#terraform (2019-03)
Discussions related to Terraform or Terraform Modules
Archive: https://archive.sweetops.com/terraform/
2019-03-01
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Can someone list their workflow please for deploying a terraform project to dev and then to, say, sandbox. My understanding of CP’s tools is this:
Switch to Dev
- Use TFENV to switch AWS account w/ aws-vault + backend configuration (S3 for state and DynamoDB for lock) && run terraform init every time doing a deploy
- Run
tfenv terraform apply
Switch to Sandbox/Staging/Prod
- Use TFENV to switch AWS account w/ aws-vault + backend configuration (S3 for state and DynamoDB for lock) && run terraform init every time doing a deploy
- Run
tfenv terraform apply
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
we don’t use it as a wrapper
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
though it does support being called as a wrapper
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
we use it with direnv
which has a stdlib
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Example Terraform Reference Architecture that implements a Geodesic Module for an Automated Testing Organization in AWS - cloudposse/testing.cloudposse.co
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
our direnv configuration is here: https://github.com/cloudposse/geodesic/tree/master/rootfs/etc/direnv
Geodesic is a cloud automation shell. It's the fastest way to get up and running with a rock solid, production grade cloud platform built on top of strictly Open Source tools. ★ this repo! h…
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
And do you have multiple .envrc’s to switch between envs (staging/dev/prod) to set hte bucket name for instance?
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Yeh that direnv seems to do that
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
we have one repo per stage.
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
that’s a lot of code to maintain
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
nope
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
that’s what I’ve been avoiding this whole time
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
terraform-root-modules
is our service catalog
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
(do read the README.md
on that repo though b/c it’s often misunderstood)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
So we can call a module with very few lines of code
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
# Import the remote module
export TF_CLI_INIT_FROM_MODULE="git::<https://github.com/cloudposse/terraform-root-modules.git//aws/acm?ref=tags/0.35.1>"
export TF_CLI_PLAN_PARALLELISM=2
use terraform
use atlantis
use tfenv
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
So when calling terraform init
, it will download the remote module and initialize it
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
We exploit: https://www.terraform.io/docs/commands/environment-variables.html#tf_cli_args-and-tf_cli_args_name
Terraform uses environment variables to configure various aspects of its behavior.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
using tfenv
, we pass all parameters via the TF_CLI_ARGS_init
environment variable
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
this allows us to call all terraform commands without a wrapper
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
however, all this stuff is a PIA to implement if you don’t use a preconfigured shell
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
that’s why we have geodesic
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
The readme for geodisc
is even more confusing and doesn’t really articulate workflows
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
it’s 1000 things
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
there’s no one workflow
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
IMO documentation MUST show how one can use it. It might seem like spoonfeeding but knowledge bases should assume that existing knowledge has gaps etc.
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
I look at geodisc
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
see an amazing product
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
yup, we need to add more docs.
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
but as with many CP products am left with: 1) Where does this fit into my workflow 2) How do people use it in their workflow w/ CLI commands spelled out in an example etc. 3) How do I start using it
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
2 and 3 being the most critical, as 1 an engineer can usually work out
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
if I download geodisc I’d have 0 idea how to start using it
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Also I’m seeing a not github link now
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
to docs
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
So I’ll review those :]
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
it’s far from complete.
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
https://docs.cloudposse.com/local-dev-environments/quickstart/
When you assume I’m using mac
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
note it calls out OSX
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
The whole doc is just OSX
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
AWS VAULT is a sub header of OSX
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
How can I do a PR for docs Erik?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Cloud Posse Developer Hub. Complete documentation for the Cloud Posse solution. https://docs.cloudposse.com - cloudposse/docs
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
we have hundreds of issues no shortage
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
No PR template
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
A vault for securely storing and accessing AWS credentials in development environments - 99designs/aws-vault
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Ok that’s two PRs for you
![Erik Weber avatar](https://secure.gravatar.com/avatar/9eb2f4ab6d4950bac3e9b3d9775ab07d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0020-72.png)
Does anyone know of a good way to check whether or not a lot of terraform configurations are up to date? Basically I’d like to run terraform plan
on $x amount of services/environments and get some sort of alterting if the plan isn’t empty
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Pop it in a CI pipeline?
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Or a bash script that iterates
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
as for the process it depends on what you have
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
e.g. if you have jenkins then you will do a bash scripts that runs in a CI pipeline
![Erik Weber avatar](https://secure.gravatar.com/avatar/9eb2f4ab6d4950bac3e9b3d9775ab07d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0020-72.png)
The plan was to use atlantis rather than pipelines for terraform, but I guess I could do both (where the pipeline only does a plan)
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
this is what i do, yes, terraform plan -detailed-exitcode
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
have scheduled jobs in CI with read-only privs that runs that every day for all tf configs
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
@Erik Weber both both!
![Erik Weber avatar](https://secure.gravatar.com/avatar/9eb2f4ab6d4950bac3e9b3d9775ab07d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0020-72.png)
Cheers
![daveyu avatar](https://secure.gravatar.com/avatar/8d79597556982a1205cf52c64aaa66ff.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0020-72.png)
how can I show the state of a single resource instance?
$ terraform state list | grep aws_subnet.public
module.subnets.aws_subnet.public[0]
module.subnets.aws_subnet.public[1]
module.subnets.aws_subnet.public[2]
module.subnets.aws_subnet.public[3]
$ terraform state show module.subnets.aws_subnet.public[1]
Multiple instances found for the given pattern!
This command requires that the pattern match exactly one instance
of a resource. To view the matched instances, use "terraform state list".
Please modify the pattern to match only a single instance.
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
The terraform state show
command is used to show the attributes of a single resource in the Terraform state.
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
That’s weird that doing [1] doesn’t work
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
any different with 0
or *
![daveyu avatar](https://secure.gravatar.com/avatar/8d79597556982a1205cf52c64aaa66ff.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0020-72.png)
thanks. no, it’s the same Multiple instances found for the given pattern!
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Not really used state show before, but this looked like a potential cause https://github.com/hashicorp/terraform/issues/8929 if you haven’t seen it already
Hi there, Terraform v0.7.3 I had several environments with their own dedicated tfstate file located in s3 and remote state turned on. I accidentally connected to the incorrect state file when tryin…
![daveyu avatar](https://secure.gravatar.com/avatar/8d79597556982a1205cf52c64aaa66ff.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0020-72.png)
hmm well terraform show
does output the expected state for module.subnets.aws_subnet.public.1
![daveyu avatar](https://secure.gravatar.com/avatar/8d79597556982a1205cf52c64aaa66ff.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0020-72.png)
I guess that will work for now
![sytten avatar](https://avatars.slack-edge.com/2019-03-01/564418310496_16e796635f1b40fcea36_72.jpg)
Just wanted to say thanks for the terraform modules, it helps me a lot for my school project
![cool-doge](/assets/images/custom_emojis/cool-doge.gif)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
2019-03-02
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Why does reference-architectures
insist on using keybase instead of slack?
Can this be ignored? What do I miss out on?
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
i think it is for verification of user identity using pgp keys
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
something around this feature, no? https://www.terraform.io/docs/providers/aws/r/iam_user_login_profile.html#pgp_key
Manages an IAM User Login Profile
![joshmyers avatar](https://avatars.slack-edge.com/2018-11-20/483958217281_8117d6f6c62807ce9912_72.jpg)
Keybase is used to encrypt user credentials so that only that user can decrypt the terraform output (or email)
![joshmyers avatar](https://avatars.slack-edge.com/2018-11-20/483958217281_8117d6f6c62807ce9912_72.jpg)
It’s nice as otherwise you need to figure out how to let users know their credentials in non plain text
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Thanks both
![deftunix avatar](https://secure.gravatar.com/avatar/d7ddb1c2c5c8f3b7aaac64bb65b2c70b.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0021-72.png)
hi all, I have a quick question. how do you provide estate visibility within dynamic infrastructure?
![joshmyers avatar](https://avatars.slack-edge.com/2018-11-20/483958217281_8117d6f6c62807ce9912_72.jpg)
There is a “portal” that links you to k8s dashboard, grafana, Prometheus, Kibana
![deftunix avatar](https://secure.gravatar.com/avatar/d7ddb1c2c5c8f3b7aaac64bb65b2c70b.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0021-72.png)
I am not referring just to k8s env dashboard but also to multi-cloud deployment of resource provisioned with terraform for example
![joshmyers avatar](https://avatars.slack-edge.com/2018-11-20/483958217281_8117d6f6c62807ce9912_72.jpg)
What kind of visibility are you after?
![joshmyers avatar](https://avatars.slack-edge.com/2018-11-20/483958217281_8117d6f6c62807ce9912_72.jpg)
Ah, of all your Terraform provisioned infra? Like, what have I actually created?
![deftunix avatar](https://secure.gravatar.com/avatar/d7ddb1c2c5c8f3b7aaac64bb65b2c70b.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0021-72.png)
I would like to create a visual single source of truth in which show all the resource provisioned
![joshmyers avatar](https://avatars.slack-edge.com/2018-11-20/483958217281_8117d6f6c62807ce9912_72.jpg)
Terraform graph and feed it to graphiz?
![joshmyers avatar](https://avatars.slack-edge.com/2018-11-20/483958217281_8117d6f6c62807ce9912_72.jpg)
terraform graph | dot -Tpng > graph.png |
![deftunix avatar](https://secure.gravatar.com/avatar/d7ddb1c2c5c8f3b7aaac64bb65b2c70b.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0021-72.png)
I was referring to something able to put terraform resources information into a kv to be consumed with other tools
![deftunix avatar](https://secure.gravatar.com/avatar/d7ddb1c2c5c8f3b7aaac64bb65b2c70b.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0021-72.png)
statefile -> exporter -> kv
![joshmyers avatar](https://avatars.slack-edge.com/2018-11-20/483958217281_8117d6f6c62807ce9912_72.jpg)
Consumed by anything specific?
![deftunix avatar](https://secure.gravatar.com/avatar/d7ddb1c2c5c8f3b7aaac64bb65b2c70b.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0021-72.png)
not currently
![Steven avatar](https://secure.gravatar.com/avatar/85c27d283a537b0c5b54590f47293fe1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@deftunix Terraboard might be the type of end result you’re looking for https://github.com/camptocamp/terraboard
A web dashboard to inspect Terraform States - camptocamp/terraboard
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
That’s neat!
A web dashboard to inspect Terraform States - camptocamp/terraboard
![Steven avatar](https://secure.gravatar.com/avatar/85c27d283a537b0c5b54590f47293fe1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Surprised you didn’t know about it. Been around a long time. There is also, https://github.com/sepulworld/tfsoa. But it hasn’t been maintained as much
Terraform State of Awareness Dashboard. Contribute to sepulworld/tfsoa development by creating an account on GitHub.
![h3in3k3n avatar](https://secure.gravatar.com/avatar/2734fac9461ba0aa269f878ad186d0dc.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0004-72.png)
will try terraboard immediately as We really need it.
![deftunix avatar](https://secure.gravatar.com/avatar/d7ddb1c2c5c8f3b7aaac64bb65b2c70b.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0021-72.png)
I will check
![deftunix avatar](https://secure.gravatar.com/avatar/d7ddb1c2c5c8f3b7aaac64bb65b2c70b.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0021-72.png)
yes, it’s exactly what I was looking for.
![deftunix avatar](https://secure.gravatar.com/avatar/d7ddb1c2c5c8f3b7aaac64bb65b2c70b.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0021-72.png)
good starting point. thank you @Steven
![Steven avatar](https://secure.gravatar.com/avatar/85c27d283a537b0c5b54590f47293fe1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
welcome
![joshmyers avatar](https://avatars.slack-edge.com/2018-11-20/483958217281_8117d6f6c62807ce9912_72.jpg)
Nice
2019-03-03
2019-03-04
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Does anyone know how to use TF_CLI_ARGS_name
in a .tf
file?
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
For instance ` comment = “${var.TF_CLI_ARGS_stage}”`
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
unknown variable referenced: 'TF_CLI_ARGS_stage'; define it with a 'variable' block
.. obvs setting it as a variable doesn’t fix this.
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Just wondering how I’m to access TF_CLI_ARGS especialy when they’re coming through geodesic
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Ok think I found it https://docs.cloudposse.com/geodesic/module/with-terraform/
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
not sure about the geodesic part, but any variable in terraform would generally just be var.stage
, and terraform will automatically read it from the env TF_VAR_stage
if present
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Terraform uses environment variables to configure various aspects of its behavior.
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
TF_CLI_ARGS
is something else entirely
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
variable "stage" {}
variable "tf_bucket_region" {}
variable "tf_bucket" {}
variable "tf_dynamodb_table" {}
resource "null_resource" "null" {
triggers = {
test = "${var.stage}"
bucket_region = "${var.tf_bucket}"
bucket_name = "${var.tf_bucket_region}"
dynamodb_table = "${var.tf_dynamodb_table}"
}
}
output "test" {
value = "${null_resource.null.triggers}"
}
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
This should help anyone understand how to use GEODESIC vars inside of Terraform
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Though those variables are all for the s3 backend in the terraform provider.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
That’s why we use the TF_CLI_ARGS pattern
![Maxim Tishchenko avatar](https://secure.gravatar.com/avatar/853372c681dc96b95f42adcb88b0cb3f.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0007-72.png)
../modules/aws_cross_account_role
resource "aws_iam_role_policy_attachment" "policies" {
count = "${length(var.role_policies)}"
policy_arn = "${var.role_policies[count.index]}"
role = "${aws_iam_role.role.id}"
}
another file
module "remote_role" {
source = "../modules/aws_cross_account_role"
aws_external_account_id = "${local.aws_account_id}"
role_name = "remote_role"
role_policies = [
"arn:aws:iam::aws:policy/ReadOnlyAccess",
"${aws_iam_policy.invoke_flow_resources_lambda_access.arn}",
"${aws_iam_policy.create_function_flow_resources_lambda_access.arn}"
]
}
does anyone know what am I missing here?
