_group_rule.ingress_security_groups: value of 'count' cannot be computed
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Unfortunately don’t know what is causing this. Seems like something has changed in terraform recently that breaks it.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

On a serious note, on AWS use kops for Kubernetes

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We wrote these modules to evaluate the possibility of using EKS but consider terraform as not the right tool for the job

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

No automated rolling upgrades

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

No easy way to do drain and cordon

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

So from a lifecycle management perspective we only use kops with our customers

davidvasandani avatar
davidvasandani

Ah. Ok. Easy enough. Thanks @Erik Osterman (Cloud Posse)

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

There is also https://eksctl.io/

eksctl - a CLI for Amazon EKSattachment image

a CLI for Amazon EKS

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

But it doesn’t help with upgrades yet either

davidvasandani avatar
davidvasandani

I’ve heard lots of great things about kops so I’ll just roll with that. The goal is to deploy the statup app and test namespacing per PR.

davidvasandani avatar
davidvasandani

Thanks for your help @Erik Osterman (Cloud Posse) @Andriy Knysh (Cloud Posse)

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

np, sorry the EKS module didn’t work for you. We tested it many times, but it was a few months ago and we didn’t touch it since then. Those count errors are really annoying. Maybe HCL 2.0 will solve those issues

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

Kops works really good for us

1
rohit avatar

Hi. I am facing some sort of issue with dns cert validation using cloudflare provider

rohit avatar

it works perfectly fine in a different tf module

rohit avatar

but fails in my compute module

rohit avatar

i am not able to figure out what’s going on

rohit avatar
rohit
05:53:09 PM
davidvasandani avatar
davidvasandani

@rohit what error are you receiving?

rohit avatar
* aws_alb_listener.my_app-443: Error creating LB Listener: CertificateNotFound: Certificate 'arn:aws:acm:us-east-1:011123456789:certificate/a7f83c2e-57c4-4046-b81a-f9a6fe153ad0' not found
	status code: 400, request id: 6c1234e8-f111-12e3-af9f-19f5bf9b2312
2018/12/01 11:41:44 [ERROR] root.compute.my_app: eval: *terraform.EvalSequence, err: 1 error(s) occurred:

* aws_alb_listener.my_app-443: Error creating LB Listener: CertificateNotFound: Certificate 'arn:aws:acm:us-east-1:011123456789:certificate/a7f83c2e-57c4-4046-b81a-f9a6fe153ad0' not found
	status code: 400, request id: 6c1234e8-f111-12e3-af9f-19f5bf9b2312

Error: Error applying plan:

3 error(s) occurred:

* module.compute.module.my_app.cloudflare_record.my_app_cloudflare_public: 1 error(s) occurred:

* cloudflare_record.my_app_cloudflare_public: Error finding zone "crs.org": ListZones command failed: error from makeRequest: HTTP status 400: content "{\"success\":false,\"errors\":[{\"code\":6003,\"message\":\"Invalid request headers\",\"error_chain\":[{\"code\":6103,\"message\":\"Invalid format for X-Auth-Key header\"}]}],\"messages\":[],\"result\":null}"
* module.compute.module.my_app.cloudflare_record.dns_cert_validation: 1 error(s) occurred:

* cloudflare_record.dns_cert_validation: Error finding zone "crs.org": ListZones command failed: error from makeRequest: HTTP status 400: content "{\"success\":false,\"errors\":[{\"code\":6003,\"message\":\"Invalid request headers\",\"error_chain\":[{\"code\":6103,\"message\":\"Invalid format for X-Auth-Key header\"}]}],\"messages\":[],\"result\":null}"
* module.compute.module.my_app.aws_alb_listener.my_app-443: 1 error(s) occurred:

* aws_alb_listener.my_app-443: Error creating LB Listener: CertificateNotFound: Certificate 'arn:aws:acm:us-east-1:011123456789:certificate/a7f83c2e-57c4-4046-b81a-f9a6fe153ad0' not found
	status code: 400, request id: 6c1234e8-f111-12e3-af9f-19f5bf9b2312
rohit avatar

i replaced original values with dummy values but that’s the error

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

The certificate not found error for me has always been when I accidentally created it in one region but try to use it in a different region

rohit avatar

i will double check

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

and also if DNS is not configured correctly

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

then AWS can’t read the record and validation fails

maarten avatar
maarten

Seems that authentication doesn’t work to cloudflare.

rohit avatar

i use similar code for dns validation in different module and it does work

maarten avatar
maarten
Failed to create CloudFlare Record: API Error: Zone does not exist. · Issue #1 · terraform-providers/terraform-provider-cloudflare

This issue was originally opened by @JorritSalverda as hashicorp/terraform#2551. It was migrated here as part of the provider split. The original body of the issue is below. In a CloudFlare multi-u…

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@rohit you sure that Cloudflare owns the zone [crs.org](http://crs.org)? Name servers point to

IN	ns13.dnsmadeeasy.com.	86400
IN	ns15.dnsmadeeasy.com.	86400
IN	ns11.dnsmadeeasy.com.	86400
IN	ns12.dnsmadeeasy.com.	86400
IN	ns10.dnsmadeeasy.com.	86400
IN	ns14.dnsmadeeasy.com.	86400
rohit avatar

i replaced the original zone with a different value

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

kk

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

check if DNS works for the zone (name servers, etc.)

rohit avatar

using nslookup ?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

any tool to read the records from the zone

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

or it’s just what it says Invalid format for X-Auth-Key header

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
CloudFlare 6103: Invalid format for X-Auth-Key header · Issue #2219 · containous/traefik

Do you want to request a feature or report a bug? Reporting a bug What did you do? Ran traefik in a windows container and set cloudlfare to be the dnsProvider. What did you expect to see? I expecte…

rohit avatar

somehow it worked now

rohit avatar

cert validation does take forever

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

it usually takes up to 5 minutes

rohit avatar

yeah it does

rohit avatar

how do you perform dns cert validation ?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-aws-acm-request-certificate

Terraform module to request an ACM certificate for a domain name and create a CNAME record in the DNS zone to complete certificate validation - cloudposse/terraform-aws-acm-request-certificate

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

same DNS validation

rohit avatar

basically use route53 instead of cloudflare

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Yes

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We recommend 2 types of domains

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

One is for infrastructure and service discovery

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

The other is for branded (aka vanity) domains

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Host vanity domains on CloudFlare

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

And CNAME those to your infra domains

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Ensure that Cloudflare is configured for end to end encryption

rohit avatar

@Erik Osterman (Cloud Posse) how can i ensure that it is configured for end to end encryption ?

rohit avatar

we do use https for all our connections and TLSv1.2

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

It’s a flag in their UI presumably exposed via API

rohit avatar

Is it called Always Use HTTPS ?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Yup

rohit avatar

I am sure it is checked but i will double check

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I am on my phone so can’t screenshot it

rohit avatar

no worries

rohit avatar

but i didn’t understand how it is important in this context

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

It’s relative to our suggestion of creating 2 levels of domains

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Use ACM with route53 for service discovery domain

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Use Cloudflare with vanity domains

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Use end to end encryption to ensure privacy

rohit avatar

we do use route53 for internal services and use cloudflare for publicly exposed endpoints

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Just red flags go up for me if using Cloudflare to validate acm certificates

rohit avatar

because the name on the cert matches with the endpoint we have to use cloudflare to do the validation

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Ok

rohit avatar

Just curious, if we create internal alb, then then the only way to is to do email validation, correct ?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

So I think that with Cloudflare things can work differently

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We are using route53 with acm on internal domain for docs.cloudposse.com

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Internal domain is .org

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We use DNS validation

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Then we use Cloudflare to cname that to the origin

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I am pretty certain we didn’t need the cert name to match because I don’t think CloudFlare is passthru

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Cloudflare requests the content from the origins and performs transformations on the content

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Which is only possible if it first decrypts the content MITM style

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

E.g. compression and minificarion

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

It is not a simple reverse proxy

rohit avatar

after what you said, when i think about it i am not able to remember why we had to do it this way

rohit avatar

i will have to check with someone from OPS team

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

rohit avatar

did you see my above question ? because you are on phone i will paste it again

if we create internal alb, then then the only way to is to do email validation, correct ?
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Ohhhhhhhh I see

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Internal alb, so non routable

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Good question. I have not tried acm dns validation with internal domains, but that would make the most sense since there is no way for AWS to reach it due to the network isolation.

rohit avatar

we currently use email validation for internal alb but was not sure if that can be automated in terraform

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Perhaps there are some work arounds where you allow some kind of AWS managed vpc endpoint to reach it kind of like you can do with Private S3 buckets

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

For example with classic ELBs we could allow some AWS managed security group access to the origin.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Now with this being a VPC not sure if they’ve done anything to accommodate it.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Please let me know if you find a conclusive answer yes/no

rohit avatar

will do. I am trying to find more about this or any other alternative in terraform for internal alb

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
CloudFlare, SSL and unhealthy security absolutismattachment image

Let’s start with a quick quiz: Take a look at haveibeenpwned.com (HIBP) and tell me where the traffic is encrypted between: You see HTTPS which is good so you know it’s doing crypto things in your browser, but where’s the other end of the encryption? I mean at what

rohit avatar

we use full ssl option

10001
rohit avatar

@Erik Osterman (Cloud Posse) my google terraform search for anything now returns one of your modules

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Lol yes we tend to do that…

rohit avatar

that’s pretty awesome

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

As far as I know, there is no way to do email validation using TF. Maybe some third party tools exist

rohit avatar

@Andriy Knysh (Cloud Posse) that’s what i thought. so what happens when i pass validation_method = "EMAIL" to the aws_acm_certificate resource

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Aha you need to establish a private CA

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)


Q: What are the benefits of using AWS Certificate Manager (ACM) and ACM Private Certificate Authority (CA)?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)


ACM Private CA is a managed private CA service that helps you easily and securely manage the lifecycle of your private certificates. ACM Private CA provides you a highly-available private CA service without the upfront investment and ongoing maintenance costs of operating your own private CA.

rohit avatar

i think that would work

rohit avatar

i am assuming there is a terraform resource to create private cert

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Yea let me know!

maarten avatar
maarten

That’s a lot of effort for an internal network with SSL offloading by the ALB, meaning it ends up to be HTTP in the same network anyway.

maarten avatar
maarten

” curious, if we create internal alb, then then the only way to is to do email validation, correct ?”

That has nothing to do with it, as long as ACM can check if the CNAME resolves to the .aws-domain it will work out with creating the certificate.

1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Cool - are you doing this with #airship?

rohit avatar

@maarten so if i create a record for the internal alb in route53 private hosted zone then i don’t have to do any cert validation ?

maarten avatar
maarten

Cert validation is independent of any load balancer.

maarten avatar
maarten

For AWS it’s just a mechanism to know that you control that domain, either through E-mail or DNS.

rohit avatar

but i still need a cert for internal service for https, correct ?

maarten avatar
maarten

yes

maarten avatar
maarten

let me look it up for you

maarten avatar
maarten

AWS Certificate Manager (ACM) does not “currently” support SSL certificates for private hosted zones.

maarten avatar
maarten

Good to know… so your options are in fact then to

  1. create your own ssl authority or
  2. use a public domain instead
maarten avatar
maarten

Certificate creation is outside the scope of the module, as it’s more likely to have one wildcard cert for many services

maarten avatar
maarten

Let’s continue here Rohit, sub-threads confuse me

rohit avatar

i noticed that when i do terraform destory it destroys all the resources but the certificate manager still has the certs that were created by terraform. Is there flag that needs to be passed for it to destroy those certs ?

maarten avatar
maarten

That’s odd, are you 100% sure ?

rohit avatar

yes

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

I saw the cert gets destroyed

maarten avatar
maarten

maybe you can try and see if you can repeat that behaviour

rohit avatar

trying now

rohit avatar

Looks like it was just that one time

rohit avatar

when i tried again everything was destroyed gracefully

rohit avatar

i am trying to pass params to my userdata template,

data "template_file" "user-data" {
  template = "${file("${path.cwd}/modules/compute/user-data.sh.tpl")}"

  vars = {
    app_env               = "${terraform.workspace}"
    region_name           = "${local.aws_region}"
    chef_environment_name = "${local.get_chef_environment_name}"
  }
}
rohit avatar

and in my template, i have the following

export NODE_NAME="$$(app_env)app-$$(curl --silent --show-error --retry 3 <http://169.254.169.254/latest/meta-data/instance-id>)" # this uses the EC2 instance ID as the node name
rohit avatar

the app_env is not being evaluated

rohit avatar

it just stays as is

rohit avatar

is there anything wrong in my template ?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@rohit i think you need one $, not two, and curly braces

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-aws-eks-workers

Terraform module to provision an AWS AutoScaling Group, IAM Role, and Security Group for EKS Workers - cloudposse/terraform-aws-eks-workers

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-aws-eks-workers

Terraform module to provision an AWS AutoScaling Group, IAM Role, and Security Group for EKS Workers - cloudposse/terraform-aws-eks-workers

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

the format is ${var}

rohit avatar

i tried that

rohit avatar
export NODE_NAME="$(app_env)app-$$(curl --silent --show-error --retry 3 <http://169.254.169.254/latest/meta-data/instance-id>)" # this uses the EC2 instance ID as the node name
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

curly braces

rohit avatar

yeah that was a silly mistake by me

rohit avatar

when i updated the template and ran terraform plan followed by terraform apply the userdata on the launch template did not get updated

rohit avatar

i am assuming it is because of the difference between tempalte vs resource

rohit avatar

@Andriy Knysh (Cloud Posse) is this true ?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

template_file uses the format ${var}

rohit avatar

so i would have to wrap curl command in ${}

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

yes

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

ah wait

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

not sure

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

you use ${var} format in the template if you set the var in template_file

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

this $$(curl --silent --show-error --retry 3 <http://169.254.169.254/latest/meta-data/instance-id>) is not evaluated by TF I suppose

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

is it called when the file gets executed on the instance?

rohit avatar

yes, the userdata gets executed on the instance

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

yea those formats are different and often confusing, have to always look them up

rohit avatar

yeah. similarly, i always have to look up symlink syntax for source and destination

rohit avatar

I am using terraform-terraform-labeland terraform-aws-modules/vpc/aws module, i noticed that even though i have name = "VPC" in terraform-terraform-label it is converting it to lowercase

rohit avatar

and setting the Name as myapp-vpc instead of myapp-VPC

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-terraform-label

Terraform Module to define a consistent naming convention by (namespace, stage, name, [attributes]) - cloudposse/terraform-terraform-label

rohit avatar

yeah i saw that, can i know why is it being converted to lowercase?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

i believe for consistency. is it a problem for you? (it does not convert tags)

rohit avatar

yeah i was wanting to keep whatever was defined in the name if possible

rohit avatar

Is there anything i could do to achieve this ?

rohit avatar

i mean i could do the same thing in my module but without converting the tags to lowercase

rohit avatar
locals {
  enabled    = "${var.enabled == "true" ? true : false }"
  id         = "${local.enabled == true ? join(var.delimiter, compact(concat(list(var.namespace, var.stage, var.name), var.attributes))) : ""}"
  name       = "${local.enabled == true ? format("%v", var.name) : ""}"
  namespace  = "${local.enabled == true ? format("%v", var.namespace) : ""}"
  stage      = "${local.enabled == true ? format("%v", var.stage) : ""}"
  attributes = "${local.enabled == true ? format("%v", join(var.delimiter, compact(var.attributes))) : ""}"

  # Merge input tags with our tags.
  # Note: `Name` has a special meaning in AWS and we need to disamgiuate it by using the computed `id`
  tags = "${
      merge( 
        map(
          "Name", "${local.id}",
          "Namespace", "${local.namespace}",
          "Stage", "${local.stage}"
        ), var.tags
      )
    }"
}
rohit avatar

Do you have plans to do the same in your module ?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

we use it in many other modules and we convert to lower case. actually, we always specify lower-case names. So for backwards compatibility we would not change it to not convert. But you might want to open a PR against our repo with added flag to specify whether to convert or not (e.g. var.convert_case) with default true

rohit avatar

i can definitely do that

rohit avatar

i don’t think that would take a lot of effort

rohit avatar

i might be wrong

rohit avatar

i guess the tricky part would be to figure out nested conditional statements. I believe nested conditional statements will become easier in terraform v0.12

rohit avatar

i am not sure if this is a valid syntax in terraform

  id = "${local.enabled == true ? (local.convert_case == true ? lower(join(var.delimiter, compact(concat(list(var.namespace, var.stage, var.name), var.attributes)))) : join(var.delimiter, compact(concat(list(var.namespace, var.stage, var.name), var.attributes))))) : ""}"
rohit avatar

can anyone please confirm ?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

more or less, but i would store the non-transformed value somewhere as a local

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

rather than duplicate it twice

rohit avatar

yeah that would make more sense

rohit avatar

how do i get access to push my git branch to your repository ?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

oh, start by creating a github fork of the repo

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

then make your changes to the fork

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

from there, you can open up a PR against our upstream

rohit avatar

sorry, i thought that i can push my feature branch directly

rohit avatar

i opened a PR

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

can you paste the link

rohit avatar

PR link ?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

reviewed

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Also, can you add your business use-case to the “why” of the description

