#terraform (2018-12)

terraform Discussions related to Terraform or Terraform Modules

Archive: https://archive.sweetops.com/terraform/

2018-12-28

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
cloudposse/reference-architectures

Get up and running quickly with one of our reference architectures using our fully automated cold-start process. - cloudposse/reference-architectures

pecigonzalo avatar
pecigonzalo

Awesome stuff! I have one question: you have the identity and root account descriptions both stating that it is the place to add users and delegate, or where users log in. I guess “identity” is an optional account in case you don’t want your users on root?


Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Yes, exactly!

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We haven’t built out our examples to support identity yet (we’re using root), but this is the eventual goal.

pecigonzalo avatar
pecigonzalo

👍 makes sense

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We’ve released the first version of our “reference architectures” cold start automation process.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

This will get you set up with #geodesic starting with a fresh AWS account.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

(just used this to provision the account infra for one of our customers)

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@Jan @mcrowe @Dombo @daveyu @rohit.verma @rohit.verma @tamsky

Jan avatar

Brilliant work mate!

2018-12-26

Gabe avatar

@mrwacky ^^

mrwacky avatar
mrwacky

fancy

Sanjay avatar
Sanjay

Question regarding https://github.com/cloudposse/terraform-aws-datadog-integration .. Once I run the code should I go to datadog console and fill the AWS integration form again to complete the integration install ? ExternalID is changing every time I open the AWS integration form under my datadog account

cloudposse/terraform-aws-datadog-integration

Terraform Module for integration DataDog with AWS. Contribute to cloudposse/terraform-aws-datadog-integration development by creating an account on GitHub.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@Sanjay - It’s been a while since we set that up, so I cannot recall seeing that

maarten avatar
maarten

@Sanjay the Datadog page is confusing. From what I remember, first open the page, to get the external ID. Then run Terraform, then back to the Datadog page, find a way to Save. I made the mistake often to get a new id instead of just saving it.

Sanjay avatar
Sanjay

Thanks @maarten and @Erik Osterman (Cloud Posse).. Yes it is a 3 step process 1) Get external ID 2) Run TF code for integration which creates IAM role 3) Go back to Datadog console and input IAM role and AccountID to complete the integration. Was wondering if there is a way to do everything using TF code rather than using console ?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I opened this issue to track the process

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
Document Setup Process · Issue #7 · cloudposse/terraform-aws-datadog-integration

what Missing documentation describing setup process it is a 3 step process 1) Get external ID 2) Run TF code for integration which creates IAM role 3) Go back to Datadog console and input IAM role …

Sanjay avatar
Sanjay

Also one other question I had is about https://github.com/cloudposse/terraform-datadog-monitor . Do we need to run integration first or can we just run the monitors code independently without installing AWS integration.. Here it is using API KEY and APP KEY

cloudposse/terraform-datadog-monitor

Terraform module to provision Standard System Monitors (cpu, memory, swap, io, etc) in Datadog - cloudposse/terraform-datadog-monitor

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@Sanjay from what I recall they are disjoint

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

so the terraform-datadog-monitors module sets up the alerts, but the metrics themselves come from the datadog agents, which are not covered by any of our modules

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

the terraform-aws-datadog-integration enables datadog to scrape metrics from cloudwatch/rds, but I don’t think the terraform-datadog-monitor module is setup to work with it.

2018-12-25

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

TIL:


2018-12-24

kmcquade avatar
kmcquade

It shows as healthy. I did see that the Jenkins container exposes port 8080 but the ALB listener points to port 80. Do you think that’s the issue?

kmcquade avatar
kmcquade

Not sure if that’s just an elastic beanstalk thing. Haven’t worked with it before

Steven avatar
Steven

It is normal for the container port and alb port to be different

Kinnaird McQuade avatar
Kinnaird McQuade
06:51:52 PM

figured out the issue.

Kinnaird McQuade avatar
Kinnaird McQuade

i set “null” to the github_oauth_token parameter instead of actually leaving it blank

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Thanks for reporting back! If you wouldn’t mind - maybe a good idea to open the issue against the repo in case others make the same mistake.

Kinnaird McQuade avatar
Kinnaird McQuade

sure thing. let me figure out the solution first and then i’ll happily open up an issue

2018-12-23

Kinnaird McQuade avatar
Kinnaird McQuade

Question about https://github.com/cloudposse/terraform-aws-jenkins. After setup, I navigated to the URL and saw the Elastic Beanstalk splash page - “Congratulations! Your Docker Container is now running in Elastic Beanstalk on your own dedicated environment in the AWS Cloud.” Am I doing something wrong here? Or is this a current bug? Any ideas?

cloudposse/terraform-aws-jenkins

Terraform module to build Docker image with Jenkins, save it to an ECR repo, and deploy to Elastic Beanstalk running Docker stack - cloudposse/terraform-aws-jenkins

Kinnaird McQuade avatar
Kinnaird McQuade

Love the terraform modules you guys put out, by the way

Jan avatar

Maybe in the aws console go look at the created elb and see if it’s target is set and shows as healthy

Jan avatar

I have not run that module myself though

2018-12-22

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

PSA don’t use boolean types in terraform.

https://github.com/cloudposse/docs/issues/342

How does terraform handle booleans? · Issue #342 · cloudposse/docs

What Document why in terraform booleans should be expressed as type string rather than type boolean. Why The boolean default value true does not work consistently as expected and will in some cases…

2018-12-21

Shane avatar
Shane

Someone want to go rewrite landscape in golang

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

yes, please!

davidvasandani avatar
davidvasandani

diff renderer changes are coming with 0.12 https://github.com/hashicorp/terraform/issues/15180#issuecomment-435241641

but 0.12 still leaves something to be desired:

  # aws_iam_role_policy.policy will be created
  + resource "aws_iam_role_policy" "policy" {
      + id     = (known after apply)
      + name   = "tf-example-policy"
      + policy = "{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Action\": [\n        \"kinesis:PutRecord\",\n        \"kinesis:PutRecords\"\n      ],\n      \"Resource\": [\n        \"*\"\n      ],\n      \"Effect\": \"Allow\"\n    }\n  ]\n}\n"
      + role   = (known after apply)
    }

vs 0.11 w/ landscape

+ aws_iam_role_policy.policy
    id:       "<computed>"
    name:     "tf-example-policy"
    policy:   {
                "Statement": [
                  {
                    "Action": [
                      "kinesis:PutRecord",
                      "kinesis:PutRecords"
                    ],
                    "Effect": "Allow",
                    "Resource": [
                      "*"
                    ]
                  }
                ],
                "Version": "2012-10-17"
              }
    role:     "${aws_iam_role.role.id}"
rohit avatar
rohit

Is it possible to apply selected changes from terraform plan?

Shane avatar
Shane

No, you must do a targeted terraform plan

Shane avatar
Shane

At least I’m about 90% certain

rohit avatar
rohit

how does that work?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

so for example, based on @davidvasandani’s text grab above, we could run

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
terraform apply -target aws_iam_role_policy.policy
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

to only apply that change

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

the same is true for modules

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

or similarly

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
terraform plan -out planfile
terraform apply planfile
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

this will only apply the changes that are in the planfile

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

and plan supports -target as well

rohit avatar
rohit

that’s awesome

rohit avatar
rohit

i am not aware of all the capabilities that terraform provides

rohit avatar
rohit

so whenever i need something, i go and check if terraform that specific feature

lvh avatar

hey; I got bit by https://github.com/cloudposse/terraform-aws-tfstate-backend/commit/86b17f16e0c95244e87c859c18e28afa4deb1783

in particular because terraform-aws-tfstate-backend doesn’t have an “environment”, we synthesized it:

module "terraform_state_backend" {
  source      = "git::https://github.com/cloudposse/terraform-aws-tfstate-backend.git?ref=master"
  # The terraform_state_backend module, unlike other CloudPosse modules, does
  # not have an "environment" argument, so we synthesize it.
  namespace   = "${var.namespace}-${var.client_codename}"
  # environment = ""
  stage       = "${var.stage}"
  name        = "${var.name}"
  region      = "${var.aws_region}"
}
Support latest version of terraform-null-label and its variables (#10) · cloudposse/[email protected]
  • Support latest version of terraform-null-label and its variables. Bumps version of terraform-null-label to 0.5.3 (latest at time of writing). Copies variable descriptions from new version. …
lvh avatar

the new version deletes the dashes

lvh avatar

there doesn’t seem to be an obvious workaround for that

lvh avatar

unless the new thing takes an environment? let’s see

lvh avatar

(I have other code that imports state so it cares p deeply about what the exact bucket name is – and because it’s importing state to bootstrap, it can’t just ask the current state what the bucket name is)

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

sorry @lvh, we messed it up

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

we’ll fix it

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

can you pin to the previous release for now?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

(don’t use master)

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-root-modules

Example Terraform service catalog of “root module” invocations for provisioning reference architectures - cloudposse/terraform-root-modules

lvh avatar

sure no problem

lvh avatar

I was able to fix the naming issue by setting the environment var though

lvh avatar

still can’t reach the module outputs? but not sure that has anything to do with the change

lvh avatar
    {
      "path": [
        "root",
        "terraform_state_backend"
      ],
      "outputs": {},
      "resources": {},
      "depends_on": []
    },

… weirdly

lvh avatar

nuking the env and starting over fixed it, oh well

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

don’t use master

lvh avatar

okiedokie, this doesn’t really strike me as a bug, but I’ll pin a tag anyway

2018-12-20

rohit avatar
rohit

I am facing weird issues with aws_launch_template resource where when we work with the same code on mac vs windows

rohit avatar
rohit

everytime my teammate or i run terraform plan it shows that there is a change in the launch template

rohit avatar
rohit

and i believe it is because of

  user_data = "${base64encode(data.template_file.user-data.rendered)}"
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

if you are using file for template (not inline), the path will be different on diff systems

rohit avatar
rohit

is there a way to fix/avoid this issue?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-aws-eks-cluster

Terraform module for provisioning an EKS cluster. Contribute to cloudposse/terraform-aws-eks-cluster development by creating an account on GitHub.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

but we did not test it on Windows, so don’t know if it will behave differently

rohit avatar
rohit

yes

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

that’s why it’s better to use containers for that (geodesic is a good example)

rohit avatar
rohit

Sorry, I don’t understand how this issue is related to containers?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

reproducibility

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

the same result on mac, windows and linux

rohit avatar
rohit

ohh i see

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

everybody uses the same container

rohit avatar
rohit

that makes sense

rohit avatar
rohit
data "template_file" "user-data" {
  template = "${file("${path.cwd}/modules/compute/frontend/user-data.sh.tpl")}"

  vars = {
    app_env               = "${terraform.workspace}"
  }
}
rohit avatar
rohit

@Andriy Knysh (Cloud Posse) above is how I am currently using template_file

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

maybe try path.module and see what happens

rohit avatar
rohit

@Andriy Knysh (Cloud Posse) i tried this and received the following error

no such file or directory in:

${file("${path.module}/modules/compute/tde/user-data.sh.tpl")}
rohit avatar
rohit

any other ideas?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

what’s your folder structure?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

path.module will give you the root path, where you have main.tf

rohit avatar
rohit

i do have the full path

rohit avatar
rohit
template = "${file("${path.module}/modules/compute/frontend/user-data.sh.tpl")}"
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@rohit I don’t know your folder structure so it’s difficult to say anything, but you can test it by reading the file in the data template (as you showed above), and then output it as shown here https://github.com/cloudposse/terraform-aws-eks-cluster/blob/master/outputs.tf#L3


Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

play with the full path in template = "${file("${path.module}/modules/compute/frontend/user-data.sh.tpl")}" until TF could find the file

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
Interpolation Syntax - Terraform by HashiCorp

Embedded within strings in Terraform, whether you’re using the Terraform syntax or JSON syntax, you can interpolate other values into strings. These interpolations are wrapped in ${}, such as ${var.foo}.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

also, you sure that the template files on mac and windows are 100% identical? (e.g. line breaks on windows differ from mac)

rohit avatar
rohit

yeah line breaks differ but we are running the same code

rohit avatar
rohit

i am not sure about the settings

rohit avatar
rohit

Different question, is it currently possible to launch an ec2 instance using the launch template resource but not in an autoscaling group?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

yes

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

a launch template is just metadata with different params (stored somewhere in some AWS database). Autoscaling is a service that maintains the required number of running instances

rohit avatar
rohit

i mean using terraform

rohit avatar
rohit

i did not find an option to provide launch template id to aws_instance resource

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
AWS: aws_instance - Terraform by HashiCorp

Provides an EC2 instance resource. This allows instances to be created, updated, and deleted. Instances also support provisioning.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

many attributes are the same as in launch template

rohit avatar
rohit

yes lot of the attributes are same

rohit avatar
rohit

i did not find any resources online to do this

rohit avatar
rohit

I am thinking of creating a feature request on github

rohit avatar
rohit

Looks like there is already one

loren avatar
loren

got a pr already too, a bit long in the tooth, maybe add a thumbs up in case they sort on reactions… https://github.com/terraform-providers/terraform-provider-aws/pull/4543

r/aws_instance: Add support for launch template by gordonbondon · Pull Request #4543 · terraform-providers/terraform-provider-aws

Fixes #4264 Changes proposed in this pull request: Add support for launch template in instance resource Output from acceptance testing: make testacc TEST=./aws TESTARGS='-run=TestAccAWSInstan…

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

still pending from May 15

rbadillo avatar
rbadillo

Team, does anybody know if it is possible to escape $ in template_file ?

rbadillo avatar
rbadillo

My template file has this:

$(kubectl config current-context)
rbadillo avatar
rbadillo

by not escaping the $ it results in an empty file because somehow it is being evaluated

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

$$

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
How to escape in data template_file · Issue #17899 · hashicorp/terraform

When using data "template_file" I have an Apache config which also unfortunately uses the ${} syntax which I don't want Terraform to do substitution. I tried escaping the $ with a bac…

rbadillo avatar
rbadillo

it doesn’t work

rbadillo avatar
rbadillo

it escapes the $ if it is follow by {

rbadillo avatar
rbadillo

but not $()

rbadillo avatar
rbadillo

the double $$ is to escape interpolation no to escape the dollar sign

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
escaping of ${ does not work · Issue #19462 · hashicorp/terraform

Terraform Version Terraform v0.11.10 + provider.azurerm v1.19.0 Terraform Configuration Files 4 variable "foo" { 5 default = "foo$${bar" 6 } Expected Behavior foo contains foo${…

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

we did something like this before: template = "${replace(var.storage_account_container_readonly_template, "$$$$", "$")}"

rbadillo avatar
rbadillo

yep, looks like that’s the workaround for now

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-aws-route53-cluster-zone

Terraform module to easily define consistent cluster domains on Route53 (e.g. prod.ourcompany.com) - cloudposse/terraform-aws-route53-cluster-zone

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
Document our Semver Strategy · Issue #335 · cloudposse/docs

what it's not clear how we currently do versioning old strategy Bump patch always unless there was a “known breaking change” Bump minor anytime there was a breaking change We never bumped major…

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I’ve documented our versioning strategy so it’s more clear for others.

mrwacky avatar
mrwacky

https://www.terraform.io/docs/providers/aws/r/route53_zone_association.html
NOTE: Unless explicit association ordering is required (e.g. a separate cross-account association authorization), usage of this resource is not recommended. Use the vpc configuration blocks available within the aws_route53_zone resource instead.

Yes, but when I create the zone, all the other VPCs might not yet exist

mrwacky avatar
mrwacky

so I shall not take your advice @hashicorp

rohit avatar
rohit

@Andriy Knysh (Cloud Posse) so after playing a bit i ended up with

  template = "${file("${path.module}/user-data.sh.tpl")}"
rohit avatar
rohit

that worked but when i ran terraform plan it says there is an update to the launch template

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@rohit does the TF output show what part it wants to update?

rohit avatar
rohit

for that I will have to run terraform apply, correct?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

or plan

rohit avatar
rohit

plan doesn’t show anything

rohit avatar
rohit

it says

~ module.compute.module.frontend.aws_launch_template.frontend
      latest_version:                        "5" => "0"
      user_data:                             "encodeddata"
rohit avatar
rohit

i see it after refreshing

rohit avatar
rohit

it shows the entire userdata

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

it looks like it wants to update the latest version

rohit avatar
rohit

yeah because it thinks that there is an update to launch template

jeffrey avatar
jeffrey

has anyone come across cloudwatch alarms created through terraform not being displayed in the elastic beanstalk console, but being correctly displayed in the cloudwatch console? i’ve checked all configurations to make sure they match up, including the dimensions; however any cloudwatch alarm created through the GUI still displays in both the EB console and cloudwatch console.

the only difference between the 2 are specifying the actions to be taken when the threshold is met

Jan avatar

Have we considered using terraform-landscape yet? https://github.com/coinbase/terraform-landscape

coinbase/terraform-landscape

Improve Terraform’s plan output to be easier to read and understand - coinbase/terraform-landscape

davidvasandani avatar
davidvasandani

I love landscape. It makes the output MUCH easier to read.


davidvasandani avatar
davidvasandani

Works with terragrunt too.

Jan avatar

Awesomeness, will be pinging you next year!