I’m getting error
* module.remote_role.aws_iam_role_policy_attachment.policies: aws_iam_role_policy_attachment.policies: value of 'count' cannot be computed
2019-03-05
![Samuli avatar](https://secure.gravatar.com/avatar/347245a6b0053a6eed1f4e28cf8f5073.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
could one of the aws_iam_policy
in the latter file be missing when you are trying to execute it?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@Maxim Tishchenko that’s the infamous count
error
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
we have some info here https://docs.cloudposse.com/troubleshooting/terraform-value-of-count-cannot-be-computed/
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
in your case, TF can’t calculate dynamic counts across modules
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
(if you put all the resources into one module, it should be ok)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
the easiest (but not prettiest) way to fix it in your case would be to add var.role_policies_count
variable to the modules/aws_cross_account_role
module and provide it from module "remote_role"
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
module "remote_role" {
role_policies_count = 3
role_policies = [
"arn:aws:iam::aws:policy/ReadOnlyAccess",
"${aws_iam_policy.invoke_flow_resources_lambda_access.arn}",
"${aws_iam_policy.create_function_flow_resources_lambda_access.arn}"
]
}
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
resource "aws_iam_role_policy_attachment" "policies" {
count = "${var.role_policies_count}"
policy_arn = "${var.role_policies[count.index]}"
role = "${aws_iam_role.role.id}"
}
![Maxim Tishchenko avatar](https://secure.gravatar.com/avatar/853372c681dc96b95f42adcb88b0cb3f.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0007-72.png)
Mmmm
![Maxim Tishchenko avatar](https://secure.gravatar.com/avatar/853372c681dc96b95f42adcb88b0cb3f.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0007-72.png)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
we do it in some of our modules, like i said not pretty, but works
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Terraform module for provisioning an EKS cluster. Contribute to cloudposse/terraform-aws-eks-cluster development by creating an account on GitHub.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Terraform module for provisioning an EKS cluster. Contribute to cloudposse/terraform-aws-eks-cluster development by creating an account on GitHub.
![Richy de la cuadra avatar](https://avatars.slack-edge.com/2019-02-05/542403090561_8e409525169bbe5eb0b4_72.jpg)
hi,somebody have a module for create a cloudwatch event for keep lambda warm?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@Richy de la cuadra found this example, can be put into a module https://github.com/terraform-providers/terraform-provider-aws/issues/3040
This issue was originally opened by @xenemo as hashicorp/terraform#17125. It was migrated here as a result of the provider split. The original body of the issue is below. Hello Terraform Experts! I…
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
this has a working example https://medium.com/build-acl/aws-lambda-deployment-with-terraform-24d36cc86533
![attachment image](https://cdn-images-1.medium.com/max/1200/1*26XijpOlh_1QLcgvDe8_vg.jpeg)
Use Terraform to overcome common deployment and development related challenges with AWS Lambda.
![Richy de la cuadra avatar](https://avatars.slack-edge.com/2019-02-05/542403090561_8e409525169bbe5eb0b4_72.jpg)
![squidfunk avatar](https://avatars.slack-edge.com/2020-03-05/985304242118_117566b559fb6c7e4976_72.jpg)
Anyone else experiencing very slow TF Lambda deployments? 30 seconds+ for every single function. This was much faster before. Already upgraded to the newest TF, no changes.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
we did not test lambda recently
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
does it eventually finish successfully ?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
can you test the same from the AWS console and compare the times?
![tamsky avatar](https://avatars.slack-edge.com/2019-10-31/817094217669_6e765cea39b456597957_72.jpg)
@squidfunk are things slow inside a geodesic
container?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
(he’s not using geodesic yet)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
![tamsky avatar](https://avatars.slack-edge.com/2019-10-31/817094217669_6e765cea39b456597957_72.jpg)
ok, just curious if it was related to TF_CLI_PLAN_PARALLELISM=2
– but looking at that var now, I’m guessing it only affects plan
?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Yea… but you’re right, that does slow things down.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
We have that due to running terraform
under ECS wher we experienced AWS platform rate limits
2019-03-06
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
Hi, is anyone using Travis with private modules, what’s the best way to get git+ssh working there ?
![squidfunk avatar](https://avatars.slack-edge.com/2020-03-05/985304242118_117566b559fb6c7e4976_72.jpg)
Hey guys. I was at my girlfriend’s parents for the last days and, well, it turned out it was just the upstream. They have a really bad internet connection. Stupid me Sorry!
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
you have to take in-law internet into consideration when choosing to take the relationship to the next level.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@squidfunk AWS WorkSpaces FTW!
![Andy avatar](https://secure.gravatar.com/avatar/6cbdb6c4c1d1c345d316d38e46148ef8.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0005-72.png)
Support for AWS Workspaces would be great, especially since there is existing support for AWS directory service directories in Terraform. Something like: resource "aws_workspaces_workspace&quo…
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
of anyone is looking for something to contribute, looks like there’s a bug affecting a lot of users: https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn/issues/39
Using release 0.7.0 AWS provider 2.0 module "cf-s3-cdn" { name = "help-scentregroup-cf-s3-cdn" source = "cloudposse/cloudfront-s3-cdn/aws" version = "0.7.0" …
![h3in3k3n avatar](https://secure.gravatar.com/avatar/2734fac9461ba0aa269f878ad186d0dc.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0004-72.png)
has anyone tried terratest ? new toy from gruntwork ?
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Yes it’s pretty good
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Tests written in go.
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
I will eventually share my testing setup but that will take around 3 weeks
![h3in3k3n avatar](https://secure.gravatar.com/avatar/2734fac9461ba0aa269f878ad186d0dc.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0004-72.png)
yah i look forward to see that.
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Combination of: Atlantis Terratest GOSS TFlint
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
I like the look of terraformcompliance tho
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
BDD is nice
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Was talking to Erik on Monday and turns out my plans for Atlantis weren’t right. It’s meant to be used more as a CD tool than a tester… but all will be written up
2019-03-07
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Terraform AWS Provider Version 2 Upgrade Guide
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
geez, so many breaking changes
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Community Note Please vote on this issue by adding a reaction to the original issue to help the community and maintainers prioritize this request Please do not leave "+1" or "me to…
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
here’s the pr for that one, they really didn’t actually change anything, it’s just the annoying deprecation warning
• https://github.com/terraform-providers/terraform-provider-aws/pull/7734/files
Closes #3895 Reference: #2926 Previously, the aws_route53_record resource did not follow standard Terraform conventions of requiring existing infrastructure to be imported into Terraform's stat…
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
(our bad for not pinning provider)
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
All these deprecation but where’s the new features list yo https://github.com/terraform-providers/terraform-provider-aws/blob/master/CHANGELOG.md
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
![AgustínGonzalezNicolini avatar](https://secure.gravatar.com/avatar/fb02f51e23f1d447002da0c44050df3d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Hi guys, i’m having kind of an issue with the “terraform-aws-iam-user” module. Once I create a user and i get the keybase_password_decrypt_command i’m perfectlly capable of decrypting the user password but then when i try to login to the aws console it says that the login information is incorrect. Just as a quick debug i changed the user password using the root account and i logged in successfully.
![xluffy avatar](https://secure.gravatar.com/avatar/f3405055ad5ad1d4933752b143807a49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
Hmm, I don’t have any ideal exclude to clone terraform-aws-iam-user
module and modify for debugging. U can output encrypted_password
+ plaintext_password
. After that, decrypt the encrypted_password
and compare.
![AgustínGonzalezNicolini avatar](https://secure.gravatar.com/avatar/fb02f51e23f1d447002da0c44050df3d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Thanks!, to output plaintext_password i should also add it to the module’s outputs rigth? because i don’t see it there
![xluffy avatar](https://secure.gravatar.com/avatar/f3405055ad5ad1d4933752b143807a49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
sorry, my bad. output of aws_iam_user_login_profile
just support encrypted_password
, U can’t do it
![xluffy avatar](https://secure.gravatar.com/avatar/f3405055ad5ad1d4933752b143807a49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
Manages an IAM User Login Profile
![AgustínGonzalezNicolini avatar](https://secure.gravatar.com/avatar/fb02f51e23f1d447002da0c44050df3d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
damn
![xluffy avatar](https://secure.gravatar.com/avatar/f3405055ad5ad1d4933752b143807a49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
your keybase account is exist?
![xluffy avatar](https://secure.gravatar.com/avatar/f3405055ad5ad1d4933752b143807a49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
and u have a pgp public key on this account?
![AgustínGonzalezNicolini avatar](https://secure.gravatar.com/avatar/fb02f51e23f1d447002da0c44050df3d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
yes, using keybase
![AgustínGonzalezNicolini avatar](https://secure.gravatar.com/avatar/fb02f51e23f1d447002da0c44050df3d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Solved it
![xluffy avatar](https://secure.gravatar.com/avatar/f3405055ad5ad1d4933752b143807a49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
How to fix? your mistake?
![AgustínGonzalezNicolini avatar](https://secure.gravatar.com/avatar/fb02f51e23f1d447002da0c44050df3d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
yeah sorry i did not see that the command was adding an extra character.
![AgustínGonzalezNicolini avatar](https://secure.gravatar.com/avatar/fb02f51e23f1d447002da0c44050df3d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Sorry to bother you
![AgustínGonzalezNicolini avatar](https://secure.gravatar.com/avatar/fb02f51e23f1d447002da0c44050df3d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Could anyone help me debug this? Thanks in advanced. BTW you have some awsome terraform modules. Greetings from Argentina!
![deftunix avatar](https://secure.gravatar.com/avatar/d7ddb1c2c5c8f3b7aaac64bb65b2c70b.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0021-72.png)
hi all, I am deploying a consul and vault cluster on aws using terraform. do you have any example of pipeline able to manage the rolling upgrade of the cluster? all the nodes are in ASG
![AgustínGonzalezNicolini avatar](https://secure.gravatar.com/avatar/fb02f51e23f1d447002da0c44050df3d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Solved/Uderstood it!
![AgustínGonzalezNicolini avatar](https://secure.gravatar.com/avatar/fb02f51e23f1d447002da0c44050df3d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
![AgustínGonzalezNicolini avatar](https://secure.gravatar.com/avatar/fb02f51e23f1d447002da0c44050df3d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
for some reason
2019-03-08
![sweetops avatar](https://secure.gravatar.com/avatar/1faa3e7070c3854dcbf3441067e14eed.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0006-72.png)
Anyone running into x509: certificate signed by unknown authority with registry.terraform.io?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
haven’t noticed this yet, but we tend to pin to github releases directly
![sweetops avatar](https://secure.gravatar.com/avatar/1faa3e7070c3854dcbf3441067e14eed.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0006-72.png)
running into it when running a terraform init
![github140 avatar](https://secure.gravatar.com/avatar/afcb56b638b9dc7f3541d9d13accee94.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
@sweetops Is your certstore up to date? Does curl connect without issues?
![sweetops avatar](https://secure.gravatar.com/avatar/1faa3e7070c3854dcbf3441067e14eed.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0006-72.png)
curl connects without issues
![sweetops avatar](https://secure.gravatar.com/avatar/1faa3e7070c3854dcbf3441067e14eed.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0006-72.png)
curl <https://registry.terraform.io/.well-known/terraform.json>
{"modules.v1":"/v1/modules/","providers.v1":"/v1/providers/"}
2019-03-09
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
It’d be nice if we could configure EKS workers to be spot instances here: https://github.com/cloudposse/terraform-aws-eks-workers
Terraform module to provision an AWS AutoScaling Group, IAM Role, and Security Group for EKS Workers - cloudposse/terraform-aws-eks-workers
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
So, I just used this example to get up and running with an EKS cluster: https://github.com/cloudposse/terraform-aws-eks-cluster
Terraform module for provisioning an EKS cluster. Contribute to cloudposse/terraform-aws-eks-cluster development by creating an account on GitHub.
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
But I’m getting the error: no nodes available to schedule pods
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
what happens when you run kubectl get nodes
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Do you see all nodes participating in the cluster?
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
I can see that I have one worker node up, but I can’t see that node via kubectl
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
lol found someone that has the same issue, with no solution: http://www.snowcrash.eu/kubernetes-eks-warning-failedscheduling-default-scheduler-no-nodes-available-to-schedule-pods/
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@cabrinha have you seen our example in terraform-root-modules
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
no, i was working off the examples dir: https://github.com/cloudposse/terraform-aws-eks-cluster/tree/master/examples/complete
Terraform module for provisioning an EKS cluster. Contribute to cloudposse/terraform-aws-eks-cluster development by creating an account on GitHub.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Have a look at this too https://github.com/cloudposse/terraform-root-modules/tree/master/aws/eks
Example Terraform service catalog of “root module” invocations for provisioning reference architectures - cloudposse/terraform-root-modules
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@Andriy Knysh (Cloud Posse) has been keeping this up to date
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
@Erik Osterman (Cloud Posse) thanks for pointing me in the right direction, just wondering why the module doesn’t have a complete working example in it
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
keep in mind, recent changes in terraform-aws-provider
has introduced some issues; pinning to a pre-2.0 module might help or ensuring you’re on 2.1
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
there are so many moving pieces in terraform between versions of terraform, versions of providers and versions of modules. We cannot test all combinations. We try to keep it all stable and working, but we are not a large company :smiley: and all maintenance is paid for by cloudposse (~$10K/mo!) Despite that, we try to stay on top of our 130+ terraform modules, ~60 tools in cloudposse/packages
, 50+ helm charts in cloudposse/charts
, 300+ original open source projects on our github, dozens of pull requests every week, code reviews, etc. It’s not easy and pull requests are greatly appreciated.
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
2019-03-10
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@cabrinha the example here https://github.com/cloudposse/terraform-aws-eks-cluster/tree/master/examples/complete is a complete and working example, was tested about a month ago and also deployed by a few other people
Terraform module for provisioning an EKS cluster. Contribute to cloudposse/terraform-aws-eks-cluster development by creating an account on GitHub.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
did you run this for the worker nodes to join the cluster https://github.com/cloudposse/terraform-aws-eks-cluster/blob/master/examples/complete/kubectl.tf ?
Terraform module for provisioning an EKS cluster. Contribute to cloudposse/terraform-aws-eks-cluster development by creating an account on GitHub.
2019-03-11
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Anyone already established a smart way of getting the VPC ID from another account (data resource from another account) when VPC peering?