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
06:28:29 AM
rohit avatar

i wanted to use convert_case variable but to make it match your variable naming convention i used convertcase but i took your suggestion and used i wanted to use convert_case variable but to make it match your variable naming convention i used convertcase`

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

i think we use underscores everywhere

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

if we don’t it’s because the upstream resource did not (e.g. terraform)

rohit avatar

@Erik Osterman (Cloud Posse) thanks. Even though this was a small change it was fun working on it

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

yea, this will make it easier for you to contribute other changes

rohit avatar

yea

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

thanks! we’ll get this merged tomorrow probably

rohit avatar

that would be great. when do you generally push to registry ?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

oh, registry picks up changes in real-time

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

so as soon as we merge and tag a release it will be there.

rohit avatar

that is awesome

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

since it’s late, it’s best to have andriy review too

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

i miss things

rohit avatar

no worries

rohit avatar

what tool do you use to automatically push to registry?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

the registry actually is just a proxy for github

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

all we need to do is register a module with the registry

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

it’s not like docker registry where you have to push

rohit avatar

ohh i thought it was similar to docker registry

rohit avatar

but this is better i guess, this may have it’s pros and cons

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

i like that there’s zero overhead as a maintainer

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

nothing we need to remember to do

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

everytime i need to push a package to rubyforge i gotta dig up my notes

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

i’m curious - is anyone else peeved by the TF_VAR_ prefix? I find us having to map a lot of envs. Plus, when using chamber they all get uppercased.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I want a simple cli that normalizes environment variables for terraform. it would work like the existing env cli, but support adding the TF_VAR_ prefix and auto-lower everything after it.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

e.g.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

tfenv terraform plan

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

tfenv command

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

this could be coupled with chamber.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

chamber exec foobar -- tfenv terraform plan

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

(not to be confused with the rbenv cli logic)

2018-12-02

loren avatar

If case is the main complaint, I wonder if there’s been any discussion in making the env case insensitive in terraform core?

loren avatar

I’m not turning up any discussion around it, but I’m on my phone and not searching all that extensively

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

i know i’ve tested it for case insensitivity and it does not work

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

so i have a prototype of the above that i’m about to push

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

it supports whitelists and blacklists (regex) for security (e.g. exclude AWS_* credentials)

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

this is going to make interoperability between all of our components much cleaner and our documentation easier to write.

loren avatar

Oh, I know it’s case sensitive for sure, I mean something like a feature request to make it case insensitive so upper case works (which is more inline with env convention), without breaking backwards compatibility

2
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Ah gotcha, yea can’t find any feature request for that

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I don’t see that getting approved though…

loren avatar

Might be worth having the conversation at least, since they really are going against env convention as it is…

antonbabenko avatar
antonbabenko

Not related to the main discussion, but still :) consider using direnv tool to automatically set env per directory. I use it with terragrunt to set correctly IAM role to assume per directory.

1
loren avatar

Do you use –terragrunt-working-dir with that? Or just change directory first?

antonbabenko avatar
antonbabenko

I just change directory

antonbabenko avatar
antonbabenko

never had a need to play with –terragrunt-working-dir

loren avatar

Ahhh ok, I only use the flag myself

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

yea, direnv is nice for that

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

my problem is that we use kops, gomplate, chamber, etc

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

and the TF_VAR_ stuff makes it cumbersum

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

chamber upper cases everything

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

kops should not depend on TF_VAR_ envs

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

so we end up duplicating a lot of envs (or reassigning them)

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

so i want a canonical list of normal envs that we can map to terraform

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@antonbabenko though i’ve not gone deep on direnv

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

do you see a way to achieve the same thing in a DRY manner?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

if so, i’d prefer to use direnv

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

basically, i’d like to normalize envs (lowercase) and add TF_VAR_ prefix without defining by hand for each env

loren avatar

Do kops and chamber not namespace the envs they read?

loren avatar

If not, I suppose where I’m going is, why not use the TF_VAR_ env in those configs? All the prefixing would be annoying, but at least the values would only be defined once

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I don’t like making terraform the canonical source of truth

loren avatar

Oh chamber upper cases things. Blergh

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Yea plus that

loren avatar

I guess I don’t see how to inform the different utilities which envs to use or which env namespaces/prefixes to apply per utility… I think it would require going down the road you started with a new wrapper utility with it’s own config file

antonbabenko avatar
antonbabenko

I once used a shell script which converted env vars for similar reason, but it was before I discovered direnv.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I think I am going to combine what I have with direnv

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Per your tip :-)

loren avatar

Yeah, sometimes a little copy-paste is still the simplest abstraction…

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@tamsky are you also using direnv?

tamsky avatar

just learning about it now :: https://direnv.net/

1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

we added support for this yesterday

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

0.41.0

2018-12-03

Jan avatar

The problem I found with using direnv previously on a large project was that users of the project started to expect a .envrc file anytime any thing could or needed to be set in env vars. Maybe worth thinking about if there is a clear cut separation between what IS in direnv and what is NOT

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@Jan true - and to your point that you raised earlier with me about having a clear cut delineation of what goes where

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

i don’t have a “best practice” in mind yet. i need to let this simmer for a bit.

Jan avatar

consistency is better than correctness

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

indeed.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@Jan going to move to #geodesic

rohit avatar

@Andriy Knysh (Cloud Posse) Did you get a chance to review my PR ?

rohit avatar

Is it possible to attach ASG to existing cloudwatch event using terraform ?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

yes, that’s possible

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

are you using our autoscale group module?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
cloudposse/terraform-aws-ec2-autoscale-group

Terraform module to provision Auto Scaling Group and Launch Template on AWS - cloudposse/terraform-aws-ec2-autoscale-group

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@Jake Lundberg (HashiCorp) it was just brought to our attention that the registry is mangling html entites: https://registry.terraform.io/modules/cloudposse/ansible/null/0.4.1

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
05:51:30 PM
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

while on github we see

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
05:51:54 PM
Jake Lundberg (HashiCorp) avatar
Jake Lundberg (HashiCorp)

OK, I’d open an issue in Github.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I can’t find the appropriate repo to open it against.

rohit avatar

@Erik Osterman (Cloud Posse) i am using aws_autoscaling_group resource, so once an ASG is created i want to go and add the ASG name in cloudwatch event so that it will disassociate nodes from chef server

rohit avatar

makes sense ?

joshmyers avatar
joshmyers

@rohit I’m not sure on the question there

joshmyers avatar
joshmyers

I’ve seen those disassociation scripts put in as shutdown scripts

joshmyers avatar
joshmyers

Although that does need a clean shutdown event

rohit avatar

Let me explain this in a better way. When autoscaling event is triggered, the userdata script gets executed and it does associate the node with the chef server. When a node in this ASG is terminated, a cloudwatch event is triggered which inturn calls a lambda function to disassociate the node from the chef server

rohit avatar

i was planning to do this in terraform

rohit avatar

so i am using aws_autoscaling_group resource to create ASG

joshmyers avatar
joshmyers

OK, still not sure what the question is :D

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@rohit as @Erik Osterman (Cloud Posse) pointed out, you can connect the ASG to CloudWatch alarms using Terraform https://github.com/cloudposse/terraform-aws-ec2-autoscale-group/blob/master/autoscaling.tf#L27

cloudposse/terraform-aws-ec2-autoscale-group

Terraform module to provision Auto Scaling Group and Launch Template on AWS - cloudposse/terraform-aws-ec2-autoscale-group

rohit avatar

i want to connect the ASG to cloudwatch event rule

rohit avatar
{

  "source": [
    "aws.autoscaling"
  ],
  "detail-type": [
    "EC2 Instance Terminate Successful"
  ],
  "detail": {
    "AutoScalingGroupName": [
      "MY-ASG"
    ]
  }
}
joshmyers avatar
joshmyers

Looks like you are on the right track for that. I’m still not seeing a question or explanation of what problem you are having. Have you looked at what @Andriy Knysh (Cloud Posse) posted?

rohit avatar

I think what i need is aws_cloudwatch_event_rule and not aws_cloudwatch_metric_alarm

rohit avatar

i am struggling to figure out how to add my asg name to cloudwatch event rule

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
Event Patterns in CloudWatch Events - Amazon CloudWatch Events

Events in Amazon CloudWatch Events are represented as JSON objects. For more information about JSON objects, see RFC 7159 . The following is an example event:

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
resource "aws_cloudwatch_event_rule" "console" {
  name        = "name"
  description = "....."

  event_pattern = <<PATTERN
{
  "detail-type": [
    "..."
  ]
 ,
 "resources": [
   "${aws_autoscaling_group.default.name}"
]
}
PATTERN
}
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

try this ^

rohit avatar

Step 7: Add a CloudWatch rule to trigger the Lambda function on instance termination

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@rohit

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
CloudWatch Event Notifications Using AWS Lambda - via @codeshipattachment image

In this article, we will see how we can set up an AWS Lambda function to consume events from CloudWatch. By the end of this article, we will have an AWS Lambda function that will post a notification to a Slack channel. However, since the mechanism will be generic, you should be able to customize it to your use cases.

rohit avatar

will do. Thanks

rohit avatar

i am really struggling with this today

joshmyers avatar
joshmyers
brantburnett/terraform-aws-autoscaling-route53-srv

Manages a Route 53 DNS SRV record to refer to all servers in a set of auto scaling groups - brantburnett/terraform-aws-autoscaling-route53-srv

rohit avatar

this is helpful

joshmyers avatar
joshmyers

You don’t want "${join("\",\"", var.autoscaling_group_names)}" though, right

rohit avatar

I think i will still have to add my ASG name to the cloudwatch event

rohit avatar

i am not thinking straight today

rohit avatar

so pardon me

joshmyers avatar
joshmyers

Yup, you should do that

pablo avatar

has anyone used the resource aws_mq_broker https://www.terraform.io/docs/providers/aws/r/mq_broker.html in conjunction Hashicorp vault to store the users as a list?

AWS: aws_mq_broker - Terraform by HashiCorp

Provides an MQ Broker Resource

pablo avatar

I have tried to use them together to display a list a users from Vault but I think the Terraform resource checks for its dependancies before anything is ran against the API

pablo avatar

I have tried the following:

Serving Individual users with attributes
user                = [
  {
      username       = "${data.vault_generic_secret.amq.data["username"]}"
      password       = "${data.vault_generic_secret.amq.data["password"]}"
      console_access = true
  }
]
pablo avatar

&

Sending a dictionary of users
user = [${data.vault_generic_secret.amq.data["users"]}]
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

what’s the problem you’re having?

pablo avatar

the issue is that in order to use this resources you would have to keep user login information in version control

pablo avatar

what I want to do is keep the user information in Vault separate of the source code

pablo avatar

is this possible

pablo avatar

I am currently having to manually replace the user credentials with REDACTED with every change to Terraform

pablo avatar

I hope I am explaining my issue accurately

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

i am a confused because from the example, it looks like to me they are omnig from vault?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
      username       = "${data.vault_generic_secret.amq.data["username"]}"
      password       = "${data.vault_generic_secret.amq.data["password"]}"
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

and not form source control

pablo avatar

those are my examples of what I have tried (or close to that)

pablo avatar

but they don not work

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

aha, i see

pablo avatar

it fails before it makes an API call

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

ok, so what you’re trying to do looks good more or less. now we need to figure out why it’s failing.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

can you share the invocation of vault_generic_secret?

pablo avatar

which leads me to believe that it does some sort of dependency check for required attributes

pablo avatar

well I have gone as far as checking to make sure Terraform is getting the secret which it is

pablo avatar

but Terraform fails even before it queries Vault

pablo avatar

I have verified this by outputting the invocation of the secret. Which works when I do not use the AMQ Resource but does not when I include the AMQ resource in the Terraform config

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

can you share the precise error?

pablo avatar

lemme see if I can create a quick mock

pablo avatar

I thought I saved my work in a branch but didn’t

pablo avatar

ok here is the error with some trace

pablo avatar
pablo
12:58:33 AM
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

ok, please share the invocation of module.amq

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

and the invocation of data.vault_generic_secret

pablo avatar

sorry but what do you mean by invocation? do you want to see how I am executing it our do you want the entire stack trace?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

oh, yes, that’s ambiguous

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

i mean the HCL code

pablo avatar
pablo
01:42:13 AM
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I don’t see data.vault_generic_secret

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

and I don’t see module.amq

pablo avatar

wasn’t done, I keep getting distracted

pablo avatar
pablo
01:48:17 AM
pablo avatar

this one is the root config and the former was the module I created

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

ok

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I would explore the data structures.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Error: module.amq.aws_mq_broker.amq_broker: "user.0.password": required field is not set

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

this gives me a hint that perhaps the input data structure is wrong

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

perhaps ${data.vault_generic_secret.amq.data["users"]} is not in the right structure.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

is users a list of maps?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
[{ username: "foo", password: "bar"}, {username: "a", password: "b"}]
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

also, I have seen problem with this

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
amq_users = ["${data.vault_generic_secret.amq.data["users"]}"]
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

where in ["${...}"] the content of the ${...} interpolation returns a list.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

so we get a list of lists.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

terraform is supposed to flatten this, however, I have found this not the case when working with various providers.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

my guess is that the authors don’t properly handle the inputs.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

perhaps try this too

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
amq_users = "${data.vault_generic_secret.amq.data["users"]}"
pablo avatar

thanks I’ll give that a shot

pablo avatar

do you know if Terraform first tries to validate the resource dependancies before actually executing the resource? During the plan or pre-apply stages?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)


validate the resource dependancies

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

not from what i’ve seen. there’s very little “schema” style validation

rohit avatar

I noticed that my change for convert_case to terraform-terraform-label defaults the value "true" but in [main.tf](http://main.tf) i am using it as boolean

rohit avatar
cloudposse/terraform-terraform-label

Terraform Module to define a consistent naming convention by (namespace, stage, name, [attributes]) - cloudposse/terraform-terraform-label

rohit avatar
cloudposse/terraform-terraform-label

Terraform Module to define a consistent naming convention by (namespace, stage, name, [attributes]) - cloudposse/terraform-terraform-label

rohit avatar

so i am going to submit another PR to fix this issue

rohit avatar

sorry about that

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@rohit wait

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

everything is ok

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

you convert it to boolean in the locals

rohit avatar

i feel something is wrong

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

and you need to add it

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

sorry, we missed it

rohit avatar

instead of using var.convert_case i used local.convert_case

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
locals {
  convert_case = "${var.convert_case == "true" ? true : false }"
 }
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

add this ^

rohit avatar

yeah that’s what i am doing now

rohit avatar

i found this when i was trying to use it in my project

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

and use one locals, no need to make multiple

rohit avatar

will do

rohit avatar

@Andriy Knysh (Cloud Posse) i am sorry about not noticing that earlier

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

yea, we did not notice it either

rohit avatar

submitted another PR

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

tested this time?

rohit avatar

what is the recommended way to test it ?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-terraform-label

Terraform Module to define a consistent naming convention by (namespace, stage, name, [attributes]) - cloudposse/terraform-terraform-label

rohit avatar

Looks good to me

rohit avatar

didn’t realize that formatting would cause The Travis CI build to fail

rohit avatar

pushed the change

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

thanks, merged

rohit avatar

awesome

rohit avatar

which tool do you use for secrets management ?

davidvasandani avatar
davidvasandani

my 2¢, I love credstash works really well with Terraform.

davidvasandani avatar
davidvasandani

if you can use KMS in AWS

rohit avatar

is there an API for credstash ?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
segmentio/chamber

CLI for managing secrets. Contribute to segmentio/chamber development by creating an account on GitHub.

rohit avatar

any thoughts about using hashicorp vault ?

davidvasandani avatar
davidvasandani

Valut is really cool but is a higher barrier to start using (setting up servers) vs credstash is serverless.

rohit avatar

that is great

rohit avatar

what about chamber ?

davidvasandani avatar
davidvasandani

chamber uses AWS Systems Manager Parameter Store also serverless.

davidvasandani avatar
davidvasandani

I’m reading https://segment.com/blog/the-right-way-to-manage-secrets/ and probably would have picked chamber if it was available when I started using credstash

rohit avatar

good to know. will read about it

rohit avatar

I am looking for something that will play nicely with Chef

Andrew Jeffree avatar
Andrew Jeffree

I’m looking at implementing vault at my work but that’s to cover multiple requirements not just terraform secrets.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Yea, it’s pretty sweet!

rohit avatar

i am looking at something that is not limited to terraform secrets as well

rohit avatar

but something that works with AWS + Chef

davidvasandani avatar
davidvasandani

I use credstash for .env in our rails app, terraform secrets, and secrets in Salt. Having said that after reading more about chamber I probably would have gone with that instead.