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

trying not to depend on ruby

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

it installs the world

Nikola Velkovski avatar
Nikola Velkovski

node takes the cake there

davidvasandani avatar
davidvasandani

@Erik Osterman (Cloud Posse) why not use a docker image? terraform plan ... | docker run -i --rm landscape

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

so we’re running in docker

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

this will probably bloat the image by 25-40% just by adding ruby =P

davidvasandani avatar
davidvasandani

Yeah def don’t want to bloat the geodesic image.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

can someone please just rewrite this in go? =P

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@sarkis this can be your claim to fame

mrwacky avatar
mrwacky

then submit it as a PR to hashicorp

Jan avatar

Fair point

2018-12-19

antonbabenko avatar
antonbabenko

Did anyone use blue-green deployments with ECS&CodeDeploy? I am trying, but it is not so straightforward, it is more of a greenfield area than I wanted it to be… In case you will want to make it - https://gist.github.com/antonbabenko/632b54e8e488b9f48d016238792a9193

maarten avatar
maarten
silinternational/ecs-deploy

Simple shell script for initiating blue-green deployments on Amazon EC2 Container Service (ECS) - silinternational/ecs-deploy

antonbabenko avatar
antonbabenko
Support ECS deploy with CodeDeploy · Issue #168 · silinternational/ecs-deploy

Great project! Unfortunately, it does not work for my use case where I want to use it for blue-green deployments via CodeDeploy with ECS services (as described here). The error is like this: /usr/l…

rohit avatar
rohit

I am facing the same issue that is mentioned here https://github.com/hashicorp/terraform/issues/13012

aws_network_acl_rule with protocol "-1" always forces resource to be recreated · Issue #13012 · hashicorp/terraform

Terraform Version Terraform v0.9.1 Affected Resource(s) aws_network_acl_rule Terraform Configuration Files resource "aws_network_acl" "network_acl" { vpc_id = "${aws_vpc.CI…

rohit avatar
rohit

any ideas why?

Jan avatar

Do a create, then import it into another blank state (easy to do with a local test setup and remove state) and view the difference. I have seen these issues with how aws stores values vs how they are declared

rohit avatar
rohit

Do a create?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@rohit, @Jan is correct that the issue happens when TF has some settings, but after apply AWS stores diff settings. Then TF reads them from AWS and sees they are different and tries to apply it again

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
Module recreates all `settings` on each `terraform plan/apply` · Issue #43 · cloudposse/terraform-aws-elastic-beanstalk-environment

terraform-aws-elastic-beanstalk-environment recreates all settings on each terraform plan/apply setting.1039973377.name: "InstancePort" => "InstancePort" setting.1039973377.n…


2018-12-18

Trex avatar

Hi guys, I’m trying to setting cloudwatch-sns alarm via terraform. I come across with https://github.com/cloudposse/terraform-aws-rds-cloudwatch-sns-alarms

However, once applied to a single RDS, terraform records the “snapshot” in the tfstate file. When I try to apply it to another RDS, it warns that it will delete the first setup and create new resources for the second RDS.

Anyone has ideas on how to make the alarm reusable for multiple RDS instances?

cloudposse/terraform-aws-rds-cloudwatch-sns-alarms

Terraform module that configures important RDS alerts using CloudWatch and sends them to an SNS topic - cloudposse/terraform-aws-rds-cloudwatch-sns-alarms

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

ohhhhhhh

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@Trex you are correct - this is an oversight

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

the resource names are not using labels (@jamie )

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

we haven’t had a chance to get back to this

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
alarm names should be unique · Issue #5 · cloudposse/terraform-aws-rds-cloudwatch-sns-alarms

terraform doesn’t complain about the conflict, but the alarms will constantly have their dimension overwritten with every deploy if the names aren’t unique.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@Trex would you be open to contributing back a PR?

Trex avatar

yes, i will see what i can help

loren avatar
loren

grrr, hate this error so much…

value of 'count' cannot be computed
Nikola Velkovski avatar
Nikola Velkovski

ah I’ve seen that one, when you use count in locals terraform doesn’t compute it immediately

loren avatar
loren

i know why it’s happening, it’s just super frustrating

Nikola Velkovski avatar
Nikola Velkovski

yes it is

jeffrey avatar
jeffrey

hey guys, i’m currently using this module (https://github.com/cloudposse/terraform-aws-elastic-beanstalk-environment/blob/master/main.tf) or a slight variation of it given that I need to start multiple elastic beanstalk applications & environments with the same iam role and service roles. therefore i pulled out any IAM related resources out and use implicit dependencies to pass into the creation of the beanstalk apps and environments.

however, sometimes i’m getting an error about ELB health failing which is caused by the proper role and policy attachments not being attached in time. it seems like there’s a race condition going on because it succeeds about 25% of the time. have any of you encountered this before?

cloudposse/terraform-aws-elastic-beanstalk-environment

Terraform module to provision an AWS Elastic Beanstalk Environment - cloudposse/terraform-aws-elastic-beanstalk-environment

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@jeffrey please share the complete code, we’ll take a look (difficult to say anything w/o seeing the code)

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

“it succeeds about 25% of the time”

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

welcome to beanstalk!

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

if you’re starting from scratch, highly recommend you move to ECS or other container based approach

jeffrey avatar
jeffrey

@Erik Osterman (Cloud Posse) 100% agree - however, we’re making our initial move into infrastructure-as-code and would like to first mimic our existing infrastructure before making any architectural changes. we have full intentions of moving off of beanstalk shortly after

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

fair enough….

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@jeffrey let us know if you need any help

jeffrey avatar
jeffrey

@Andriy Knysh (Cloud Posse) absolutely - i appreciate you reaching out. do you mind if I draw up a diagram tomorrow morning to explain my complication? perhaps i’m just not understanding terraform completely

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

Yes let’s check it tomorrow

jeffrey avatar
jeffrey
05:27:01 PM

@Andriy Knysh (Cloud Posse) here’s a quick diagram i drew up of iam-related dependencies. this part should be identical to how they’re defined in the cloudposse repo, besides the fact that it’s been pulled out to a separate module so that it can be provided as a parameter so multiple beanstalk environments and apps can share the same service roles and instance profiles.

starting from the left, the Service AWS IAM role is created, which both the Enhanced Health and Beanstalk Service role policy attachments have a dependency on. on the right side, the EC2 AWS IAM role is created, which the Default role policy, Web tier Role Policy Attachment, Worker tier Role Policy Attachment, and EC2 instance profile all have a dependency on.

As for elastic beanstalk, the environment is dependent on the Service AWS IAM role, and the application is dependent on the Service AWS IAM role and EC2 instance profile. however, because there isn’t a strict dependency that the Enhanced Health role policy is attached to the Service AWS IAM role before the EB environment is created, oftentimes I’m noticing that the environment is being created immediately after the IAM role is created but before the enhanced health policy is attached. as a result of this, I get the “ELB health is failing” because the health can’t be communicated back yet. I can’t use depends_on in this case because I’m not using these as resources in the same file, but rather, the EB env and application are modules

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

is that during terraform apply?

davidvasandani avatar
davidvasandani

@jeffrey would it be alright if we helped you modify the existing module to accept an IAM role as a variable?

:point_up_2:1
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

yep, and for backwards compatibility, we need to check if a role was provided and use it, otherwise fall back to creating a new one

:+1:1
jeffrey avatar
jeffrey

apologize for the delayed response!

here’s the module that calls elastic beanstalk application

module "api_server_app" {
  source                    = "../modules/app"
  beanstalk_app_description = "api server application"
  beanstalk_app_name        = "${var.stack_name}-api-server"
  iam_role_arn              = "${aws_iam_role.beanstalk_service.arn}"
}

where “../modules/app” contains the following:

resource "aws_elastic_beanstalk_application" "default" {
  description = "${var.beanstalk_app_description}"
  name        = "${var.beanstalk_app_name}"

  appversion_lifecycle {
    service_role          = "${var.iam_role_arn}"
    max_count             = 128
    delete_source_from_s3 = true
  }
}
jeffrey avatar
jeffrey

here’s the module that calls the elastic beanstalk environment:

module "poms_api_server" {
  source     = "../modules/beanstalk"
  app        = "${module.poms_api_server_app.app_name}"
  keypair    = "${module.key.key_name}"
  stack_name = "${var.stack_name}"
  subnets    = "${join(",","${module.vpc.beanstalk_subnets}")}"
  vpc_id     = "${module.vpc.vpc_id}"

  # IAM
  instance_profile_name = "${aws_iam_instance_profile.beanstalk_ec2.name}"

  # LB
  service_role_arn = "${aws_iam_role.beanstalk_service.name}"
}

where the “../modules/beanstalk” only contains the elastic beanstalk environment code from https://github.com/cloudposse/terraform-aws-elastic-beanstalk-environment/blob/master/main.tf (minus iam roles, security groups, s3 buckets, and the environment variables), and slight modifications in the variable naming

cloudposse/terraform-aws-elastic-beanstalk-environment

Terraform module to provision an AWS Elastic Beanstalk Environment - cloudposse/terraform-aws-elastic-beanstalk-environment

jeffrey avatar
jeffrey

@davidvasandani thanks - the existing module currently accepts the IAM role as a variable already. however, this is what I believe - i’m creating the iam role, then creating additional role policy attachments onto it for enhanced health and beanstalk service. however, the application is dependent on just the iam role and begins creation immediately when it’s ready, but before the role policies have been fully created/attached

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
Configuring Resources - Terraform by HashiCorp

The most important thing you’ll configure with Terraform are resources. Resources are a component of your infrastructure. It might be some low level component such as a physical server, virtual machine, or container. Or it can be a higher level component such as an email provider, DNS record, or database provider.

1
jeffrey avatar
jeffrey

thanks - i’ll see what i can do here. i was hoping there was another solution given that none of the elastic beanstalk examples i’ve seen actually used depends_on and only resources could have depends_on rather than modules

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

another thing you can try is this:

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

here

  instance_profile_name = "${aws_iam_instance_profile.beanstalk_ec2.name}"

  # LB
  service_role_arn = "${aws_iam_role.beanstalk_service.name}"
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

you use the names, but TF will calculate the names before the resources get created

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

if you use the IDs, then TF will wait for the resources to be created by AWS

1
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

(and you prob need to use arn here, not name): service_role_arn = "${aws_iam_role.beanstalk_service.arn}"

jeffrey avatar
jeffrey

oh awesome, i’ll try those. so you suggest using ids in both these instances?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

well, in one

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

the other needs arn, no?

jeffrey avatar
jeffrey

within the service role i’ve tried the arn and the name before, both ran successfully so i’m assuming it does a lookup

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

hmmm

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

but those are diff things

jeffrey avatar
jeffrey

i’ll run through those again and make sure the resources being created are as expected. at the time, i was making sure the script was compiling correctly. appreciate the tips!

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

anyone pretty familiar with cross-account terraform with assumed roles?

maarten avatar
maarten

think so yes

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
provider "aws" {
  alias = "testing"
  assume_role {
    role_arn = "arn:aws:iam::126450723953:role/OrganizationAccountAccessRole"
  }
}

data "terraform_remote_state" "testing" {
  backend = "s3"
  provider = "aws.testing"

  config {
    bucket = "${var.namespace}-testing-terraform-state"
    key    = "account-settings/terraform.tfstate"
  }
}
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

should I be able to do something like this?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

…some context

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I am in our “root” aws account and want to read the tfstate from a child account

maarten avatar
maarten

I don’t see why not

maarten avatar
maarten

this wouldn’t work if you have the access

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Trick question:

Error: data.terraform_remote_state.testing: Provider doesn't support data source: terraform_remote_state
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

sorry

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

so i think there’s something subtle i don’t understand….

maarten avatar
maarten

ah I do it differently yes, but you won’t like what I do

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

might help for perspective though

maarten avatar
maarten

One administrative account, here default role ( before switching to assume role ) has access to the state bucket and kms

maarten avatar
maarten

inside the same state bucket you then have different environments and stacks ( yep .. )

maarten avatar
maarten

then in say ‘provider.tf’ the provider does an assumerole into the testing/staging/production account

maarten avatar
maarten

where it does its operations

maarten avatar
maarten

is that more or less clear ?

maarten avatar
maarten

but can’t you just fix it on s3 access level ?

maarten avatar
maarten

@Erik Osterman (Cloud Posse) doesn’t it accept role_arn inside the config block?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

ohhhhhhh right

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

yea, that makes things easier for sure

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

yes that’s clear - i forget you mentioned that

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

….still holding out from going down that path but maybe we need to consider it some day

loren avatar
loren

i think the error message is trying to say that the data source terraform_remote_state does not support the provider argument?

loren avatar
loren

that data source does some odd stuff internally with the aws credential/provider to access the state file

maarten avatar
maarten

so does it work with role_arn in the terraform_remote_state config {} ?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

got it working!!

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
data "terraform_remote_state" "testing" {
  backend = "s3"
  config {
    role_arn = "arn:aws:iam::126450723953:role/OrganizationAccountAccessRole"
    bucket = "${var.namespace}-testing-terraform-state"
    key    = "account-dns/terraform.tfstate"
  }
}

output "testing_name_servers" {
  value = "${data.terraform_remote_state.testing.name_servers}"
}

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

so I didn’t need to specify any aliases

loren avatar
loren

beauty

loren avatar
loren

yeah, that’s what i saw in the code, that state does the credential setup itself

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

the key was to add the role_arn to the config section.

loren avatar
loren

makes sense now that you have it working

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

yea, even easier than I thought it would be

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

can’t believe i’ve put it off for this long

loren avatar
loren

kinda related, i saw this comment earlier today, which i can’t believe works… https://github.com/terraform-providers/terraform-provider-aws/issues/571#issuecomment-448372889

Feature request: AWS Organizations support · Issue #571 · terraform-providers/terraform-provider-aws

This issue was originally opened by @bootswithdefer as hashicorp/terraform#12337. It was migrated here as part of the provider split. The original body of the issue is below. AWS Organizations has …

loren avatar
loren
provider "aws" {
  ...
}

resource "aws_organizations_account" "subaccount" {
  ...
  
  // More about this below
  provisioner "local-exec" {
    command = "sleep 120"
  }
}

locals {
   role_arn = "arn:aws:iam::${ aws_organizations_account.subaccount.id }:role/OrganizationsAccountAccessRole"
}

provider "aws" {
  alias = "subaccount"

  assume_role {
    role_arn = "${local.role_arn}"
  }
}

resource "aws_dynamodb_table" "lock_table" {
  provider  = "aws.subaccount"
  name      = "terraform-lock-table"
  ...
}
2
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

haha, check this out

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
data "terraform_remote_state" "root" {
  backend = "s3"
  config {
    bucket = "${var.namespace}-root-terraform-state"
    key    = "accounts/terraform.tfstate"
  }
}


data "terraform_remote_state" "testing" {
  backend = "s3"
  config {
    role_arn = "${data.terraform_remote_state.root.testing_organization_account_access_role}"
    bucket = "${var.namespace}-testing-terraform-state"
    key    = "account-dns/terraform.tfstate"
  }
}

locals {
  testing_name_servers = "${data.terraform_remote_state.testing.name_servers}"
}

resource "aws_route53_record" "testing_dns_zone_ns" {

#  count   = "${signum(length(local.testing_name_servers))}"
  zone_id = "${aws_route53_zone.parent_dns_zone.zone_id}"
  name    = "testing"
  type    = "NS"
  ttl     = "30"
  records = ["${local.testing_name_servers}"]
}

output "testing_name_servers" {
  value = "${local.testing_name_servers}"
}

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

getting the organization account access role for a subaccount from the state of one module in our root account

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

then using that to assume role into the subaccount and read the state from a module in that account

:+1:4
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

oh, and it even works with that count enabled

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

and no “count of cannot be computed” bs

2
maarten avatar
maarten

oh nice one doing the same, but not so automated

maarten avatar
maarten

this or brute forcing the creation of a new domain until the ns-servers match

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

@Erik Osterman (Cloud Posse) @Andriy Knysh (Cloud Posse) any reason why this uses the AZ as the count as opposed to the subnets?

resource "aws_efs_mount_target" "default" {
  count           = "${length(var.availability_zones)}"
  file_system_id  = "${aws_efs_file_system.default.id}"
  subnet_id       = "${element(var.subnets, count.index)}"
  security_groups = ["${aws_security_group.default.id}"]
}

https://github.com/cloudposse/terraform-aws-efs/blob/master/main.tf#L18-L23

johncblandii/terraform-aws-efs

Terraform Module to define an EFS Filesystem (aka NFS) - johncblandii/terraform-aws-efs

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I think the rule is you only need one per az and not one per subnet

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

but if it is per az and there are public/private subnets, will the ones left out not get access?

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

when I used the private subnets, my eks cluster couldn’t talk to efs

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

well…it still can’t use it. lol. but using public got beyond the “can’t connect” phase

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I don’t recall the details off the top of my head

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Just remembered this requirement for some reason…

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

ha…just found it.

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)


You can create one mount target in each Availability Zone.

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

interesting.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Hrmmm haven’t tried to use it yet with EKS

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

It’s been a LONG time since we touched EFS for client engagements. Not that there is anything wrong just memory of it fading.

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

All good. I’ve never used it so it is new to me.