# Mgmt VPC
data "aws_vpc" "requester_vpc" {
tags = {
Name = "${var.stage}-vpc"
}
}
# Other sub-account VPCs
data "aws_vpc" "accepter_vpc" {
tags = {
Name = "${var.stage}-vpc"
}
}
module "vpc_peering" {
source = "git::<https://github.com/cloudposse/terraform-aws-vpc-peering-multi-account.git?ref=master>"
namespace = "he"
stage = "${var.stage}"
name = "vpn"
requester_vpc_id = "${data.aws_vpc.requester_vpc.vpc_id}"
requester_aws_assume_role_arn = "arn:aws:iam::xxx:role/vpc-admin"
requester_region = "${var.aws_region}"
accepter_vpc_id = "${var.vpn-vpc}"
accepter_aws_assume_role_arn = "arn:aws:iam::xxx:role/vpc-admin"
accepter_region = "${var.region}"
}
![Samuli avatar](https://secure.gravatar.com/avatar/347245a6b0053a6eed1f4e28cf8f5073.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
variable?
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Would like to avoid hardcoding… edit: or user prompts
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
But I’ve taken on the tech debt of having it hardcoded in my Geodesic Dockerfile
![Samuli avatar](https://secure.gravatar.com/avatar/347245a6b0053a6eed1f4e28cf8f5073.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
How is it hard coding if you have it as a variable?
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
It is either hardcoded (the vpc-id) or it requires input. Both aren’t a typical solution I go for..
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
you can look it up, but you have to pass the provider to the data source so the credential has permissions to query the other account
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
data "aws_vpc" "accepter_vpc" {
provider = "aws.<ALIAS_ACCEPTER>"
tags = {
Name = "${var.stage}-vpc"
}
}
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Providers are responsible in Terraform for managing the lifecycle of a resource: create, read, update, delete.
![Samuli avatar](https://secure.gravatar.com/avatar/347245a6b0053a6eed1f4e28cf8f5073.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
but that would require some identification to be added eg. the var.stage in the example (+ the provider configuration) so why not just use vpc-id?
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
personally i agree, i don’t like implicit references like that, but i’m just offering an answer to the question tho
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
so why not just use vpc-id?
I would 100% much rather have a global variable for a role ARN than a one/two-use variable like VPC-id being hardcoded
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Thanks the multi provider link should do the trick.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Here’s how we used the terraform remote state provider to achieve a similar requirement https://github.com/cloudposse/terraform-root-modules/blob/master/aws/root-dns/ns/main.tf#L27-L51
Example Terraform service catalog of “root module” invocations for provisioning reference architectures - cloudposse/terraform-root-modules
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Trying to hunt down the source of a count
error.. despite project having no lists or maps
![foqal avatar](https://avatars.slack-edge.com/2019-03-11/572601092560_390fb278d5cedc640d76_72.png)
Helpful question stored to <@Foqal> by @Erik Osterman (Cloud Posse):
thanks for pointing me in the right direction, just wondering why the module doesn't have a complete working example in it :thinking_face:
2019-03-12
![Jan avatar](https://secure.gravatar.com/avatar/39fc70600d70a0afa40b682c3a695dc0.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0008-72.png)
what was the tf tool being used to mask passwords
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
output "db_password" {
value = aws_db_instance.db.password
description = "The password for logging in to the database."
sensitive = true
}
`
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
yes this is the best approach for outputs
![mrwacky avatar](https://avatars.slack-edge.com/2018-08-22/423003208646_5ad1b1ba6be6b00306b3_72.jpg)
But it’s still stored in tfstate in plaintext. We hacked up a null-resource to change the RDS cluster password after TF provisions it with a dummy password. Roughly:
resource "null_resource" "password_setter" {
count = "${local.count}"
depends_on = ["aws_rds_cluster.rds"]
provisioner "local-exec" {
command = "${local.password_reset_command}"
}
}
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@mrwacky doesn’t this break idempotency?
![mrwacky avatar](https://avatars.slack-edge.com/2018-08-22/423003208646_5ad1b1ba6be6b00306b3_72.jpg)
Nope, because TF can’t read the master password from AWS. So it assumes the dummy one in the state is correct.
![mrwacky avatar](https://avatars.slack-edge.com/2018-08-22/423003208646_5ad1b1ba6be6b00306b3_72.jpg)
Or because of this, or both:
lifecycle {
ignore_changes = ["master_username", "master_password"]
}
![Jan avatar](https://secure.gravatar.com/avatar/39fc70600d70a0afa40b682c3a695dc0.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0008-72.png)
sensitive = true
![Jan avatar](https://secure.gravatar.com/avatar/39fc70600d70a0afa40b682c3a695dc0.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0008-72.png)
oh really
![Jan avatar](https://secure.gravatar.com/avatar/39fc70600d70a0afa40b682c3a695dc0.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0008-72.png)
tfmask was the tool though
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
keep in mind sensitive
won’t catch all the leakage
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
if using random_id
or random_string
resources, they leak information in the plan
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
if using the github
provider it leaks the oauth
key in the plan
![Jan avatar](https://secure.gravatar.com/avatar/39fc70600d70a0afa40b682c3a695dc0.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0008-72.png)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Terraform utility to mask select output from terraform plan
and terraform apply
- cloudposse/tfmask
![AgustínGonzalezNicolini avatar](https://secure.gravatar.com/avatar/fb02f51e23f1d447002da0c44050df3d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Hi guys sorry to bother you with a newbie question. I’m not completely sure as to how to use both terraform-aws-iam-user and terraform-aws-iam-assumed-roles combined. Can anyone help?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@AgustínGonzalezNicolini here is an example https://github.com/cloudposse/terraform-aws-iam-user/blob/master/examples/simple/main.tf
Terraform Module to provision a basic IAM user suitable for humans. - cloudposse/terraform-aws-iam-user
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
you create IAM users and then add them to the groups (admin or readonly)
![AgustínGonzalezNicolini avatar](https://secure.gravatar.com/avatar/fb02f51e23f1d447002da0c44050df3d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
so i should avoid using the “ groups = [”${module.assumed_roles_Infra.group_admin_name}”] “ input in the user definition and just use “admin_user_names = [“User.Name”] “ in my assumed-roles definition rigth?
![AgustínGonzalezNicolini avatar](https://secure.gravatar.com/avatar/fb02f51e23f1d447002da0c44050df3d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
and execute them in that order,user creation, then groups, policies, etc
![AgustínGonzalezNicolini avatar](https://secure.gravatar.com/avatar/fb02f51e23f1d447002da0c44050df3d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
?
![AgustínGonzalezNicolini avatar](https://secure.gravatar.com/avatar/fb02f51e23f1d447002da0c44050df3d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
(thanks in advanced for your help)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Actually, we recommend the reverse these days
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Example Terraform Reference Architecture for Geodesic Module Parent (“Root” or “Identity”) Organization in AWS. - cloudposse/root.cloudposse.co
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Basically, adding a user should also add them to the groups
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
it’s more managable and easier to remove a user - especially when practicing gitops
![AgustínGonzalezNicolini avatar](https://secure.gravatar.com/avatar/fb02f51e23f1d447002da0c44050df3d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
ho I see!! i’ll look into reversing that! thanks so much!
![AgustínGonzalezNicolini avatar](https://secure.gravatar.com/avatar/fb02f51e23f1d447002da0c44050df3d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Erik i have one last question.
![AgustínGonzalezNicolini avatar](https://secure.gravatar.com/avatar/fb02f51e23f1d447002da0c44050df3d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
in the user.tf files of the repo you mentioned, the groups input is set to “${local.admin_groups}”
![AgustínGonzalezNicolini avatar](https://secure.gravatar.com/avatar/fb02f51e23f1d447002da0c44050df3d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
that local.admin_groups, where is it referencing to?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
see the ../
directory
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
we use the terraform init -from-module=...
pattern so we “clone” a remote module locally
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
then copy our users into that folder
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Example Terraform service catalog of “root module” invocations for provisioning reference architectures - cloudposse/terraform-root-modules
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
this is the upstream module
![AgustínGonzalezNicolini avatar](https://secure.gravatar.com/avatar/fb02f51e23f1d447002da0c44050df3d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
ho i get it!
![AgustínGonzalezNicolini avatar](https://secure.gravatar.com/avatar/fb02f51e23f1d447002da0c44050df3d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Thanks Erik, if you ever come to Argentina. I owe you one
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
would love to visit again some day!
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Loved the Palermo Soho area
![AgustínGonzalezNicolini avatar](https://secure.gravatar.com/avatar/fb02f51e23f1d447002da0c44050df3d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I work rigth at the center of Palermo soho hehe.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Thats cool!
![xluffy avatar](https://secure.gravatar.com/avatar/f3405055ad5ad1d4933752b143807a49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
You should start with https://github.com/cloudposse/terraform-aws-iam-user/blob/master/main.tf
terraform-aws-iam-user
help to create a normal IAM user (u can login with password aws_iam_user_login_profile
). After that, U need to assign this user to a group.
Terraform Module to provision a basic IAM user suitable for humans. - cloudposse/terraform-aws-iam-user
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
another example, you create users and then https://github.com/cloudposse/terraform-root-modules/blob/master/aws/root-iam/root.tf#L14
Example Terraform service catalog of “root module” invocations for provisioning reference architectures - cloudposse/terraform-root-modules
![xluffy avatar](https://secure.gravatar.com/avatar/f3405055ad5ad1d4933752b143807a49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
terraform-aws-iam-assumed-roles
is a big module, create a group, role, policy ….
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Anyone got a favourite way of creating openvpn server? Unlicensed as only need max 2 users.
Current choices are: 1) Use existing AMI on marketplace 2) Use existing AMI on marketplace as base in packer and provision with my stuff 3) New packer project htat installs openvpn with Ansible or Docker (or Ansible installing container…)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Check out Pritunl
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
that said, we have a nice way of doing it in kubernetes, but I don’t think you’re going to be using k8s
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
I’m seeing examples of Pritunl being used with openvpn. Are you using as an alternative
![xluffy avatar](https://secure.gravatar.com/avatar/f3405055ad5ad1d4933752b143807a49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
what happen with openvpn OSS
![xluffy avatar](https://secure.gravatar.com/avatar/f3405055ad5ad1d4933752b143807a49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
max 2 users because u use openvpn-as
![xluffy avatar](https://secure.gravatar.com/avatar/f3405055ad5ad1d4933752b143807a49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
or https://www.wireguard.com/, this is a new project, in development, but i think it is awesome
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@oscarsullivan_old We don’t prescribe using VPNs
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Identity Aware Proxies are the way to go
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
@Arvind Few things i would like to understand:
- How can sententiously multiple developer can work on one Terraform Repo.
S3 Backend - How can I manage multiple .tfsstate file, as I have three environments lab/stage/prod
Geodesic. Have multiple accounts. Each one has a bucket. You go into a different Geodesic container for each environment (one env per account). - What is the different b/w variables.tf and .tfsvar.
[variables.tf](http://variables.tf)
declares your variables and their data structure. A.tfvars
file sets the value of the variable neatly, instead of doing it in the same file as say a resource creation. Typical project of mine:
jenkins: ec2.tf elb.tf jenkins_sg.tf outputs.tf r53.tf terraform.tf > declare backend and other common data bits variables.tf
![Arvind avatar](https://secure.gravatar.com/avatar/b6ae9504db8c5ac0c1f7c8df200a68ba.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@Arvind has joined the channel
![Arvind avatar](https://secure.gravatar.com/avatar/b6ae9504db8c5ac0c1f7c8df200a68ba.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Do we have any sample git repo where we are provisioning the infrastructure as per environments basis ex:stage/lab/prod.And i need to understand how terraform.tf file will read the environments specific variables. ex: in lab i require Redis instance smaller size while in stage and prod i require bigger size Redis instances.
![joshmyers avatar](https://avatars.slack-edge.com/2018-11-20/483958217281_8117d6f6c62807ce9912_72.jpg)
@Arvind you mean like https://github.com/cloudposse/testing.cloudposse.co ?
Example Terraform Reference Architecture that implements a Geodesic Module for an Automated Testing Organization in AWS - cloudposse/testing.cloudposse.co
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@joshmyers’s suggestion is spot on
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
basically, you put all common code in terraform-root-modules
(like blueprints)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
then you use that code in all of your account environments (E.g. [testing.cloudposse.co](http://testing.cloudposse.co)
is ours)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
we have root
, staging
, prod
, etc.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
that’s where the custom settings go for each environment.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
it’s been our experience that we want to run identical code (e.g. modules) in environments like staging and prod, but staging and prod necessarily differ in areas like instance sizes or perhaps the number of clusters
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
for example, in production for an Enterprise SaaS platform, there might be one cluster per enterprise customer, but you wouldn’t run one cluster per enterprise customer in staging.
2019-03-13
![xluffy avatar](https://secure.gravatar.com/avatar/f3405055ad5ad1d4933752b143807a49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
Hey, I have a issue with terrarom-aws-iam-user. First i run apply, my user add to group admin, but when i run again, my user is remove to group
~ module.assumed_roles.aws_iam_group_membership.admin
users.#: "1" => "0"
users.1070365961: "quang" => ""
~ module.quang.aws_iam_user_group_membership.default
groups.#: "0" => "1"
groups.3764225916: "" => "g_ops_users"
![joshmyers avatar](https://avatars.slack-edge.com/2018-11-20/483958217281_8117d6f6c62807ce9912_72.jpg)
@xluffy what are you running?
![xluffy avatar](https://secure.gravatar.com/avatar/f3405055ad5ad1d4933752b143807a49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
terraform plan
![xluffy avatar](https://secure.gravatar.com/avatar/f3405055ad5ad1d4933752b143807a49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
I want to create normal IAM user, after that, I added this user to admin
group (create by terraform-aws-iam-assumed-roles
)
![xluffy avatar](https://secure.gravatar.com/avatar/f3405055ad5ad1d4933752b143807a49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
But when i run tf plan
. It is remove/add my user from group
![joshmyers avatar](https://avatars.slack-edge.com/2018-11-20/483958217281_8117d6f6c62807ce9912_72.jpg)
Where? Got some code to look at?