1

2018-12-04

btai avatar

anyone here use terraform to spin up EKS/AKS/GKE and use the kubernetes/helm providers

Matthew avatar
Matthew

Yes I spin up EKS and Helm as well as Concourse using Terraform @btai

btai avatar

@Matthew do you have RBAC enabled? if so, when you spin up your EKS cluster are you automatically running a helm install in the same terraform apply?

Matthew avatar
Matthew

Yes to both of those

btai avatar

scenario being, running a helm install to provision the cluster with roles, role bindings, cluster role bindings, possibly cluster wide services, etc.

btai avatar

so im not using EKS, im using AKS so im not sure if you run into this issue

btai avatar

but im attempting to create some very basic clusterrolebindings

btai avatar
provider "kubernetes" {
  host                   = "${module.aks_cluster.host}"
  client_certificate     = "${base64decode(module.aks_cluster.client_cert)}"
  client_key             = "${base64decode(module.aks_cluster.client_key)}"
  cluster_ca_certificate = "${base64decode(module.aks_cluster.ca_cert)}"
}
Matthew avatar
Matthew

Give me a moment and we can discuss

Gabe avatar

anyone here have experience with terraform enterprise? is it worth the cost in your opinion?

btai avatar

i didnt do too much digging, but i wasnt a fan of having to have a git repo per module. they do this because they use git tags for versioning modules, but i didnt want to have that many repos

pericdaniel avatar
pericdaniel

i have no clue why this wont work

pericdaniel avatar
pericdaniel
03:38:14 AM
davidvasandani avatar
davidvasandani

-> this should fix it owners = ["137112412989"]

also you can simplify your filters

  filter {
    name   = "name"
    values = ["amzn-ami-hvm-*-x86_64-gp2"]
  }
davidvasandani avatar
davidvasandani
# Grab most recent linux ami
data "aws_ami" "linux_ami" {
  most_recent      = true
  owners = ["137112412989"]
  executable_users = ["self"]

   filter {
    name   = "name"
    values = ["amzn-ami-hvm-*-x86_64-gp2"]
  }
}

also I’m not sure if values = ["amzn-ami-hvm-*"] is enough so I’ve updated it to values = ["amzn-ami-hvm-*-x86_64-gp2"]

davidvasandani avatar
davidvasandani

cc @pericdaniel

pericdaniel avatar
pericdaniel

Thank you so much!!

pericdaniel avatar
pericdaniel

Seems like owners is the key component

Steven avatar

@pericdaniel Always use owner for Amazon AMIs. Otherwise you could get anyone’s AMI with a similar name. And there are many of those. Same thing for other vendor AMIs. Here is a terraform module that handles a number of vendors https://github.com/devops-workflow/terraform-aws-ami-ids

devops-workflow/terraform-aws-ami-ids

Terraform module to lookup AMI IDs. Contribute to devops-workflow/terraform-aws-ami-ids development by creating an account on GitHub.

1
pericdaniel avatar
pericdaniel

Thank you!!!

2018-12-05

inactive avatar
inactive

hello! i have a problem with terraform and cloudfront, wondering if someone has seen this issue

inactive avatar
inactive

I have a website hosted statically on S3 with Private ACL. I am using Cloudfront to serve the content

inactive avatar
inactive

I am using an S3 origin identity, which requires an access identity resource

inactive avatar
inactive

and I see that it creates the access identity successfully, but the problem is that it does not attach it to the cloudfront distro

inactive avatar
inactive

when I go back to the AWS console, the access id is listed in the dropdown but not selected

inactive avatar
inactive

i suspect the problem has to do with this section of the code:

inactive avatar
inactive

any tips?

inactive avatar
inactive
02:46:37 PM
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@inactive here is what we have and it’s working, take a look https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn/blob/master/main.tf

cloudposse/terraform-aws-cloudfront-s3-cdn

Terraform module to easily provision CloudFront CDN backed by an S3 origin - cloudposse/terraform-aws-cloudfront-s3-cdn

inactive avatar
inactive

mmm… you have the same code as i do. the s3_origin_config snippet references the access_id, which I expected would set it

inactive avatar
inactive

not sure why its not doing in my case

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

you can share your complete code, we’ll take a look (maybe something else is missing)

inactive avatar
inactive

ok

inactive avatar
inactive
02:57:18 PM
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@inactive try deleting this

  website {
    index_document = "${var.webui_root_object}"
  }
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

it prob creates the bucket as website (need to verify if that statement is enough for that), but anyway, if it creates a website, it does not use origin access identity - cloudfront distribution just points to the public website URL

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

we also have this module to create CloudFront distribution for a website (which could be an S3 bucket or a custom origin) https://github.com/cloudposse/terraform-aws-cloudfront-cdn

cloudposse/terraform-aws-cloudfront-cdn

Terraform Module that implements a CloudFront Distribution (CDN) for a custom origin. - cloudposse/terraform-aws-cloudfront-cdn

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

and here is how to create a website from S3 bucket https://github.com/cloudposse/terraform-aws-s3-website

cloudposse/terraform-aws-s3-website

Terraform Module for Creating S3 backed Websites and Route53 DNS - cloudposse/terraform-aws-s3-website

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

in short, CloudFront could be pointed to an S3 bucket as origin (in which case you need origin access identity) AND also to an S3 bucket as a website - they have completely diff URLs in these two cases

inactive avatar
inactive

ok let me try that

pericdaniel avatar
pericdaniel

i get this error Resource ‘aws_security_group.dbsg’ not found for variable ‘aws_security_group.dbsg.id’ even tho i created the sg… hmmm

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@pericdaniel need help or found the solution?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@inactive how it goes?

pericdaniel avatar
pericdaniel

i found a new solution! thank you tho!

pericdaniel avatar
pericdaniel

i think i did a local and an outpiut

pericdaniel avatar
pericdaniel

to make it work

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
Creating a Terraform Provider for Just About Anything

Learn about the inner workings of Terraform and examine all the elements of a provider, from the documentation to the test suite. You’ll also see how to create and contribute to them.

2
pericdaniel avatar
pericdaniel

my favorite is the first word in the first sentence

pericdaniel avatar
pericdaniel

Terrafom is an amazing tool that lets you define your infrastructure as code. Under the hood it’s an incredibly powerful state machine that makes API requests and marshals resources.

pericdaniel avatar
pericdaniel

ill have to watch this

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Quick question to @here does the Cloudtrail Module support setting the SNS settings? and is that really needed, just have not used it….

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Our terraform-aws-cloudtrail does not current have any code for that

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

this module created by Jamie does something similar

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
cloudposse/terraform-aws-cloudtrail-cloudwatch-alarms

Terraform module for creating alarms for tracking important changes and occurances from cloudtrail. - cloudposse/terraform-aws-cloudtrail-cloudwatch-alarms

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

with SNS alarms

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I have not personally deployed it.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@davidvasandani someone else reported the exact same EKS problem you ran into

1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
Getting error when trying to run initial plan · Issue #5 · cloudposse/terraform-aws-eks-cluster
  • module.eks_workers.module.autoscale_group.data.null_data_source.tags_as_list_of_maps: data.null_data_source.tags_as_list_of_maps: value of ‘count’ cannot be computed
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@patrickleet is trying it right now

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

maybe you can compare notes

patrickleet avatar
patrickleet
02:06:19 AM

@patrickleet has joined the channel

davidvasandani avatar
davidvasandani

Good to know I’m not alone.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

or let him know what you tried

davidvasandani avatar
davidvasandani

Lets see if I kept my notes after moving to kops

1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

kops is pretty easy/peasy right?

davidvasandani avatar
davidvasandani

So easy.

davidvasandani avatar
davidvasandani

I was up and running in no time and have started learning to deploy statup.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

nice! let me know if you get stuck - i can unblock you

1
patrickleet avatar
patrickleet

haha ok so you moved to kops

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

kops is much easier to manage the full SDLC of a kubernetes cluster

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

rolling updates, drain+cordon

patrickleet avatar
patrickleet

yea I have a couple of kops clusters

patrickleet avatar
patrickleet

and a gke one

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

ok, yea, so you know the lay of the land

patrickleet avatar
patrickleet

I was specifically trying to play with eks using terraform and came across your modules

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

we rolled out EKS ~2 months ago for the same reason

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

these modules were the byproduct of that. @Andriy Knysh (Cloud Posse) is not sure what changed. we always leave things in a working state.

patrickleet avatar
patrickleet

yea - I’m able to plan the vpc

patrickleet avatar
patrickleet

which has tags calculated

patrickleet avatar
patrickleet

which is where it’s choking

patrickleet avatar
patrickleet

it’s not able to get the count

davidvasandani avatar
davidvasandani

Same here.

patrickleet avatar
patrickleet

haven’t actually tried applying the vpc plan and moving further though

davidvasandani avatar
davidvasandani

@patrickleet I think we ran into the same issue.

davidvasandani avatar
davidvasandani

With the null_data_source in eks_workers commented out I had hoped the full eks module would work (I reverted the eks_cluster allowed_security_groups back to the default) but eks_cluster still errors.

module.eks_cluster.aws_security_group_rule.ingress_security_groups: aws_security_group_rule.ingress_security_groups: value of 'count' cannot be computed
davidvasandani avatar
davidvasandani

Wait.

davidvasandani avatar
davidvasandani

I was able to plan the VPC just fine.

davidvasandani avatar
davidvasandani

make your enabled var false

davidvasandani avatar
davidvasandani

it will plan the VPC with the tags count just fine.

davidvasandani avatar
davidvasandani

but then errors out when I set it to true, see the Slack link above.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

I’ll take a look at the EKS module tomorrow. Not good to have it in that state :(

rohit avatar

Is there a comprehensive gitignore file for any terraform project ?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-null-label

Terraform Module to define a consistent naming convention by (namespace, stage, name, [attributes]) - cloudposse/terraform-null-label

rohit avatar

that’s what i was using

rohit avatar

do you generally state the plan files somewhere if not in your repo ?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

you mean to add the plan files to .gitignore?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
github/gitignore

A collection of useful .gitignore templates. Contribute to github/gitignore development by creating an account on GitHub.

rohit avatar

i mean do you store the generated plan somewhere

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

if you do it on your local computer, the state is stored locally. We use S3 state backend with DynamoDB table for state locking, which is a recommended way of doing things https://github.com/cloudposse/terraform-aws-tfstate-backend

cloudposse/terraform-aws-tfstate-backend

Provision an S3 bucket to store terraform.tfstate file and a DynamoDB table to lock the state file to prevent concurrent modifications and state corruption - cloudposse/terraform-aws-tfstate-backend

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

are you asking about the TF state or about the files that terraform plan can generate and then use for terraform apply?

rohit avatar

i was asking about the later. when you run terraform plan --var-file="config/app.tfvars" --out=app.storage.plan and then terraform apply app.storage.plan

rohit avatar

do you store the generated plan file somewhere or just ignore it ?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

since we store TF state in S3, we don’t use the plan files, you can say we ignore them

rohit avatar

cool

rohit avatar

if i have tfvars inside a config dir, ex: config/app1.tfvars, config/app2.tfvars, i think including *.tfvars in gitignore will restrict both these files to be checkedin in my code repo, correct ?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

maybe **/*.tfvars?

rohit avatar

i thought *.tfvars would be enough, maybe i was wrong

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

should be enough

rohit avatar

will try that

rohit avatar
cloudposse/terraform-aws-tfstate-backend

Provision an S3 bucket to store terraform.tfstate file and a DynamoDB table to lock the state file to prevent concurrent modifications and state corruption - cloudposse/terraform-aws-tfstate-backend

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

in this case it’s not actually needed. but if you use https://github.com/cloudposse/terraform-aws-dynamodb-autoscaler, then it will help to prevent TF from recreating everything when the auto-scaler changes the read/write capacity

cloudposse/terraform-aws-dynamodb-autoscaler

Terraform module to provision DynamoDB autoscaler. Contribute to cloudposse/terraform-aws-dynamodb-autoscaler development by creating an account on GitHub.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-aws-dynamodb

Terraform module that implements AWS DynamoDB with support for AutoScaling - cloudposse/terraform-aws-dynamodb

2018-12-06

Jan avatar

Life cycle hooks can also be super useful for doing X when Y happens. A common case I have is when destroying a Cassandra cluster I need to unmount the ebs volumes from the instances so I can do a fast snapshot and then terminate

1
loren avatar

Nifty idea!

Jan avatar

Need to see if I can publish that

Jan avatar

actually this is self explanatory

  provisioner "remote-exec" {
    inline = [
      "sudo systemctl stop cassandra",
      "sudo umount /cassandra/data",
      "sudo umount /cassandra/commitlog",
    ]

    when = "destroy"
  }
}


Jan avatar

On Event terminate remote-exec umount

Jan avatar

Also great for zero downtime changes, create before destroy

Jan avatar

In the case you posted I would expect its to let terraform know that it doesn’t need to care about any. Changes of the values

Jan avatar

lifecycle { ignore_changes = [“read_capacity”, “write_capacity”] }

rohit avatar

makes sense

rohit avatar

never use lifecycle hooks so it is new to me

rohit avatar

In general, where are the lifecycle hooks used ?

joshmyers avatar
joshmyers

Can be used under different conditions. A common one could be where Terraform isn’t the only thing managing a resource, or element of resources.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

or if a resource could change outside of TF state like in the example with DynamoDB auto-scaler, which can update the provisioned capacity and TF would see different values and try to recreate it

1
loren avatar

Seems like this could be considered a bug…. If the table is enabled for autoscaling, then TF shouldb automatically ignore changes to provisioned capacity values…

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

yea, but auto-scaling is a separate AWS resource and TF would have know how to reconcile two resources, which is not easy

loren avatar

Oh it’s two resources? I see… Hmmm… Maybe it could be handled in one, kind of like rules in a security group have two modes, inline or attached…

inactive avatar
inactive

@Andriy Knysh (Cloud Posse) I am happy to report that your suggestion fixed my problem, re: CloudFront

inactive avatar
inactive

I still don’t quite understand how it’s still able to pull the default html page, since I thought that I had to explicitly define it under the index_document parameter

inactive avatar
inactive

but it somehow works

inactive avatar
inactive

tyvm for your help

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

glad it worked for you @inactive

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

did you deploy the S3 bucket as a website?

inactive avatar
inactive

i assume no, since I removed the whole website {…} section

inactive avatar
inactive

but CF doesn’t seem to care, as it serves the content without that designation

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-aws-eks-cluster

Terraform module for provisioning an EKS cluster. Contribute to cloudposse/terraform-aws-eks-cluster development by creating an account on GitHub.

2
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

which fixes value of 'count' cannot be computed errors

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-aws-eks-cluster

Terraform module for provisioning an EKS cluster. Contribute to cloudposse/terraform-aws-eks-cluster development by creating an account on GitHub.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@davidvasandani @patrickleet

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

davidvasandani avatar
davidvasandani

Thanks @Andriy Knysh (Cloud Posse) and @Erik Osterman (Cloud Posse)

davidvasandani avatar
davidvasandani

While this module works y’all still prefer kops though right?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Yea…

davidvasandani avatar
davidvasandani

This is more a proof of concept or looking for folks to ask/add additional features?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

It lacks a story for managing rolling upgrades

1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Since we don’t have a story for that, we aren’t pushing it. It’s mostly there on standby pending customer request to use EKS over Kops

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Then we will invest in the upgrade story.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I really like the architecture of the modules

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

And the way we decomposed it makes it easy to have different kinds of node pools

2
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

The upgrade story would probably use that story to spin up multiple node pools and move workloads around and then then scale down the old node pool

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Almost like replicating the Kubernetes strategy for deployments and replica sets

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

But for auto scale groups instead

2018-12-07

sohel2020 avatar
sohel2020
cloudposse/terraform-aws-elasticsearch

Terraform module to provision an Elasticsearch cluster with built-in integrations with Kibana and Logstash. - cloudposse/terraform-aws-elasticsearch

sohel2020 avatar
sohel2020

it sets a router53 record for me but it’s not working

sohel2020 avatar
sohel2020
dig production-kibana.infra.mytonic.com                                                                              

;; QUESTION SECTION:
;production-kibana.infra.mytonic.com. IN	A

;; ANSWER SECTION:
production-kibana.infra.mytost.com. 59	IN CNAME vpc-fluentd-production-elastic-43nbkjmxhatoajegdhyxekul3a.ap-southeast-1.es.amazonaws.com/_plugin/kibana/.