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

trying to get my nfs setup on the cluster

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

Dec has been a month of “here’s something new…get it in production”

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@johncblandii (Cloud Posse) the assumption was one subnet per AZ. Actually it’s two subnets per AZ (private and public), but you use either private or public to place the EFS

:+1:1
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-aws-jenkins

Terraform module to build Docker image with Jenkins, save it to an ECR repo, and deploy to Elastic Beanstalk running Docker stack - cloudposse/terraform-aws-jenkins

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

it does not cover all possible use cases I agree

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

and you have to provide the same number of subnets as you have AZs

2018-12-17

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
Support case sensitivity for a few commands by acaire · Pull Request #162 · segmentio/chamber

This will add a –case-sensitive switch to the following commands: * delete * history * import * read Notably changing the import behaviour to fail an import payload with mixed case keys This foll…

samant.maharaj avatar
samant.maharaj

Hi everyone. I’m trying to use https://github.com/cloudposse/terraform-aws-elastic-beanstalk-environment but I need to use a network load balancer.

samant.maharaj avatar
samant.maharaj

Is there any way to override these values from my main.tf given I’m importing the module with the source pointing at GitHub?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

Hi @samant.maharaj welcome

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

looks like those are hardcoded

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

so if you want to add support for other values, they need to be converted to variables

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

you can clone/fork the repo and test with your values, then open a PR against the cloudposse repo

samant.maharaj avatar
samant.maharaj

OK thanks. Still a little new to Terraform so I wasn’t sure if it was possible to override them after importing the module.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

so yea, if you clone the repo to your computer, you can set the values to whatever you want for testing - the fastest way to test it

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

if you cd to examples/complete, you could run terraform init/plan/apply to test from the example

samant.maharaj avatar
samant.maharaj

:+1:

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
source    = "../../"
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

to use the module’s code from your computer

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

@samant.maharaj does it not work when you pass in loadbalancer_type?

samant.maharaj avatar
samant.maharaj

Sadly no. Network load balancers must have listener protocol set to TCP among other issues. It seems it’s not enough to disable the listener. AWS will still complain about the listener protocol being unsupported.

samant.maharaj avatar
samant.maharaj

At this point it seems it might be easier to copy the module and modify it to suit.

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

They accept pull requests. If you make it support the NLB, commit it back to the community.

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)
General Options for All Environments - AWS Elastic Beanstalk

Configure globally available options for your Elastic Beanstalk environment.

2018-12-16

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

published https://github.com/cloudposse/terraform-external-module-artifact to download binary artifacts from http(s) endpoints (e.g. useful for public lambda zips)

cloudposse/terraform-external-module-artifact

Terraform module to fetch any kind of artifacts using curl (binary and text okay) - cloudposse/terraform-external-module-artifact

:+1:4

2018-12-15

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

i thought there was a magic variable (like path.module) which referred to the module name itself (e.g. github repo)

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

anyone have a tip to get it?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

e.g. inside the terraform-aws-eks-cluster module, is it possible to know I’m inside terraform-aws-eks-cluster?

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

Would path.cwd work?

loren avatar
loren

Do you actually want to know the directory name, which could change if someone cloned into a custom directory, or do you want it to always be a specific value for a given module? If the latter, probably a local would be needed?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

in this case, the wanting to publish artifacts (zips of lambdas) to artifacts.cloudposse.com/<module-name>/<git hash>/lambda.zip

loren avatar
loren

Maybe split path.module on / and take the last element?

loren avatar
loren

Oh, or just dirname(path.module), better for cross-platform support too

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

but modules are checked out to hashed folders

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

(probably git hash)

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

turns out it is not the git hash

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

..checked out by terraform init

loren avatar
loren

Then back to a local you define in each module :p

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

yea, that may be the best bet

antonbabenko avatar
antonbabenko

I really like this one - https://github.com/cloudposse/terraform-aws-ecs-container-definition , because I was missing some properties like secrets in this one - https://github.com/blinkist/terraform-aws-airship-ecs-service/tree/master/modules/ecs_container_definition . Good job with all this ECS pieces.

cloudposse/terraform-aws-ecs-container-definition

Terraform module to generate well-formed JSON documents (container definitions) that are passed to the aws_ecs_task_definition Terraform resource - cloudposse/terraform-aws-ecs-container-definition

blinkist/terraform-aws-airship-ecs-service

Terraform module which creates an ECS Service, IAM roles, Scaling, ALB listener rules.. Fargate & AWSVPC compatible - blinkist/terraform-aws-airship-ecs-service

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

yea, someone just contributed the secrets piece last week (i think)

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

thanks

loren avatar
loren

At the very least, you can get unblocked using a local, and then if someone figures out the magic sauce you can just adjust the local

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

yep, easy peasy to update local

maarten avatar
maarten

@antonbabenko you can also just use my module in your atlantis one

antonbabenko avatar
antonbabenko

I am really-really trying to use parts of your ECS modules in my current project. Some pieces fit well, but some I have to copy-paste.

maarten avatar
maarten

That’s fine

maarten avatar
maarten

Ask in the #airship channel in case you have questions

antonbabenko avatar
antonbabenko

I will, but my case is rather straightforward. I really recommend adding documentation and working examples. Working examples with just a single terraform apply are critical to get people on board.

maarten avatar
maarten

That’s work in progress at the moment, almost there.

:+1:1
maarten avatar
maarten

Finishing the Per Module Guides now, after that I’ll work out some use-cases.

SweetOps avatar
SweetOps
08:00:45 PM
Are you using some of our [terraform-modules](https://cpco.io/terraform-modules) in your projects? Maybe you could [leave us a testimonial](https://cpco.io/leave-testimonial)! It means a lot to us to hear from people like you.
antonbabenko avatar
antonbabenko

“Thank you for your testimonial!“

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

thanks anton!!!

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
HTTP Data Source - Terraform by HashiCorp

Retrieves the content at an HTTP or HTTPS URL.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

ugh - devil is in the details

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)


The given URL may be either an http or https URL. At present this resource can only retrieve data from URLs that respond with text/* or application/json content types, and expects the result to be UTF-8 encoded regardless of the returned content type header.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

so we cannot use it to download zips

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

unless we do something retarded and base64 encode them

loren avatar
loren

Yep, I made an external module to create a local filecache to work around that, but it’s less than ideal for sure

loren avatar
loren
plus3it/terraform-external-file-cache

Terraform module to retrieve and cache files. Contribute to plus3it/terraform-external-file-cache development by creating an account on GitHub.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

aha, so you ended up writing a script in python that you call from terraform

loren avatar
loren

Yup

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

though the dependency on external pip modules makes it more difficult to use as a drop-in module

loren avatar
loren

The requirements aren’t gonna change, you can pip install six and boto3 any way you like

loren avatar
loren

I use a terragrunt hook myself, but any task runner could do it

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

thanks for this! you gave me an idea for how I’m going to attempt it

loren avatar
loren

:+1:

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
data "external" "curl" {
  program = ["curl", "-sSL", "--write-out", "{\"success\": \"true\"}", "-o", "${local.output_file}", "${local.url}"]
}
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

while this still requires an external app (curl), it’s installed by default on many systems.

loren avatar
loren

Haha nice! Yeah, I had a hard req on s3 support and cross-platform

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

s3:// urls?

loren avatar
loren

Yep

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

ah, yea, that makes it harder.

loren avatar
loren

And I had already written the python module for another project, soooo

loren avatar
loren

I should probably just publish that as its own package, I’ve reused it so many times now

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

i kind of wish terraform would support more escape hatches

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

it will reduce some of the pressure on them

loren avatar
loren

Agreed

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

i wish there was a simple interpolation of exec

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

the expectation that data.external needs JSON output should be loosened to text or json

loren avatar
loren

A return format argument would be handy

:+1:1

2018-12-14

Shane avatar
Shane

You are about 3 days late on that

1
johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

Question: when moving state (due to a refactor of my files/approach), what’s the proper format? I’m trying to automate it with a simple ruby script.

Inside is basically the efs, eks_cluster, and eks_workers module in the modules/cluster and the route53 module in modules/route53. Previously I ran the whole thing from the modules folder as it wasn’t expected to grow in the way it did, but it continues to grow so I moved them to modules with a root level project to kick it all off.

Any thoughts would be appreciated.

New structure:

├── modules
│   ├── cluster
│   │   ├── efs.tf
│   │   ├── kubectl.tf
│   │   ├── main.tf
│   │   ├── outputs.tf
│   │   └── variables.tf
│   └── route53
│       ├── main.tf
│       ├── outputs.tf
│       └── variables.tf
└── main.tf

Old structure:

├── cluster
│   ├── efs.tf
│   ├── kubectl.tf
│   ├── main.tf
│   ├── outputs.tf
│   └── variables.tf
└── route53
    ├── main.tf
    ├── outputs.tf
    └── variables.tf
joshmyers avatar
joshmyers

argh, moving state en masse is a pain if you have lots of resources

joshmyers avatar
joshmyers

What do you mean by proper format?

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

the mv format

joshmyers avatar
joshmyers

Still not sure I follow. The format is as defined when you do a terraform state list

joshmyers avatar
joshmyers

terraform state mv module.certificate.aws_route53_zone.default module.MY_RENAMED_MODULE.aws_route53_zone.default

:+1:1
loren avatar
loren

just moving the files doesn’t necessarily mean they will move in the state…

joshmyers avatar
joshmyers

Indeed

joshmyers avatar
joshmyers

The statefile has no idea how your files are organised. If you have changed resource names and don’t want Terraform to throw the old ones away and create your new ones, use state mv for example

loren avatar
loren

yeah, renaming resources or modules inside your terraform config is when state mv comes into play. avoid that, and you should still be golden, regardless of how you organize the files

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

so I’m moving the state as well

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

state was in cluster/. I’m moving it to the root

loren avatar
loren

local state, just a file in the repo? (i.e. no backend?)

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

correct. just working locally right now

loren avatar
loren

then you ought to be able to just move the file and it should still work

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

I did and it wanted to create 60+ things

loren avatar
loren

then you renamed modules or nested them or something

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

right

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

that’s why I’m looking for the proper syntax to move the state

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

specifically when it is nested

loren avatar
loren

yep, i hit this issue before too, struggled for a long time to figure out the nested address… hmm….

loren avatar
loren

what i think i did before is build it one time using the new layout in a new account, then used state list to get the new state addresses, then i was able to map those to the old state addresses and use state mv to move everything

loren avatar
loren

but the general format for the nested module is something like this:

module.<module_name>.module.<nested_module_name>.<resource_type>.<resource_name>
loren avatar
loren

you might be able to move whole modules, which mostly worked for me but still left a couple cleanup items…

terraform state mv module.<module_name> module.<module_name>.module.<nested_module_name>
johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

ok cool. i’ll give it a whirl after this meeting and report back. thx

joshmyers avatar
joshmyers

Have you renamed any of your resources? e.g. aws_instance.foo -> aws_instance.bar ?

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

nah, resources are the same except the root now has a module wrapping the module/cluster

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

so module cluster -> modules/cluster -> eks, efs, etc

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

module route53 -> modules/route53 -> route53

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@jamie I noticed that “test kitchen” is by new context. Have you used it much over there?

jamie avatar
jamie

Sadly no. The companies I’m currently working with are not coming from a test driven design background. So it’s not come up. But I read through the docs for this. And found a few others that were recommended through reddit threads.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Yes - precisely

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We want to have a standard test-suite (plan, apply, destroy), in addition to eventually custom functional tests

jamie avatar
jamie

Have you touched on it yet? Do you want to wrap it into the modules we are creating?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I think the common tests will be external

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

but be seamlessly integrated using the build-harness

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Here’s an example of what tests might look like

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
cloudposse/test-harness

Collection of Makefiles and test scripts to facilitate testing Terraform modules, Kubernetes resources, Helm charts, and more - cloudposse/test-harness

rbadillo avatar
rbadillo

Team, I have a question, do you guys know if it is possible to create a file in a terraform run and in the same run, execute it ?

rbadillo avatar
rbadillo

I’m using null_resource and local-exec

rbadillo avatar
rbadillo

but looks like it is not working

rbadillo avatar
rbadillo
# Writes test.sh into Terraform's current working directory using a local shell heredoc.
resource "null_resource" "test_file" {
  provisioner "local-exec" {
    command = <<EOT
      cat > test.sh << EOF
echo "Success"
EOF
EOT
  }
}

# Executes the script; depends_on forces this to run after the file has been written.
resource "null_resource" "run_file" {
  provisioner "local-exec" {
    command = "bash test.sh"
  }

  depends_on = [
    "null_resource.test_file",
  ]
}
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@rbadillo do you mean that when run_file gets executed, it could not find test.sh (depends_on = [“null_resource.test_file”,] not working)? or some other errors?

rbadillo avatar
rbadillo

it can’t find it

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

the file?

rbadillo avatar
rbadillo

correct

rbadillo avatar
rbadillo

can you try it on your side, please?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

to create local files, better to use https://www.terraform.io/docs/providers/local/r/file.html

Local: local_file - Terraform by HashiCorp

Generates a local file from content.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-aws-eks-cluster

Terraform module for provisioning an EKS cluster. Contribute to cloudposse/terraform-aws-eks-cluster development by creating an account on GitHub.

rbadillo avatar
rbadillo

amazing

rbadillo avatar
rbadillo

exactly what I’m doing

rbadillo avatar
rbadillo

EKS stuff

rbadillo avatar
rbadillo

thanks a lot

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

I can vouch for the EKS stuff

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

:--1:1
1

2018-12-13

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

somewhat, yeah. it is to deploy our new jenkins setup and a way to open eyes to using k8s

deftunix avatar
deftunix

hi everyone, I am developing a terraform provider for Ansible AWX (a.k.a. Tower).

deftunix avatar
deftunix

if anyone is interested or wants to contribute to the project, they are warmly welcome

deftunix avatar
deftunix
mauromedda/terraform-provider-awx

Terraform provider plugin for AWX/Tower - API v2. Contribute to mauromedda/terraform-provider-awx development by creating an account on GitHub.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@deftunix looks interesting, thanks for sharing. I’ll take a look in more details

pericdaniel avatar
pericdaniel

what are people using instead of beanstalk? are you just creating web instances on a docker cluster and then using API Gateway or something

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@pericdaniel so depending on your requirements and many other considerations, and speaking only about AWS, it could be Beanstalk (but it’s like creating a cluster for each app), ECS, EKS, or kops. You can deploy any web app on a Kubernetes cluster, no need to use API gateway (although it could be used, but serves diff purpose). You deploy the app containers on k8s, use nginx-ingress for ingress, and ELB/ALB and Route53 for routing/DNS

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

for ECS, take a look at the very nice implementation here https://airship.tf (thanks to @maarten)

.. ECS made easy

Home of Terraform Airship

maarten avatar
maarten

This is work in progress people don’t refer to it yet


Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

pericdaniel avatar
pericdaniel

interesting

pericdaniel avatar
pericdaniel

thank you!

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

also, Fargate could be a nice solution in some cases

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

so it’s one of Beanstalk, ECS, Fargate (currently just for ECS), EKS, kops - each has pros and cons

pericdaniel avatar
pericdaniel

yea that makes sense

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

@Andriy Knysh (Cloud Posse) do you know why workers would not have access to the cluster when running terraform-aws-eks-cluster/workers?

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

“No resources found.” has none found

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-aws-eks-cluster

Terraform module for provisioning an EKS cluster. Contribute to cloudposse/terraform-aws-eks-cluster development by creating an account on GitHub.

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

yeah

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

EKS currently does not support the master joining the cluster automatically

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

you have to apply the config

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

i did

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

the configmap, right?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

it could be done manually, or automatically

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)


If you want to automatically apply the Kubernetes configuration, set var.apply_config_map_aws_auth to “true”

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

yes configmap

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

configmap/aws-auth unchanged

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

still no nodes found

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

do i need to restart the workers after?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

i did not restart them

rohit avatar
rohit

Does anyone here use cloudflare for dns cert validation ?

rohit avatar
rohit

Everytime i run a plan i see that it wants to update in-place the entry in cloudflare

cloudflare_record.dns_cert_validation
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

so it doesn’t make sense to me why you do the DNS validation for ACM with cloudflare

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

cloudflare has its own TLS certificates

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

and cloudflare works like MITM not passthru

rohit avatar
rohit

when we generate a cert in aws we want to do dns validation

rohit avatar
rohit

for which we are using cloudflare

rohit avatar
rohit

@Erik Osterman (Cloud Posse) The issue i am facing is mentioned here https://github.com/terraform-providers/terraform-provider-cloudflare/issues/154

cloudflare_record used with aws_acm_certificate always thinks it has to update · Issue #154 · terraform-providers/terraform-provider-cloudflare

Terraform Version 0.11.10 Affected Resource(s) Please list the resources as a list, for example: cloudflare_record aws_acm_certificate Terraform Configuration Files variable "domain" {} v…

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@johncblandii (Cloud Posse) when you run kubectl get nodes using the generated kubeconfig file, what do you see?

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

no nodes

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

No resources found.