![xluffy avatar](https://secure.gravatar.com/avatar/f3405055ad5ad1d4933752b143807a49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
very simple, look like https://github.com/cloudposse/terraform-aws-iam-user/blob/master/examples/simple/main.tf
Terraform Module to provision a basic IAM user suitable for humans. - cloudposse/terraform-aws-iam-user
![xluffy avatar](https://secure.gravatar.com/avatar/f3405055ad5ad1d4933752b143807a49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
module "assumed_roles" {
source = "git::<https://github.com/cloudposse/terraform-aws-iam-assumed-roles.git?ref=tags/0.2.2>"
namespace = "eg"
stage = "testing"
}
module "erik" {
source = "../../"
name = "erik"
pgp_key = "keybase:osterman"
groups = ["${module.assumed_roles.group_admin_name}", "${module.assumed_roles.group_readonly_name}"]
}
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Anyone had this before when using the ec2 module? https://github.com/cloudposse/terraform-aws-ec2-instance/issues/37
* module.instance_01.output.network_interface_id: Resource 'aws_instance.default' does not have attribute 'network_interface_id' for variable 'aws_instance.default.*.network_interface_id'
What Error: Error applying plan: 1 error(s) occurred: * module.instance_01.output.network_interface_id: Resource 'aws_instance.default' does not have attribute 'network_interface_id'…
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
looks like network_interface_id
output was removed from https://www.terraform.io/docs/providers/aws/r/instance.html#attributes-reference
(or it was working somehow before)
Provides an EC2 instance resource. This allows instances to be created, updated, and deleted. Instances also support provisioning.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
needs a PR
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Ah fab
![Arjun avatar](https://secure.gravatar.com/avatar/1a29aef8d3a5a2758636b412006ee822.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0017-72.png)
is there any possibility of mentioning an EBS resource in launch configuration using interpolation? ( i am trying to abstract out this , to conditionally mention an extra block device in LC)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
what resource? share an example code
![Arjun avatar](https://secure.gravatar.com/avatar/1a29aef8d3a5a2758636b412006ee822.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0017-72.png)
@Andriy Knysh (Cloud Posse)
resource "aws_launch_configuration" "launch-config" {
name = "${var.lc_name}"
image_id = "${var.image_id}"
instance_type = "${var.instance_type}"
user_data = "${var.user_data}"
root_block_device {
delete_on_termination = "${var.root_ebs_delete_on_termination}"
iops = "${var.root_ebs_iops}"
volume_size = "${var.root_ebs_volume_size}"
volume_type = "${var.root_ebs_volume_type}"
}
//TODO: change it to resource
ebs_block_device {
device_name = "${var.device_name}"
volume_size = "${var.volume_size}"
encrypted = "${var.encrypt_ebs}"
delete_on_termination = "${var.delete_on_termination}"
volume_type = "${var.volume_type}"
}
key_name = "${var.key_name}"
security_groups = ["${module.security_group.security_group_id}"]
}
![Arjun avatar](https://secure.gravatar.com/avatar/1a29aef8d3a5a2758636b412006ee822.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0017-72.png)
what i wanted to do is have ebs_block_device created conditionally when creating this LC
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
please see https://www.reddit.com/r/Terraform/comments/99zri8/gke_regional_cluster_deployment_defining_zones/
0 votes and 3 comments so far on Reddit
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
you can use the slice
pattern here
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
ebs_block_device is actually a list
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
try ebs_block_device = []
first
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
if it works, you can use the slice pattern to either provide an item with settings to the list, or have an empty list
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
depending on some condition
![Arjun avatar](https://secure.gravatar.com/avatar/1a29aef8d3a5a2758636b412006ee822.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0017-72.png)
@Andriy Knysh (Cloud Posse) no the block inside launch-configuration is a “block resource embedded in it”, I don’t think there is right side assignment for these kinda block , however i see people create two resources one with ebs_block and one without and make a decision in autoscaling group depending on the situation
![Arjun avatar](https://secure.gravatar.com/avatar/1a29aef8d3a5a2758636b412006ee822.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0017-72.png)
i was trying to find a more better option ( looks like waitinf for dynamic attributes in 0.12 is the only way)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
if you try ebs_block_device = []
, it could work. All those blocks are actually lists
![Arjun avatar](https://secure.gravatar.com/avatar/1a29aef8d3a5a2758636b412006ee822.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0017-72.png)
@Andriy Knysh (Cloud Posse) , but since out Autoscaling group is randomly choosing an AZ while creating the instance i wonder how to deal this in that case
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
ebs_block_device
does not depend on AZ, you either add it to aws_launch_configuration
or not (in the later case try ebs_block_device = []
) depending on some condition
![Arjun avatar](https://secure.gravatar.com/avatar/1a29aef8d3a5a2758636b412006ee822.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0017-72.png)
yeah that clears my mind , thanks a lot !
![Arjun avatar](https://secure.gravatar.com/avatar/1a29aef8d3a5a2758636b412006ee822.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0017-72.png)
hi @Andriy Knysh (Cloud Posse), i tried your suggestion and got stuck since , i wanted to modularize this option as variable being used in the module so i tried someting like
resource "aws_launch_configuration" "launch-config" {
ebs_block_device = [ "${var.ebs_block_device_list}"]}
![Arjun avatar](https://secure.gravatar.com/avatar/1a29aef8d3a5a2758636b412006ee822.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0017-72.png)
but now in the list of maps , i cant interpolate the variables in that variable
![Arjun avatar](https://secure.gravatar.com/avatar/1a29aef8d3a5a2758636b412006ee822.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0017-72.png)
i tried assigning variable with default , somthing like
variable "ebs_block_device_list"{
type = list
default: [ {
device_name = "${var.device_name}"
volume_size = "${var.volume_size}"
encrypted = "${var.encrypt_ebs}"
delete_on_termination = "${var.delete_on_termination}"
volume_type = "${var.volume_type}"
}]
}
![Arjun avatar](https://secure.gravatar.com/avatar/1a29aef8d3a5a2758636b412006ee822.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0017-72.png)
but terraform doesnt allow interpolation in variables
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
You don’t use variables inside a variable
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
You provide a list of maps with values to the module
![Arjun avatar](https://secure.gravatar.com/avatar/1a29aef8d3a5a2758636b412006ee822.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0017-72.png)
but those values are not fixed
![Jan avatar](https://secure.gravatar.com/avatar/39fc70600d70a0afa40b682c3a695dc0.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0008-72.png)
heads up this is no longer valid, https://github.com/cloudposse/terraform-root-modules/blob/master/aws/account-dns/main.tf#L26-L35
* aws_route53_record.dns_zone_soa: 1 error(s) occurred:
• aws_route53_record.dns_zone_soa: [ERR]: Error building changeset: InvalidChangeBatch: [Tried to create resource record set [name='some.example.com.', type='SOA'] but it already exists]
Example Terraform service catalog of “root module” invocations for provisioning reference architectures - cloudposse/terraform-root-modules
![Jan avatar](https://secure.gravatar.com/avatar/39fc70600d70a0afa40b682c3a695dc0.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0008-72.png)
used to work, 27 days ago for sure
![Jan avatar](https://secure.gravatar.com/avatar/39fc70600d70a0afa40b682c3a695dc0.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0008-72.png)
but also not needed as SOA gets created by default
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Community Note Please vote on this issue by adding a reaction to the original issue to help the community and maintainers prioritize this request Please do not leave "+1" or "me to…
![Jan avatar](https://secure.gravatar.com/avatar/39fc70600d70a0afa40b682c3a695dc0.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0008-72.png)
ah
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
It’s not that we want to create a new SOA; it is essential to set a low SOA TTL to prevent negative ttl caching in dynamic service discovery environments. E.g. a negative cache hit can cause 15 minutes of downtime for no good reason.
![mrwacky avatar](https://avatars.slack-edge.com/2018-08-22/423003208646_5ad1b1ba6be6b00306b3_72.jpg)
Has this guy popped up in here yet? https://github.com/iann0036/AWSConsoleRecorder
Records actions made in the AWS Management Console and outputs the equivalent CLI/SDK commands and CloudFormation/Terraform templates. - iann0036/AWSConsoleRecorder
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Hah, wow, haven’t seen this before
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Holy cow that’s.. an amazing project. I do find aws easier to understand and ‘do’ with TF than when I use the console though tbh
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
i find the terraform documentation phenomenal and often easier than to RTFM of AWS docs
![ansgar avatar](https://secure.gravatar.com/avatar/63787a0a000619d060655da11597e6f3.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
To chime in as a newbie (to AWS and Terraform): I sometimes find myself clicking through some AWS wizard to get an idea what exactly some property/config does
![mrwacky avatar](https://avatars.slack-edge.com/2018-08-22/423003208646_5ad1b1ba6be6b00306b3_72.jpg)
I wonder if it works
![AgustínGonzalezNicolini avatar](https://secure.gravatar.com/avatar/fb02f51e23f1d447002da0c44050df3d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I just got it today via meduim and quickly tried it. It’s a bit raw but an awsome tool
2019-03-14
![h3in3k3n avatar](https://secure.gravatar.com/avatar/2734fac9461ba0aa269f878ad186d0dc.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0004-72.png)
Hi everyone. I don’t know which channel to post this question but as I tend to implement with TF so I posted here.
My question is : How did you manage ECR repository on Terraform or alternative tools you using ? The problem I facing is
- i want to create multiple ecr repositories in 1 TF code, so which is the good way to generate those codes ? I writing go template. I think I will use that to generate the TF code from Yaml File
My yaml file format like this
```
[name-of-repository]
- [username-arn-id-a] - pull
- [username-arn-id-b] - push [name-of-repository2]
- [username-arn-id-d] - pull
- [username-arn-id-c] - push ``` Any one has other ideas feel free to tell me once, Appreciate !
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
@h3in3k3n the way I would do it is to create/find a module that has a proper ecr policy set and just use that one. The resource by itself in terraform is super small but with the policy it can get a bit bigger also you might need to pass the policy per repo or whatever your use case requires
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
Hi People, any recommendation for an IDE or a vim setting in which I can detect unused variables in terraform ?
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
I think that one of the jetbrains IDEs has this feature.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Jetbrains IDEA has a very nice terraform support
![antonbabenko avatar](https://secure.gravatar.com/avatar/fc9fce3c16a287d672ec5433430f11ca.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
Feel free to give kudos to Vlad (creator of Terraform plugin for Jetbrains products) - https://twitter.com/Vlad_P53
The latest Tweets from Vladislav Rassokhin (@Vlad_P53). Software Developer @jetbrains. My opinions are my own. Saint-Petersburg
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Can detect missing and unused variables
![foqal avatar](https://avatars.slack-edge.com/2019-03-11/572601092560_390fb278d5cedc640d76_72.png)
Helpful question stored to <@Foqal> by @Nikola Velkovski:
Hi everyone. I don’t know which channel to post this question but as I tend to implement with TF so I posted here...
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
yeah that’s what I remember as well
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
but I don’t want to switch my precious VIM
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
And highlights everything
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
It can emulate VIM editor so you don’t lose anything :)
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
hmmm
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
ok let me check that out
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
thanks!
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
It’s a very nice product in my opinion
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
vscode does this also for terraform
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Supports all possible languages and frameworks
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
ok vscode I’ave installed but I haven’t seen this feature in action , do I need to install a special plugin @loren?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Vscode not bad too
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
yes, you need a plugin, one sec and i’ll get the name
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
thanks, I already have the tf plugin installed though
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
yeah, should just be terraform
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
you don’t see references like this?
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
no I get
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
for every var..
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
I think it’s the way we use terraform ..
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
oh, it might not work when the references are in a different file?
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
yes they are in a different folder..
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
and then we sprinkle some makefile magic
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
to make an apply
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
well, different file, same directory works fine
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
sorry different folder
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
so the plugin thinks it’s a different state
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
ok now I get it
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
that’s in a variables.tf file, same directory as main.tf where all the references are
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
yeah , that’s not the case where I currently work at
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
gotcha
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
but thanks for the help ! now I know that vscode works as expected
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
it is hard to do this kind of lint/validation when you have some wrapper/generator around your tf code
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
well, harder, i guess. need to generate it, then validate the output
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
yeah, I am not a fan of the wrappers as well.
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
but there’s a way , the Makefile generates a main.tf file
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
so I can just use that one
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
yep
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
yeah
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
thanks guys for your help!
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
Much appreciated
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
hmm I found out that the current plugin in vsode sets 0 references even if the variable is invoked inside a function
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
like so "{tf_function(var.something)}"
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
IDEA can actually see and analyze variables in functions (and even in plain text)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
it does not show the ref count as vscode does
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
but when you click “Find Usages” on anything
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
it shows all references
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
oh nice..
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
I am definitelly trying it out
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
highlights wrong/missing vars
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
that moment when you’re getting a product demo from a company and you notice a Cloud Posse browser tab + the label module naming format
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
Turns out, @Erik Osterman (Cloud Posse) is known from the days at Sumo (by Nick Coffee)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Hahah wow! small freggin world.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
He’s at Harness https://harness.io/
![mrwacky avatar](https://avatars.slack-edge.com/2018-08-22/423003208646_5ad1b1ba6be6b00306b3_72.jpg)
if I want to to test terraform 0.12 beta.. how do I get providers built against it?
![mrwacky avatar](https://avatars.slack-edge.com/2018-08-22/423003208646_5ad1b1ba6be6b00306b3_72.jpg)
I guess I have to compile myself
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Yeah, one of our guys wrote up how they did it, https://medium.com/@dirk.avery/terraform-0-12-development-a-step-by-step-guide-to-get-running-with-providers-cea87082ad54
![attachment image](https://cdn-images-1.medium.com/max/1200/1*cy96ULVXRPC3XAX4wSL8RA.jpeg)
Hashicorp has set the Terraform 0.12 release date broadly sometime before the end of March 2019. Version 0.12 will include many…
![mrwacky avatar](https://avatars.slack-edge.com/2018-08-22/423003208646_5ad1b1ba6be6b00306b3_72.jpg)
nice
2019-03-15
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
I haven’t yet had a chance to try this, but it was on my mind.
Using Geodesic across multiple AWS accounts for each stage, I have Route 53 records to create.