;; AUTHORITY SECTION:
.			86398	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2018120700 1800 900 604800 86400

;; Query time: 333 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
sohel2020 avatar
sohel2020

but if I hit <http://production-kibana.infra.mytost.com> it’s not working.

sohel2020 avatar
sohel2020

I have to add <http://production-kibana.infra.mytost.com/_plugin/kibana/> manually

sohel2020 avatar
sohel2020

@Andriy Knysh (Cloud Posse)

Jan avatar

I have a generalish terraform / geodesic question so not sure if I should ask in here or #geodesic

Jan avatar

I’d like to spin up . 4 accounts with 4 identical vpc’s (with the exception of name and cidr) in which 3 will have kops managed k8s clusters

Jan avatar

2 of those 3 the k8s cluster would be launched after the vpc needs to be around for some time

Jan avatar

What I have not quite yet under stood is how the two different flows will look.

1.a) create vpc b) create resources in that vpc c) create k8s cluster with kops in existing vpc 2.a) create vpc using kops b) create resources in the vpc created by kops

Jan avatar

for flow 1 in a geodesig way

Jan avatar

im not sure I understand how or if it is supported to launch into and EXISTING vpc

Jan avatar
cloudposse/terraform-aws-kops-vpc-peering

Terraform module to create a peering connection between a backing services VPC and a VPC created by Kops - cloudposse/terraform-aws-kops-vpc-peering

Jan avatar

terraform-aws-kops-vpc-peering - Terraform module to create a peering connection between a backing services VPC and a VPC created by Kops

Jan avatar

So is it expected that any geodesic kops created k8s cluster will run in its own vpc?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@Jan i’ll help you

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

so yes, you can deploy kops cluster into an existing VPC

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

but we don’t do that for a few reason

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

you don’t want to manage CIDR overlaps for example

Jan avatar

I know I can and how to, its the pattern I have followed

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

so we deploy kops into a separate VPC

Jan avatar

Not sure I understand the rational there

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

and then deploy a backing-services VPC for all other stuff like Aurora, Elasticsearch, Redis etc.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

then we do VPC peering

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

we don’t want to manage CIDR overlaps

Jan avatar

there is no overlap

Jan avatar

the k8s cluster uses the vpc cidr

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

but you can deploy kops into an existing VPC

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

there is no diff, but just more separation

Jan avatar

IP’s are still managed by the dhcp optionset in the vpc

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

and we have TF modules that do it already

Jan avatar

interesting

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

i can show you the complete flow for that (just deployed it for a client)

Jan avatar

Alright I think I will write a TF module to do k8s via kops into an existing and make a pr

Jan avatar

Yea I have seen the flow for creating a backing VPC + kops (k8s)vpc with peering

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

when we tried to deploy kops into existing VPC, we ran into a few issues, but i don’t remember exactly which ones

Jan avatar

I recall there being weirdness and cidr overlaps if you dont use the subnet =ids and stuff

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

deploying into a separate VPC, did not see any issues

Jan avatar

so for example I have some thing like this

Jan avatar

corporate network === AWS DirectConnect ==> [shared service-vpc(k8s)] /22 cidr —> peering –> [{prod,pre-prod}-vpc(k8s)] /16 cidr

Jan avatar

where we run shared monitoring and logging and ci/cd services in the shared-services vpc (mostly inside k8s)

Jan avatar

k8s also has ingress rules that expose services in the peered prod and pre prod accounts tot he corp network

Jan avatar

overhead on the corp network is just the routing of the /22

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

so you already using vpc peering?

Jan avatar

I am busy setting this all up

Jan avatar

corp network will have direct connect to a /22 vpc

Jan avatar

the /22 with have peering to many vpcs within a /16

Jan avatar

that /16 we will split as many times as we need, probably into /24’s

Jan avatar

or 23’s

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@Jan your question was how to deploy kops into an existing VPC?

Jan avatar

My question was more if there is geodesic support for that flow or if i should add a module to do so

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

we deploy kops (from geodesic, but it’s not related) from a template, which is here https://github.com/cloudposse/geodesic/blob/master/rootfs/templates/kops/default.yaml

cloudposse/geodesic

Geodesic is the fastest way to get up and running with a rock solid, production grade cloud platform built on top of strictly Open Source tools. https://slack.cloudposse.com/ - cloudposse/geodesic

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

the template deploys it into a separate vpc

Jan avatar

Yep this I used to do having terraform render a go templated

Jan avatar

ok I will play with a module and see where the overlap/handover is

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

if we want to deploy into an existing vpc using the template, it should be modified

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

there is no TF module for that

Jan avatar

Yep, I will create one

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

TF module comes into play when we need to do vpc peering

Jan avatar

just figured Id ask before I made one

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

you thinking about a TF module to deploy kops?

Jan avatar

a new tf module to fetch vpc metadatas (maybe), and deploy k8s via kops into the existing vpc

Jan avatar

vpc metadata would not be needed if it vpc was created in tf

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-aws-kops-metadata

Terraform module to lookup resources within a Kops cluster for easier integration with Terraform - cloudposse/terraform-aws-kops-metadata

Jan avatar

yea so this is that flow in reverse

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-root-modules

Collection of Terraform root module invocations for provisioning reference architectures - cloudposse/terraform-root-modules

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-root-modules

Collection of Terraform root module invocations for provisioning reference architectures - cloudposse/terraform-root-modules

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@Jan not sure if it answers your questions :disappointed: but what we have is 1) kops template to deploy kops into a separate VPC; 2) TF modules for VPC peering and kops metadata lookup

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

we played with deploying kops into an existing vpc, but abandoned it for a few reasons

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@sohel2020 you have to manually add _plugin/kibana/ to <http://production-kibana.infra.mytost.com> because URL paths are not supported for CNAMEs (and [production-kibana.infra.mytost.com](http://production-kibana.infra.mytost.com) is a CNAME to the Elasticsearch URL generated by AWS)

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
Using DNS to redirect to another URL with a path

I’m trying to redirect a domain to another via DNS. I know that using IN CNAME it’s posible. www.proof.com IN CNAME www.proof-two.com. What i need is a redirection with a path. When someone type…

Is it possible to have a CNAME DNS record point to a URL with a path?

I’ve registered several domains for my nieces and nephews, the idea being to create small static webpages for them, so they can say ‘look at my website!’. In terms of hosting it, I’m using expres…

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

even if you do it in the Route53 console, you get the error

The record set could not be saved because:
- The Value field contains invalid characters or is in an invalid format.
Jan avatar

Its all good bro, thanks. I will make a module to support my use case

2
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Yea you want to inject kops into a vpc. We don’t have that but I do like it and we have a customer that did that but without modularizing it.

Jan avatar

I have done it in several ways in tf

Jan avatar

I will look to make a module and contribute it

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We would like to have a module for it, so that would be awesome

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

thanks @Jan

Ryan Ryke avatar
Ryan Ryke

just a quick sanity check. when was the last time someone used the terraform-aws-vpc module… i copy pasta’d the example

module "vpc" {
  source    = "git::<https://github.com/cloudposse/terraform-aws-vpc.git?ref=master>"
  namespace = "cp"
  stage     = "prod"
  name      = "app"
}

and it gave me Error: module "vpc": missing required argument "vpc_id"

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We use it all the time

Ryan Ryke avatar
Ryan Ryke

sorta funny when thats what im trying to create

Ryan Ryke avatar
Ryan Ryke

perhaps the sample is messed

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Last week most recently. @Andriy Knysh (Cloud Posse) any ideas?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Most current examples are in our root modules folder

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Sec

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@solairerove will be adding and testing all examples starting next week probably

1
solairerove avatar
solairerove
05:05:01 PM

@solairerove has joined the channel

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

just used it yesterday on the EKS modules

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

used the example that pulled the master branch

Ryan Ryke avatar
Ryan Ryke

maybe im an idiot

Ryan Ryke avatar
Ryan Ryke

let me go back and check

Ryan Ryke avatar
Ryan Ryke

nm nothing to see here

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-aws-eks-cluster

Terraform module for provisioning an EKS cluster. Contribute to cloudposse/terraform-aws-eks-cluster development by creating an account on GitHub.

Ryan Ryke avatar
Ryan Ryke

i musta gotten my pasta messed up

Ryan Ryke avatar
Ryan Ryke

confirmed <- idiot

1
Ryan Ryke avatar
Ryan Ryke

at least it didnt take me all day

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

the error must have been from another module?

Ryan Ryke avatar
Ryan Ryke

yeah

Ryan Ryke avatar
Ryan Ryke
cloudposse/terraform-aws-cloudwatch-flow-logs

Terraform module for enabling flow logs for vpc and subnets. - cloudposse/terraform-aws-cloudwatch-flow-logs

Ryan Ryke avatar
Ryan Ryke

whats kinesis in there for.

Ryan Ryke avatar
Ryan Ryke

shipping somewhere is suppose

joshmyers avatar
joshmyers

Could have lambda slurp off the Kinesis stream, for example

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

This module was done more for checking a compliance checkbox

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

All logs stored in s3, but nothing immediately actionable

Ryan Ryke avatar
Ryan Ryke

ahh cool. they have shipping to cwl now, was just wondering if there was a specific purpose

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Yea, unfortunately not.

2018-12-08

rohit avatar

how to know the best value for max_item_size for memcache aws_elasticache_parameter_group ?

rohit avatar

does it depend on the instance type ?

2018-12-09

joshmyers avatar
joshmyers

@rohit Are you hitting a problem caused by the default max item size?

rohit avatar

@joshmyers no. i just want to know how the max_item_size works

joshmyers avatar
joshmyers
memcached/memcached

memcached development tree. Contribute to memcached/memcached development by creating an account on GitHub.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Max item size is the length of the longest value stored. If you are serializing data structures or session data, this could get quite large. If you are just storing simple key value pairs a smaller number is probably fine. This is a hint to memcache for how to organize the data and the size of slabs for storing objects.

joshmyers avatar
joshmyers

What kinda things are you storing in there?

rohit avatar

we are using memcache for tomcat session storage

rohit avatar

so basically session information

joshmyers avatar
joshmyers

Is 1mb object storage enough for you?

rohit avatar

I think so but i will have to check

rohit avatar

Looks like availability_zones option is deprecated in favor of preferred_availability_zones https://github.com/cloudposse/terraform-aws-elasticache-memcached/blob/65a0655e8bde7fb177516bbcdd394eddc8cfcc88/main.tf#L76

cloudposse/terraform-aws-elasticache-memcached

Terraform Module for ElastiCache Memcached Cluster - cloudposse/terraform-aws-elasticache-memcached

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Could you add an issue for this?

cloudposse/terraform-aws-elasticache-memcached

Terraform Module for ElastiCache Memcached Cluster - cloudposse/terraform-aws-elasticache-memcached

rohit avatar

sure can

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Thanks!

rohit avatar

I think i also know how to fix it

rohit avatar

so will probably submit a PR sometime tomorrow

rohit avatar

Is there a way to view what is stored in dynamodb table ? I was not able to find anything but empty table

Steven avatar

The Dynamodb table can be viewed and modified via the DynamoDB UI. There is nothing hiding it Once a Terraform config is setup correctly to write to S3 with locking and applied successfully, it will write to that table. Utill then it will be empty

rohit avatar

ohh ok

rohit avatar

I am using the terraform-aws-vpc module https://github.com/terraform-aws-modules/terraform-aws-vpc

terraform-aws-modules/terraform-aws-vpc

Terraform module which creates VPC resources on AWS - terraform-aws-modules/terraform-aws-vpc

rohit avatar

is it possible to update openvpn configuration,after a vpc is created using this module ?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

openvpn? <– not related to vpc

rohit avatar

Is there a way to provide subnet information instead of cidr_blocks in resource aws_security_group ingress and egress ?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Can you share an example? Pseudo code

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I am on my phone

rohit avatar
# create efs resource for storing media
resource "aws_efs_file_system" "media" {
  tags             = "${merge(var.global_tags, map("Owner","${var.app_owner}"))}"
  encrypted        = "${var.encrypted}"
  performance_mode = "${var.performance_mode}"
  throughput_mode  = "${var.throughput_mode}"
  kms_key_id       = "${var.kms_key_id}"
}

resource "aws_efs_mount_target" "media" {
  count           = "${length(var.aws_azs)}"
  file_system_id  = "${aws_efs_file_system.media.id}"
  subnet_id       = "${element(var.vpc_private_subnets, count.index)}"
  security_groups = ["${aws_security_group.media.id}"]
  depends_on      = ["aws_efs_file_system.media", "aws_security_group.media"]
}

# security group for media
resource "aws_security_group" "media" {
  name        = "${terraform.workspace}-media"
  description = "EFS"
  vpc_id      = "${var.vpc_id}"

  lifecycle {
    create_before_destroy = true
  }

  ingress {
    from_port   = "2049"                         # NFS
    to_port     = "2049"
    protocol    = "tcp"
    cidr_blocks = ["${element(var.vpc_private_subnets,0)}","${element(var.vpc_private_subnets,1)}","${element(var.vpc_private_subnets,2)}"]
    description = "vpc private subnet"
  }

  ingress {
    from_port   = "2049"                         # NFS
    to_port     = "2049"
    protocol    = "tcp"
    cidr_blocks = ["${element(var.vpc_public_subnets,0)}","${element(var.vpc_public_subnets,1)}","${element(var.vpc_public_subnets,2)}"]
    description = "vpc public subnet"
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = "${merge(var.global_tags, map("Owner","${var.app_owner}"))}"
}
rohit avatar

i am getting the following error

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

any reason you’re not using our module? …just b/c our goal is to make the modules rock solid, rather than manage multiple bespoke setups

rohit avatar

It’s just that some of the parameters were not being passed in your module

rohit avatar

for example, kms_key_id,throughput_mode

Steven avatar
AWS: aws_security_group - Terraform by HashiCorp

Provides a security group resource.

rohit avatar

yes, i can but i want to know if it is possible to directly pass subnet info

AWS: aws_security_group - Terraform by HashiCorp

Provides a security group resource.

rohit avatar

or vpc id

Steven avatar

You can pass cidr, security group, or prefix. VPC doesn’t make sense in this context. But I gave you an example of how to get subnets from the vpc in other thread

rohit avatar

I don’t think we can pass subnet groups in cidr_blocks

Steven avatar

You can pass a list of cidrs. How do you mean subnet group differently?

Steven avatar

But it is not hard to use data to look up the cidr blocks

rohit avatar

@Steven could you please share an example ?

rohit avatar

I am using terraform-aws-modules/vpc/aws module

Steven avatar

For the VPC, you are creating the subnets. So, there is no other option than providing the cidrs you want. But once the subnets have been created, you can query for them instead of hard coding them into other code.

Steven avatar

data “aws_vpc” “vpc” { tags { Environment = “${var.environment}” } }

data “aws_subnet_ids” “private_subnet_ids” { vpc_id = “${data.aws_vpc.vpc.id}”

tags { Network = “private” } }

data “aws_subnet” “private_subnets” { count = “${length(data.aws_subnet_ids.private_subnet_ids.ids)}” id = “${data.aws_subnet_ids.private_subnet_ids.ids[count.index]}” }

Steven avatar

Example of using data from above def:

Steven avatar

vpc_id = “${data.aws_vpc.vpc.id}” subnets = “${data.aws_subnet_ids.private_subnet_ids.ids}” ingress_cidr = “${data.aws_subnet.private_subnets.*.cidr_block}”

rohit avatar

@Erik Osterman (Cloud Posse) i am using cloudposse/terraform-aws-efs module https://github.com/cloudposse/terraform-aws-efs/blob/1ad219e482eba444eb31b6091ecb6827a0395644/main.tf#L38

cloudposse/terraform-aws-efs

Terraform Module to define an EFS Filesystem (aka NFS) - cloudposse/terraform-aws-efs

rohit avatar

and i have to pass security_groups

rohit avatar

when i execute the following code

rohit avatar
rohit
06:43:46 AM
rohit avatar

i get the following error

rohit avatar
rohit
06:44:23 AM
rohit avatar

any ideas why ?