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

and when i tried to add nginx i get:

Warning FailedScheduling 25m (x4 over 25m) default-scheduler no nodes available to schedule pods

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

ok, i need to find my records how i did it, will ping you

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

ok

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

I’m a relative noob on k8s so I def’ appreciate the help

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

recreating my workers with a key so i can ssh and muck around

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@johncblandii (Cloud Posse) from my notes:

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

first, run aws-iam-authenticator token -i cpco-testing-eks-cluster to check if aws-iam-authenticator token works

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

then I think your configmap was not applied for some reason. You can manually do it by executing kubectl apply -f config-map-aws-auth-cpco-testing-eks-cluster.yaml --kubeconfig kubeconfig-cpco-testing-eks-cluster.yaml

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

got json back on the token

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

looks good

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

i did the apply

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

configmap/aws-auth unchanged

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

finally, kubectl get nodes --kubeconfig kubeconfig-cpco-testing-eks-cluster.yaml to see the nodes

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

still a no go

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

can you try to delete the config map from the cluster, and then exec kubectl apply -f config-map-aws-auth-cpco-testing-eks-cluster.yaml --kubeconfig kubeconfig-cpco-testing-eks-cluster.yaml

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

kubectl get configmaps --all-namespaces --kubeconfig kubeconfig-cpco-testing-eks-cluster.yaml

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

run the command and show the output

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)
NAMESPACE       NAME                                 DATA      AGE
ingress-nginx   nginx-configuration                  1         2h
ingress-nginx   tcp-services                         0         2h
ingress-nginx   udp-services                         0         2h
kube-system     aws-auth                             1         18s
kube-system     coredns                              1         10h
kube-system     extension-apiserver-authentication   5         10h
kube-system     kube-proxy                           1         10h
johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

what can i run on a worker to verify it can communicate w/ the controlplane?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

can you go to the AWS console and check if the worker instances are OK?

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

they are

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

all 3 running

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

also, when you run kubectl apply -f config-map-aws-auth-cpco-testing-eks-cluster.yaml --kubeconfig kubeconfig-cpco-testing-eks-cluster.yaml, what’s the output?

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

configmap/aws-auth created

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

(you need to use your file name, but you know that)

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

yup

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

hmm, out of ideas for now, will have to spawn a cluster and check it. @Erik Osterman (Cloud Posse) any ideas here?

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

ever work from the worker to test config?

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

# kubectl cluster-info dump
The connection to the server localhost:8080 was refused - did you specify the right host or port?
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

when testing, i applied the map, nodes joined, and i deployed some app

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

you need to use --kubeconfig for all commands

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

dang. that’s weird

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

here’s the TF…1 sec

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)
module "eks_cluster" {
  source = "git::https://github.com/cloudposse/terraform-aws-eks-cluster.git?ref=master"

  namespace = "${local.namespace}"
  name      = "${var.application_name}"
  stage     = "${var.stage}"
  tags      = "${var.tags}"

  subnet_ids = ["${module.vpc.public_subnets}"]
  vpc_id     = "${module.vpc.vpc_id}"

  # `workers_security_group_count` is needed to prevent `count can't be computed` errors
  workers_security_group_ids   = ["${module.eks_workers.security_group_id}"]
  workers_security_group_count = 1
}

module "eks_workers" {
  source = "git::https://github.com/cloudposse/terraform-aws-eks-workers.git?ref=master"

  namespace = "${local.namespace}"
  stage     = "${var.stage}"
  name      = "${var.application_name}"
  tags      = "${var.tags}"
  key_name  = "jcbii-ops-prod"

  instance_type               = "m5.xlarge"
  associate_public_ip_address = true

  vpc_id            = "${module.vpc.vpc_id}"
  subnet_ids        = ["${module.vpc.public_subnets}"]
  health_check_type = "EC2"

  min_size                  = 3
  max_size                  = 5
  wait_for_capacity_timeout = "10m"

  cluster_name                       = "${local.full_name}"
  cluster_endpoint                   = "${module.eks_cluster.eks_cluster_endpoint}"
  cluster_certificate_authority_data = "${module.eks_cluster.eks_cluster_certificate_authority_data}"
  cluster_security_group_id          = "${module.eks_cluster.security_group_id}"

  # Auto-scaling policies and CloudWatch metric alarms
  autoscaling_policies_enabled           = "true"
  cpu_utilization_high_threshold_percent = "80"
  cpu_utilization_low_threshold_percent  = "20"
}
johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

do i need a different config here?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

no, that worked

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

i’ll spawn a cluster little bit later and see what happens

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

/usr/bin/aws-iam-authenticator token -i /var/lib/kubelet/kubeconfig

this shows the json output w/ a token as well

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

# kubectl get pods --kubeconfig /var/lib/kubelet/kubeconfig
Error from server (Forbidden): pods is forbidden: User "system:node:" cannot list pods in the namespace "default": unknown node for user "system:node:"
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

is that the same kubeconfig that was generated?

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

no, i’m on the worker

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
Amazon EKS Troubleshooting - Amazon EKS

This chapter covers some common errors that you may see while using Amazon EKS and how to work around them.

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

checking

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

arn is valid

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

…for the IAM role in the configmap

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

cluster name matches on worker

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

this is going to be something really stupid

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

take a look here https://www.terraform.io/docs/providers/aws/guides/eks-getting-started.html#worker-node-access-to-eks-master-cluster and please go to the AWS console and confirm that you have two SGs, one for the cluster and another for the workers, and that they both allow the other group to access

EKS Getting Started Guide - Terraform by HashiCorp

Using Terraform to configure AWS EKS.

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

that sg is in your module already, right?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

yes

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

but i want you to confirm that the rules are ok (and there was no regression when we updated the modules)

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

checking

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

it is set to all->all

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

both directions?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

from cluster to workers and from workers to cluster?

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

yup

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

outbound is all->all 0.0.0.0

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

maybe a vpc issue. 1 sec

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

they are in the same VPC?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

cluster and workers?

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

yeah

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

i used a custom module built off the public one (not the one in your example)

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

going to use the setup from your complete

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

ok, please test it, if still issues, let me know and I’ll spawn a cluster and go through everything again

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

ok…it is recreated with essentially the same TF as your complete example

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)
module "vpc" {
  source     = "git::https://github.com/cloudposse/terraform-aws-vpc.git?ref=master"
  namespace  = "${local.namespace}"
  stage      = "${var.stage}"
  name       = "${var.application_name}"
  tags       = "${local.tags}"
  cidr_block = "${var.cidr_block}"
}

module "subnets" {
  source              = "git::https://github.com/cloudposse/terraform-aws-dynamic-subnets.git?ref=master"
  availability_zones  = "${data.aws_availability_zones.available.names}"
  namespace           = "${local.namespace}"
  stage               = "${var.stage}"
  name                = "${var.application_name}"
  tags                = "${local.tags}"
  region              = "${data.aws_region.current.name}"
  vpc_id              = "${module.vpc.vpc_id}"
  igw_id              = "${module.vpc.igw_id}"
  cidr_block          = "${module.vpc.vpc_cidr_block}"
  nat_gateway_enabled = "true"
}

module "eks_cluster" {
  source = "git::https://github.com/cloudposse/terraform-aws-eks-cluster.git?ref=master"

  namespace = "${local.namespace}"
  name      = "${var.application_name}"
  stage     = "${var.stage}"
  tags      = "${var.tags}"

  subnet_ids = ["${module.subnets.public_subnet_ids}"]
  vpc_id     = "${module.vpc.vpc_id}"

  # `workers_security_group_count` is needed to prevent `count can't be computed` errors
  workers_security_group_ids   = ["${module.eks_workers.security_group_id}"]
  workers_security_group_count = 1
}

module "eks_workers" {
  source = "git::https://github.com/cloudposse/terraform-aws-eks-workers.git?ref=master"

  namespace = "${local.namespace}"
  stage     = "${var.stage}"
  name      = "${var.application_name}"
  tags      = "${var.tags}"
  key_name  = "jcbii-ops-prod"

  instance_type               = "m5.xlarge"
  associate_public_ip_address = true

  vpc_id            = "${module.vpc.vpc_id}"
  subnet_ids        = ["${module.subnets.public_subnet_ids}"]
  health_check_type = "EC2"

  min_size                  = 3
  max_size                  = 5
  wait_for_capacity_timeout = "10m"

  cluster_name                       = "${local.full_name}"
  cluster_endpoint                   = "${module.eks_cluster.eks_cluster_endpoint}"
  cluster_certificate_authority_data = "${module.eks_cluster.eks_cluster_certificate_authority_data}"
  cluster_security_group_id          = "${module.eks_cluster.security_group_id}"

  # Auto-scaling policies and CloudWatch metric alarms
  autoscaling_policies_enabled           = "true"
  cpu_utilization_high_threshold_percent = "80"
  cpu_utilization_low_threshold_percent  = "20"
}
johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

converting to a closer usage of complete by using the labels

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

weird. using complete directly resulted in:

Apply complete! Resources: 35 added, 0 changed, 0 destroyed.

Outputs:

config_map_aws_auth = 
eks_cluster_arn = 
eks_cluster_certificate_authority_data = 
eks_cluster_endpoint = 
eks_cluster_id = 
eks_cluster_security_group_arn = 
eks_cluster_security_group_id = 
eks_cluster_security_group_name = 
eks_cluster_version = 
kubeconfig = 
workers_autoscaling_group_arn = 
workers_autoscaling_group_default_cooldown = 
workers_autoscaling_group_desired_capacity = 
workers_autoscaling_group_health_check_grace_period = 
workers_autoscaling_group_health_check_type = 
workers_autoscaling_group_id = 
workers_autoscaling_group_max_size = 
workers_autoscaling_group_min_size = 
workers_autoscaling_group_name = 
workers_launch_template_arn = 
workers_launch_template_id = 
workers_security_group_arn = 
workers_security_group_id = 
workers_security_group_name =
johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

@Andriy Knysh (Cloud Posse) any idea why it doesn’t even attempt to run the eks cluster?

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

i copied example/complete, created a tfvars file with customizations, and ran it

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

hmmm…. when you run the example, it should create everything, tested it many times

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

what do you mean by “it doesn’t even attempt to run the eks cluster”?

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

i downloaded files, created tfvars, ran apply, and it only did the vpc parts

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

the only change was the path to the eks_cluster module

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

plan is empty (no changes) and output has no value

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

this is weird

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

ok, can you clone the repo to your computer, go to the example/complete folder, update variables.tf with your values, and run terraform plan from the example folder

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

pretty much exactly what i did, but i’ll do it from a clone

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

(the example uses the cluster module itself, which is in the repo)

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

yup

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

Plan: 35 to add, 1 to change, 0 to destroy.

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

no eks cluster in there

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

too big to post. 1 sec

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)
  + module.subnets.aws_eip.default[0]
  + module.subnets.aws_eip.default[1]
  + module.subnets.aws_eip.default[2]
  + module.subnets.aws_nat_gateway.default[0]
  + module.subnets.aws_nat_gateway.default[1]
  + module.subnets.aws_nat_gateway.default[2]
  + module.subnets.aws_network_acl.private
  + module.subnets.aws_network_acl.public
  + module.subnets.aws_route.default[0]
  + module.subnets.aws_route.default[1]
  + module.subnets.aws_route.default[2]
  + module.subnets.aws_route_table.private[0]
  + module.subnets.aws_route_table.private[1]
  + module.subnets.aws_route_table.private[2]
  + module.subnets.aws_route_table.public
  + module.subnets.aws_route_table_association.private[0]
  + module.subnets.aws_route_table_association.private[1]
  + module.subnets.aws_route_table_association.private[2]
  + module.subnets.aws_route_table_association.public[0]
  + module.subnets.aws_route_table_association.public[1]
  + module.subnets.aws_route_table_association.public[2]
  + module.subnets.aws_subnet.private[0]
  + module.subnets.aws_subnet.private[1]
  + module.subnets.aws_subnet.private[2]
  + module.subnets.aws_subnet.public[0]
  + module.subnets.aws_subnet.public[1]
  + module.subnets.aws_subnet.public[2]
  + module.vpc.aws_internet_gateway.default
  + module.vpc.aws_vpc.default
  + module.subnets.module.nat_label.null_resource.default
  + module.subnets.module.private_label.null_resource.default
  + module.subnets.module.private_subnet_label.null_resource.default
  + module.subnets.module.public_label.null_resource.default
  + module.subnets.module.public_subnet_label.null_resource.default
  + module.vpc.module.label.null_resource.default
johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

and ~ module.subnets.data.aws_vpc.default

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

that’s from the clone

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

providers:

├── provider.aws
├── provider.local
├── provider.null
├── module.cluster_label
├── module.eks_cluster
│   ├── provider.aws (inherited)
│   ├── provider.template
│   └── module.label
├── module.eks_workers
│   ├── provider.aws (inherited)
│   ├── provider.template
│   ├── module.autoscale_group
│       ├── provider.aws (inherited)
│       ├── provider.null
│       └── module.label
│   └── module.label
├── module.label
├── module.subnets
│   ├── provider.aws (inherited)
│   ├── module.nat_label
│       └── provider.null
│   ├── module.private_label
│       └── provider.null
│   ├── module.private_subnet_label
│       └── provider.null
│   ├── module.public_label
│       └── provider.null
│   └── module.public_subnet_label
│       └── provider.null
└── module.vpc
    ├── provider.aws (inherited)
    └── module.label
        └── provider.null
johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

true vs “true”

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

applying again

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

this has been a rough 24 hours. eks is not my friend right now

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

i’ll direct message you my test repo, which is exact copy of the cloudposse example

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

just ran terraform plan on it: Plan: 65 to add, 1 to change, 0 to destroy.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

hope it will work for you

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

it worked. map didn’t run because of “true” vs true again, but doing that now

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

so will verify the cluster in a sec

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

NODES!!!!

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

wow you got NODES!!!

jeffrey avatar
jeffrey

Has anyone here experienced an issue with permissions after generating an aws key pair through terraform? I have an elastic beanstalk environment and application that needs an ssh key attached. everything runs smoothly if i generate the key pair through the console and specify the hard-coded name to EC2KeyName. however, if I generate the aws key pair using https://github.com/cloudposse/terraform-aws-key-pair, i get an error about the role policy not having the proper permissions

cloudposse/terraform-aws-key-pair

Terraform Module to Automatically Generate SSH Key Pairs (Public/Private Keys) - cloudposse/terraform-aws-key-pair

jeffrey avatar
jeffrey

here’s the error message:

Environment health has transitioned from Pending to Severe. ELB processes are not healthy on all instances. Initialization in progress (running for 11 minutes). None of the instances are sending data. Access denied while accessing Auto Scaling and Elastic Load Balancing using role "arn:aws:iam::<>:role/aws-elasticbeanstalk-service-role". Verify the role policy. ELB health is failing or not available for all instances.
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Hrm… that’s really odd

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

my gut tells me the relationship is a red herring

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

could the key be getting generated in a region other than the beanstalk environment?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@johncblandii (Cloud Posse) are you using our terraform-aws-key-pair module with your beanstalk environments?

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

No. We lock down our instances.

jeffrey avatar
jeffrey

appreciate the quick response guys. the region is definitely the same, and I can see it in the console after it’s created

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

is this a depends_on issue? the key is generated after the beanstalk env?

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

…basically a race issue

jeffrey avatar
jeffrey

i reference the name of the key from the module, so that doesn’t seem to be the case. i also generated the graph using terraform graph, it looks correct that way

jeffrey avatar
jeffrey

let me try depends_on to be 100% sure though

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

if you gen the key first then the beanstalk, does it work

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

depends_on won’t work on modules until .12

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

< and by “gen key” i mean with tf apply -target

jeffrey avatar
jeffrey

let me give that a shot

jeffrey avatar
jeffrey

@johncblandii (Cloud Posse) ah yes, explicitly generating the key with tf apply -target beforehand, then running tf apply succeeds. any recommendations on creating module dependencies? i thought implicit dependencies came from any variable references

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

@Erik Osterman (Cloud Posse) has a link he has to share with us all who hit this problem.

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

.12 can’t come fast enough

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

yea, seriously

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

that’s it.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

It’s more about “count of cannot be computed”, but the two-phased approach is mentioned there

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We often have a Makefile in our projects

jeffrey avatar
jeffrey

awesome, thanks for the link

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

why do the Makefiles download a tf version? why not use my local one?

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)
/Library/Developer/CommandLineTools/usr/bin/make terraform/install terraform/get-modules terraform/get-plugins terraform/lint terraform/validate
Installing Terraform 0.10.7 (darwin) from https://releases.hashicorp.com/terraform/0.10.7/terraform_0.10.7_darwin_amd64.zip

######################################################################## 100.0%
/Users/john.bland/Work/terraform-aws-efs/build-harness/vendor/terraform version
Terraform v0.10.7

Your version of Terraform is out of date! The latest version
is 0.11.10. You can update by downloading from www.terraform.io/downloads.html
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

so we sandbox everything in the build-harness

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

only way to have a chance of escaping the “works on my machine” syndrome

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

coolio

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

what command were you trying to run?