I have one domain name: acme.co.uk
I own [acme.co.uk](http://acme.co.uk)
.
I have [acme.co.uk](http://acme.co.uk)
NS pointing to my ROOT account.
Scenario:
I have to create r53 records, say [test.acme.co.uk](http://test.acme.co.uk)
.
Naturally I want to create this on my testing account.
I want this r53 record to be public. Naturally this means the testing account needs to have an [acme.co.uk](http://acme.co.uk)
r53 public zone… but wait… I already have a public zone for this in ROOT with the public NS pointing to ROOT account.
Problem: Is this possible? Or to have public records for my one domain, must I assume a role into my ROOT account and only create public records there?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
we do DNS zone delegation. In the root DNS, we provision the parent domain ([acme.co.uk](http://acme.co.uk)
) Zone and subdomains (e.g. [test.acme.co.uk](http://test.acme.co.uk)
) zones, then we provision the DNS zone [test.acme.co.uk](http://test.acme.co.uk)
in the test account, and then add the name server for [test.acme.co.uk](http://test.acme.co.uk)
in the parent DNS zone in the root account
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Example Terraform service catalog of “root module” invocations for provisioning reference architectures - cloudposse/terraform-root-modules
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Example Terraform service catalog of “root module” invocations for provisioning reference architectures - cloudposse/terraform-root-modules
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
for root ^
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Example Terraform service catalog of “root module” invocations for provisioning reference architectures - cloudposse/terraform-root-modules
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
for member account ^
![mmuehlberger avatar](https://secure.gravatar.com/avatar/752c7a387bef6cb7254e3ff34b276d10.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
I was wondering the same thing today. I’m debating with myself if it makes sense to split your naming into an infastructure zone like acme.cloud and have a separate one for your public-facing domain, being more picky which namespaces to use.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
we recommend having a service discovery domain which is not your branded vanity domain
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
so we have [cloudposse.org](http://cloudposse.org)
as our infra domain
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
[cloudposse.com](http://cloudposse.com)
as our vanity domain
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
(and [cloudposse.co](http://cloudposse.co)
is just for our examples)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Yes so CloudPosse.org has NS records for all our member accounts
![mmuehlberger avatar](https://secure.gravatar.com/avatar/752c7a387bef6cb7254e3ff34b276d10.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
Makes total sense now that you say it.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
prod.cloudposse.org NS points to prod.cloudposse.org zone
![mmuehlberger avatar](https://secure.gravatar.com/avatar/752c7a387bef6cb7254e3ff34b276d10.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
The only issue I thought might be a little bit tricky is with certificates, but I think it would just be the load balancer that needs to have a certificate for the vanity domain applied, so not too bad.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
it’s possible now to associate multiple ACM ARNs with an ALB
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
the alternative is to use SANs
![mmuehlberger avatar](https://secure.gravatar.com/avatar/752c7a387bef6cb7254e3ff34b276d10.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
Ah, I somehow missed that. If possible, I try to avoid using SANs on vanity domains, it’s just neater.
![mmuehlberger avatar](https://secure.gravatar.com/avatar/752c7a387bef6cb7254e3ff34b276d10.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
Thanks for the clarification.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
what we have in the root account cloudposse.co
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
certificates get provisioned in each account separately https://github.com/cloudposse/terraform-root-modules/blob/master/aws/acm/main.tf
Example Terraform service catalog of “root module” invocations for provisioning reference architectures - cloudposse/terraform-root-modules
![Igor avatar](https://avatars.slack-edge.com/2022-03-17/3244104166391_48a8db73944f03735a65_72.jpg)
Since we’re on the subject, is it a good idea to create a hosting zone for a customer’s site and ask them to create an NS record, instead of giving them the ALB CNAME? My thoughts are that this way I can change the ALB if ever required without having to request a customer to make a DNS change.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
if the service discovery domain will not change, then probably yes, give them the NS records
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
on the other hand, if you have a service discovery domain, e.g. [prod.mycompany.co](http://prod.mycompany.co)
which you control, you can ask them to add the CNAME record from their main (vanity) domain to [prod.mycompany.co](http://prod.mycompany.co)
(which should never change as well). No ALBs involved
![Igor avatar](https://avatars.slack-edge.com/2022-03-17/3244104166391_48a8db73944f03735a65_72.jpg)
Is one approach better than the other?
![Alex Siegman avatar](https://avatars.slack-edge.com/2019-04-10/592429074434_cea95e800f54d8ea3544_72.jpg)
Amazon charges for CNAMEs, if that kind of penny pinching bothers you. Clarification: cnames count towards your queries, but those are stupidly cheap anyways. I’ve had bosses squawk over it though. A ALIAS records do not.
![Alex Siegman avatar](https://avatars.slack-edge.com/2019-04-10/592429074434_cea95e800f54d8ea3544_72.jpg)
I think the two approaches, it’s mostly just how you want to manage it.
![Igor avatar](https://avatars.slack-edge.com/2022-03-17/3244104166391_48a8db73944f03735a65_72.jpg)
In this case, I think the CNAME would be on the customer side, so no additional cost
![Alex Siegman avatar](https://avatars.slack-edge.com/2019-04-10/592429074434_cea95e800f54d8ea3544_72.jpg)
Oh, I missed the “customer’s site” - in that case, I might say you want to control your own domain stuff, make them use cnames, but that’s just me
![Igor avatar](https://avatars.slack-edge.com/2022-03-17/3244104166391_48a8db73944f03735a65_72.jpg)
CNAME has more visibility. Someone can access the site using [customer.mycompany.co](http://customer.mycompany.co)
instead of [site.customer.co](http://site.customer.co)
as intended.
![Igor avatar](https://avatars.slack-edge.com/2022-03-17/3244104166391_48a8db73944f03735a65_72.jpg)
I just tried the NS approach for the first time, and the ask was met with some skepticism (from the customer)
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Thanks.. great discussion. Your solution seems v easy @Andriy Knysh (Cloud Posse)
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
![SweetOps avatar](https://a.slack-edge.com/37d58/img/emoji_2017_12_06/apple/2753.png)
Are you using some of our terraform-modules in your projects? Maybe you could leave us a testimonial! It means a lot to us to hear from people like you.
![github140 avatar](https://secure.gravatar.com/avatar/afcb56b638b9dc7f3541d9d13accee94.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Could resources be deployed into two different AWS accounts having a single “TF environment” and still use some sort of ENV variables for keys? Is there even support for vault?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
we handle that by having “generic” TF modules (that provision resources but all settings come from variables, they have no identity by itself). Then we have Docker containers (geodesic
in our case) for each AWS account. We copy the modules into each containers. All those TF vars get populated from ENV vars which can come from a few different places (Dockerfile, CI/CD pipeline, AWS SSM, chamber, https://direnv.net, etc.). When starting a container for a particular account, it already has all the code (TF, Helm, Helfiles, etc.) and all the ENV vars populated, so the container has all the info to provision infra for that account
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
since all settings are coming from ENV vars (including AWS regions and account IDs), and all TF modules use terraform-null-label
module to uniquely name all resources, the same setup could be used with multiple AWS accounts, or just with one if needed (in which case all containers will login/assume role into the same AWS account, but all the resources will have diff environment/stage
in their names, so all names are unique anyway)
![bilal avatar](https://secure.gravatar.com/avatar/53b2862c613cdc7c381bf973a2a41072.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Does this work cross accounts? Would I just need to create another hosted zone with the same NS?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
it is cross-accounts
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
in the member accounts (prod, staging, dev) you create corresponding DNS zones (e.g. prod.cloudposse.co)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
then get the NS servers from them
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
and update the NS records in the root account
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
obviously you update the NS in the registrar (if it’s not Route53) to the root DNS zone name servers (first record in the image above)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
then, to put it very simple, every request to let’s say prod.cloudposse.co will first hit the root zone for cloudposse.co and the DNS server will return the name servers for prod.cloudposse.co
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
then all other records for prod.cloudposse.co will be requested from its name servers (which could be in the same AWS account or diff, does not matter)
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
Anyone else get access to TFE for the free remote state? I’m curious how people feel about it.
2019-03-16
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Can’t comment on TFE but I’m very happy with my S3 backend. TFE is out of the box and you pay for it. S3 backend is ‘free’ once you get your head around it.
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
@Erik Osterman (Cloud Posse) perhaps for the first hangout I could demo how to set up one of my aws accounts to work with geodesic, aws vault, and s3 backend
![antonbabenko avatar](https://secure.gravatar.com/avatar/fc9fce3c16a287d672ec5433430f11ca.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
I think @johncblandii meant Terraform Saas which is expected to be affordable for many once it is public. If so, my question is more like this:
- Will I be able to run Terragrunt there (as a custom docker image with all other deps)?
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
@Andriy Knysh (Cloud Posse) could you just double check I’m doing this right please?
ROOT account: Has acme.co.uk public zone Has NS record for sandbox.acme.co.uk pointing to the NS addresses that come default with the sandbox.acme.co.uk r53 zone I created in my sandbox account
Sandbox account: Has sandbox.acme.co.uk private zone without default NS records Has test.sandbox.acme.co.uk A record to 127.0.0.1
Expected result:
host [test.sandbox.acme.co.uk](http://test.sandbox.acme.co.uk)
127.0.0.1
Actual result:
Host test.sandbox.acme.co.uk not found: 2(SERVFAIL)
![mmuehlberger avatar](https://secure.gravatar.com/avatar/752c7a387bef6cb7254e3ff34b276d10.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
You need a public zone for sandbox.acme.co.uk.
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Ty
![mmuehlberger avatar](https://secure.gravatar.com/avatar/752c7a387bef6cb7254e3ff34b276d10.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
Private zones only work within the VPC.
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Man that’s so cool. So much easier. What a great piece of knowledge right there
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
I wonder if I can go a step further
![mmuehlberger avatar](https://secure.gravatar.com/avatar/752c7a387bef6cb7254e3ff34b276d10.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
If you want to see how that works you can use dig
to see the delegations happening: dig ns [sandbox.acme.co.uk](http://sandbox.acme.co.uk) +trace +nodnssec
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
ROOT: acme.co.uk Public
Sandbox: sandbox.acme.co.uk Public NS to sandbox.acme.net
Sandbox: sandbox.acme.net Private
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
I don’t like the idea of my internal infra being on a public zone
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Got a few solutions up my sleeve that I’m going to test out.
![mmuehlberger avatar](https://secure.gravatar.com/avatar/752c7a387bef6cb7254e3ff34b276d10.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
As far as I know you can’t scan DNS records easilly
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Oh really? A long time ago someone told me “don’t put internal infra on public DNS, it just makes it easier for intruders to map out your kit”
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
kinda just stuck as it sounded reasonable
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
We have that split dns setup in Route53. I wouldn’t do it again, starting over
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Did it for that same reason, originally
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
So, not worth it?
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Not with the same zone name, for sure
![mmuehlberger avatar](https://secure.gravatar.com/avatar/752c7a387bef6cb7254e3ff34b276d10.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
A quick article I just found on this topic is https://hackertarget.com/find-dns-host-records/. The only way to get the records is doing a DNS Zone Transfer, which doesn’t work from the public.
Online tool to enumerate subdomains of a domain. Find host records for a domain during the discovery phase of a security assessment or penetration test.
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Use a totally different zone name in the private zone, and that’s generally ok
![mmuehlberger avatar](https://secure.gravatar.com/avatar/752c7a387bef6cb7254e3ff34b276d10.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
If you have a private zone, I’d use something like .local
or .acme
as the root zone.
![mmuehlberger avatar](https://secure.gravatar.com/avatar/752c7a387bef6cb7254e3ff34b276d10.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
The problem is, if you are working from outside (like you do with a multi-account AWS setup), you will run into more problems than not, if stuff doesn’t work.
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Also, we run into problems we with multi account setups, where the accounts cannot resolve each other’s records from the private zones. There are ways of doing it, but it’s kludgey. So if you have internal services that should be resolvable across accounts, private zones end up being painful. This basic NS delegation that works with public zones does not work at all with private zones
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
My goal was:
VPC peer a VPC with Jenkins + VPN to all sub accounts. Continue having acme.co.uk on our ROOT account where all our infra currently is. Have a sub-account for each stage. Have all apps go through a loadbalancer that terminates SSL on acme.co.uk (we own this + have SSL). Have all internal infra on acme.net (we don’t own this and no need for ssl as terminates on ELBs)
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
should be resolvable across accounts
Yep jenkins would need this big time
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
I’m hoping the new route53 resolvers will get me out of this mess
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
I didn’t really understand what this was showing to me. When I searched my public acme.co.uk only two results came up and both had public IPs
A quick article I just found on this topic is https://hackertarget.com/find-dns-host-records/. The only way to get the records is doing a DNS Zone Transfer, which doesn’t work from the public.
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
What does this tell me?
![mmuehlberger avatar](https://secure.gravatar.com/avatar/752c7a387bef6cb7254e3ff34b276d10.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
This was about finding DNS records out of the blue.
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
But what does it tell me about my current setup that only two of our many public A records in our public acme.co.uk zone appear?
![mmuehlberger avatar](https://secure.gravatar.com/avatar/752c7a387bef6cb7254e3ff34b276d10.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
Nothing, I was just backing up my claim.
oscarsullivan [1:00 PM]
Oh really? A long time ago someone told me “don’t put internal infra on public DNS, it just makes it easier for intruders to map out your kit”
![mmuehlberger avatar](https://secure.gravatar.com/avatar/752c7a387bef6cb7254e3ff34b276d10.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
Ah, now I understand what you mean. You should only receive all the records that are for acme.co.uk (and not any subdomain).
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
That site is doing more than just attempting a zone transfer (which doesn’t work with route53). They’re also scraping for site info and guessing common names
![mmuehlberger avatar](https://secure.gravatar.com/avatar/752c7a387bef6cb7254e3ff34b276d10.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
Yes, it was more about the text, than the tool itself.
![xluffy avatar](https://secure.gravatar.com/avatar/f3405055ad5ad1d4933752b143807a49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
Hey, I checked some modules about VPC (on GitHub). But nobody implements a Network ACL on AWS. What are the reasons why don’t do that?