2018-12-10

joshmyers avatar
joshmyers

@rohit does it work without the aws_efs_mount_target resource? Does it create the security group?

joshmyers avatar
joshmyers

It looks legit on first inspection (under caffeinated at the mo)

Jan avatar

yea I would agree, nothing jumps out as being wrong

joshmyers avatar
joshmyers
Resource missing errors propagating over validation errors during plan · Issue #18129 · hashicorp/terraform

Seemingly, when a validation error occurs in a resource (due to a failing ValidateFunc), terraform plan returns missing resource errors over returning the original validation error that caused the …

joshmyers avatar
joshmyers

Also, you shouldn’t need that explicit depends_on, unless that was you testing the graph

rohit avatar

i thought it was dependency error so added depends_on

rohit avatar

without aws_efs_mount_target, i get the following error

* module.storage.module.kitemedia.aws_security_group.media: "ingress.0.cidr_blocks.0" must contain a valid CIDR, got error parsing: invalid CIDR address: subnet-012345d8ce0d89dbc
joshmyers avatar
joshmyers

So that is the problem. The error when wanting to create the SG is not bubbling up through the code and the SG isn’t actually created because of above error parsing the CIDR address which is actually a subnet

joshmyers avatar
joshmyers

and the error you are receiving instead is just saying I can’t find that SG id

joshmyers avatar
joshmyers

fix the ^^ error with CIDR and try re running without the depends_on and with aws_efs_mount_target uncommented

rohit avatar

i think that fixed the issue

rohit avatar

@joshmyers thanks

rohit avatar

also, i am not able to view output variables

joshmyers avatar
joshmyers

Are you outputting the variables?

rohit avatar

yes

rohit avatar

for efs, i am now facing the following issue

rohit avatar
* module.storage.module.kitemedia.aws_efs_mount_target.kitemedia[0]: 1 error(s) occurred:

* aws_efs_mount_target.kitemedia.0: MountTargetConflict: mount target already exists in this AZ
	status code: 409, request id: 74cdca17-fc8a-11e8-bdb0-d7feddd82bcc
* module.storage.module.kitemedia.aws_efs_mount_target.kitemedia[11]: 1 error(s) occurred:

* aws_efs_mount_target.kitemedia.11: MountTargetConflict: mount target already exists in this AZ
	status code: 409, request id: 7eca3ec0-fc8a-11e8-b0cb-e76fd688df15
* module.storage.module.kitemedia.aws_efs_mount_target.kitemedia[4]: 1 error(s) occurred:

* aws_efs_mount_target.kitemedia.4: MountTargetConflict: mount target already exists in this AZ
	status code: 409, request id: 755597d2-fc8a-11e8-a0c5-25395ed55c14
* module.storage.module.kitemedia.aws_efs_mount_target.kitemedia[24]: 1 error(s) occurred:
joshmyers avatar
joshmyers

What is var.aws_azs set to?

joshmyers avatar
joshmyers

It looks like that count is way higher than I’d imagine the number of AZs available…

rohit avatar

@joshmyers you were correct

rohit avatar

i updated the count to use the length

rohit avatar

` count = “${length(split(“,”, var.aws_azs))}”`

rohit avatar

but i still get 2 errors

rohit avatar
* module.storage.module.kitemedia.aws_efs_mount_target.kitemedia[2]: 1 error(s) occurred:

* aws_efs_mount_target.kitemedia.2: MountTargetConflict: mount target already exists in this AZ
	status code: 409, request id: c11d8b5d-fc8c-11e8-a6ac-03687caf52eb
* module.storage.module.kitemedia.aws_efs_mount_target.kitemedia[0]: 1 error(s) occurred:

* aws_efs_mount_target.kitemedia.0: MountTargetConflict: mount target already exists in this AZ
	status code: 409, request id: c11db25f-fc8c-11e8-adc4-b7e10e019ae2
joshmyers avatar
joshmyers

Any reason not to declare aws_azs as a list, rather than csv?

joshmyers avatar
joshmyers

and have they actually been created already but not written to the Terraform state?

joshmyers avatar
joshmyers

If so, manually delete the EFS mount targets and re run TF

rohit avatar

that worked

rohit avatar

@joshmyers thanks

1
rohit avatar

i am still not able to view the outputs

rohit avatar

i have them in outputs.tf

rohit avatar
output "kitemedia_dns_name" {
  value = "${aws_efs_file_system.kitemedia.id}.efs.${var.aws_region}.amazonaws.com"
}
rohit avatar

when i run terraform output kitemedia_dns_name

rohit avatar
The state file either has no outputs defined, or all the defined
outputs are empty. Please define an output in your configuration
with the `output` keyword and run `terraform refresh` for it to
become available. If you are using interpolation, please verify
the interpolated value is not empty. You can use the
`terraform console` command to assist.
rohit avatar

this is what i am seeing

joshmyers avatar
joshmyers

Inspect the statefile - is ^^ correct and there are no outputs defined in there?

joshmyers avatar
joshmyers

and is that output in the module that you are calling?

rohit avatar

do i have to use fully qualified name ?

joshmyers avatar
joshmyers
04:15:29 PM
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@rohit try just terraform output from the correct folder and see what it outputs

rohit avatar

when i navigate to the correct folder, i get

The module root could not be found. There is nothing to output.
rohit avatar

i am able to see them in the state file

rohit avatar

but not on the command line using terraform output

joshmyers avatar
joshmyers

@rohit again, are you outputting the value in the module, and then also in the thing which calls the module as my example above?

rohit avatar

yeah tried that

rohit avatar

still same issue

joshmyers avatar
joshmyers

Without being able to see any code

joshmyers avatar
joshmyers

¯_(ツ)_/¯

rohit avatar

this is what i have inside [outputs.tf](http://outputs.tf) under kitemedia module

output "kitemedia_dns_name" {
  value = "${aws_efs_file_system.kitemedia.id}.efs.${var.aws_region}.amazonaws.com"
}
rohit avatar

and then this is what i have inside [outputs.tf](http://outputs.tf) that calls kitemedia module

output "kitemedia_dns_name" {
  value = "${module.storage.kitemedia.kitemedia_dns_name}"
}
joshmyers avatar
joshmyers

Where has “storage” come from in module.storage.kitemedia.kitemedia_dns_name

joshmyers avatar
joshmyers

Please post full configs including all vars and outputs for both the module and the code calling the module in a gist

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@rohit what IDE/Editor are you using?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

suggest to try https://www.jetbrains.com/idea/, it has a VERY nice Terraform plugin, shows and highlights all errors, warning, and other inconsistencies like wrong names, missing vars, etc.

IntelliJ IDEA: The Java IDE for Professional Developers by JetBrainsattachment image

Capable and Ergonomic Java IDE for Enterprise Java, Scala, Kotlin and much more…

joshmyers avatar
joshmyers

vscode is actually quite nice too - never thought I’d say that about an MS product but times are a changin’

1
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

yea, i tried it, it’s nice

joshmyers avatar
joshmyers

Also has good TF support

rohit avatar

i am using vscode

Jan avatar

im using vscode too, works well enough

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

yep

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

just tried to understand where storage comes from in module.storage.kitemedia.kitemedia_dns_name as @joshmyers pointed out

rohit avatar

It’s actually module.kitemedia.kitemedia_dns_name

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

Working now?

rohit avatar

nope

rohit avatar

i am not sure what’s wrong

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

can you post the full code?

rohit avatar

i will try

rohit avatar

i have another question

rohit avatar

so i have the following structure,

modules/compute/app1/main.tf, modules/compute/app2/main.tf, modules/compute/app3/main.tf
rohit avatar

i want to use an output variable from modules/compute/app1/main.tf in modules/compute/app2/main.tf

rohit avatar

so i am writing my variable to outputs.tf

rohit avatar

now, how do i access the variable in modules/compute/app2/main.tf ?

rohit avatar

does this makes sense ?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

it’s easy if all of those folders are modules, then you use a relative path to access the module and use its outputs, e.g. https://github.com/cloudposse/terraform-aws-eks-cluster/blob/master/examples/complete/main.tf#L62

cloudposse/terraform-aws-eks-cluster

Terraform module for provisioning an EKS cluster. Contribute to cloudposse/terraform-aws-eks-cluster development by creating an account on GitHub.

rohit avatar

I was not aware that something like this can be done

cloudposse/terraform-aws-eks-cluster

Terraform module for provisioning an EKS cluster. Contribute to cloudposse/terraform-aws-eks-cluster development by creating an account on GitHub.

rohit avatar

i am sure there are many more features like this

rohit avatar

@Andriy Knysh (Cloud Posse) i tried what you suggested but i am still facing problems

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@rohit post here your code and the problems you are having

rohit avatar

It is hard to paste the entire code but i will try my best

rohit avatar

In my modules/compute/app1/outputs.tf i have

output "ec2_instance_security_group" {
  value = "${aws_security_group.instance.id}"
}
rohit avatar

In my modules/compute/app2/main.tf i am trying to do something like this

rohit avatar
data "terraform_remote_state" "instance" {
  backend = "s3"

  config {
    bucket = "${var.namespace}-${var.stage}-terraform-state"
    key    = "account-settings/terraform.tfstate"
  }
}

security_groups = ["${data.terraform_remote_state.instance.app1.ec2_instance_security_group}"]
rohit avatar

i feel that i am missing something here

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

you did not configure your remote state, you just using ours

rohit avatar

I looked at the state file and it is listed under

            "path": [
                "root",
                "compute",
                "app1"
            ],
            "outputs": {
                "ec2_instance_security_group": {
                    "sensitive": false,
                    "type": "string",
                    "value": "REDACTRED"
                }
}
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
config {
    bucket = "${var.namespace}-${var.stage}-terraform-state"
    key    = "account-settings/terraform.tfstate"
  }
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

^ needs to be updated to reflect your bucket and your folder path

rohit avatar

yes i did that

rohit avatar

i did not wanted to paste the actual values

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

hmm

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

there is no secrets here

config {
    bucket = "${var.namespace}-${var.stage}-terraform-state"
    key    = "account-settings/terraform.tfstate"
  }
rohit avatar

Is the output from my state file helpful ?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

update and paste the code

rohit avatar
data "terraform_remote_state" "compute" {
  backend   = "s3"
  workspace = "${terraform.workspace}"

  config {
    bucket               = "bucketname"
    workspace_key_prefix = "tf-state"
    key                  = "terraform.tfstate"
    region               = "us-east-1"
    encrypt              = true
  }
}
rohit avatar

is that helpful ?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

if you look at the state bucket, do you see the file under terraform.tfstate?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

it’s probably under one of the app subfolders

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

e.g. app1 or app2

rohit avatar

the state file is under, bucketname/tf-state/eakk/terraform.tfstate

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

key = "tf-state/eakk/terraform.tfstate"

rohit avatar

ohh

rohit avatar

security_groups = ["${data.terraform_remote_state.instance.app1.ec2_instance_security_group}"]

rohit avatar

is this correct then ?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-root-modules

Collection of Terraform root module invocations for provisioning reference architectures - cloudposse/terraform-root-modules

rohit avatar

what is the significance of account_settings here ?

rohit avatar

should it match with any of my resource names ?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

security_groups = [“${data.terraform_remote_state.compute.ec2_instance_security_group}“] something like this

rohit avatar
 Resource 'data.terraform_remote_state.compute' does not have attribute 'ec2_instance_security_group' for variable 'data.terraform_remote_state.compute.ec2_instance_security_group'

`

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@rohit here is a working example on how we define the outputs in one module https://github.com/cloudposse/terraform-root-modules/blob/master/aws/account-settings/outputs.tf

cloudposse/terraform-root-modules

Collection of Terraform root module invocations for provisioning reference architectures - cloudposse/terraform-root-modules

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

and then reference the output from another module (in different folder) using remote state https://github.com/cloudposse/terraform-root-modules/blob/master/aws/users/main.tf#L32

cloudposse/terraform-root-modules

Collection of Terraform root module invocations for provisioning reference architectures - cloudposse/terraform-root-modules

rohit avatar

is there any significance of root_iam in your data block ? or can it be anything ?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

it’s a module to provision IAM on the root account

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

the folder name could be different (if that’s what you are asking )

rohit avatar

Still did not work

rohit avatar

so i decided to take a different approach

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

did you first provision aws_security_group.instance before accessing its state?

rohit avatar

yes i did

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

in what folder?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

please cd to that folder and run terraform output (and paste the result here)

rohit avatar
The module root.app1 could not be found. There is nothing to output.
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

Looks like you didn’t provision anything in that folder

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

Direct message me with all the files, I’ll take a look. Remove all the secrets if any

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

if those apps are just resources, then you can use https://www.terraform.io/docs/providers/terraform/d/remote_state.html

Terraform: terraform_remote_state - Terraform by HashiCorp

Accesses state meta data from a remote backend.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-root-modules

Collection of Terraform root module invocations for provisioning reference architectures - cloudposse/terraform-root-modules

pericdaniel avatar
pericdaniel

anyone installing gitlab omnibus with terraform?

Jan avatar
Terraform creation of Gitlab-CE installed with Omnibus in AWS

Terraform creation of Gitlab-CE installed with Omnibus in AWS Is anyone else doing this? How are you doing your backup and restore when you need to replace the gitlab instance for some reason? I recently needed to up the disk size of my instance so when I made the change in TF I needed to terminate my currently running instance and then apply the new TF plan which included the new disk size. Once the new instance comes up I have a template file in TF which is parsed into the user data for the i…

Jan avatar

Im running gitlab form within k8s

Jan avatar
GitLab Helm Chart | GitLab

Documentation for GitLab Community Edition, GitLab Enterprise Edition, Omnibus GitLab, and GitLab Runner.

Jan avatar

oh thats the ee

Jan avatar
GitLab Helm Chart | GitLab

Documentation for GitLab Community Edition, GitLab Enterprise Edition, Omnibus GitLab, and GitLab Runner.

pericdaniel avatar
pericdaniel

yea i saw the forum on

pericdaniel avatar
pericdaniel

one

pericdaniel avatar
pericdaniel

i didnt know if someone had the full stack

pericdaniel avatar
pericdaniel

the vpc and subnets and everthing is easy

pericdaniel avatar
pericdaniel

is that piece he has all i need hten?

Jan avatar

Im not sure sorry, just found that

Jan avatar

as much as possible I try to do things in k8s

pericdaniel avatar
pericdaniel

yea i need to do that too!

pericdaniel avatar
pericdaniel

do you have it for k8? @Jan

rohit avatar

In launch template, is it possible to set latest version to default ?

davidvasandani avatar
davidvasandani

do you have it for k8? @Jan

pericdaniel avatar
pericdaniel

@davidvasandani I’m looking for terraform that autocreates gitlab omnibus… if its not out there i just thought about writing it

davidvasandani avatar
davidvasandani

@pericdaniel and you’re looking for AWS? I just checked Gitlab’s website and found they have a Terraform bootstart for GCE but it hasn’t be updated in a year.

pericdaniel avatar
pericdaniel

yea for aws

pericdaniel avatar
pericdaniel

i was thinking about converting the gce one

davidvasandani avatar
davidvasandani
A Comprehensive Guide to Running GitLab on AWS – Alois Barreras – Mediumattachment image

A series of posts that will examine why we chose GitLab at Alchemy and teach you how to automate your own installation on AWS using…

fiesta_parrot1
pericdaniel avatar
pericdaniel

thank you!

1
rohit avatar

In launch template, is it possible to set latest version to default ?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

probably using that

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)


latest_version - The latest version of the launch template.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

(haven’t personally dealt with it lately)

rohit avatar

i was able to use latest_version in autoscalinggroup but i was not able to set newly created version on the launch template as default

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

hrm… @maarten might have some ideas

2018-12-11

maarten avatar
maarten

@rohit Passing the baton to @jamie who worked with launch templates earlier, maybe he knows a bit more. What do you mean with “not able to set newly created version on the launch template as default”. Did you get a kind of error or you didn’t notice a change ? When updating a launch config of an autoscaling group the launch config has been changed but you won’t see immediate effect. AWS does not do the replacement of the instances itself. Best way to tackle that is either a separate blue/green deployment deployment process or to something like step functions together with a lambda which takes care of that.

1
jamie avatar

you can actually configure the autoscaling group to do a graceful replacement of the instances without using lambda

maarten avatar
maarten

this thread isn’t readable, is this the thread with the cloudformation resource ?

jamie avatar

Haha. No it’s one of the lead terraform devs talking about how they do it for their own servers

jamie avatar

resource "aws_launch_configuration" "someapp" {
  lifecycle { create_before_destroy = true }

  image_id       = "${var.ami}"
  instance_type  = "${var.instance_type}"
  key_name       = "${var.key_name}"
  security_group = ["${var.security_group}"]
  
}

resource "aws_autoscaling_group" "someapp" {
  lifecycle { create_before_destroy = true }

  name                 = "someapp - ${aws_launch_configuration.someapp.name}"
  launch_configuration = "${aws_launch_configuration.someapp.name}"
  desired_capacity     = "${var.nodes}"
  min_size             = "${var.nodes}"
  max_size             = "${var.nodes}"
  min_elb_capacity     = "${var.nodes}"
  availability_zones   = ["${split(",", var.azs)}"]
  vpc_zone_identifier  = ["${split(",", var.subnet_ids)}"]
  load_balancers       = ["${aws_elb.someapp.id}"]
}

The important bits are:

  • Both LC and ASG have create_before_destroy set
  • The LC omits the “name” attribute to allow Terraform to auto-generate a random one, which prevent collisions
  • The ASG interpolates the launch configuration name into its name, so LC changes always force replacement of the ASG (and not just an ASG update).
  • The ASG sets “min_elb_capacity” which means Terraform will wait for instances in the new ASG to show up as InService in the ELB before considering the ASG successfully created.