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

any reason it isn’t using the latest version?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@solairerove is helping us keep packages up to date until we can automate it

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

coolio

solairerove avatar
solairerove

ready to approve

solairerove avatar
solairerove
cloudposse/build-harness

Collection of Makefiles to facilitate building Golang projects, Dockerfiles, Helm charts, and more - cloudposse/build-harness

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

thanks

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

make init

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

hrm

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

surprised we install terraform on make init

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

sorry…lint

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

aha, ok that makes more sense.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

we don’t have an automated process yet for opening PRs to bump versions

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I want to add it to our cloudposse/packages

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

for now, i’ll open an issue and we’ll get that version bumped

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

gotcha

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

what’s the secret sauce to run before pushing?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

oh, for the docs?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

make readme

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

(assumes at some point you’ve run make readme/deps)

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

yup. got that one

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

thought there was another too, but seems that did ok

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

fmt?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

terraform fmt

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

clear there

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

check the .travis.yml for all the steps

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

cool. just don’t want to waste your time when I put the PR up

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

ah, good to know

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

haha, appreciated it!

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
make init
make readme/deps
make readme
johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

cool

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

thoughts?

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

pushed a quick update on the readme

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

btw, example might need some work

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

let me actually make those changes

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

Thanks

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

np

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

pushed

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

ran it within my eks work and it worked

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

All facts

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@Dombo thanks!

pericdaniel avatar
pericdaniel

Okay I’m going crazy

pericdaniel avatar
pericdaniel

Why isn’t this working

pericdaniel avatar
pericdaniel

variable "allowed_ports" {
  type        = "list"
  description = "List of allowed ingress ports"
  default     = ["22", "88"]
}

pericdaniel avatar
pericdaniel

from_port = "${element(var.allowed_ports, count.index)}"
to_port   = "${element(var.allowed_ports, count.index)}"

pericdaniel avatar
pericdaniel

It only adds port 22 to sg

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

use count

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

show the whole module where you have

from_port = "${element(var.allowed_ports, count.index)}"
to_port   = "${element(var.allowed_ports, count.index)}"
pericdaniel avatar
pericdaniel

Ah let me add that

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-aws-eks-cluster

Terraform module for provisioning an EKS cluster. Contribute to cloudposse/terraform-aws-eks-cluster development by creating an account on GitHub.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

you use count in the resource, and then you can use count.index

pericdaniel avatar
pericdaniel

I think I got it!

pericdaniel avatar
pericdaniel

Having some other route table shenanigans now

pericdaniel avatar
pericdaniel

I know what’s up

pericdaniel avatar
pericdaniel

Do you have an example of running a bunch of Linux commands on a box through a tpl file?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-aws-eks-workers

Terraform module to provision an AWS AutoScaling Group, IAM Role, and Security Group for EKS Workers - cloudposse/terraform-aws-eks-workers

pericdaniel avatar
pericdaniel

Thank you!

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-aws-user-data-cloud

Contribute to cloudposse/terraform-aws-user-data-cloud development by creating an account on GitHub.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-aws-user-data-assets

Contribute to cloudposse/terraform-aws-user-data-assets development by creating an account on GitHub.

pericdaniel avatar
pericdaniel

How do you know when to base64encode?

pericdaniel avatar
pericdaniel

@Andriy Knysh (Cloud Posse) I want to userdata this

pericdaniel avatar
pericdaniel

#!/bin/bash
# GitLab bootstrap (user-data). $1 is the mail hostname handed to postfix.
# If this file is rendered through a Terraform template, write it as $${1}
# so Terraform does not try to interpolate it.

# Install GitLab prerequisites
sudo apt-get update
sudo apt-get install -y curl openssh-server ca-certificates
# Pre-seed the postfix debconf answers so the install does not prompt
echo "postfix postfix/mailname string ${1}" | sudo debconf-set-selections
echo 'postfix postfix/main_mailer_type string "Internet Site"' | sudo debconf-set-selections

# Get repository. Note: this pipes an unverified remote script straight into sudo bash.
curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.deb.sh | sudo bash
# -y so apt does not block on a prompt when run non-interactively as user-data
sudo EXTERNAL_URL="http://gitlabtest.com" apt-get install -y gitlab-ee

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

anyone here send EC2 instance status events (cloudwatch + sns + lambda) to slack?

loren avatar
loren

maybe checkout this aws-to-slack lambda… it supports the AWS Health Dashboard, https://github.com/arabold/aws-to-slack#what-is-it

arabold/aws-to-slack

Forward AWS CloudWatch Alarms and other notifications from Amazon SNS to Slack. - arabold/aws-to-slack

loren avatar
loren

wrote a tf module based around that lambda function… https://github.com/plus3it/terraform-aws-slack-notifier

plus3it/terraform-aws-slack-notifier

Terraform module that builds and deploys a lamdbda function for the aws-to-slack package. - plus3it/terraform-aws-slack-notifier

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

like those hardware failure notices, scheduled maintenance, etc

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

we have the module for sns<->slack

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

we’re missing the cloudwatch side

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@Erik Osterman (Cloud Posse) have you setup an EC2 health check feed into slack before?

jamie avatar
jamie

No, nothing handy.

@Erik Osterman (Cloud Posse) have you setup an EC2 health check feed into slack before?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@jamie or @maarten might have something

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
cloudposse/tfenv

Transform environment variables for use with Terraform (e.g. TF_VAR_lower_case) - cloudposse/tfenv

:--1:1
johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

nice!

rohit avatar
rohit

Is there a way to define the order in which output variables display ?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

not really

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

i think that if you put them all in the same file, they will output in that order they appear (but just a hunch)

rohit avatar
rohit

they don’t appear in the same order

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

hrm…

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

then I don’t think there is a way “out of the box”

rohit avatar
rohit

not a big deal, thought there would be something already available to do this

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

you can emit them in json and then do whatever you want (e.g. with jq)

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

terraform output -json | jq ...

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

(or something like that)

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
cloudposse/test-harness

Collection of Makefiles and test scripts to facilitate testing Terraform modules, Kubernetes resources, Helm charts, and more - cloudposse/test-harness

rohit avatar
rohit

nice

rohit avatar
rohit

that works for me

rohit avatar
rohit

thanks

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

isn’t it just in alphabetical order?

1
rohit avatar
rohit

yes it is

2018-12-12

ikar avatar

Hi there, I’m new to terraform (used it to make an ec2 instance). I’m trying to use this module: https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn … well, to create cloudfront with an s3 source. We don’t have any domain, and with this code:

module "cdn" {
  source = "cloudposse/cloudfront-s3-cdn/aws"
  version = "0.3.5"
  stage = "dev"
  name = "app"
  namespace = "pg"
}

I get this error:

...
module.cdn.data.aws_iam_policy_document.origin: Refreshing state...
module.cdn.module.logs.aws_s3_bucket.default: Creation complete after 4s (ID: pg-dev-pg-app-logs)

Error: Error applying plan:

1 error(s) occurred:

* module.cdn.aws_s3_bucket.origin: 1 error(s) occurred:

* aws_s3_bucket.origin: Error putting S3 CORS: MalformedXML: The XML you provided was not well-formed or did not validate against our published schema
        status code: 400, request id: 8E821E105B6852CA, host id: F+zK01RI/I3BcuzlnK+nRLEdvLz4G4bRkJgGutEYI8fS4iBNTGw7UGLWik+GtLcCyvqXQxMcecU=

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

this sounds quite cryptic to me, any idea where to start digging?

cloudposse/terraform-aws-cloudfront-s3-cdn

Terraform module to easily provision CloudFront CDN backed by an S3 origin - cloudposse/terraform-aws-cloudfront-s3-cdn

joshmyers avatar
joshmyers

@ikar have you run this with debug logging turned on?

ikar avatar

nope, didn’t know about the possibility, thanks! But it seems the module requires at least cors_allowed_origins = ["*"]. Though I hit another problem which probably can’t be solved using that module, will write s3+cdn by myself from scratch.

joshmyers avatar
joshmyers
cloudposse/terraform-aws-cloudfront-s3-cdn

Terraform module to easily provision CloudFront CDN backed by an S3 origin - cloudposse/terraform-aws-cloudfront-s3-cdn

ikar avatar

yes, that is way more complicated than what I need (no route 53). also don’t need logging

joshmyers avatar
joshmyers

you probably do want logging…

joshmyers avatar
joshmyers

but I’m thinking https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn/blob/master/main.tf#L64 maybe breaking if nothing at all is set

cloudposse/terraform-aws-cloudfront-s3-cdn

Terraform module to easily provision CloudFront CDN backed by an S3 origin - cloudposse/terraform-aws-cloudfront-s3-cdn

ikar avatar

not at this point. yes, it says it is optional, but ends with the error above

joshmyers avatar
joshmyers

Turn on debug logging and see if there is a broken looking cors config

ikar avatar

how to do that?

joshmyers avatar
joshmyers
Debugging - Terraform by HashiCorp

Terraform has detailed logs which can be enabled by setting the TF_LOG environment variable to any value. This will cause detailed logs to appear on stderr

ikar avatar

holy cow! that’s a lot of debug info

Jan avatar

hahah yea debug is brutal

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@ikar if you’re still having the issue, paste your complete code here and we’ll take a look

:--1:1
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

Welcome to the community btw :)

ikar avatar

thanks @Andriy Knysh (Cloud Posse)! creating custom module, but thanks

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

Are you creating Cloudfront with plain S3 bucket as origin, or as a website?

ikar avatar

Cloudfront with plain S3 bucket as origin

davidvasandani avatar
davidvasandani

@ikar it’ll be easier for the community to help you modify one of the existing modules (and more useful to the community as a whole) vs writing a brand new module from scratch. Good luck either way though!!

:--1:3
ikar avatar

I wanted to try custom solution to learn about terraform. The thing is I wasn’t able to setup CDN behaviour correctly using this: <https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn>

ikar avatar

by “correctly” I mean as requested by a project manager

davidvasandani avatar
davidvasandani

@ikar if you can go into more detail on what the module is failing to configure, maybe we can help you. Possibly by turning a current static configuration into something more dynamic for your and others’ needs.

:100:1
ikar avatar

thanks @davidvasandani, already achieved what I needed with using pure resources. Next time, I’ll try to be more patient. I’m in EU timezone so I’m usually exhausted when the community is waking up

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

this combined with atlantis would be a great way to allow community to contribute new modules

2
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

literally open up a PR for the terraform module repo

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

get it approved, merged

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

then contribute your changes

loren avatar
loren

nifty idea!

sarkis avatar
sarkis

or even providers…

:100:2
loren avatar
loren

i’d dearly love an official okta provider…

:--1:1
Jan avatar
Stretch96/terraform-aws-permissions-generator

Terraform AWS Permissions Generator. Contribute to Stretch96/terraform-aws-permissions-generator development by creating an account on GitHub.

Jan avatar

Interesting idea

Jan avatar

“Introducing Aardvark and Repokid” by Netflix Technology Blog https://link.medium.com/ZoHsIudfBS

“Introducing Aardvark and Repokid” attachment image

A place where words matter

Jan avatar

Along with Netflix’s Aardvark and Repokid, it could prove to be a sweet trio

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)


access profiling and automated and ongoing right-sizing. We allow developers to deploy their applications with a basic set of permissions and then use profiling data to remove permissions that are demonstrably not used.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I’ve wanted to do exactly this!

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I was thinking it would be nice to run terraform through an AWS API proxy and then parse the requests to figure out the canned permissions

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

terraform-aws-permissions-generator seems kind of like that

Jan avatar

https://github.com/duo-labs/cloudmapper has a super interesting feature with audit usage

duo-labs/cloudmapper

CloudMapper helps you analyze your Amazon Web Services (AWS) environments. - duo-labs/cloudmapper

Jan avatar

Being someone who has always understood infrastructure sets in a visual and conceptual way, it’s pretty cool

jamie avatar
jamie

I have written a TF module for cloudmapper to run in Fargate for a client.

jamie avatar
jamie

So I can provide that if you want something to start on?

Jan avatar

Would absolutely love to take a look!

Jan avatar

Still exploring it

Jan avatar
28mm/blast-radius

Interactive visualizations of Terraform dependency graphs using d3.js - 28mm/blast-radius

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

love the authors bio: “Tool-using primate, proficient typist, and Seattle-resident Systems Administrator.”

Jan avatar

Hahahaha, my kids dude

Jan avatar

Is also pretty neat

Shane avatar
Shane

@Jan oh, that’s interesting we just had someone last week run… terraform destroy --force on our folder that contains all of our dev infrastructure

1
Shane avatar
Shane

Anyone have any recommendations for making that as non-destructive as possible? It stopped them when the IAM role they were using was deleted.

Shane avatar
Shane

Took us 30 mins to recover so it was a good exercise

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

not really… maybe more sandbox accounts

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)


terraform destroy --force on our folder that contains all of our dev infrastructure

Shane avatar
Shane

ya, one option is to separate the dev folders by teams

:--1:1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

yea, teams and/or projects

:--1:1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

though wait, you have the entire dev infra defined in one project?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

yea, exactly, more projects ~ states

Shane avatar
Shane

it’s a single terraform project with about 2 dozen modules

Shane avatar
Shane

terraform state list | wc 571

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

we’ve moved away from large projects mostly because they (a) take FOREVER to plan (b) have a huge blast radius

3
Shane avatar
Shane

we have basically been waiting for it to get slow to plan/apply, but it has been fine so we had no reason to split it out.

Shane avatar
Shane

but after the deletion that might give us a good reason

Shane avatar
Shane

and it will also improve atlantis locks

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

yea, exactly

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
cloudposse/terraform-root-modules

Example Terraform service catalog of “root module” invocations for provisioning reference architectures - cloudposse/terraform-root-modules

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

here’s roughly how we organize everything

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

this will vary from company to company, team to team

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

each one of those folders in aws corresponds to a project

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

coldstart is pretty painful. we go into each folder and plan/apply

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
uber/astro

Astro is a tool for managing multiple Terraform executions as a single command - uber/astro

davidvasandani avatar
davidvasandani

Have you played with terragrunt? I’d be curious to hear how it compares with astro. I’m a big terragrunt fan

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

i like what terragrunt achieves

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

i’m not particularly fond of how it achieves it.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

i don’t like the overloading of tfvar

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

i don’t like the “transparent” wrapper

:--1:1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

….

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

i do like task runners. i use those all the time

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

make, rake, etc.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

i don’t like that make isn’t very “pipeline” oriented. it’s too close to a language, so people abuse it (us included!)

1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

what i like about astro is it presents a pipeline like a build pipeline. do this, then do that. and it does it in YAML, which all my other pipelines are in.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

for the record, haven’t used astro yet. just been pondering the approach almost everyday for the past few weeks.

davidvasandani avatar
davidvasandani

re: astro, ditto.

Shane avatar
Shane

ya, we essentially group our “projects/services” as modules unto themselves in their own git repo.

Shane avatar
Shane

So the main state just references modules with their variables.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

yea, that’s nice

Shane avatar
Shane

we use that setup to have CI tests that test out the modules on changes.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

are you using plain terraform for everything?

Shane avatar
Shane

Correct, no terragrunt

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
Command: init - Terraform by HashiCorp

The terraform init command is used to initialize a Terraform configuration. This is the first command that should be run for any new or existing Terraform configuration. It is safe to run this command multiple times.

Shane avatar
Shane

I have never been overly fond of terragrunt.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

same

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

but this terraform init -from-module=.... is top of mind

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

(incidentally, something terragrunt does use under the hood)

Shane avatar
Shane

ya, that’s interesting functionality

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

so i’d like to be able to define an architecture more or less without writing a line of terraform code

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

assuming all the modules already exist

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

anyways, that’s what I think I want. not sure yet.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

i have a call with Dans @ Uber next tuesday to learn more about how they use Astro at uber.

1
Shane avatar
Shane

nice

Shane avatar
Shane

Got ya, so define the modules and make them more reusable with a simple abstraction on top.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

yea… and since we’re both helmfilers, basically something like #helmfile

:--1:1
johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

Take your time reviewing this monster PR: https://github.com/cloudposse/terraform-aws-eks-cluster/pull/7

Fix the README example by johncblandii · Pull Request #7 · cloudposse/terraform-aws-eks-cluster

There was a small tweak needed in the README for it to work. // CC @osterman @aknysh

1
sahil avatar
sahil

Hi guys, do we have a terraform module for cognito user pool? If not, do we have any plans for it in the future?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

ah, bummer! no not yet.

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

sorry…that’s data.

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

that’s a lot of args. LOL. I can see where a module would help.

sahil avatar
sahil

Yes!

:--1:1
johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

#homerdisappear

1
johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

anyone k8s with EKS? trying to get my bearings and the auth is winning right now

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I saw your PR

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

have you looked at the examples/complete

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

that was tested as of a couple of days ago

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

i didn’t. checking

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

just pushed a fix, btw

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

thx!

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

i have it running. it worked flawlessly

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@Andriy Knysh (Cloud Posse) is most familiar with it

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

Unauthorized is my life right now. i will go back through the setup steps

johncblandii (Cloud Posse) avatar
johncblandii (Cloud Posse)

got it. def’ was a config thing from the yaml output. i needed to use the AWS_PROFILE env var or update the config yaml to pass it into aws-iam-authenticator

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

awesome!

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

is this a skunkworks project to get off of beanstalk?

2018-12-11

maarten avatar
maarten

@rohit Passing the baton to @jamie who worked with launch templates earlier, maybe he knows a bit more. What do you mean with “not able to set newly created version on the launch template as default”? Did you get a kind of error, or did you not notice a change? When updating a launch config of an autoscaling group, the launch config has been changed but you won’t see an immediate effect. AWS does not do the replacement of the instances itself. Best way to tackle that is either a separate blue/green deployment process or something like step functions together with a lambda which takes care of that.