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
They are very hard to manage, as they do not track connections, so you need rules to handle both outbound and any valid returning traffic
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
The only real valid use case I’ve seen is to throw on deny nacls for known bad actors ¯_(ツ)_/¯
![mmuehlberger avatar](https://secure.gravatar.com/avatar/752c7a387bef6cb7254e3ff34b276d10.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
That, and if you have a very tiered network, where you want to prevent miss use.
![xluffy avatar](https://secure.gravatar.com/avatar/f3405055ad5ad1d4933752b143807a49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
yeah, I see. So hard to manage + hard for debugging. But you must trade off between security vs convenience.
Some infrastructures (payment system, banking system) need security more.
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
well, yes, but with nacls basically requiring allowing all ports for return traffic, or at least all epehmeral ports, they feel far more like checkbox security or security theatre than actual security
![antonbabenko avatar](https://secure.gravatar.com/avatar/fc9fce3c16a287d672ec5433430f11ca.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
https://github.com/terraform-aws-modules/terraform-aws-vpc/pull/174 - there will be support for NACL very soon (I will review and merge this during a couple of days).
Network ACLs provide a layer of security to VPCs with stateless rules for inbound and outbound network connections. This PR adds support for configuring network ACLs for public, private, and intra …
2019-03-17
![Valter Henrique avatar](https://secure.gravatar.com/avatar/1b17b26a3a7c63cf652602f1d6e2f9e1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
Hey guys, I’m trying to create a domain zone on AWS Route53 and create a certificate that will be used in an ALB later. However, I need to validate the record first. I’m trying the validation_method="DNS"
but is taking ages and nothing happens. My impression is that I need to create the domain, create the ALB, assign a record to the ALB and then try to validate the record. Is that right?
By the way, I’m talking about this: https://www.terraform.io/docs/providers/aws/r/acm_certificate_validation.html
Waits for and checks successful validation of an ACM certificate.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Hi @Valter Henrique so the dns zone you are requesting the certificate for should be accessible von the internet, meaning if the registrar is not Route53, then you need to create the zone in Route53, get the name servers and update the NS records in the registrar
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
In other words, if AWS can’t access your dns records, the validation will take forever and never finish
![Valter Henrique avatar](https://secure.gravatar.com/avatar/1b17b26a3a7c63cf652602f1d6e2f9e1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
Right, thank you very much for that @Andriy Knysh (Cloud Posse)!
![Valter Henrique avatar](https://secure.gravatar.com/avatar/1b17b26a3a7c63cf652602f1d6e2f9e1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
I was almost bashing my head against my keyboard hehehe
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Yea, we were bitten by that ad well. Certificate Manager adds the validation record to your zone, and you think if it can write it, it should be able to read it as well :)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
But no, it tries to read using public internet, not the internal network
![Valter Henrique avatar](https://secure.gravatar.com/avatar/1b17b26a3a7c63cf652602f1d6e2f9e1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
Indeed
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
But of course, the purpose of that is to validate that you own the domain. Only if you bought the domain, you could update its name servers. Otherwise I could create a DNS zone for your domain and request a cert for it
2019-03-18
![mmuehlberger avatar](https://secure.gravatar.com/avatar/752c7a387bef6cb7254e3ff34b276d10.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
I was looking at the ecs
modules and I’m trying to figure out, how it’s supposed to work with atlantis. The terraform-aws-ecs-atlantis
module uses the default-backend
for both service tasks (404 and atlantis), but shouldn’t it use the container image from ECR for the atlantis instance? (I hope this is the right place).
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@mmuehlberger sounds about right. You might notice that we hardcore the image to the default backend. That is by design.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
The image should always be updated using codebuild/codepipeline, so if you see the 404 then you know it didn’t work :-)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Example Terraform service catalog of “root module” invocations for provisioning reference architectures - cloudposse/terraform-root-modules
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
This is our example implementation
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Example Terraform Reference Architecture for Geodesic Module Parent (“Root” or “Identity”) Organization in AWS. - cloudposse/root.cloudposse.co
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
That’s the build spec we use
![mmuehlberger avatar](https://secure.gravatar.com/avatar/752c7a387bef6cb7254e3ff34b276d10.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
God, I’m an idiot (was a long day already). Of course it get’s updated in the CodePipeline.
![mmuehlberger avatar](https://secure.gravatar.com/avatar/752c7a387bef6cb7254e3ff34b276d10.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
Because I used a private helmfiles image, the CodeBuild project failed, and it didn’t update yet. Duh.
![mmuehlberger avatar](https://secure.gravatar.com/avatar/752c7a387bef6cb7254e3ff34b276d10.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
The problem is completely on my end. Sometimes I get lost in the dependency chain of Terraform modules.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Ok! Let me know it goes…
![mmuehlberger avatar](https://secure.gravatar.com/avatar/752c7a387bef6cb7254e3ff34b276d10.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
It deploys fine now, as it should be (thank you for the pointers). Adding encrypted secrets to the buildspec is kind of a hastle though, because the user is burried deep in modules. Also there is issues with the healthcheck and atlantis shutting down. I need to investigate further tomorrow.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
we use chamber
to write all secrets to ssm
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@mmuehlberger are you using atlantis
with #geodesic?
![mmuehlberger avatar](https://secure.gravatar.com/avatar/752c7a387bef6cb7254e3ff34b276d10.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
Yes, I’m using geodesic in a slightly more modern form than reference-architectures (like testing). It can read the parameters from SSM just fine, the role just doesn’t have permission to decrypt them.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Cool!
2019-03-19
![niek avatar](https://secure.gravatar.com/avatar/055049cebc56061309609f48090615fe.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Does anyone knows if it is possible to construct from a map a string.
For example
{
"key1" = "val1"
"key2" = "val2"
}
To: "key1, val1, key2, val2"
Currently having a tf module wich accepts as input a map for tagging in AWS. But there is on one place I need to pass the tags as a list. I prefer to keep my work backwards compatible.
![niek avatar](https://secure.gravatar.com/avatar/055049cebc56061309609f48090615fe.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Solved
replace(jsonencode(map("key1", "val1", "key2", "val2")), "/[\\{\\}\"\\s]/", "")
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Error: module.jenkins.module.cicd.data.aws_region.default: "current": [REMOVED] Defaults to current provider region if no other filtering is enabled
Error: module.jenkins.module.cicd.module.build.data.aws_region.default: "current": [REMOVED] Defaults to current provider region if no other filtering is enabled
Error: module.jenkins.module.efs_backup.data.aws_region.default: "current": [REMOVED] Defaults to current provider region if no other filtering is enabled
Error: module.jenkins.module.elastic_beanstalk_environment.data.aws_region.default: "current": [REMOVED] Defaults to current provider region if no other filtering is enabled
⧉ sandbox
✓ (sandbox-iac) jenkins ⨠ terraform -v
Terraform v0.11.11
+ provider.aws v2.2.0
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Anyone familiar with this?
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Looks like the aws_region is not passed through the module itself to the submodules..
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Hmm having looked at the jenkins modules and the erroring sub modules it does pass aws_region down
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Terraform AWS Provider Version 2 Upgrade Guide
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Simply remove current = true from your Terraform configuration. The data source defaults to the current provider region if no other filtering is enabled.
:thinking_face:
Thanks for the link though I don’t understand to which file it refers nor do I recognise the current = true
flag
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Ah got it
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
ah man
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Terraform Module for CI/CD with AWS Code Pipeline and Code Build - cloudposse/terraform-aws-cicd
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
its everywhere
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
I’m going to have to use so many forks until this is merged in lol
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
the argument has been deprecated for a while, just printing warnings instead error and exit non-zero
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
removing it is backwards compatible for a reasonable number of versions
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
PRs made for it
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
any idea how to change to my branch:
source = "git::<https://github.com/osulli/terraform-aws-cicd.git?ref=heads/osulli:patch-1>"
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
instead of tags
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
I’ve tried heads
![mmuehlberger avatar](https://secure.gravatar.com/avatar/752c7a387bef6cb7254e3ff34b276d10.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
Just use the branch as a ref. ref=master
for instance
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
ty
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
fab that works
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Gone ahead and put it in here: https://github.com/cloudposse/terraform-aws-jenkins/pull/39
… And use my forks until PRs merged for AWS v2 support What Updates sub-module versions to latest releases Uses my forks until the PRs are merged for the sub-modules Why Use latest versions S…
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
That’s weird.. Still getting …
Error: module.jenkins.module.cicd.data.aws_region.default: "current": [REMOVED] Defaults to current provider region if no other filtering is enabled
even though..
oscar@infinitum:~/code/terraform-aws-efs-backup$ git checkout patch-1
Branch 'patch-1' set up to track remote branch 'patch-1' from 'origin'.
Switched to a new branch 'patch-1'
oscar@infinitum:~/code/terraform-aws-efs-backup$ grep -iR "current" ./*
./docs/terraform.md:| noncurrent_version_expiration_days | S3 object versions expiration period (days) | string | `35` | no |
./README.md: noncurrent_version_expiration_days = "${var.noncurrent_version_expiration_days}"
./README.md:> NOTE on Security Groups and Security Group Rules: Terraform currently provides both a standalone Security Group Rule resource
./README.md:| noncurrent_version_expiration_days | S3 object versions expiration period (days) | string | `35` | no |
./README.yaml: noncurrent_version_expiration_days = "${var.noncurrent_version_expiration_days}"
./README.yaml: > NOTE on Security Groups and Security Group Rules: Terraform currently provides both a standalone Security Group Rule resource
./s3.tf: noncurrent_version_expiration {
./s3.tf: days = "${var.noncurrent_version_expiration_days}"
./variables.tf:variable "noncurrent_version_expiration_days" {
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Next…
* module.jenkins.module.efs_backup.output.sns_topic_arn: Resource 'aws_cloudformation_stack.sns' does not have attribute 'outputs.TopicArn' for variable 'aws_cloudformation_stack.sns.outputs.TopicArn'
Has anyone used the Jenkins module lately?
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Hi, I'm trying to create EFS backups using this module but I keep running into the following error: * module.efs_backup.output.sns_topic_arn: Resource 'aws_cloudformation_stack.sns' doe…
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Ok it was looking for sns.TopicArn
instead of sns.arn
https://www.terraform.io/docs/providers/aws/r/sns_topic.html#arn
Provides an SNS topic resource.
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
arn not valid either. Just going to remove the output.. Hopefully the output isn’t referenced elsewhere? Not sure you can reference an output anyway. That’s just visual.
![mmuehlberger avatar](https://secure.gravatar.com/avatar/752c7a387bef6cb7254e3ff34b276d10.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
Well, you can when looking up a remote terraform state.
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
No but it’s not like in another module ${output.x.x}
is a thing
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
So it should be safe to remove this one output that breaks the whole project
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Weird you can’t GET zone_id
for r53 zone?
https://www.terraform.io/docs/providers/aws/d/route53_zone.html#zone_id
Provides details about a specific Route 53 Hosted Zone
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Damn, received this a bunch of times.
module.jenkins.module.efs.aws_efs_mount_target.default[1]: Creation complete after 2m44s (ID: fsmt-xxx)
Error: Error applying plan:
1 error(s) occurred:
* module.jenkins.module.efs.aws_efs_mount_target.default[0]: 1 error(s) occurred:
* aws_efs_mount_target.default.0: MountTargetConflict: mount target already exists in this AZ
status code: 409, request id: 0df8f8c2-xxx-xxx-xxx-55a525bfd810
Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
changed the versions of CP/efs but no luck. It seems to be duplicated to create it twice???
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Yet doesn’t appear to be created twice:
oscar@infinitum:/devops/terraform/providers/aws/jenkins/.terraform/modules$ grep -ir "aws_efs_mount_target" ./*
./08d41c3e3037162fadbb4393ce396759/outputs.tf: value = ["${aws_efs_mount_target.default.*.id}"]
./08d41c3e3037162fadbb4393ce396759/outputs.tf: value = ["${aws_efs_mount_target.default.*.ip_address}"]
./08d41c3e3037162fadbb4393ce396759/main.tf:resource "aws_efs_mount_target" "default" {
./808f0aa181de2ea4cc344b3503eff684/efs.tf:data "aws_efs_mount_target" "default" {
./808f0aa181de2ea4cc344b3503eff684/cloudformation.tf: myEFSHost = "${var.use_ip_address == "true" ? data.aws_efs_mount_target.default.ip_address : format("%s.efs.%s.amazonaws.com", data.aws_efs_mount_target.default.file_system_id, (signum(length(var.region)) == 1 ? var.region : data.aws_region.default.name))}"
./808f0aa181de2ea4cc344b3503eff684/security_group.tf: security_group_id = "${data.aws_efs_mount_target.default.security_groups[0]}"
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
only one resource for it in the whole of the jenkins project and its modules
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
wants to create it a second time despite it already existing
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Found the cause:
terraform-aws-efs
Inside [main.tf](http://main.tf)
resource "aws_efs_mount_target" "default" {
count = "${length(var.availability_zones)}"
file_system_id = "${aws_efs_file_system.default.id}"
subnet_id = "${element(var.subnets, count.index)}"
security_groups = ["${aws_security_group.default.id}"]
}
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
The length was what was causing multiple to be created……. so I just only used one availability zone and no longer receiving that dupe error,
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Onto the next error
Error: Error refreshing state: 1 error(s) occurred:
* module.jenkins.module.efs_backup.output.datapipeline_ids: At column 48, line 1: map "aws_cloudformation_stack.datapipeline.outputs" does not have any elements so cannot determine type. in:
${aws_cloudformation_stack.datapipeline.outputs["DataPipelineId"]}
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Oh. Cool. I can’t terraform destroy
either
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
^ Commented out the output..
And now….
* aws_elastic_beanstalk_environment.default: InvalidParameterValue: No Solution Stack named '64bit Amazon Linux 2017.09 v2.8.4 running Docker 17.09.1-ce' found.
status code: 400, request id: d7bc0ae2-2278-4bbd-9540-bda532e9cd71
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Feel like I’m getting closer
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
You know what.. I’m going to try the live version and either: 1) Define the AWS provider version 2) Use it how it is + grep for the deprecated argument and just manually remove it
![rbadillo avatar](https://avatars.slack-edge.com/2020-02-24/955300874531_b0a820ed3b33153c08ca_72.jpg)
Guys, is there a way to do a split and get the last element of the list ?