The behavior when “var.ami” changes is:

(1) New “someapp” LC is created with the fresh AMI (2) New “someapp” ASG is created with the fresh LC (3) Terraform waits for the new ASG’s instances to spin up and attach to the “someapp” ELB (4) Once all new instances are InService, Terraform begins destroy of old ASG (5) Once old ASG is destroyed, Terraform destroys old LC

If Terraform hits its 10m timeout during (3), the new ASG will be marked as “tainted” and the apply will halt, leaving the old ASG in service.

jamie avatar

I know this isn’t answering rohits question.

maarten avatar
maarten

Doesn’t this also imply that all dependencies of the asg also need to have create_before_destroy then ?

jamie avatar

I expect so.

Jan avatar

that is how create_before_destroy works isnt it

Jan avatar

fort a 3az, 2 tier vpc

Jan avatar
cloudposse/terraform-aws-multi-az-subnets

Terraform module for multi-AZ public and private subnets provisioning - cloudposse/terraform-aws-multi-az-subnets

cloudposse/terraform-aws-dynamic-subnets

Terraform module for public and private subnets provisioning in existing VPC - cloudposse/terraform-aws-dynamic-subnets

Jan avatar

ideally I will not have the same size public / private subnets

Jan avatar

but have say 2/3 of the cidr for the vpc in private

joshmyers avatar
joshmyers

The above method of blue/green TF deploys of new AMIs works well, fails safe

Nikola Velkovski avatar
Nikola Velkovski

Only if you use ami baking and no docker though.

joshmyers avatar
joshmyers

ASG events can trigger deploys of app code so the new AMIs pass ELB health checks, so as new instances come in and healthy, old are rolled out. you don’t need to bake your app into AMI, I generally wouldn’t suggest that

1
Jan avatar

So the max_subnets as a way to calculate subnets used in https://github.com/cloudposse/terraform-aws-multi-az-subnets has an interesting side effect

cloudposse/terraform-aws-multi-az-subnets

Terraform module for multi-AZ public and private subnets provisioning - cloudposse/terraform-aws-multi-az-subnets

Jan avatar

a /22 sent to a 3az vpc would by default create subnets with /26 rather than /25

Jan avatar

this is because the max_subnets default of 6 means that the /22 need to fit 6*(number of tiers)

Jan avatar

so its in fact max_subnets_per tier

Jan avatar

not max per vpc

Jan avatar

so max_subnets = 3 nets 8 subnets so 6x /25’s

Jan avatar

much less waste

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@Jan the two subnet modules were created to divide a VPC into private and public subnets according to some set of rules (different for the two modules). It was already brought to attention that they ‘waste’ IP space and in general don’t provide all possible solutions. We mostly use https://github.com/cloudposse/terraform-aws-dynamic-subnets for all our deployments and it works well

cloudposse/terraform-aws-dynamic-subnets

Terraform module for public and private subnets provisioning in existing VPC - cloudposse/terraform-aws-dynamic-subnets

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

if you have some specific requirements on how to divide a VPC not covered by any of the modules, then a new module needs to be created

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

there is a million ways to divide a vpc

Jan avatar

Im already all sorted thanks

Jan avatar

I just call it with max_subnets = 3

1
Jan avatar

cheers for following up though

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

which module did you end up using?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-aws-named-subnets

Terraform module for named subnets provisioning. Contribute to cloudposse/terraform-aws-named-subnets development by creating an account on GitHub.

Jan avatar

Have you got an example of using https://github.com/cloudposse/terraform-aws-dynamic-subnets to do a two tier 3az vpc?

cloudposse/terraform-aws-dynamic-subnets

Terraform module for public and private subnets provisioning in existing VPC - cloudposse/terraform-aws-dynamic-subnets

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

two tier means private and public subnets?

Jan avatar

spanning 3 availability zones

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

but that’s what we use everywhere

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-aws-eks-cluster

Terraform module for provisioning an EKS cluster. Contribute to cloudposse/terraform-aws-eks-cluster development by creating an account on GitHub.

Jan avatar

maybe I missed something then

Jan avatar

right

Jan avatar

I see

Jan avatar

cool thanks, will switch over to that one

Jan avatar

and test

rohit avatar

@maarten I am able to use newly created launch template version to create autoscaling group but on the launch template there is an option to set the default version which i am not able to do for the latest version using terraform

rohit avatar

and no, i don’t get an error

rohit avatar

I just don’t see an option to do it in terraform

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-aws-ec2-autoscale-group

Terraform module to provision Auto Scaling Group and Launch Template on AWS - cloudposse/terraform-aws-ec2-autoscale-group

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

not sure if that’s the correct way of doing it

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

(and that’s not suited for green/blue deployments as @jamie and @maarten discussed)

rohit avatar

@Andriy Knysh (Cloud Posse) i saw this but this will only set the autoscaling group to use the latest version

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
AWS: aws_autoscaling_group - Terraform by HashiCorp

Provides an AutoScaling Group resource.

rohit avatar

yes, that is on the autoscaling group

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

so i guess it should be version = "$$Default"

rohit avatar

but i am talking about setting the default version on launch_template

rohit avatar

which has nothing to do with autoscaling group

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
AWS: aws_launch_template - Terraform by HashiCorp

Provides an EC2 launch template resource. Can be used to create instances or auto scaling groups.

maarten avatar
maarten

Maybe it’s not configurable, but something the WEBUI team came up with after smoking something. Just deep dive here https://github.com/aws/aws-sdk-go to see if it’s in their api.

aws/aws-sdk-go

AWS SDK for the Go programming language. Contribute to aws/aws-sdk-go development by creating an account on GitHub.

maarten avatar
maarten

aws ec2 modify-launch-template –launch-template-id “lt-0444afefe36b9f2c0” –default-version “1” –region eu-central-1

maarten avatar
maarten

ok, so there is a command line for it, that helps

maarten avatar
maarten

ok, so you can set the default version with it, meaning that if you launch a template without giving the version it will take the default one. I’m not so sure why you would want that with Terraform as you control the whole chain with Terraform anyway and thus can pick the launch configuration you made with Terraform.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

yea thanks @maarten

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

the default version will be used if you don’t specify any version

rohit avatar

makes sense

rohit avatar

thanks

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

anyway it’s better to recreate the template and ASG if any changes

Jan avatar
cloudposse/terraform-aws-dynamic-subnets

Terraform module for public and private subnets provisioning in existing VPC - cloudposse/terraform-aws-dynamic-subnets

cloudposse/terraform-aws-dynamic-subnets

Terraform module for public and private subnets provisioning in existing VPC - cloudposse/terraform-aws-dynamic-subnets

Jan avatar

ending up with x-xx-subnet-private-eu-central-1b & x-xx-xxx-public-eu-central-1b

Jan avatar

x, xx, xxx brin vars im setting namespace, stage, name

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

no, it’s a bug (regression after the last updates to the module)

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

thanks for finding it

Jan avatar

just looked out of place

Jan avatar

Far nicer subnet module btw

Jan avatar

still passing ` max_subnet_count = 3`

Jan avatar

also decided on ` availability_zones = [”${slice(data.aws_availability_zones.available.names, 0, 3)}”]`

Jan avatar

for now

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

yea

Jan avatar

but im getting expected results

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

it was designed to take all AZs into account

Jan avatar

yea I saw

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

that’s why it divides into smaller subnets

Jan avatar

which I guess makes sense

Jan avatar

so I mean thats 100% valid in that context

Jan avatar

though I dont use any region with less than 3az and build my k8s clusters around that choice

Jan avatar

will explroe that later

Jan avatar

an easy change

Jan avatar

Just got a vpn gw and cgw working

Jan avatar

So I guess new module incoming soon then

2
2
rohit avatar

Is it possible to create a target group without creating elb ?

2018-12-12

ikar avatar

Hi there, I’m new to terraform (used it to make ec2 instace ). I’m trying to use this module: https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn …well to create cloudfront with s3 source we don’t have any domain and with this code:

module "cdn" {
  source = "cloudposse/cloudfront-s3-cdn/aws"
  version = "0.3.5"
  stage = "dev"
  name = "app"
  namespace = "pg"
}

I get this error:

...
module.cdn.data.aws_iam_policy_document.origin: Refreshing state...
module.cdn.module.logs.aws_s3_bucket.default: Creation complete after 4s (ID: pg-dev-pg-app-logs)

Error: Error applying plan:

1 error(s) occurred:

* module.cdn.aws_s3_bucket.origin: 1 error(s) occurred:

* aws_s3_bucket.origin: Error putting S3 CORS: MalformedXML: The XML you provided was not well-formed or did not validate against our published schema
        status code: 400, request id: 8E821E105B6852CA, host id: F+zK01RI/I3BcuzlnK+nRLEdvLz4G4bRkJgGutEYI8fS4iBNTGw7UGLWik+GtLcCyvqXQxMcecU=

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

this sounds quite cryptic to me, any idea where to start digging?

cloudposse/terraform-aws-cloudfront-s3-cdn

Terraform module to easily provision CloudFront CDN backed by an S3 origin - cloudposse/terraform-aws-cloudfront-s3-cdn

joshmyers avatar
joshmyers

@ikar have you run this with debug logging turned on?

ikar avatar

nope, didn’t know about the possibility, thanks! But it seems the module requires at least cors_allowed_origins = ["*"]. Though hit another problem which probly can’t be solved using that module, will write s3+cdn by myself from scratch.

joshmyers avatar
joshmyers
cloudposse/terraform-aws-cloudfront-s3-cdn

Terraform module to easily provision CloudFront CDN backed by an S3 origin - cloudposse/terraform-aws-cloudfront-s3-cdn

joshmyers avatar
joshmyers
cloudposse/terraform-aws-cloudfront-s3-cdn

Terraform module to easily provision CloudFront CDN backed by an S3 origin - cloudposse/terraform-aws-cloudfront-s3-cdn

ikar avatar

yes, that is way more complicated than what I need (no route 53). also don’t need logging

joshmyers avatar
joshmyers

you probably do want logging…

joshmyers avatar
joshmyers

but I’m thinking https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn/blob/master/main.tf#L64 maybe breaking if nothing at all is set

cloudposse/terraform-aws-cloudfront-s3-cdn

Terraform module to easily provision CloudFront CDN backed by an S3 origin - cloudposse/terraform-aws-cloudfront-s3-cdn

ikar avatar

not at this point. yes, it says it is optional, but ends with the error above

joshmyers avatar
joshmyers

Turn on debug logging and see if there is a broken looking cors config

ikar avatar

how to do that?

joshmyers avatar
joshmyers
Debugging - Terraform by HashiCorp

Terraform has detailed logs which can be enabled by setting the TF_LOG environment variable to any value. This will cause detailed logs to appear on stderr

ikar avatar

holy cow! that’s a lot of debug info

Jan avatar

hahah yea debug is brutal

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@ikar if you still having the issue, paste your complete code here and we’ll take a look

1
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

Welcome to the community btw :)

ikar avatar

thanks @Andriy Knysh (Cloud Posse)! creating custom module, but thanks

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

Are you creating Cloudfront with plain S3 bucket as origin, or as a website?

ikar avatar

Cloudfront with plain S3 bucket as origin

davidvasandani avatar
davidvasandani

@ikar it’ll be easier for the community to help you modify one of the existing modules (and more useful to the community as a whole) vs writing a brand new module from scratch. Good luck either way though!!

3
ikar avatar

I wanted to try custom solution to learn about terraform. The thing is I wasn’t able to setup CDN behaviour correctly using this: <https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn>

ikar avatar

by “correctly” I mean as requested by a project manager

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
04:57:48 PM
3
3
davidvasandani avatar
davidvasandani

@ikar if you can go into more detail of what the module is failing to configure maybe we can help you. Possibly by turning a current static configuration into something more dynamic for your and others needs.

1
ikar avatar

thanks @davidvasandani, already achieved what I needed with using pure resources. Next time, I’ll try to be more patient. I’m in EU timezone so I’m usually exhausted when the community is waking up

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

this combined with atlantis would be a great way to allow community to contribute new modules

2
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

literally open up a PR for the terraform module repo

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

get it approved, merged

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

then contribute your changes

loren avatar

nifty idea!

sarkis avatar

or even providers…

2
loren avatar

i’d dearly love an official okta provider…

1
Jan avatar
Stretch96/terraform-aws-permissions-generator

Terraform AWS Permissions Generator. Contribute to Stretch96/terraform-aws-permissions-generator development by creating an account on GitHub.

Jan avatar

Interesting idea

Jan avatar

“Introducing Aardvark and Repokid” by Netflix Technology Blog https://link.medium.com/ZoHsIudfBS

“Introducing Aardvark and Repokid”attachment image

A place where words matter

Jan avatar

Along with Netflix Aardvark and Repokid could prove to be a sweet trio

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)


access profiling and automated and ongoing right-sizing. We allow developers to deploy their applications with a basic set of permissions and then use profiling data to remove permissions that are demonstrably not used.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I’ve wanted to do exactly this!

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I was thinking it would be nice to run terraform through an AWS API proxy and then turn parse the requests to figure out the canned permissions

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

terraform-aws-permissions-generator seems kind of like that

Jan avatar

https://github.com/duo-labs/cloudmapper has a super interesting feature with audit usage

duo-labs/cloudmapper

CloudMapper helps you analyze your Amazon Web Services (AWS) environments. - duo-labs/cloudmapper

Jan avatar

Being some one that has always understood infrastructure sets in a visual and conceptual way it pretty cool

jamie avatar

I have written a TF module for cloudmapperto run in Fargate for a client.

jamie avatar

So I can provide that if you want something to start on?

Jan avatar

Would absolutely love to take a look!

Jan avatar

Still exploring it

Jan avatar
28mm/blast-radius

Interactive visualizations of Terraform dependency graphs using d3.js - 28mm/blast-radius

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

love the authors bio: “Tool-using primate, proficient typist, and Seattle-resident Systems Administrator.”

28mm/blast-radius

Interactive visualizations of Terraform dependency graphs using d3.js - 28mm/blast-radius

Jan avatar

Hahahaha, my kids dude

Jan avatar

Is also pretty neat

Shane avatar

@Jan oh, that’s interesting we just had someone last week run… terraform destroy --force on our folder that contains all of our dev infrastructure

1
Shane avatar

Anyone have any recommendations for making that as least destructive as possible . It stopped them when the IAM role they were using was deleted.

Shane avatar

Took us 30 mins to recover so it was a good exercise

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

not really… maybe more sandbox accounts

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)


terraform destroy --force on our folder that contains all of our dev infrastructure

Shane avatar

ya, one option is to seperate the dev folders by teams

1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

yea, teams and/or projects

1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

though wait, you have the entire dev infra defined in one project?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

yea, exactly, more projects ~ states

Shane avatar

it’s a single terraform project with about 2 dozen modules

Shane avatar

terraform state list | wc 571

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

we’ve moved away from large projects mostly because they (a) take FOREVER to plan (b) have a huge blast radius

3
Shane avatar

we have basically been waiting for it to get slow to plan/apply, but it has been fine so we had no reason to split it out.

Shane avatar

but after the deletion that might give us a good reason

Shane avatar

and it will also improve atlantis locks

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

yea, exactly

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
cloudposse/terraform-root-modules

Example Terraform service catalog of “root module” invocations for provisioning reference architectures - cloudposse/terraform-root-modules

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

here’s roughly how we organize everything

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

this will vary from company to company, team to team

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

each one of those folders in aws corresponds to a project

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

coldstart is pretty painful. we go into each folder and plan/apply

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
uber/astro

Astro is a tool for managing multiple Terraform executions as a single command - uber/astro

davidvasandani avatar
davidvasandani

~Have you played with terragrunt?~ I’d be curious to hear how it compares with astro. I’m a big terragrunt fan

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

i like what terragrunt achieves

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

i’m not particularly fond with how it achieves it.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

i don’t like the overloading of tfvar

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

i don’t like the “transparent” wrapper

1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

….

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

i do like task runners. i use those all the time

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

make, rake, etc.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

i don’t like that make isn’t very “pipeline” oriented. it’s too close to a language, so people abuse it (us included!)