1
jamie avatar
jamie

you can actually configure the autoscaling group to do a graceful replacement of the instances without using lambda

maarten avatar
maarten

this thread isn’t readable, is this the thread with the cloudformation resource ?

jamie avatar
jamie

Haha. No it’s one of the lead terraform devs talking about how they do it for their own servers

jamie avatar
jamie

resource "aws_launch_configuration" "someapp" {
  # No "name" here: Terraform generates a unique one, so a new LC never collides with the old one
  lifecycle { create_before_destroy = true }

  image_id        = "${var.ami}"
  instance_type   = "${var.instance_type}"
  key_name        = "${var.key_name}"
  security_groups = ["${var.security_group}"]
}

resource "aws_autoscaling_group" "someapp" {
  lifecycle { create_before_destroy = true }

  # Interpolating the LC name into the ASG name forces a new ASG whenever the LC changes
  name                 = "someapp - ${aws_launch_configuration.someapp.name}"
  launch_configuration = "${aws_launch_configuration.someapp.name}"
  desired_capacity     = "${var.nodes}"
  min_size             = "${var.nodes}"
  max_size             = "${var.nodes}"
  # Terraform waits until this many instances are InService in the ELB before the ASG counts as created
  min_elb_capacity     = "${var.nodes}"
  availability_zones   = ["${split(",", var.azs)}"]
  vpc_zone_identifier  = ["${split(",", var.subnet_ids)}"]
  load_balancers       = ["${aws_elb.someapp.id}"]
}

The important bits are:

  • Both LC and ASG have create_before_destroy set
  • The LC omits the “name” attribute to allow Terraform to auto-generate a random one, which prevents collisions
  • The ASG interpolates the launch configuration name into its name, so LC changes always force replacement of the ASG (and not just an ASG update).
  • The ASG sets “min_elb_capacity” which means Terraform will wait for instances in the new ASG to show up as InService in the ELB before considering the ASG successfully created.

The behavior when “var.ami” changes is:

  (1) New “someapp” LC is created with the fresh AMI
  (2) New “someapp” ASG is created with the fresh LC
  (3) Terraform waits for the new ASG’s instances to spin up and attach to the “someapp” ELB
  (4) Once all new instances are InService, Terraform begins destroy of old ASG
  (5) Once old ASG is destroyed, Terraform destroys old LC

If Terraform hits its 10m timeout during (3), the new ASG will be marked as “tainted” and the apply will halt, leaving the old ASG in service.

jamie avatar
jamie

I know this isn’t answering rohits question.

maarten avatar
maarten

Doesn’t this also imply that all dependencies of the asg also need to have create_before_destroy then ?

jamie avatar
jamie

I expect so.

Jan avatar

that is how create_before_destroy works, isn’t it

Jan avatar

for a 3az, 2 tier vpc

Jan avatar
cloudposse/terraform-aws-multi-az-subnets

Terraform module for multi-AZ public and private subnets provisioning - cloudposse/terraform-aws-multi-az-subnets

cloudposse/terraform-aws-dynamic-subnets

Terraform module for public and private subnets provisioning in existing VPC - cloudposse/terraform-aws-dynamic-subnets

Jan avatar

ideally I will not have the same size public / private subnets

Jan avatar

but have say 2/3 of the cidr for the vpc in private

joshmyers avatar
joshmyers

The above method of blue/green TF deploys of new AMIs works well, fails safe :–1:

Nikola Velkovski avatar
Nikola Velkovski

Only if you use ami baking and no docker though.

joshmyers avatar
joshmyers

ASG events can trigger deploys of app code so the new AMIs pass ELB health checks, so as new instances come in healthy, old ones are rolled out. You don’t need to bake your app into the AMI; I generally wouldn’t suggest that

Jan avatar

So the max_subnets as a way to calculate subnets used in https://github.com/cloudposse/terraform-aws-multi-az-subnets has an interesting side effect

cloudposse/terraform-aws-multi-az-subnets

Terraform module for multi-AZ public and private subnets provisioning - cloudposse/terraform-aws-multi-az-subnets

Jan avatar

a /22 sent to a 3az vpc would by default create subnets with /26 rather than /25

Jan avatar

this is because the max_subnets default of 6 means that the /22 need to fit 6*(number of tiers)

Jan avatar

so it’s in fact max_subnets per tier

Jan avatar

not max per vpc

Jan avatar

so max_subnets = 3 nets 8 subnets so 6x /25’s

Jan avatar

much less waste

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@Jan the two subnet modules were created to divide a VPC into private and public subnets according to some set of rules (different for the two modules). It was already brought to attention that they ‘waste’ IP space and in general don’t provide all possible solutions. We mostly use https://github.com/cloudposse/terraform-aws-dynamic-subnets for all our deployments and it works well

cloudposse/terraform-aws-dynamic-subnets

Terraform module for public and private subnets provisioning in existing VPC - cloudposse/terraform-aws-dynamic-subnets

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

if you have some specific requirements on how to divide a VPC not covered by any of the modules, then a new module needs to be created

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

there are a million ways to divide a vpc

Jan avatar

I’m already all sorted, thanks

Jan avatar

I just call it with max_subnets = 3

Jan avatar

cheers for following up though

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

which module did you end up using?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-aws-named-subnets

Terraform module for named subnets provisioning. Contribute to cloudposse/terraform-aws-named-subnets development by creating an account on GitHub.

Jan avatar

Have you got an example of using https://github.com/cloudposse/terraform-aws-dynamic-subnets to do a two tier 3az vpc?

cloudposse/terraform-aws-dynamic-subnets

Terraform module for public and private subnets provisioning in existing VPC - cloudposse/terraform-aws-dynamic-subnets

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

two tier means private and public subnets?

Jan avatar

yes

Jan avatar

spanning 3 availability zones

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

but that’s what we use everywhere

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-aws-eks-cluster

Terraform module for provisioning an EKS cluster. Contribute to cloudposse/terraform-aws-eks-cluster development by creating an account on GitHub.

Jan avatar

maybe I missed something then

Jan avatar

right

Jan avatar

I see

Jan avatar

cool thanks, will switch over to that one

Jan avatar

and test

rohit avatar
rohit

@maarten I am able to use newly created launch template version to create autoscaling group but on the launch template there is an option to set the default version which i am not able to do for the latest version using terraform

rohit avatar
rohit

and no, i don’t get an error

rohit avatar
rohit

I just don’t see an option to do it in terraform

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-aws-ec2-autoscale-group

Terraform module to provision Auto Scaling Group and Launch Template on AWS - cloudposse/terraform-aws-ec2-autoscale-group

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

not sure if that’s the correct way of doing it

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

(and that’s not suited for green/blue deployments as @jamie and @maarten discussed)

rohit avatar
rohit

@Andriy Knysh (Cloud Posse) i saw this but this will only set the autoscaling group to use the latest version

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
AWS: aws_autoscaling_group - Terraform by HashiCorp

Provides an AutoScaling Group resource.

rohit avatar
rohit

yes, that is on the autoscaling group

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

so i guess it should be version = "$$Default"

rohit avatar
rohit

but i am talking about setting the default version on launch_template

rohit avatar
rohit

which has nothing to do with autoscaling group

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
AWS: aws_launch_template - Terraform by HashiCorp

Provides an EC2 launch template resource. Can be used to create instances or auto scaling groups.

maarten avatar
maarten

Maybe it’s not configurable, but something the WEBUI team came up with after smoking something. Just deep dive here https://github.com/aws/aws-sdk-go to see if it’s in their api.

aws/aws-sdk-go

AWS SDK for the Go programming language. Contribute to aws/aws-sdk-go development by creating an account on GitHub.

maarten avatar
maarten

aws ec2 modify-launch-template --launch-template-id "lt-0444afefe36b9f2c0" --default-version "1" --region eu-central-1

maarten avatar
maarten

ok, so there is a command line for it, that helps

maarten avatar
maarten

ok, so you can set the default version with it, meaning that if you launch a template without giving the version it will take the default one. I’m not so sure why you would want that with Terraform as you control the whole chain with Terraform anyway and thus can pick the launch configuration you made with Terraform.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

yea thanks @maarten

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

the default version will be used if you don’t specify any version

rohit avatar
rohit

makes sense

rohit avatar
rohit

thanks

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

anyway it’s better to recreate the template and ASG if any changes

Jan avatar
cloudposse/terraform-aws-dynamic-subnets

Terraform module for public and private subnets provisioning in existing VPC - cloudposse/terraform-aws-dynamic-subnets

Jan avatar

ending up with x-xx-subnet-private-eu-central-1b & x-xx-xxx-public-eu-central-1b

Jan avatar

x, xx, xxx being the vars I’m setting: namespace, stage, name

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

no, it’s a bug (regression after the last updates to the module)

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

thanks for finding it

Jan avatar

:–1:

Jan avatar

just looked out of place

Jan avatar

Far nicer subnet module btw

Jan avatar

still passing `max_subnet_count = 3`

Jan avatar

also decided on `availability_zones = ["${slice(data.aws_availability_zones.available.names, 0, 3)}"]`

Jan avatar

for now

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

yea

Jan avatar

but I’m getting expected results

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

it was designed to take all AZs into account

Jan avatar

yea I saw

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

that’s why it divides into smaller subnets

Jan avatar

which I guess makes sense

Jan avatar

so I mean that’s 100% valid in that context

Jan avatar

though I don’t use any region with less than 3az and build my k8s clusters around that choice

Jan avatar

will explore that later

Jan avatar

an easy change

Jan avatar

Just got a vpn gw and cgw working

Jan avatar

So I guess new module incoming soon then

rohit avatar
rohit

Is it possible to create a target group without creating elb ?

2018-12-10

Jan avatar

mmm

joshmyers avatar
joshmyers

@rohit does it work without the aws_efs_mount_target resource? Does it create the security group?

joshmyers avatar
joshmyers

It looks legit on first inspection (under caffeinated at the mo)

Jan avatar

yea I would agree, nothing jumps out as being wrong

joshmyers avatar
joshmyers
Resource missing errors propagating over validation errors during plan · Issue #18129 · hashicorp/terraform

Seemingly, when a validation error occurs in a resource (due to a failing ValidateFunc), terraform plan returns missing resource errors over returning the original validation error that caused the …

joshmyers avatar
joshmyers

Also, you shouldn’t need that explicit depends_on, unless that was you testing the graph

rohit avatar
rohit

i thought it was dependency error so added depends_on

rohit avatar
rohit

without aws_efs_mount_target, i get the following error

* module.storage.module.kitemedia.aws_security_group.media: "ingress.0.cidr_blocks.0" must contain a valid CIDR, got error parsing: invalid CIDR address: subnet-012345d8ce0d89dbc
joshmyers avatar
joshmyers

So that is the problem. The error when wanting to create the SG is not bubbling up through the code and the SG isn’t actually created because of above error parsing the CIDR address which is actually a subnet

joshmyers avatar
joshmyers

and the error you are receiving instead is just saying I can’t find that SG id

joshmyers avatar
joshmyers

fix the ^^ error with CIDR and try re running without the depends_on and with aws_efs_mount_target uncommented

rohit avatar
rohit

i think that fixed the issue

rohit avatar
rohit

@joshmyers thanks

rohit avatar
rohit

also, i am not able to view output variables

joshmyers avatar
joshmyers

Are you outputting the variables?

rohit avatar
rohit

yes

rohit avatar
rohit

for efs, i am now facing the following issue

rohit avatar
rohit
* module.storage.module.kitemedia.aws_efs_mount_target.kitemedia[0]: 1 error(s) occurred:

* aws_efs_mount_target.kitemedia.0: MountTargetConflict: mount target already exists in this AZ
	status code: 409, request id: 74cdca17-fc8a-11e8-bdb0-d7feddd82bcc
* module.storage.module.kitemedia.aws_efs_mount_target.kitemedia[11]: 1 error(s) occurred:

* aws_efs_mount_target.kitemedia.11: MountTargetConflict: mount target already exists in this AZ
	status code: 409, request id: 7eca3ec0-fc8a-11e8-b0cb-e76fd688df15
* module.storage.module.kitemedia.aws_efs_mount_target.kitemedia[4]: 1 error(s) occurred:

* aws_efs_mount_target.kitemedia.4: MountTargetConflict: mount target already exists in this AZ
	status code: 409, request id: 755597d2-fc8a-11e8-a0c5-25395ed55c14
* module.storage.module.kitemedia.aws_efs_mount_target.kitemedia[24]: 1 error(s) occurred:
joshmyers avatar
joshmyers

What is var.aws_azs set to?

joshmyers avatar
joshmyers

It looks like that count is way higher than I’d imagine the number of AZs available…

rohit avatar
rohit

@joshmyers you were correct

rohit avatar
rohit

i updated the count to use the length

rohit avatar
rohit

count = "${length(split(",", var.aws_azs))}"

rohit avatar
rohit

but i still get 2 errors

rohit avatar
rohit
* module.storage.module.kitemedia.aws_efs_mount_target.kitemedia[2]: 1 error(s) occurred:

* aws_efs_mount_target.kitemedia.2: MountTargetConflict: mount target already exists in this AZ
	status code: 409, request id: c11d8b5d-fc8c-11e8-a6ac-03687caf52eb
* module.storage.module.kitemedia.aws_efs_mount_target.kitemedia[0]: 1 error(s) occurred:

* aws_efs_mount_target.kitemedia.0: MountTargetConflict: mount target already exists in this AZ
	status code: 409, request id: c11db25f-fc8c-11e8-adc4-b7e10e019ae2
joshmyers avatar
joshmyers

Any reason not to declare aws_azs as a list, rather than csv?

joshmyers avatar
joshmyers

and have they actually been created already but not written to the Terraform state?

joshmyers avatar
joshmyers

If so, manually delete the EFS mount targets and re run TF

rohit avatar
rohit

that worked

rohit avatar
rohit

@joshmyers thanks

rohit avatar
rohit

i am still not able to view the outputs

rohit avatar
rohit

i have them in outputs.tf

rohit avatar
rohit
output "kitemedia_dns_name" {
  value = "${aws_efs_file_system.kitemedia.id}.efs.${var.aws_region}.amazonaws.com"
}
rohit avatar
rohit

when i run terraform output kitemedia_dns_name

rohit avatar
rohit
The state file either has no outputs defined, or all the defined
outputs are empty. Please define an output in your configuration
with the `output` keyword and run `terraform refresh` for it to
become available. If you are using interpolation, please verify
the interpolated value is not empty. You can use the
`terraform console` command to assist.
rohit avatar
rohit

this is what i am seeing

joshmyers avatar
joshmyers

Inspect the statefile - is ^^ correct and there are no outputs defined in there?

joshmyers avatar
joshmyers

and is that output in the module that you are calling?

rohit avatar
rohit

do i have to use fully qualified name ?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@rohit try just terraform output from the correct folder and see what it outputs

rohit avatar
rohit

when i navigate to the correct folder, i get

The module root could not be found. There is nothing to output.
rohit avatar
rohit

i am able to see them in the state file

rohit avatar
rohit

but not on the command line using terraform output

joshmyers avatar
joshmyers

@rohit again, are you outputting the value in the module, and then also in the thing which calls the module as my example above?

rohit avatar
rohit

yeah tried that

rohit avatar
rohit

still same issue

joshmyers avatar
joshmyers

Without being able to see any code

joshmyers avatar
joshmyers

¯\_(ツ)_/¯

rohit avatar
rohit

this is what i have inside outputs.tf under kitemedia module

output "kitemedia_dns_name" {
  value = "${aws_efs_file_system.kitemedia.id}.efs.${var.aws_region}.amazonaws.com"
}
rohit avatar
rohit

and then this is what i have inside outputs.tf that calls kitemedia module

output "kitemedia_dns_name" {
  value = "${module.storage.kitemedia.kitemedia_dns_name}"
}
joshmyers avatar
joshmyers

Where has “storage” come from in module.storage.kitemedia.kitemedia_dns_name

joshmyers avatar
joshmyers

Please post full configs including all vars and outputs for both the module and the code calling the module in a gist

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@rohit what IDE/Editor are you using?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

suggest to try https://www.jetbrains.com/idea/, it has a VERY nice Terraform plugin, shows and highlights all errors, warning, and other inconsistencies like wrong names, missing vars, etc.