![rbadillo avatar](https://avatars.slack-edge.com/2020-02-24/955300874531_b0a820ed3b33153c08ca_72.jpg)
or do I need to know the size of the list ?
![xluffy avatar](https://secure.gravatar.com/avatar/f3405055ad5ad1d4933752b143807a49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
${lenght(var.your_list)}
![rbadillo avatar](https://avatars.slack-edge.com/2020-02-24/955300874531_b0a820ed3b33153c08ca_72.jpg)
I did it like that, thanks
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
try [-1] for the index
![rbadillo avatar](https://avatars.slack-edge.com/2020-02-24/955300874531_b0a820ed3b33153c08ca_72.jpg)
-1 doesn’t work
![rbadillo avatar](https://avatars.slack-edge.com/2020-02-24/955300874531_b0a820ed3b33153c08ca_72.jpg)
I ended up using length function
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Embedded within strings in Terraform, whether you’re using the Terraform syntax or JSON syntax, you can interpolate other values into strings. These interpolations are wrapped in ${}
, such as ${var.foo}
.
![xluffy avatar](https://secure.gravatar.com/avatar/f3405055ad5ad1d4933752b143807a49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
For getting last element in a list, I think can use like that
variable "public_subnet" {
default = ["10.20.99.0/24" , "10.20.111.0/24", "10.20.222.0/24"]
}
output "last_element" {
value = "${element(var.public_subnet, length(var.public_subnet) - 1 )}"
}
![xluffy avatar](https://secure.gravatar.com/avatar/f3405055ad5ad1d4933752b143807a49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
will return to last_element = 10.20.222.0/24
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@oscarsullivan_old https://github.com/cloudposse/terraform-aws-jenkins was tested by us about a year ago (was deployed many times at the time), so prob a lot of things changed since then
Terraform module to build Docker image with Jenkins, save it to an ECR repo, and deploy to Elastic Beanstalk running Docker stack - cloudposse/terraform-aws-jenkins
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
I’ve realised @Andriy Knysh (Cloud Posse) trying so hard to use it lmao
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
I can’t believe no one else (?) has used it recently though.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
i think some people used it
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
just need to find them
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
We have not personally used it for some time
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
It’s worrying that there are issues in it that actually prevent me from running terraform destroy
?!
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
#codefresh FTW
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Astonished that’s possible
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
I don’t have everything in containers yet
![Mohamed Lrhazi avatar](https://secure.gravatar.com/avatar/7384a1c4daf0837c96dc192d26f2af06.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0007-72.png)
Hello! is this the place to ask for help about https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn ?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
yes
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
hi @Mohamed Lrhazi
![Mohamed Lrhazi avatar](https://secure.gravatar.com/avatar/7384a1c4daf0837c96dc192d26f2af06.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0007-72.png)
Geat! Here I go… am testing for the first time with this:
» cat main.tf
module “cdn” {
source = “git://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn.git?ref=master>”
namespace = “ts-web”
stage = “prod”
name = “test”
aliases = []
parent_zone_name = “catholic.edu”
acm_certificate_arn = “arnacm947556264854:certificate/e9b7a021-ef1a-49f7-8f2c-5a8e13c89dd2”
use_regional_s3_endpoint = “true”
origin_force_destroy = “true”
cors_allowed_headers = [“”]
cors_allowed_methods = [“GET”, “HEAD”, “PUT”]
cors_allowed_origins = [“”]
cors_expose_headers = [“ETag”]
}
resource “aws_s3_bucket_object” “index” { bucket = “${module.cdn.s3_bucket}” key = “index.html” source = “${path.module}/index.html” content_type = “text/html” etag = “${md5(file(“${path.module}/index.html”))}” }
It seems to work fine.. but then when I visit the cdn site, I get:
» curl -i https://d18shdqwx0ry07.cloudfront.net HTTP/1.1 502 Bad Gateway Content-Type: text/html Content-Length: 507 Connection: keep-alive Server: CloudFront Date: Tue, 19 Mar 2019 1545 GMT Expires: Tue, 19 Mar 2019 1545 GMT X-Cache: Error from cloudfront Via: 1.1 e6aa91f0ba1f6ad473a8fc451c95d017.cloudfront.net (CloudFront) X-Amz-Cf-Id: P5kPEIr2kxXdfOBYgE2iiHiOUBOUh2bGSM8ZU9xI_w8zjcxT6PLCnw== … <H2>Failed to contact the origin.</H2>
Terraform module to easily provision CloudFront CDN backed by an S3 origin - cloudposse/terraform-aws-cloudfront-s3-cdn
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@oscarsullivan_old what we noticed before, if deployment fails for any reasons, you need to manaully destroy those data pipelines
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
TF does not detroy them (uses CloudFormation)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
and also, all of that should be updated to use https://aws.amazon.com/backup/
AWS Backup is a fully managed backup service that makes it easy to centralize and automate the back up of data across AWS services in the cloud as well as on-premises using the AWS Storage Gateway.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Honestly, looking at the architecture for deploying a single, non HA Jenkins on beanstalk is enough for me to say I just don’t think it’s worth running jenkins. Plus, to get HA with Jenkins you have to go enterprise. At that point might as well look at other options.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
instead of the efs-backup
module which was a hack
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
lmao data pipelines aren’t even available in London
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
I wonder where they were created
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I forgot the command but terraform has something you can run that will output the state
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
show
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
let me try that
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Checked all the data centers and not there lawwwwwwd
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
and cloud-nuke won’t solve this either
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Ya @Andriy Knysh (Cloud Posse) is correct that pipelines should now be replaced with the backups service
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
execute me now pls
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
How long did you wait @Mohamed Lrhazi ?
![Mohamed Lrhazi avatar](https://secure.gravatar.com/avatar/7384a1c4daf0837c96dc192d26f2af06.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0007-72.png)
Any idea what I am missing?
![Mohamed Lrhazi avatar](https://secure.gravatar.com/avatar/7384a1c4daf0837c96dc192d26f2af06.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0007-72.png)
oh.. maybe 10 mins ?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
It takes sometimes up to 30 minutes to create a distribution
![Mohamed Lrhazi avatar](https://secure.gravatar.com/avatar/7384a1c4daf0837c96dc192d26f2af06.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0007-72.png)
h.. but it says DEPLOYED as status…
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Hrm
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
10 m is faster than I have seen. Not sure what is wrong based on your example.
![Mohamed Lrhazi avatar](https://secure.gravatar.com/avatar/7384a1c4daf0837c96dc192d26f2af06.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0007-72.png)
and I think its actually been more than 30mins
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
You can go into the webconsole and poke around
![Mohamed Lrhazi avatar](https://secure.gravatar.com/avatar/7384a1c4daf0837c96dc192d26f2af06.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0007-72.png)
still giving same error…
![Mohamed Lrhazi avatar](https://secure.gravatar.com/avatar/7384a1c4daf0837c96dc192d26f2af06.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0007-72.png)
yes, I looked at the s3 bucket and looks like it did assign the right perms, from what I can guess
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Did you use a custom SSL cert?
![Mohamed Lrhazi avatar](https://secure.gravatar.com/avatar/7384a1c4daf0837c96dc192d26f2af06.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0007-72.png)
Nope!
![Mohamed Lrhazi avatar](https://secure.gravatar.com/avatar/7384a1c4daf0837c96dc192d26f2af06.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0007-72.png)
could that be it? docs dont says thats required!
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
If yes, the cloudfront provided one will not work
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
In your code I see the cert ARN provided
![Mohamed Lrhazi avatar](https://secure.gravatar.com/avatar/7384a1c4daf0837c96dc192d26f2af06.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0007-72.png)
Oh sorry you’re right!!! I did add that
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Also the S3 bucket is not a website
![Mohamed Lrhazi avatar](https://secure.gravatar.com/avatar/7384a1c4daf0837c96dc192d26f2af06.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0007-72.png)
oh.. the module does not do that for me?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
You have to access any file by adding its name after the URL
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
There is another module for that
![Mohamed Lrhazi avatar](https://secure.gravatar.com/avatar/7384a1c4daf0837c96dc192d26f2af06.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0007-72.png)
ok. let me poke around and see if I can make it work… one last question.. is the module supposed to also create route53 records needed?
![Mohamed Lrhazi avatar](https://secure.gravatar.com/avatar/7384a1c4daf0837c96dc192d26f2af06.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0007-72.png)
cause it does not seem like it did in my simple test case.
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
I just want this jenkins module off of my account now.. Any idea how to get past this:
* module.jenkins.module.efs.module.dns.output.hostname: variable "default" is nil, but no error was reported
* module.jenkins.module.elastic_beanstalk_environment.module.tld.output.hostname: variable "default" is nil, but no error was reported
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Have tried commenting that output out and also removing all outputs.tf files
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Just need to be able to run terraform destroy
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@Mohamed Lrhazi 1 sec
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
been in a half hour loop trying to purge it but always end up at the same spot
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@oscarsullivan_old did you find the pipelines in the AWS console? you need to manually delete them
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
They don’t exist
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
I looked through all the data centers
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
I’m set to eu-west-2
(london) and that’s not even an available data center!
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
what do you see in CloudFormation? Delete those stacks manually
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
0 stacks
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Also checked the US DCs in case it defaulted to CP’s DC
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
when you run terraform destroy
, what’s the error?
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
⧉ sandbox
✓ (healthera-sandbox-admin) jenkins ⨠ terraform destroy
data.aws_availability_zones.available: Refreshing state...
data.aws_region.default: Refreshing state...
data.aws_iam_policy_document.assume_role: Refreshing state...
data.aws_iam_policy_document.ec2: Refreshing state...
data.aws_region.default: Refreshing state...
data.aws_route53_zone.he_uk: Refreshing state...
data.aws_elb_service_account.main: Refreshing state...
data.aws_iam_policy_document.role: Refreshing state...
data.aws_ami.amazon_linux: Refreshing state...
data.aws_ami.base_ami: Refreshing state...
data.aws_vpcs.account_vpc: Refreshing state...
data.aws_caller_identity.default: Refreshing state...
data.aws_iam_policy_document.permissions: Refreshing state...
data.aws_region.default: Refreshing state...
data.aws_iam_policy_document.resource_role: Refreshing state...
data.aws_iam_policy_document.service: Refreshing state...
data.aws_iam_policy_document.assume: Refreshing state...
data.aws_region.default: Refreshing state...
data.aws_caller_identity.default: Refreshing state...
data.aws_iam_policy_document.slaves: Refreshing state...
data.aws_iam_policy_document.role: Refreshing state...
data.aws_iam_policy_document.default: Refreshing state...
data.aws_acm_certificate.he_uk_ssl: Refreshing state...
data.aws_iam_policy_document.default: Refreshing state...
data.aws_subnet_ids.private_subnet: Refreshing state...
data.aws_subnet_ids.public_subnet: Refreshing state...
data.aws_vpc.default: Refreshing state...
data.aws_subnet_ids.default: Refreshing state...