1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

what i like about astro is it presents a pipeline like a build pipeline. do this, then do that. and it does it in YAML, which all my other pipelines are in.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

for the record, haven’t used astro yet. just been pondering the approach almost everyday for the past few weeks.

davidvasandani avatar
davidvasandani

re: astro, ditto.

Shane avatar

ya, we essentially group our “projects/services” as modules unto themselves in their own git repo.

Shane avatar

So the main state just references modules with their variables.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

yea, that’s nice

Shane avatar

we use that setup to have CI tests that test out the modules on changes.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

are you using plain terraform for everything?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
Shane avatar

Correct, no terragrunt

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
Command: init - Terraform by HashiCorp

The terraform init command is used to initialize a Terraform configuration. This is the first command that should be run for any new or existing Terraform configuration. It is safe to run this command multiple times.

Shane avatar

I have never been overly fond of terragrunt.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

same

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

but this terraform init -from-module=.... is top of mind

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

(incidentally, something terragrunt does use under the hood)

Shane avatar

ya, that’s interesting functionality

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

so i’d like to be able to define an architecture more or less without writing a line of terraform code

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

assuming all the modules already exist

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

anyways, that’s what I think I want. not sure yet.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

i have a call with Dans @ Uber next tuesday to learn more about how they use Astro at uber.

1
Shane avatar

nice

Shane avatar

Got ya, so define the modules and make them more resuable with a simple abstraction on top.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

yea… and since we’re both helmfilers, basically something like #helmfile

1
johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

Take your time reviewing this monster PR: https://github.com/cloudposse/terraform-aws-eks-cluster/pull/7

Fix the README example by johncblandii · Pull Request #7 · cloudposse/terraform-aws-eks-cluster

There was a small tweak needed in the README for it to work. // CC @osterman @aknysh

1
sahil avatar

Hi guys, do we have a terraform module for cognito user pool? If not, do we have any plans for it in the future?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

ah, bummer! no not yet.

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

sorry…that’s data.

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

that’s a lot of args. LOL. I can see where a module would help.

sahil avatar

Yes!

1
johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

#homerdisappear

1
johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

anyone k8s with EKS? trying to get my bearings and the auth is winning right now

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I saw your PR

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

have you looked at the examples/complete

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

that was tested as of a couple of days ago

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

i didn’t. checking

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

just pushed a fix, btw

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

thx!

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

i have it running. it worked flawlessly

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@Andriy Knysh (Cloud Posse) is most familiar with it

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

Unauthorized is my life right now. i will go back through the setup steps

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

got it. def’ was a config thing from the yaml output. i needed to use the AWS_PROFILE env var or update the config yaml to pass it into aws-iam-authenticator

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

awesome!

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

is this a skunkworks project to get off of beanstalk?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

2018-12-13

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

somewhat, yeah. it is to deploy our new jenkins setup and a way to open eyes to using k8s

deftunix avatar
deftunix

hi everyone, I am developing a terraform provider for Ansible AWX (a.k.a. Tower).

deftunix avatar
deftunix

if anyone is interested or wants contribute to the project, it is warmed welcome

deftunix avatar
deftunix
mauromedda/terraform-provider-awx

Terraform provider plugin for AWX/Tower - API v2. Contribute to mauromedda/terraform-provider-awx development by creating an account on GitHub.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@deftunix looks interesting, thanks for sharing. I’ll take a look in more details

pericdaniel avatar
pericdaniel

what are people using instead of beanstalk? are you just creating web instances on a docker cluster and then using api gatway or somthing

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@pericdaniel so depending on your requirements and many other considerations, and speaking only about AWS, it could be Beanstalk (but it’s like creating a cluster for each app), ECS, EKS, or kops. You can deploy any web app on a Kubernetes cluster, no need to use API gateway (although it could be used, but serves diff purpose). You deploy the app containers on k8s, use nginx-ingress for ingress, and ELB/ALB and Route53 for routing/DNS

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

for ECS, take a look at the very nice implementation here https://airship.tf (thanks to @maarten)

.. ECS made easy

Home of Terraform Airship

maarten avatar
maarten

This is work in progress people don’t refer to it yet

.. ECS made easy

Home of Terraform Airship

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

1
pericdaniel avatar
pericdaniel

interesting

pericdaniel avatar
pericdaniel

thank you!

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

also, Fargate could be a nice solution in some cases

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

so it’s one of Beanstalk, ECS, Fargate (currently just for ECS), EKS, kops - each has pros and cons

pericdaniel avatar
pericdaniel

yea that makes sense

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

@Andriy Knysh (Cloud Posse) do you know why workers would not have access to the cluster when running terraform-aws-eks-cluster/workers?

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

“No resources found.” has none found

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-aws-eks-cluster

Terraform module for provisioning an EKS cluster. Contribute to cloudposse/terraform-aws-eks-cluster development by creating an account on GitHub.

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

yeah

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

EKS currently does not support for the master to join the cluster automatically

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

you have to apply the config

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

i did

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

the configmap, right?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

it could be done manually, or automatically

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)


If you want to automatically apply the Kubernetes configuration, set var.apply_config_map_aws_auth to “true”

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

yes configmap

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

configmap/aws-auth unchanged

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

still no nodes found

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

do i need to restart the workers after?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

i did not restart them

rohit avatar

Does anyone here use cloudflare for dns cert validation ?

rohit avatar

Everytime i run a plan i see that it wants to update in-place the entry in cloudflare

cloudflare_record.dns_cert_validation
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

so it doesn’t make sense to me why you do the DNS validation for ACM with cloudflare

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

cloudflare has it’s own TLS certificates

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

and cloudflare works like MITM not passthru

rohit avatar

when we generate a cert in aws we want to do dns validation

rohit avatar

for which we are using cloudflare

rohit avatar

@Erik Osterman (Cloud Posse) The issue i am facing is mentioned here https://github.com/terraform-providers/terraform-provider-cloudflare/issues/154

cloudflare_record used with aws_acm_certificate always thinks it has to update · Issue #154 · terraform-providers/terraform-provider-cloudflare

Terraform Version 0.11.10 Affected Resource(s) Please list the resources as a list, for example: cloudflare_record aws_acm_certificate Terraform Configuration Files variable &quot;domain&quot; {} v…

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@johncblandii (Cloud Posse) when you run kubectl get nodes using the generated kubeconfig file, what do you see?

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

no nodes

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

No resources found.

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

and when i tried to add nginx i get:

Warning FailedScheduling 25m (x4 over 25m) default-scheduler no nodes available to schedule pods

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

ok, i need to find my records how i did it, will ping you

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

ok

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

I’m a relative noob on k8s so I def’ appreciate the help

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

recreating my workers with a key so i can ssh and muck around

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@johncblandii (Cloud Posse) from my notes:

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

first, run aws-iam-authenticator token -i cpco-testing-eks-cluster to check if aws-iam-authenticator token works

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

then I think your configmap was not applied for some reason. You can manually do it by executing kubectl apply -f config-map-aws-auth-cpco-testing-eks-cluster.yaml --kubeconfig kubeconfig-cpco-testing-eks-cluster.yaml

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

got json back on the token

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

looks good

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

i did the apply

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

configmap/aws-auth unchanged

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

finally, kubectl get nodes --kubeconfig kubeconfig-cpco-testing-eks-cluster.yaml to see the nodes

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

still a no go

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

can you try to delete the config map from the cluster, and then exec kubectl apply -f config-map-aws-auth-cpco-testing-eks-cluster.yaml --kubeconfig kubeconfig-cpco-testing-eks-cluster.yaml

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

kubectl get configmaps --all-namespaces --kubeconfig kubeconfig-cpco-testing-eks-cluster.yaml

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

run the command and show the output

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)
NAMESPACE       NAME                                 DATA      AGE
ingress-nginx   nginx-configuration                  1         2h
ingress-nginx   tcp-services                         0         2h
ingress-nginx   udp-services                         0         2h
kube-system     aws-auth                             1         18s
kube-system     coredns                              1         10h
kube-system     extension-apiserver-authentication   5         10h
kube-system     kube-proxy                           1         10h
johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

what can i run on a worker to verify it can communicate w/ the controlplane?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

can you go to the AWS console and check if the worker instances are OK?

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

they are

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

all 3 running

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

also, when you run kubectl apply -f config-map-aws-auth-cpco-testing-eks-cluster.yaml --kubeconfig kubeconfig-cpco-testing-eks-cluster.yaml, what’s the output?

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

configmap/aws-auth created

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

(you need to use your file name, but you know that )

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

yup

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

hmm, out of ideas for now, will have to spawn a cluster and check it. @Erik Osterman (Cloud Posse) any ideas here?

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

ever work from the worker to test config?

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)
# kubectl cluster-info dump
The connection to the server localhost:8080 was refused - did you specify the right host or port?
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

when testing, i applied the map, nodes joined, and i deployed some app

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

you need to use --kubeconfig for all commands

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

dang. that’s weird

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

here’s the TF…1 sec

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)
module "eks_cluster" {
  source = "git::<https://github.com/cloudposse/terraform-aws-eks-cluster.git?ref=master>"

  namespace = "${local.namespace}"
  name      = "${var.application_name}"
  stage     = "${var.stage}"
  tags      = "${var.tags}"

  subnet_ids = ["${module.vpc.public_subnets}"]
  vpc_id     = "${module.vpc.vpc_id}"

  # `workers_security_group_count` is needed to prevent `count can't be computed` errors
  workers_security_group_ids   = ["${module.eks_workers.security_group_id}"]
  workers_security_group_count = 1
}

module "eks_workers" {
  source = "git::<https://github.com/cloudposse/terraform-aws-eks-workers.git?ref=master>"

  namespace = "${local.namespace}"
  stage     = "${var.stage}"
  name      = "${var.application_name}"
  tags      = "${var.tags}"
  key_name  = "jcbii-ops-prod"

  instance_type               = "m5.xlarge"
  associate_public_ip_address = true

  vpc_id            = "${module.vpc.vpc_id}"
  subnet_ids        = ["${module.vpc.public_subnets}"]
  health_check_type = "EC2"

  min_size                  = 3
  max_size                  = 5
  wait_for_capacity_timeout = "10m"

  cluster_name                       = "${local.full_name}"
  cluster_endpoint                   = "${module.eks_cluster.eks_cluster_endpoint}"
  cluster_certificate_authority_data = "${module.eks_cluster.eks_cluster_certificate_authority_data}"
  cluster_security_group_id          = "${module.eks_cluster.security_group_id}"

  # Auto-scaling policies and CloudWatch metric alarms
  autoscaling_policies_enabled           = "true"
  cpu_utilization_high_threshold_percent = "80"
  cpu_utilization_low_threshold_percent  = "20"
}
johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

do i need a different config here?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

no, that worked

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

i’ll spawn a cluster little bit later and see what happens

1
johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

/usr/bin/aws-iam-authenticator token -i /var/lib/kubelet/kubeconfig

this shows the json output w/ a token as well

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)
# kubectl get pods --kubeconfig /var/lib/kubelet/kubeconfig 
Error from server (Forbidden): pods is forbidden: User "system:node:" cannot list pods in the namespace "default": unknown node for user "system:node:"
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

is that the same kubeconfig that was generated?

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

no, i’m on the worker

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
Amazon EKS Troubleshooting - Amazon EKS

This chapter covers some common errors that you may see while using Amazon EKS and how to work around them.

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

checking

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

arn is valid

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

…for the IAM role in the configmap

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

cluster name matches on worker

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

this is going to be something really stupid

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

take a look here https://www.terraform.io/docs/providers/aws/guides/eks-getting-started.html#worker-node-access-to-eks-master-cluster and please go to the AWS console and confirm that you have two SGs, one for the cluster and another for the workers, and that they both allow the other group to access

EKS Getting Started Guide - Terraform by HashiCorp

Using Terraform to configure AWS EKS.

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

that sg is in your module already, right?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

yes

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

but i want you to confirm that the rules are ok (and there was no regression when we updated the modules)

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

checking

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

it is set to all->all

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

both directions?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

from cluster to workers and from workers to cluster?

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

yup

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

outbound is all->all 0.0.0.0

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

maybe a vpc issue. 1 sec

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

they are in the same VPC?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

cluster and workers?

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

yeah

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

i used a custom module built off the public one (not the one in your example)

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

going to use the setup from your complete

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

ok, please test it, if still issues, let me know and I’ll spawn a cluster and go through everything again

1
johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

ok…it is recreated with essentially the same TF as your complete example

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)
module "vpc" {
  source     = "git::<https://github.com/cloudposse/terraform-aws-vpc.git?ref=master>"
  namespace  = "${local.namespace}"
  stage      = "${var.stage}"
  name       = "${var.application_name}"
  tags       = "${local.tags}"
  cidr_block = "${var.cidr_block}"
}

module "subnets" {
  source              = "git::<https://github.com/cloudposse/terraform-aws-dynamic-subnets.git?ref=master>"
  availability_zones  = "${data.aws_availability_zones.available.names}"
  namespace           = "${local.namespace}"
  stage               = "${var.stage}"
  name                = "${var.application_name}"
  tags                = "${local.tags}"
  region              = "${data.aws_region.current.name}"
  vpc_id              = "${module.vpc.vpc_id}"
  igw_id              = "${module.vpc.igw_id}"
  cidr_block          = "${module.vpc.vpc_cidr_block}"
  nat_gateway_enabled = "true"
}

module "eks_cluster" {
  source = "git::<https://github.com/cloudposse/terraform-aws-eks-cluster.git?ref=master>"

  namespace = "${local.namespace}"
  name      = "${var.application_name}"
  stage     = "${var.stage}"
  tags      = "${var.tags}"

  subnet_ids = ["${module.subnets.public_subnet_ids}"]
  vpc_id     = "${module.vpc.vpc_id}"

  # `workers_security_group_count` is needed to prevent `count can't be computed` errors
  workers_security_group_ids   = ["${module.eks_workers.security_group_id}"]
  workers_security_group_count = 1
}

module "eks_workers" {
  source = "git::<https://github.com/cloudposse/terraform-aws-eks-workers.git?ref=master>"

  namespace = "${local.namespace}"
  stage     = "${var.stage}"
  name      = "${var.application_name}"
  tags      = "${var.tags}"
  key_name  = "jcbii-ops-prod"

  instance_type               = "m5.xlarge"
  associate_public_ip_address = true

  vpc_id            = "${module.vpc.vpc_id}"
  subnet_ids        = ["${module.subnets.public_subnet_ids}"]
  health_check_type = "EC2"

  min_size                  = 3
  max_size                  = 5
  wait_for_capacity_timeout = "10m"

  cluster_name                       = "${local.full_name}"
  cluster_endpoint                   = "${module.eks_cluster.eks_cluster_endpoint}"
  cluster_certificate_authority_data = "${module.eks_cluster.eks_cluster_certificate_authority_data}"
  cluster_security_group_id          = "${module.eks_cluster.security_group_id}"

  # Auto-scaling policies and CloudWatch metric alarms
  autoscaling_policies_enabled           = "true"
  cpu_utilization_high_threshold_percent = "80"
  cpu_utilization_low_threshold_percent  = "20"
}
johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

converting to a closer usage of complete by using the labels

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

weird. using complete directly resulted in:

Apply complete! Resources: 35 added, 0 changed, 0 destroyed.

Outputs:

config_map_aws_auth = 
eks_cluster_arn = 
eks_cluster_certificate_authority_data = 
eks_cluster_endpoint = 
eks_cluster_id = 
eks_cluster_security_group_arn = 
eks_cluster_security_group_id = 
eks_cluster_security_group_name = 
eks_cluster_version = 
kubeconfig = 
workers_autoscaling_group_arn = 
workers_autoscaling_group_default_cooldown = 
workers_autoscaling_group_desired_capacity = 
workers_autoscaling_group_health_check_grace_period = 
workers_autoscaling_group_health_check_type = 
workers_autoscaling_group_id = 
workers_autoscaling_group_max_size = 
workers_autoscaling_group_min_size = 
workers_autoscaling_group_name = 
workers_launch_template_arn = 
workers_launch_template_id = 
workers_security_group_arn = 
workers_security_group_id = 
workers_security_group_name =
johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

@Andriy Knysh (Cloud Posse) any idea why it doesn’t even attempt to run the eks cluster?

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

i copied example/complete, created a tfvars file with customizations, and ran it

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

hmmm…. when you run the example, it should create everything, tested it many times

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

what do you mean by “it doesn’t even attempt to run the eks cluster”?

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

i downloaded files, created tfvars, ran apply, and it only did the vpc parts

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

the only change was the path to the eks_cluster module

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

plan is empty (no changes) and output has no value

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

this is weird

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

ok, can you clone the repo to your computer, go to the example/complete folder, update [variables.tf](http://variables.tf) with your values, and run terraform plan from the example folder

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

pretty much exactly what i did, but i’ll do it from a clone

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

(the example uses the cluster module itself, which is in the repo)

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

yup

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

Plan: 35 to add, 1 to change, 0 to destroy.