IntelliJ IDEA: The Java IDE for Professional Developers by JetBrains

Capable and Ergonomic Java IDE for Enterprise Java, Scala, Kotlin and much more…

joshmyers avatar
joshmyers

vscode is actually quite nice too - never thought I’d say that about an MS product but times are a changin’

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

yea, i tried it, it’s nice

joshmyers avatar
joshmyers

Also has good TF support

rohit avatar
rohit

i am using vscode

Jan avatar

im using vscode too, works well enough

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

yep

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

just tried to understand where storage comes from in module.storage.kitemedia.kitemedia_dns_name as @joshmyers pointed out

rohit avatar
rohit

It’s actually module.kitemedia.kitemedia_dns_name

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

Working now?

rohit avatar
rohit

nope

rohit avatar
rohit

i am not sure what’s wrong

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

can you post the full code?

rohit avatar
rohit

i will try

rohit avatar
rohit

i have another question

rohit avatar
rohit

so i have the following structure,

modules/compute/app1/main.tf, modules/compute/app2/main.tf, modules/compute/app3/main.tf
rohit avatar
rohit

i want to use an output variable from modules/compute/app1/main.tf in modules/compute/app2/main.tf

rohit avatar
rohit

so i am writing my variable to outputs.tf

rohit avatar
rohit

now, how do i access the variable in modules/compute/app2/main.tf ?

rohit avatar
rohit

does this make sense?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

it’s easy if all of those folders are modules, then you use a relative path to access the module and use its outputs, e.g. https://github.com/cloudposse/terraform-aws-eks-cluster/blob/master/examples/complete/main.tf#L62

cloudposse/terraform-aws-eks-cluster

Terraform module for provisioning an EKS cluster. Contribute to cloudposse/terraform-aws-eks-cluster development by creating an account on GitHub.

rohit avatar
rohit

I was not aware that something like this can be done

rohit avatar
rohit

i am sure there are many more features like this

rohit avatar
rohit

@Andriy Knysh (Cloud Posse) i tried what you suggested but i am still facing problems

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@rohit post here your code and the problems you are having

rohit avatar
rohit

It is hard to paste the entire code but i will try my best

rohit avatar
rohit

In my modules/compute/app1/outputs.tf i have

output "ec2_instance_security_group" {
  value = "${aws_security_group.instance.id}"
}
rohit avatar
rohit

In my modules/compute/app2/main.tf i am trying to do something like this

rohit avatar
rohit
data "terraform_remote_state" "instance" {
  backend = "s3"

  config {
    bucket = "${var.namespace}-${var.stage}-terraform-state"
    key    = "account-settings/terraform.tfstate"
  }
}

security_groups = ["${data.terraform_remote_state.instance.app1.ec2_instance_security_group}"]
rohit avatar
rohit

i feel that i am missing something here

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

you did not configure your remote state, you are just using ours

rohit avatar
rohit

I looked at the state file and it is listed under

            "path": [
                "root",
                "compute",
                "app1"
            ],
            "outputs": {
                "ec2_instance_security_group": {
                    "sensitive": false,
                    "type": "string",
                    "value": "REDACTRED"
                }
}
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
config {
    bucket = "${var.namespace}-${var.stage}-terraform-state"
    key    = "account-settings/terraform.tfstate"
  }
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

^ needs to be updated to reflect your bucket and your folder path

rohit avatar
rohit

yes i did that

rohit avatar
rohit

i did not want to paste the actual values

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

hmm

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

there are no secrets here

config {
    bucket = "${var.namespace}-${var.stage}-terraform-state"
    key    = "account-settings/terraform.tfstate"
  }
rohit avatar
rohit

Is the output from my state file helpful ?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

update and paste the code

rohit avatar
rohit
data "terraform_remote_state" "compute" {
  backend   = "s3"
  workspace = "${terraform.workspace}"

  config {
    bucket               = "bucketname"
    workspace_key_prefix = "tf-state"
    key                  = "terraform.tfstate"
    region               = "us-east-1"
    encrypt              = true
  }
}
rohit avatar
rohit

is that helpful ?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

if you look at the state bucket, do you see the file under terraform.tfstate?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

it’s probably under one of the app subfolders

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

e.g. app1 or app2

rohit avatar
rohit

the state file is under, bucketname/tf-state/eakk/terraform.tfstate

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

key = "tf-state/eakk/terraform.tfstate"

rohit avatar
rohit

ohh

rohit avatar
rohit

security_groups = ["${data.terraform_remote_state.instance.app1.ec2_instance_security_group}"]

rohit avatar
rohit

is this correct then ?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-root-modules

Collection of Terraform root module invocations for provisioning reference architectures - cloudposse/terraform-root-modules

rohit avatar
rohit

what is the significance of account_settings here ?

rohit avatar
rohit

should it match with any of my resource names ?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

security_groups = ["${data.terraform_remote_state.compute.ec2_instance_security_group}"] something like this

rohit avatar
rohit
Resource 'data.terraform_remote_state.compute' does not have attribute 'ec2_instance_security_group' for variable 'data.terraform_remote_state.compute.ec2_instance_security_group'

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@rohit here is a working example on how we define the outputs in one module https://github.com/cloudposse/terraform-root-modules/blob/master/aws/account-settings/outputs.tf

cloudposse/terraform-root-modules

Collection of Terraform root module invocations for provisioning reference architectures - cloudposse/terraform-root-modules

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

and then reference the output from another module (in different folder) using remote state https://github.com/cloudposse/terraform-root-modules/blob/master/aws/users/main.tf#L32

cloudposse/terraform-root-modules

Collection of Terraform root module invocations for provisioning reference architectures - cloudposse/terraform-root-modules

rohit avatar
rohit

is there any significance of root_iam in your data block ? or can it be anything ?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

it’s a module to provision IAM on the root account

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

the folder name could be different (if that’s what you are asking )

rohit avatar
rohit

Still did not work

rohit avatar
rohit

so i decided to take a different approach

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

did you first provision aws_security_group.instance before accessing its state?

rohit avatar
rohit

yes i did

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

in what folder?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

please cd to that folder and run terraform output (and paste the result here)

rohit avatar
rohit
The module root.app1 could not be found. There is nothing to output.
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

Looks like you didn’t provision anything in that folder

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

Direct message me with all the files, I’ll take a look. Remove all the secrets if any

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

if those apps are just resources, then you can use https://www.terraform.io/docs/providers/terraform/d/remote_state.html

Terraform: terraform_remote_state - Terraform by HashiCorp

Accesses state meta data from a remote backend.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-root-modules

Collection of Terraform root module invocations for provisioning reference architectures - cloudposse/terraform-root-modules

pericdaniel avatar
pericdaniel

anyone installing gitlab omnibus with terraform?

Jan avatar
Terraform creation of Gitlab-CE installed with Omnibus in AWS

Terraform creation of Gitlab-CE installed with Omnibus in AWS Is anyone else doing this? How are you doing your backup and restore when you need to replace the gitlab instance for some reason? I recently needed to up the disk size of my instance so when I made the change in TF I needed to terminate my currently running instance and then apply the new TF plan which included the new disk size. Once the new instance comes up I have a template file in TF which is parsed into the user data for the i…

Jan avatar

I’m running gitlab from within k8s

Jan avatar
GitLab Helm Chart | GitLab

Documentation for GitLab Community Edition, GitLab Enterprise Edition, Omnibus GitLab, and GitLab Runner.

Jan avatar

oh that’s the EE

Jan avatar

sec

Jan avatar
GitLab Helm Chart | GitLab

Documentation for GitLab Community Edition, GitLab Enterprise Edition, Omnibus GitLab, and GitLab Runner.

pericdaniel avatar
pericdaniel

yea i saw the forum on

pericdaniel avatar
pericdaniel

one

pericdaniel avatar
pericdaniel

i didn’t know if someone had the full stack

pericdaniel avatar
pericdaniel

the vpc and subnets and everything is easy

pericdaniel avatar
pericdaniel

is that piece he has all i need then?

Jan avatar

I’m not sure sorry, just found that

Jan avatar

as much as possible I try to do things in k8s

pericdaniel avatar
pericdaniel

yea i need to do that too!

pericdaniel avatar
pericdaniel

do you have it for k8? @Jan

rohit avatar
rohit

In launch template, is it possible to set latest version to default ?

davidvasandani avatar
davidvasandani

do you have it for k8? @Jan

pericdaniel avatar
pericdaniel

@davidvasandani I’m looking for terraform that autocreates gitlab omnibus… if its not out there i just thought about writing it

davidvasandani avatar
davidvasandani

@pericdaniel and you’re looking for AWS? I just checked Gitlab’s website and found they have a Terraform bootstrap for GCE but it hasn’t been updated in a year.

pericdaniel avatar
pericdaniel

yea for aws

pericdaniel avatar
pericdaniel

i was thinking about converting the gce one

davidvasandani avatar
davidvasandani
A Comprehensive Guide to Running GitLab on AWS – Alois Barreras – Medium

A series of posts that will examine why we chose GitLab at Alchemy and teach you how to automate your own installation on AWS using…

pericdaniel avatar
pericdaniel

thank you!

rohit avatar
rohit

In launch template, is it possible to set latest version to default ?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

probably using that

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)


latest_version - The latest version of the launch template.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

(haven’t personally dealt with it lately)

rohit avatar
rohit

i was able to use latest_version in the autoscaling group but i was not able to set the newly created version on the launch template as default

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

hrm… @maarten might have some ideas

2018-12-09

joshmyers avatar
joshmyers

@rohit Are you hitting a problem caused by the default max item size?

rohit avatar
rohit

@joshmyers no. i just want to know how the max_item_size works

joshmyers avatar
joshmyers
memcached/memcached

memcached development tree. Contribute to memcached/memcached development by creating an account on GitHub.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Max item size is the length of the longest value stored. If you are serializing data structures or session data, this could get quite large. If you are just storing simple key value pairs a smaller number is probably fine. This is a hint to memcache for how to organize the data and the size of slabs for storing objects.

joshmyers avatar
joshmyers

What kinda things are you storing in there?

rohit avatar
rohit

we are using memcache for tomcat session storage

rohit avatar
rohit

so basically session information

joshmyers avatar
joshmyers

Is 1mb object storage enough for you?

rohit avatar
rohit

I think so but i will have to check

rohit avatar
rohit

Looks like availability_zones option is deprecated in favor of preferred_availability_zones https://github.com/cloudposse/terraform-aws-elasticache-memcached/blob/65a0655e8bde7fb177516bbcdd394eddc8cfcc88/main.tf#L76

cloudposse/terraform-aws-elasticache-memcached

Terraform Module for ElastiCache Memcached Cluster - cloudposse/terraform-aws-elasticache-memcached

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Could you add an issue for this?

cloudposse/terraform-aws-elasticache-memcached

Terraform Module for ElastiCache Memcached Cluster - cloudposse/terraform-aws-elasticache-memcached

rohit avatar
rohit

sure can

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Thanks!

rohit avatar
rohit

I think i also know how to fix it

rohit avatar
rohit

so will probably submit a PR sometime tomorrow

rohit avatar
rohit

Is there a way to view what is stored in dynamodb table ? I was not able to find anything but empty table

Steven avatar
Steven

The DynamoDB table can be viewed and modified via the DynamoDB UI. There is nothing hiding it. Once a Terraform config is set up correctly to write to S3 with locking and applied successfully, it will write to that table. Until then it will be empty

rohit avatar
rohit

ohh ok

rohit avatar
rohit

I am using the terraform-aws-vpc module https://github.com/terraform-aws-modules/terraform-aws-vpc

terraform-aws-modules/terraform-aws-vpc

Terraform module which creates VPC resources on AWS - terraform-aws-modules/terraform-aws-vpc

rohit avatar
rohit

is it possible to update openvpn configuration, after a vpc is created using this module ?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

openvpn? <-- not related to vpc

rohit avatar
rohit

Is there a way to provide subnet information instead of cidr_blocks in resource aws_security_group ingress and egress ?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Can you share an example? Pseudo code

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I am on my phone

rohit avatar
rohit

# create efs resource for storing media
resource "aws_efs_file_system" "media" {
  tags             = "${merge(var.global_tags, map("Owner","${var.app_owner}"))}"
  encrypted        = "${var.encrypted}"
  performance_mode = "${var.performance_mode}"
  throughput_mode  = "${var.throughput_mode}"
  kms_key_id       = "${var.kms_key_id}"
}

resource "aws_efs_mount_target" "media" {
  count           = "${length(var.aws_azs)}"
  file_system_id  = "${aws_efs_file_system.media.id}"
  subnet_id       = "${element(var.vpc_private_subnets, count.index)}"
  security_groups = ["${aws_security_group.media.id}"]
  depends_on      = ["aws_efs_file_system.media", "aws_security_group.media"]
}


\# security group for media
resource "aws_security_group" "media" {
  name        = "${terraform.workspace}-media"
  description = "EFS"
  vpc_id      = "${var.vpc_id}"

  lifecycle {
    create_before_destroy = true
  }

  ingress {
    from_port   = "2049"                         # NFS
    to_port     = "2049"
    protocol    = "tcp"
    cidr_blocks = ["${element(var.vpc_private_subnets,0)}","${element(var.vpc_private_subnets,1)}","${element(var.vpc_private_subnets,2)}"]
    description = "vpc private subnet"
  }

  ingress {
    from_port   = "2049"                         # NFS
    to_port     = "2049"
    protocol    = "tcp"
    cidr_blocks = ["${element(var.vpc_public_subnets,0)}","${element(var.vpc_public_subnets,1)}","${element(var.vpc_public_subnets,2)}"]
    description = "vpc public subnet"
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = "${merge(var.global_tags, map("Owner","${var.app_owner}"))}"
}
rohit avatar
rohit

i am getting the following error

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

any reason you’re not using our module? …just b/c our goal is to make the modules rock solid, rather than manage multiple bespoke setups

rohit avatar
rohit

It’s just that some of the parameters were not being passed in your module

rohit avatar
rohit

for example, kms_key_id,throughput_mode

Steven avatar
Steven
AWS: aws_security_group - Terraform by HashiCorp

Provides a security group resource.

rohit avatar
rohit

yes, i can but i want to know if it is possible to directly pass subnet info

rohit avatar
rohit

or vpc id

Steven avatar
Steven

You can pass cidr, security group, or prefix. VPC doesn’t make sense in this context. But I gave you an example of how to get subnets from the vpc in other thread

rohit avatar
rohit

I don’t think we can pass subnet groups in cidr_blocks

Steven avatar
Steven

You can pass a list of cidrs. How do you mean subnet group differently?

Steven avatar
Steven

But it is not hard to use data to look up the cidr blocks

rohit avatar
rohit

@Steven could you please share an example?

rohit avatar
rohit

I am using terraform-aws-modules/vpc/aws module

Steven avatar
Steven

For the VPC, you are creating the subnets. So, there is no other option than providing the cidrs you want. But once the subnets have been created, you can query for them instead of hard coding them into other code.

Steven avatar
Steven

data "aws_vpc" "vpc" {
  tags {
    Environment = "${var.environment}"
  }
}

data "aws_subnet_ids" "private_subnet_ids" {
  vpc_id = "${data.aws_vpc.vpc.id}"

  tags {
    Network = "private"
  }
}

data "aws_subnet" "private_subnets" {
  count = "${length(data.aws_subnet_ids.private_subnet_ids.ids)}"
  id    = "${data.aws_subnet_ids.private_subnet_ids.ids[count.index]}"
}

Steven avatar
Steven

Example of using data from above def:

Steven avatar
Steven

vpc_id       = "${data.aws_vpc.vpc.id}"
subnets      = "${data.aws_subnet_ids.private_subnet_ids.ids}"
ingress_cidr = "${data.aws_subnet.private_subnets.*.cidr_block}"

rohit avatar
rohit

@Erik Osterman (Cloud Posse) i am using cloudposse/terraform-aws-efs module https://github.com/cloudposse/terraform-aws-efs/blob/1ad219e482eba444eb31b6091ecb6827a0395644/main.tf#L38

cloudposse/terraform-aws-efs

Terraform Module to define an EFS Filesystem (aka NFS) - cloudposse/terraform-aws-efs

rohit avatar
rohit

and i have to pass security_groups

rohit avatar
rohit

when i execute the following code

rohit avatar
rohit
06:43:46 AM
rohit avatar
rohit

i get the following error

rohit avatar
rohit
06:44:23 AM
rohit avatar
rohit

any ideas why?

2018-12-08

rohit avatar
rohit

how to know the best value for max_item_size for the memcached aws_elasticache_parameter_group?

rohit avatar
rohit

does it depend on the instance type?

2018-12-07

sohel2020 avatar
sohel2020
cloudposse/terraform-aws-elasticsearch

Terraform module to provision an Elasticsearch cluster with built-in integrations with Kibana and Logstash. - cloudposse/terraform-aws-elasticsearch

sohel2020 avatar
sohel2020

it sets a route53 record for me but it's not working

sohel2020 avatar
sohel2020
dig production-kibana.infra.mytonic.com

;; QUESTION SECTION:
;production-kibana.infra.mytonic.com.	IN	A

;; ANSWER SECTION:
production-kibana.infra.mytost.com.	59	IN	CNAME	vpc-fluentd-production-elastic-43nbkjmxhatoajegdhyxekul3a.ap-southeast-1.es.amazonaws.com/_plugin/kibana/.

;; AUTHORITY SECTION:
.			86398	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2018120700 1800 900 604800 86400

;; Query time: 333 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
sohel2020 avatar
sohel2020

but if I hit http://production-kibana.infra.mytost.com it's not working.

sohel2020 avatar
sohel2020

I have to add http://production-kibana.infra.mytost.com/_plugin/kibana/ manually

sohel2020 avatar
sohel2020

@Andriy Knysh (Cloud Posse)

Jan avatar

I have a generalish terraform / geodesic question so not sure if I should ask in here or #geodesic

Jan avatar

I'd like to spin up 4 accounts with 4 identical vpc's (with the exception of name and cidr) in which 3 will have kops managed k8s clusters

Jan avatar

2 of those 3 the k8s cluster would be launched after the vpc needs to be around for some time

Jan avatar

What I have not quite yet understood is how the two different flows will look.

1. a) create vpc b) create resources in that vpc c) create k8s cluster with kops in existing vpc
2. a) create vpc using kops b) create resources in the vpc created by kops

Jan avatar

for flow 1 in a geodesic way

Jan avatar

im not sure I understand how or if it is supported to launch into an EXISTING vpc

Jan avatar
cloudposse/terraform-aws-kops-vpc-peering

Terraform module to create a peering connection between a backing services VPC and a VPC created by Kops - cloudposse/terraform-aws-kops-vpc-peering

Jan avatar

terraform-aws-kops-vpc-peering - Terraform module to create a peering connection between a backing services VPC and a VPC created by Kops

Jan avatar

So is it expected that any geodesic kops created k8s cluster will run in its own vpc?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@Jan i’ll help you

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

so yes, you can deploy kops cluster into an existing VPC

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

but we don't do that for a few reasons

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

you don’t want to manage CIDR overlaps for example

Jan avatar

I know I can and how to, its the pattern I have followed

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

so we deploy kops into a separate VPC

Jan avatar

mmm

Jan avatar

Not sure I understand the rationale there

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

and then deploy a backing-services VPC for all other stuff like Aurora, Elasticsearch, Redis etc.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

then we do VPC peering

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

we don’t want to manage CIDR overlaps

Jan avatar

there is no overlap

Jan avatar

the k8s cluster uses the vpc cidr

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

but you can deploy kops into an existing VPC

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

there is no diff, but just more separation

Jan avatar

IP’s are still managed by the dhcp optionset in the vpc

Jan avatar

mmm

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

and we have TF modules that do it already

Jan avatar

interesting

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

i can show you the complete flow for that (just deployed it for a client)

Jan avatar

Alright I think I will write a TF module to do k8s via kops into an existing and make a pr

Jan avatar

Yea I have seen the flow for creating a backing VPC + kops (k8s)vpc with peering

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

when we tried to deploy kops into existing VPC, we ran into a few issues, but i don’t remember exactly which ones

Jan avatar

I recall there being weirdness and cidr overlaps if you dont use the subnet ids and stuff

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

deploying into a separate VPC, did not see any issues

Jan avatar

so for example I have some thing like this

Jan avatar

corporate network === AWS DirectConnect ==> [shared service-vpc(k8s)] /22 cidr —> peering –> [{prod,pre-prod}-vpc(k8s)] /16 cidr

Jan avatar

where we run shared monitoring and logging and ci/cd services in the shared-services vpc (mostly inside k8s)

Jan avatar

k8s also has ingress rules that expose services in the peered prod and pre prod accounts to the corp network

Jan avatar

overhead on the corp network is just the routing of the /22

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

so you're already using vpc peering?

Jan avatar

I am busy setting this all up

Jan avatar

corp network will have direct connect to a /22 vpc

Jan avatar

the /22 will have peering to many vpcs within a /16

Jan avatar

that /16 we will split as many times as we need, probably into /24’s

Jan avatar

or 23’s

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@Jan your question was how to deploy kops into an existing VPC?

Jan avatar

My question was more if there is geodesic support for that flow or if i should add a module to do so

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

we deploy kops (from geodesic, but it’s not related) from a template, which is here https://github.com/cloudposse/geodesic/blob/master/rootfs/templates/kops/default.yaml

cloudposse/geodesic

Geodesic is the fastest way to get up and running with a rock solid, production grade cloud platform built on top of strictly Open Source tools. https://slack.cloudposse.com/ - cloudposse/geodesic

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

the template deploys it into a separate vpc

Jan avatar

Yep, this I used to do by having terraform render a go template

Jan avatar

ok I will play with a module and see where the overlap/handover is

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

if we want to deploy into an existing vpc using the template, it should be modified

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

there is no TF module for that

Jan avatar

Yep, I will create one

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

TF module comes into play when we need to do vpc peering

Jan avatar

just figured Id ask before I made one

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

you thinking about a TF module to deploy kops?

Jan avatar

a new tf module to fetch vpc metadatas (maybe), and deploy k8s via kops into the existing vpc

Jan avatar

vpc metadata would not be needed if the vpc was created in tf

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-aws-kops-metadata

Terraform module to lookup resources within a Kops cluster for easier integration with Terraform - cloudposse/terraform-aws-kops-metadata

Jan avatar

yea so this is that flow in reverse

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-root-modules

Collection of Terraform root module invocations for provisioning reference architectures - cloudposse/terraform-root-modules

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@Jan not sure if it answers your questions :disappointed: but what we have is 1) kops template to deploy kops into a separate VPC; 2) TF modules for VPC peering and kops metadata lookup

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

we played with deploying kops into an existing vpc, but abandoned it for a few reasons

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@sohel2020 you have to manually add _plugin/kibana/ to http://production-kibana.infra.mytost.com because URL paths are not supported for CNAMEs (and production-kibana.infra.mytost.com is a CNAME to the Elasticsearch URL generated by AWS)

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
Using DNS to redirect to another URL with a path

I'm trying to redirect a domain to another via DNS. I know that using IN CNAME it's posible. www.proof.com IN CNAME www.proof-two.com. What i need is a redirection with a path. When someone type…

Is it possible to have a CNAME DNS record point to a URL with a path?

I've registered several domains for my nieces and nephews, the idea being to create small static webpages for them, so they can say 'look at my website!'. In terms of hosting it, I'm using expres…

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

even if you do it in the Route53 console, you get the error

The record set could not be saved because:
- The Value field contains invalid characters or is in an invalid format.
Jan avatar

It's all good bro, thanks. I will make a module to support my use case

:--1:2
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Yea you want to inject kops into a vpc. We don’t have that but I do like it and we have a customer that did that but without modularizing it.

Jan avatar

I have done it in several ways in tf

Jan avatar

I will look to make a module and contribute it

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We would like to have a module for it, so that would be awesome

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

thanks @Jan

Ryan Ryke avatar
Ryan Ryke

just a quick sanity check. when was the last time someone used the terraform-aws-vpc module… i copy pasta’d the example

module "vpc" {
  source    = "git::https://github.com/cloudposse/terraform-aws-vpc.git?ref=master"
  namespace = "cp"
  stage     = "prod"
  name      = "app"
}

and it gave me Error: module "vpc": missing required argument "vpc_id"

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We use it all the time

Ryan Ryke avatar
Ryan Ryke

sorta funny when that's what I'm trying to create

Ryan Ryke avatar
Ryan Ryke

perhaps the sample is messed

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Last week most recently. @Andriy Knysh (Cloud Posse) any ideas?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Most current examples are in our root modules folder

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Sec

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@solairerove will be adding and testing all examples starting next week probably

1
solairerove avatar
solairerove
05:05:01 PM

@solairerove has joined the channel

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

just used it yesterday on the EKS modules

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

used the example that pulled the master branch

Ryan Ryke avatar
Ryan Ryke

maybe im an idiot

Ryan Ryke avatar
Ryan Ryke

let me go back and check

Ryan Ryke avatar
Ryan Ryke

nm nothing to see here

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-aws-eks-cluster

Terraform module for provisioning an EKS cluster. Contribute to cloudposse/terraform-aws-eks-cluster development by creating an account on GitHub.

Ryan Ryke avatar
Ryan Ryke

i musta gotten my pasta messed up

Ryan Ryke avatar
Ryan Ryke

confirmed <- idiot

1
Ryan Ryke avatar
Ryan Ryke

at least it didn't take me all day

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

the error must have been from another module?

Ryan Ryke avatar
Ryan Ryke

yeah

Ryan Ryke avatar
Ryan Ryke
cloudposse/terraform-aws-cloudwatch-flow-logs

Terraform module for enabling flow logs for vpc and subnets. - cloudposse/terraform-aws-cloudwatch-flow-logs

Ryan Ryke avatar
Ryan Ryke

what's kinesis in there for?

Ryan Ryke avatar
Ryan Ryke

shipping somewhere I suppose

joshmyers avatar
joshmyers

Could have lambda slurp off the Kinesis stream, for example

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

This module was done more for checking a compliance checkbox

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

All logs stored in s3, but nothing immediately actionable

Ryan Ryke avatar
Ryan Ryke

ahh cool. they have shipping to cwl now, was just wondering if there was a specific purpose

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Yea, unfortunately not.

2018-12-06

Jan avatar

Life cycle hooks can also be super useful for doing X when Y happens. A common case I have is when destroying a Cassandra cluster I need to unmount the ebs volumes from the instances so I can do a fast snapshot and then terminate

:--1:1
loren avatar
loren

Nifty idea!

Jan avatar

Need to see if I can publish that

Jan avatar

actually this is self explanatory

  # runs on the instance just before terraform destroys it, so the data
  # volumes are cleanly unmounted and can be snapshotted before termination
  provisioner "remote-exec" {
    inline = [
      "sudo systemctl stop cassandra",
      "sudo umount /cassandra/data",
      "sudo umount /cassandra/commitlog",
    ]

    when = "destroy"
  }
}


Jan avatar

On Event terminate remote-exec umount

Jan avatar

Also great for zero downtime changes, create before destroy

Jan avatar

Etc

Jan avatar

In the case you posted I would expect it's to let terraform know that it doesn't need to care about any changes of the values

Jan avatar

lifecycle { ignore_changes = ["read_capacity", "write_capacity"] }

rohit avatar
rohit

makes sense

rohit avatar
rohit

never used lifecycle hooks so it is new to me

rohit avatar
rohit

In general, where are the lifecycle hooks used?

joshmyers avatar
joshmyers

Can be used under different conditions. A common one could be where Terraform isn’t the only thing managing a resource, or element of resources.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

or if a resource could change outside of TF state like in the example with DynamoDB auto-scaler, which can update the provisioned capacity and TF would see different values and try to recreate it

:point_up_2:1
loren avatar
loren

Seems like this could be considered a bug…. If the table is enabled for autoscaling, then TF should automatically ignore changes to provisioned capacity values…

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

yea, but auto-scaling is a separate AWS resource and TF would have to know how to reconcile two resources, which is not easy

loren avatar
loren

Oh it’s two resources? I see… Hmmm… Maybe it could be handled in one, kind of like rules in a security group have two modes, inline or attached…

inactive avatar
inactive

@Andriy Knysh (Cloud Posse) I am happy to report that your suggestion fixed my problem, re: CloudFront

inactive avatar
inactive

I still don’t quite understand how it’s still able to pull the default html page, since I thought that I had to explicitly define it under the index_document parameter

inactive avatar
inactive

but it somehow works

inactive avatar
inactive

tyvm for your help

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

glad it worked for you @inactive

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

did you deploy the S3 bucket as a website?

inactive avatar
inactive

i assume no, since I removed the whole website {…} section

inactive avatar
inactive

but CF doesn’t seem to care, as it serves the content without that designation

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-aws-eks-cluster

Terraform module for provisioning an EKS cluster. Contribute to cloudposse/terraform-aws-eks-cluster development by creating an account on GitHub.

2
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

which fixes the "value of 'count' cannot be computed" errors

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-aws-eks-cluster

Terraform module for provisioning an EKS cluster. Contribute to cloudposse/terraform-aws-eks-cluster development by creating an account on GitHub.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@davidvasandani @patrickleet

davidvasandani avatar
davidvasandani

Thanks @Andriy Knysh (Cloud Posse) and @Erik Osterman (Cloud Posse)

davidvasandani avatar
davidvasandani

While this module works y’all still prefer kops though right?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Yea…

davidvasandani avatar
davidvasandani

This is more a proof of concept or looking for folks to ask/add additional features?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

It lacks a story for managing rolling upgrades

:--1:1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Since we don’t have a story for that, we aren’t pushing it. It’s mostly there on standby pending customer request to use EKS over Kops

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Then we will invest in the upgrade story.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I really like the architecture of the modules

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

And the way we decomposed it makes it easy to have different kinds of node pools

:--1:2
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

The upgrade story would probably use that story to spin up multiple node pools and move workloads around and then scale down the old node pool

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Almost like replicating the Kubernetes strategy for deployments and replica sets

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

But for auto scale groups instead

2018-12-05

inactive avatar
inactive

hello! i have a problem with terraform and cloudfront, wondering if someone has seen this issue

inactive avatar
inactive

I have a website hosted statically on S3 with Private ACL. I am using Cloudfront to serve the content

inactive avatar
inactive

I am using an S3 origin identity, which requires an access identity resource

inactive avatar
inactive

and I see that it creates the access identity successfully, but the problem is that it does not attach it to the cloudfront distro

inactive avatar
inactive

when I go back to the AWS console, the access id is listed in the dropdown but not selected

inactive avatar
inactive

i suspect the problem has to do with this section of the code:

inactive avatar
inactive

any tips?

inactive avatar
inactive
02:46:37 PM
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@inactive here is what we have and it’s working, take a look https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn/blob/master/main.tf

cloudposse/terraform-aws-cloudfront-s3-cdn

Terraform module to easily provision CloudFront CDN backed by an S3 origin - cloudposse/terraform-aws-cloudfront-s3-cdn

inactive avatar
inactive

mmm… you have the same code as i do. the s3_origin_config snippet references the access_id, which I expected would set it

inactive avatar
inactive

not sure why it's not doing it in my case

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

you can share your complete code, we’ll take a look (maybe something else is missing)

inactive avatar
inactive

ok

inactive avatar
inactive
02:57:18 PM
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@inactive try deleting this

  website {
    index_document = "${var.webui_root_object}"
  }
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

it prob creates the bucket as website (need to verify if that statement is enough for that), but anyway, if it creates a website, it does not use origin access identity - cloudfront distribution just points to the public website URL

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

we also have this module to create CloudFront distribution for a website (which could be an S3 bucket or a custom origin) https://github.com/cloudposse/terraform-aws-cloudfront-cdn

cloudposse/terraform-aws-cloudfront-cdn

Terraform Module that implements a CloudFront Distribution (CDN) for a custom origin. - cloudposse/terraform-aws-cloudfront-cdn

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

and here is how to create a website from S3 bucket https://github.com/cloudposse/terraform-aws-s3-website

cloudposse/terraform-aws-s3-website

Terraform Module for Creating S3 backed Websites and Route53 DNS - cloudposse/terraform-aws-s3-website

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

in short, CloudFront could be pointed to an S3 bucket as origin (in which case you need origin access identity) AND also to an S3 bucket as a website - they have completely diff URLs in these two cases

inactive avatar
inactive

ok let me try that

pericdaniel avatar
pericdaniel

i get this error Resource ‘aws_security_group.dbsg’ not found for variable ‘aws_security_group.dbsg.id’ even tho i created the sg… hmmm

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@pericdaniel need help or found the solution?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@inactive how it goes?

pericdaniel avatar
pericdaniel

i found a new solution! thank you tho!

pericdaniel avatar
pericdaniel

i think i did a local and an output

pericdaniel avatar
pericdaniel

to make it work

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
Creating a Terraform Provider for Just About Anything

Learn about the inner workings of Terraform and examine all the elements of a provider, from the documentation to the test suite. You’ll also see how to create and contribute to them.

2
pericdaniel avatar
pericdaniel

my favorite is the first word in the first sentence

pericdaniel avatar
pericdaniel

Terrafom is an amazing tool that lets you define your infrastructure as code. Under the hood it’s an incredibly powerful state machine that makes API requests and marshals resources.

pericdaniel avatar
pericdaniel

ill have to watch this

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Quick question to @here does the Cloudtrail Module support setting the SNS settings? and is that really needed, just have not used it….

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Our terraform-aws-cloudtrail does not currently have any code for that

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

this module created by Jamie does something similar

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
cloudposse/terraform-aws-cloudtrail-cloudwatch-alarms

Terraform module for creating alarms for tracking important changes and occurances from cloudtrail. - cloudposse/terraform-aws-cloudtrail-cloudwatch-alarms

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

with SNS alarms

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I have not personally deployed it.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@davidvasandani someone else reported the exact same EKS problem you ran into

:--1:1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
Getting error when trying to run initial plan · Issue #5 · cloudposse/terraform-aws-eks-cluster
  • module.eks_workers.module.autoscale_group.data.null_data_source.tags_as_list_of_maps: data.null_data_source.tags_as_list_of_maps: value of ‘count’ cannot be computed
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@patrickleet is trying it right now

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

maybe you can compare notes

patrickleet avatar
patrickleet
02:06:19 AM

@patrickleet has joined the channel

davidvasandani avatar
davidvasandani

Good to know I’m not alone.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

or let him know what you tried

davidvasandani avatar
davidvasandani

Lets see if I kept my notes after moving to kops

1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

kops is pretty easy/peasy right?

davidvasandani avatar
davidvasandani

So easy.

davidvasandani avatar
davidvasandani

I was up and running in no time and have started learning to deploy statup.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

nice! let me know if you get stuck - i can unblock you

1
patrickleet avatar
patrickleet

haha ok so you moved to kops

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

kops is much easier to manage the full SDLC of a kubernetes cluster

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

rolling updates, drain+cordon

patrickleet avatar
patrickleet

yea I have a couple of kops clusters

patrickleet avatar
patrickleet

and a gke one

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

ok, yea, so you know the lay of the land

patrickleet avatar