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

no eks cluster in there

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

too big to post. 1 sec

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)
  + module.subnets.aws_eip.default[0]
  + module.subnets.aws_eip.default[1]
  + module.subnets.aws_eip.default[2]
  + module.subnets.aws_nat_gateway.default[0]
  + module.subnets.aws_nat_gateway.default[1]
  + module.subnets.aws_nat_gateway.default[2]
  + module.subnets.aws_network_acl.private
  + module.subnets.aws_network_acl.public
  + module.subnets.aws_route.default[0]
  + module.subnets.aws_route.default[1]
  + module.subnets.aws_route.default[2]
  + module.subnets.aws_route_table.private[0]
  + module.subnets.aws_route_table.private[1]
  + module.subnets.aws_route_table.private[2]
  + module.subnets.aws_route_table.public
  + module.subnets.aws_route_table_association.private[0]
  + module.subnets.aws_route_table_association.private[1]
  + module.subnets.aws_route_table_association.private[2]
  + module.subnets.aws_route_table_association.public[0]
  + module.subnets.aws_route_table_association.public[1]
  + module.subnets.aws_route_table_association.public[2]
  + module.subnets.aws_subnet.private[0]
  + module.subnets.aws_subnet.private[1]
  + module.subnets.aws_subnet.private[2]
  + module.subnets.aws_subnet.public[0]
  + module.subnets.aws_subnet.public[1]
  + module.subnets.aws_subnet.public[2]
  + module.vpc.aws_internet_gateway.default
  + module.vpc.aws_vpc.default
  + module.subnets.module.nat_label.null_resource.default
  + module.subnets.module.private_label.null_resource.default
  + module.subnets.module.private_subnet_label.null_resource.default
  + module.subnets.module.public_label.null_resource.default
  + module.subnets.module.public_subnet_label.null_resource.default
  + module.vpc.module.label.null_resource.default
johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

and ~ module.subnets.data.aws_vpc.default

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

that’s from the clone

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

providers:

├── provider.aws
├── provider.local
├── provider.null
├── module.cluster_label
├── module.eks_cluster
│   ├── provider.aws (inherited)
│   ├── provider.template
│   └── module.label
├── module.eks_workers
│   ├── provider.aws (inherited)
│   ├── provider.template
│   ├── module.autoscale_group
│       ├── provider.aws (inherited)
│       ├── provider.null
│       └── module.label
│   └── module.label
├── module.label
├── module.subnets
│   ├── provider.aws (inherited)
│   ├── module.nat_label
│       └── provider.null
│   ├── module.private_label
│       └── provider.null
│   ├── module.private_subnet_label
│       └── provider.null
│   ├── module.public_label
│       └── provider.null
│   └── module.public_subnet_label
│       └── provider.null
└── module.vpc
    ├── provider.aws (inherited)
    └── module.label
        └── provider.null
johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

true vs “true”

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

applying again

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

this has been a rough 24 hours. eks is not my friend right now

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

i’ll direct message you my test repo, which is exact copy of the cloudposse example

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

just ran terraform plan on it: Plan: 65 to add, 1 to change, 0 to destroy.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

hope it will work for you

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

it worked. map didn’t run because of “true” vs true again, but doing that now

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

so will verify the cluster in a sec

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

NODES!!!!

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

wow you got NODES!!!

party_parrot1
jeffrey avatar
jeffrey

Has anyone here experienced an issue with permissions after generating an aws key pair through terraform? I have an elastic beanstalk environment and application that needs an ssh key attached. everything runs smoothly if i generate the key pair through the console and specify the hard-coded name to EC2KeyName. however, if I generate the aws key pair using https://github.com/cloudposse/terraform-aws-key-pair, i get an error about the role policy not having the proper permissions

cloudposse/terraform-aws-key-pair

Terraform Module to Automatically Generate SSH Key Pairs (Public/Private Keys) - cloudposse/terraform-aws-key-pair

jeffrey avatar
jeffrey

here’s the error message:

Environment health has transitioned from Pending to Severe. ELB processes are not healthy on all instances. Initialization in progress (running for 11 minutes). None of the instances are sending data. Access denied while accessing Auto Scaling and Elastic Load Balancing using role "arn:aws:iam::<>:role/aws-elasticbeanstalk-service-role". Verify the role policy. ELB health is failing or not available for all instances.
cloudposse/terraform-aws-key-pair

Terraform Module to Automatically Generate SSH Key Pairs (Public/Private Keys) - cloudposse/terraform-aws-key-pair

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Hrm… that’s really odd

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

my gut tells me the relationship is a red herring

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

could the key be getting generated in a region other than the beanstalk environment?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@johncblandii (Cloud Posse) are you using our terraform-aws-key-pair module with yoru beanstalk environments?

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

No. We lock down our instances.

jeffrey avatar
jeffrey

appreciate the quick response guys. the region is definitely the same, and I can see it in the console after it’s created

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

is this a depends_on issue? the key is generated after the beanstalk env?

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

…basically a race issue

jeffrey avatar
jeffrey

i reference the name of the key from the module, so that doesn’t seem to be the case. i also generated the graph using terraform graph, it looks correct that way

jeffrey avatar
jeffrey

let me try depends_on to be 100% sure though

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

if you gen the key first then the beanstalk, does it work

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

depends_on won’t work on modules until .12

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

< and by “gen key” i mean with tf apply -target

jeffrey avatar
jeffrey

let me give that a shot

jeffrey avatar
jeffrey

@johncblandii (Cloud Posse) ah yes, explicitly generating the key with tf apply -target beforehand, then running tf apply succeeds. any recommendations on creating module dependencies? i thought implicit dependencies came from any variable references

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

@Erik Osterman (Cloud Posse) has a link he has to share with us all who hit this problem.

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

.12 can’t come fast enough

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

yea, seriously

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

that’s it.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

It’s more about “count of cannot be computed”, but the two-phased approach is mentioned there

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We often have a Makefile in our projects

jeffrey avatar
jeffrey

awesome, thanks for the link

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

why do the Makefile’s download a tf version? why not use my local one?

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)
/Library/Developer/CommandLineTools/usr/bin/make terraform/install terraform/get-modules terraform/get-plugins terraform/lint terraform/validate
Installing Terraform 0.10.7 (darwin) from <https://releases.hashicorp.com/terraform/0.10.7/terraform_0.10.7_darwin_amd64.zip>
######################################################################## 100.0%
/Users/john.bland/Work/terraform-aws-efs/build-harness/vendor/terraform version
Terraform v0.10.7

Your version of Terraform is out of date! The latest version
is 0.11.10. You can update by downloading from www.terraform.io/downloads.html
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

so we sandbox everything in the build-harness

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

only way to have a chance of escaping the “works on my machine” syndrome

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

coolio

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

what command were you trying to run?

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

any reason it isn’t using the latest version?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@solairerove is helping us keep packages up to date until we can automate it

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

coolio

solairerove avatar
solairerove

ready to approve

solairerove avatar
solairerove
cloudposse/build-harness

Collection of Makefiles to facilitate building Golang projects, Dockerfiles, Helm charts, and more - cloudposse/build-harness

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

thanks

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

make init

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

hrm

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

surprised we install terraform on make init

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

sorry…lint

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

aha, ok that make more sense.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

we don’t have an automated process yet for opening PRs to bump versions

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I want to add it to our cloudposse/packages

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

for now, i’ll open an issue and we’ll get that version bumped

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

gotcha

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

what’s the secret sauce to run before pushing?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

oh, for the docs?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

make readme

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

(assumes at some point you’ve run make readme/deps)

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

yup. got that one

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

thought there was another too, but seems that did ok

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

fmt?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

terraform fmt

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

clear there

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

check the .travis.yml for all the steps

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

cool. just don’t want to waste your time when I put the PR up

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

ah, good to know

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

haha, appreciated it!

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
make init
make readme/deps
make readme
johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

cool

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

thoughts?

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

pushed a quick update on the readme

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

btw, example might need some work

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

let me actually make those changes

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

Thanks

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

np

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

pushed

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

ran it within my eks work and it worked

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
11:28:10 PM
johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

All facts

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@Dombo thanks!

pericdaniel avatar
pericdaniel

Okay I’m going crazy

pericdaniel avatar
pericdaniel

Why isn’t this working

pericdaniel avatar
pericdaniel

variable “allowed_ports” { type = “list” description = “List of allowed ingress ports” default = [“22”,”88”] }

pericdaniel avatar
pericdaniel

from_port = “${element(var.allowed_ports, count.index)}” to_port = “${element(var.allowed_ports, count.index)}”

pericdaniel avatar
pericdaniel

It only adds port 22 to sg

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

use count

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

show the whole module where you have

from_port         = "${element(var.allowed_ports, count.index)}"
 to_port           = "${element(var.allowed_ports, count.index)}"
pericdaniel avatar
pericdaniel

Ah let me add thay

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-aws-eks-cluster

Terraform module for provisioning an EKS cluster. Contribute to cloudposse/terraform-aws-eks-cluster development by creating an account on GitHub.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

you use count in the resource, and then you can use count.index

pericdaniel avatar
pericdaniel

I think I got it!

pericdaniel avatar
pericdaniel

Having some other route table shennigans now

pericdaniel avatar
pericdaniel

I know what’s up

pericdaniel avatar
pericdaniel

Do you have an example of running a bunch of Linux commands on a box through a tpl file?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-aws-eks-workers

Terraform module to provision an AWS AutoScaling Group, IAM Role, and Security Group for EKS Workers - cloudposse/terraform-aws-eks-workers

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-aws-eks-workers

Terraform module to provision an AWS AutoScaling Group, IAM Role, and Security Group for EKS Workers - cloudposse/terraform-aws-eks-workers

pericdaniel avatar
pericdaniel

Thank you!

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-aws-user-data-cloud

Contribute to cloudposse/terraform-aws-user-data-cloud development by creating an account on GitHub.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-aws-user-data-assets

Contribute to cloudposse/terraform-aws-user-data-assets development by creating an account on GitHub.

pericdaniel avatar
pericdaniel

How do you know when to base64encode?

pericdaniel avatar
pericdaniel

@Andriy Knysh (Cloud Posse) I want to usersata this

pericdaniel avatar
pericdaniel

###Gitlab bootstrap ​

#!/bin/bash ​

# Install GitLab sudo apt-get update sudo apt-get install -y curl openssh-server ca-certificates apt-get update echo ‘postfix postfix/mailname string ${1}’ | debconf-set-selections echo ‘postfix postfix/main_mailer_type string "Internet Site"’ | debconf-set-selections ​ ​ ​

# Get Repository curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.deb.sh | sudo bash sudo EXTERNAL_URL=”http://gitlabtest.com” apt-get install gitlab-ee

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

anyone here send EC2 instance status events (cloudwatch + sns +lambda) to slack?

loren avatar

maybe checkout this aws-to-slack lambda… it supports the AWS Health Dashboard, https://github.com/arabold/aws-to-slack#what-is-it

arabold/aws-to-slack

Forward AWS CloudWatch Alarms and other notifications from Amazon SNS to Slack. - arabold/aws-to-slack

loren avatar

wrote a tf module based around that lambda function… https://github.com/plus3it/terraform-aws-slack-notifier

plus3it/terraform-aws-slack-notifier

Terraform module that builds and deploys a lamdbda function for the aws-to-slack package. - plus3it/terraform-aws-slack-notifier

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

like those hardware failure notices, scheduled maintenance, etc

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

we have the module for sns<->slack

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

we’re missing the cloudwatch side

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@Erik Osterman (Cloud Posse) have you setup an EC2 health check feed into slack before?

jamie avatar

No, nothing handy.

@Erik Osterman (Cloud Posse) have you setup an EC2 health check feed into slack before?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@jamie or @maarten might have something

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
cloudposse/tfenv

Transform environment variables for use with Terraform (e.g. TF_VAR_lower_case) - cloudposse/tfenv

1
johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

nice!

cloudposse/tfenv

Transform environment variables for use with Terraform (e.g. TF_VAR_lower_case) - cloudposse/tfenv

rohit avatar

Is there a way to define the order in which output variables display ?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

not really

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

i think that if you put them all in the same file, they will output in that order they appear (but just a hunch)

rohit avatar

they don’t appear in the same order

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

hrm…

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

then I don’t think there is a way “out of the box”

rohit avatar

not a big deal, thought there would be something already available to do this

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

you can emit them in json and then do what ever you want (E.g. with jq)

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

terraform output -format=json | jq ...

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

(or something like that)

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
cloudposse/test-harness

Collection of Makefiles and test scripts to facilitate testing Terraform modules, Kubernetes resources, Helm charts, and more - cloudposse/test-harness

rohit avatar

nice

rohit avatar

that works for me

rohit avatar

thanks

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

isn’t it just in alphabetical order?

1
rohit avatar

yes it is

2018-12-14

Shane avatar

You are about 3 days late on that

1
johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

Question: when moving state (due to a refactor of my files/approach), what’s the proper format? I’m trying to automate it with a simple ruby script.

Inside is basically the efs, eks_cluster, and eks_workers module in the modules/cluster and the route53 module in modules/route53. Previously I ran the whole thing from the modules folder as it wasn’t expected to grow in the way it did, but it continues to grow so I moved them to modules with a root level project to kick it all off.

Any thoughts would be appreciated.

New structure:

├── modules
│   ├── cluster
│   │   ├── efs.tf
│   │   ├── kubectl.tf
│   │   ├── main.tf
│   │   ├── outputs.tf
│   │   └── variables.tf
│   └── route53
│       ├── main.tf
│       ├── outputs.tf
│       └── variables.tf
 | main.tf

Old structure:

├── cluster
│   ├── efs.tf
│   ├── kubectl.tf
│   ├── main.tf
│   ├── outputs.tf
│   └── variables.tf
└── route53
|   ├── main.tf
|   ├── outputs.tf
|   └── variables.tf
joshmyers avatar
joshmyers

argh, moving state en mass is a pain if you have lots of resources

joshmyers avatar
joshmyers

What do you mean by proper format?

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

the mv format

joshmyers avatar
joshmyers

Still not sure I follow. The format is as defined when you do a terraform state list

joshmyers avatar
joshmyers
05:07:46 PM
joshmyers avatar
joshmyers

terraform state mv module.certificate.aws_route53_zone.default module.MY_RENAMED_MODULE.aws_route53_zone.default

1
loren avatar

just moving the files doesn’t necessarily mean they will move in the state…

joshmyers avatar
joshmyers

Indeed

joshmyers avatar
joshmyers

The statefile has no idea how your files are ogranised. If you have changed resource names and don’t want Terraform to throw the old ones away and create your new ones, use state mv for example

loren avatar

yeah, renaming resources or modules inside your terraform config is when state mv comes into play. avoid that, and you should still be golden, regardless of how you organize the files

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

so I’m moving the state as well

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

state was in cluster/. I’m moving it to the root

loren avatar

local state, just a file in the repo? (i.e. no backend?)

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

correct. just working locally right now

loren avatar

then you ought to be able to just move the file and it should still work

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

I did and it wanted to create 60+ things

loren avatar

then you renamed modules or nested them or something

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

right

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

that’s why I’m looking for the proper syntax to move the state

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

specifically when it is nested

loren avatar

yep, i hit this issue before too, struggled for a long time to figure out the nested address… hmm….

loren avatar

what i think i did before is build it one time using the new layout in a new account, then used state list to get the new state addresses, then i was able to map those to the old state addresses and use state mv to move everything

loren avatar

but the general format for the nested module is something like this:

module.<module_name>.module.<nested_module_name>.<resource_type>.<resource_name>
loren avatar

you might be able to move whole modules, which mostly worked for me but still left a couple cleanup items…

terraform state mv module.<module_name> module.<module_name>.module.<nested_module_name>
johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

ok cool. i’ll give it a whirl after this meeting and report back. thx

joshmyers avatar
joshmyers

Have you renamed any of your resources? e.g. aws_instance.foo -> aws_instance.bar ?

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

nah, resources are the same except the root now has a module wrapping the module/cluster

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

so module cluster -> modules/cluster -> eks, efs, etc

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

module route53 -> modules/route53 -> route53

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@jamie I noticed that “test kitchen” is by new context. Have you used it much over there?

1
jamie avatar

Sadly no. The companies I’m working currently with are not coming from a test driven design background. So it’s not come up. But I read through the docs for this. And found a few others that were recommended through reddit threads.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Yes - precisely

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We want to have a standard test-suite (plan, apply restroy), in addition to eventually custom functional tests

jamie avatar
<