Error: Error applying plan:
2 error(s) occurred:
* module.jenkins.module.efs.module.dns.output.hostname: variable "default" is nil, but no error was reported
* module.jenkins.module.elastic_beanstalk_environment.module.tld.output.hostname: variable "default" is nil, but no error was reported
Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
hmm, never seen those
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Have tried commenting out those ouputs, have tried removing all outputs.tf files, have attried re-applying then destroying etc
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
I get something like this erry tim I use a CP module
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
but this is a complex one and hard to cleanup manually
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
i guess just go to Route53 and delete those records
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
(and fix the variables and outputs so it does not complain)
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
There aren’t any R53 records
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
oh god
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
i hope you did that in a test account that you could nuke somehow
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Yeh but unsure nuke will work on this
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
if we’re taling cloud-nuke
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
had a read through the resources it can od
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
i mean anything to destroy it, not exactly using the nuke module
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
jeeeeez
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Deprecate that god damn repo, please. This has been really unpleasant
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Let’s tone it down a notch. We’re all volunteering support here. https://gist.github.com/richhickey/1563cddea1002958f96e7ba9519972d9
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Outside your door stands a line of a few hundred people. They are patiently waiting for you to answer their questions, complaints, pull requests, and feature requests. You want to help all of them, but for now you’re putting it off. Maybe you had a hard day at work, or you’re tired, or you’re just trying to enjoy a weekend with your family and friends. But if you go to , there’s a constant reminder of how many people are waiting:
When you manage to find some spare time, you open the door to the first person. They’re well-meaning enough; they tried to use your project but ran into some confusion over the API. They’ve pasted their code into a GitHub comment, but they forgot or didn’t know how to format it, so their code is a big unreadable mess. Helpfully, you edit their comment to add a code block, so that it’s nicely formatted. But it’s still a lot of code to read. Also, their description of the problem is a bit hard to understand. Maybe this person doesn’t speak English as a first language, or maybe they have a disability that makes it difficult for them to communicate via writing. You’re not sure. Either way, you struggle to understand the paragraphs of text they’ve posted. Wearily, you glance at the hundreds of other folks waiting in line behind them. You could spend a half-hour trying to understand this person’s code, or you could just skim through it and offer some links to tutorials and documentation, on the off-chance that it will help solve their problem. You also cheerfully suggest that they try Stack Overflow or the Slack channel instead. The next person in line has a frown on their face. They spew out complaints about how your project wasted 2 hours of their life because a certain API didn’t work as advertised. Their vitriol gives you a bad feeling in the pit of your stomach. You don’t waste a lot of time on this person. You simply say, “This is an open-source project, and it’s maintained by volunteers. If there’s a bug in the code, please submit a reproducible test case or a PR.” The next person has run into a very common error, with an easy workaround. You know you’ve seen this error a few times before, but can’t quite recall where the solution was posted. Stack Overflow? The wiki? The mailing list? After a few minutes of Googling, you paste a link and close the issue. The next person is a regular contributor. You recognize their name from various community forums and sibling projects. They’ve run into a very esoteric issue and have proposed a pull request to fix it. Unfortunately the issue is complicated, and so their PR contains many paragraphs of prose explaining it. Again, your eye darts to the hundreds of people still waiting in line. You know that this person put a lot of work into their solution, and it’s probably a reasonable one. The Travis tests passed, and so you’re tempted to just say “LGTM” and merge the pull request. However, you’ve been burned by that before. In the past, you’ve merged a PR without fully evaluating it, and in the end it led to new headaches because of problems you failed to foresee. Maybe the tests passed, but the performance degraded by a factor of ten. Or maybe it introduced a memory leak. Or maybe the PR made the project too confusing for new users, because it excessively complicated the API surface. If you merge this PR now, you might wind up with even more issues tomorrow, because you broke someone else’s workflow by solving this one person’s (very edge-casey) problem. So you put it on the back burner. You’ll get to it later when you have more time. The next person in line has found a new bug, but you know that it’s actually a bug in a sibling project. They’re saying that this is blocking them from shipping their app. You know it’s a big problem, but it’s one of many, and so you don’t have time to fix it right now. You respond that this looks like a genuine issue, but it’s more appropriate to open in another repo. So you close their issue and copy it into the other repo, then add a comment suggesting where they might look in the code to start fixing it. You doubt they’ll actually do so, though. Very few do. The next person just says “What’s the status on this?” You’re not sure what they’re talking about, so you look at the context. They’ve commented on a lengthy GitHub thread about a long-standing bug in the project. Many people disagreed on the proper solution to the problem, so it generated a lot of discussion. There are more than 20 comments on this particular issue, and it would take you a long time to read through them all to jog your memory. So you merely respond, “Sorry, this issue has been open for a while, but nobody has tackled it yet. We’re still trying to understand the scope of the problem; a pull request could be a good start!” The next person is just a GreenKeeper bot. These are easy. Except that this particular repo has fairly flaky tests, and the tests failed for what looks like a spurious reason, so you have to restart them to pass. You restart the tests and try to remind yourself to look into it later after Travis has had a chance to run. The next person has opened a pull request, but it’s on a repo that’s fairly active, and so another maintainer is already providing feedback. You glance through the thread; you trust the other maintainer to handle this one. So you mark it as read and move on. The next person has run into what appears to be a bug, and it’s not one you’ve ever seen before. But unfortunately they’ve provided scant details on how the problem actually occurred. What browser was it? What version of Node? What version of the project? What code did they use to reproduce it? You ask them for clarification and close the tab. The constant stream After a while, you’ve gone through ten or twenty people like this. There are still more than a hundred waiting in line. But by now you’re feeling exhausted; each person has either had a complaint, a question, or a request for enhancement. In a sense, these GitHub notifications are a constant stream of negativity about your projects. Nobody opens an issue or a pull request when they’re satisfied with your work. They only do so when they’ve found something lacking. Even if you only spend a little bit of time reading through these notifications, it can be mentally and emotionally exhausting. Your partner has observed that you’re always grumpy after going through this ritual. Maybe you found yourself snapping at her for no reason, just because you were put in a sour mood. “If doing open source makes you so angry, why do you even do it?” she asks. You don’t have a good answer. You could take a break; in fact you’ve probably earned it by now. In the past, you’ve even taken vacations of a week or two from GitHub, just for your own mental health. But you know that that’s exactly how you ended up in this situation, with hundreds of people patiently waiting. If you had just kept on top of your GitHub notifications, you’d probably have a more manageable 20-30 to deal with per day. Instead you let them pile up, so now there are hundreds. You feel guilty. In the past, for one reason or another, you’ve really let issues pile up. You might have seen an issue that was left unanswered for months. Usually, when you go back to address such an issue, the person who opened it never responds. Or they respond by saying, “I fixed my problem by abandoning your project and using another one instead.” That makes you feel bad, but you understand their frustration. You’ve learned from experience that the most pragmatic response to these stale issues is often just to say, &…
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
My apologies, it was very rude of me as I was frustrated at the time and unsuccessful at getting it to work even after opening several forks and PRs.
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
And thank you for calling me out on it
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
And thanks for that nolanlawson read
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
so I think part of the issue was that the pipelines are not supported in the region (and maybe other resources)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
but the error reporting is bad
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@Mohamed Lrhazi this module https://github.com/cloudposse/terraform-aws-s3-website does create an S3 website
Terraform Module for Creating S3 backed Websites and Route53 DNS - cloudposse/terraform-aws-s3-website
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
and then you use this https://github.com/cloudposse/terraform-aws-cloudfront-cdn to add CDN for it
Terraform Module that implements a CloudFront Distribution (CDN) for a custom origin. - cloudposse/terraform-aws-cloudfront-cdn
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
(this https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn creates a regular S3 bucket, not a website, and points a CloudFront distribution to it)
![Mohamed Lrhazi avatar](https://secure.gravatar.com/avatar/7384a1c4daf0837c96dc192d26f2af06.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0007-72.png)
OK. Thanks! I assumed this was a full working example: https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn/blob/master/example/main.tf
Terraform module to easily provision CloudFront CDN backed by an S3 origin - cloudposse/terraform-aws-cloudfront-s3-cdn
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
since it’s not a website, you have to access all the files by their names, e.g. https://d18shdqwx0ry07.cloudfront.net/index.html
![Mohamed Lrhazi avatar](https://secure.gravatar.com/avatar/7384a1c4daf0837c96dc192d26f2af06.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0007-72.png)
I tried that, still getting same “Failed to contact the origin.” error!
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
and since you provided your own SSL cert (I guess you created it already), you have to access the site by the DNS name (not CloudFront) : https://catholic.edu/index.html
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Well, according to my state file it is GONE…
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
![Mohamed Lrhazi avatar](https://secure.gravatar.com/avatar/7384a1c4daf0837c96dc192d26f2af06.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0007-72.png)
ok.. maybe that’s the key… thanks a lot!… I will see whats wrong with the DNS part…
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
to create a new Route53 one https://github.com/cloudposse/terraform-aws-route53-cluster-zone
Terraform module to easily define consistent cluster domains on Route53 (e.g. [prod.ourcompany.com](http://prod.ourcompany.com)
) - cloudposse/terraform-aws-route53-cluster-zone
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
to add a new hostname record to the zone https://github.com/cloudposse/terraform-aws-route53-cluster-hostname
Terraform module to define a consistent AWS Route53 hostname - cloudposse/terraform-aws-route53-cluster-hostname
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@Mohamed Lrhazi to create an S3 website (not just a regular S3 bucket) and then point a CloudFront CDN to it, we have this example https://github.com/cloudposse/terraform-root-modules/blob/master/aws/docs/main.tf
Example Terraform service catalog of “root module” invocations for provisioning reference architectures - cloudposse/terraform-root-modules
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
working because it’s how https://docs.cloudposse.com is deployed
![Mohamed Lrhazi avatar](https://secure.gravatar.com/avatar/7384a1c4daf0837c96dc192d26f2af06.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0007-72.png)
Cool! Thanks!. I will start from that example then. I was really hoping a found a module that would allow me to just say : my site is foo.dom.ain, my content is in content folder… go do it but this example does not look that bad.. just need to learn me a bit of terraform
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
such a module could be created by using these two
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
If do have a website already set up and you mean go do it
as in go host it
.. you could use a container?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
which the example above shows
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
one of the reasons that they have not been combined in one module is that you can use an S3 website without any CDN
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
point your DNS to the S3 website endpoint
![Mohamed Lrhazi avatar](https://secure.gravatar.com/avatar/7384a1c4daf0837c96dc192d26f2af06.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0007-72.png)
I think s3 website does not support ssl, so one needs cloudfront for that…
@oscarsullivan_old yes, I meant here is my static content, host it in s3+cloudfront… use my pre-created ssl cert, but do everything else for me. s3/perms/route53/cloudfront. all from one config file where I just say: fqdn, content path, and I guess ssl arn. but I think with all the examples you guys pointed out… am probably very close.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Just copy the example, it’s two modules to call instead of one
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
And the data source will lookup your pre-created SSL cert
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Or just provide the cert ARN and don’t use the lookup
![xluffy avatar](https://secure.gravatar.com/avatar/f3405055ad5ad1d4933752b143807a49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
@Andriy Knysh (Cloud Posse) I have a question this module
https://github.com/cloudposse/terraform-aws-vpc-peering/blob/master/variables.tf#L2
enabled
is boolean variable. I see you check this variable in main.tf like that count = "${var.enabled == "true" ? 1 : 0}"
Why not use enabled = true
and check with syntax count = "${var.enabled ? 1 : 0}"
. I think it is make sense.
Terraform module to create a peering connection between two VPCs in the same AWS account. - cloudposse/terraform-aws-vpc-peering
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
because TF recommends using strings instead of boolean values
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Input variables are parameters for Terraform modules. This page covers configuration syntax for variables.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Unexpected implementation semantics
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
the issue is that booleans are always converted to strings in TF
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
but that conversion is different (not consistent) in variables, tfvars files and on the command line
![xluffy avatar](https://secure.gravatar.com/avatar/f3405055ad5ad1d4933752b143807a49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
wow, thank you I see
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
@xluffy did you get the peering working? Just recently set this up myself. Let me know if any Qs
![xluffy avatar](https://secure.gravatar.com/avatar/f3405055ad5ad1d4933752b143807a49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
thank @oscarsullivan_old I’m just curious
2019-03-20
![Arvind avatar](https://secure.gravatar.com/avatar/b6ae9504db8c5ac0c1f7c8df200a68ba.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I have successfully inserted my AWS_ACCESS_KEY and AWS_SECRET_KEYS in Vault
MacBook-Pro-5$ vault read secret/infra_secrets
Key Value
--- -----
refresh_interval xxh
access_key xxxxx
secret_key xxxx
Now can anyone can suggest to me how should i use this keys in my main.tf(code piece) so i can provision the infra in aws.
![Arvind avatar](https://secure.gravatar.com/avatar/b6ae9504db8c5ac0c1f7c8df200a68ba.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
![Arvind avatar](https://secure.gravatar.com/avatar/b6ae9504db8c5ac0c1f7c8df200a68ba.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
By using Geodesic’s assume-role
function or by running aws-vault exec [profile] [cmd]
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
so
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
aws-vault exec sandbox terraform apply
![xluffy avatar](https://secure.gravatar.com/avatar/f3405055ad5ad1d4933752b143807a49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
hey, I have a module for creating 2 VPC + another module for creating a peering between 2 VPC. In peering module, I have a read-only for counting route table. But I can’t count if i don’t create VPC first. How to depend them?
Error: Error refreshing state: 2 error(s) occurred:
* module.peering.data.aws_route_table.acceptor: data.aws_route_table.acceptor: value of 'count' cannot be computed
* module.peering.data.aws_route_table.requestor: data.aws_route_table.requestor: value of 'count' cannot be computed
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Ultimate goal is to create VPCs and peer them? anything more complex?
![xluffy avatar](https://secure.gravatar.com/avatar/f3405055ad5ad1d4933752b143807a49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
yeah, just create 2 vpcs, after that, will create a peering between them
![xluffy avatar](https://secure.gravatar.com/avatar/f3405055ad5ad1d4933752b143807a49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
terraform doesn’t support depend on modules.
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Two different projects
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Those are the main tf files
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
So I run vpc.tf’s project inside of my geodesic module for each stage
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
and then I run vpc_peering in each sub-accounts module that isn’t mgmt or root
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
This is what I do to peer MGMT to all other sub accounts
![xluffy avatar](https://secure.gravatar.com/avatar/f3405055ad5ad1d4933752b143807a49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
yeah, will work. because u create VPC first (run vpc.tf).
But if u have a peering module + vpc module in a project. Peering module can’t query data in a VPC if VPC doesn’t create.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
think about creating projects (e.g. separate states) based on how they need to be applied
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
so if one resource depends on the outputs of another module like a vpc, it might make more sense to separate them out
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
rather than needing to rely on -target
parameters to surgically apply state
![xluffy avatar](https://secure.gravatar.com/avatar/f3405055ad5ad1d4933752b143807a49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
https://github.com/cloudposse/terraform-aws-vpc-peering/blob/master/main.tf#L38
data "aws_route_table" "requestor" {
count = "${var.enabled == "true" ? length(distinct(sort(data.aws_subnet_ids.requestor.ids))) : 0}"
subnet_id = "${element(distinct(sort(data.aws_subnet_ids.requestor.ids)), count.index)}"
}
Lookup route tables from a VPC. If this VPC doesn’t create. will fail
Terraform module to create a peering connection between two VPCs in the same AWS account. - cloudposse/terraform-aws-vpc-peering
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
But if u have a peering module + vpc module in a project. Peering module can’t query data in a VPC if VPC doesn’t create.
That’s why they’re separate..
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Different ‘goals’ usually get isolated in my work
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Plus what if I want to create a VPC that isn’t peered etc
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
![xluffy avatar](https://secure.gravatar.com/avatar/f3405055ad5ad1d4933752b143807a49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
I see
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
I also don’t use [main.tf](http://main.tf)
files.. I don’t like them
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
I like a file per resource type
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
![joshmyers avatar](https://avatars.slack-edge.com/2018-11-20/483958217281_8117d6f6c62807ce9912_72.jpg)
![joshmyers avatar](https://avatars.slack-edge.com/2018-11-20/483958217281_8117d6f6c62807ce9912_72.jpg)
¯_(ツ)_/¯
![joshmyers avatar](https://avatars.slack-edge.com/2018-11-20/483958217281_8117d6f6c62807ce9912_72.jpg)
That is quite a preference thing, not sure if quite a coding standard
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
agree with both
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I like a [main.tf](http://main.tf)
for common stuff like the provider definition
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
and then when a lot of stuff is going on, break it out by .tf
files like @oscarsullivan_old
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
A module is a container for multiple resources that are used together.
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
I like a [main.tf](http://main.tf)
for common stuff like the provider definition
I have that in my [terraform.tf](http://terraform.tf)
!
![joshmyers avatar](https://avatars.slack-edge.com/2018-11-20/483958217281_8117d6f6c62807ce9912_72.jpg)
![joshmyers avatar](https://avatars.slack-edge.com/2018-11-20/483958217281_8117d6f6c62807ce9912_72.jpg)
Anyway, the shed is blue.
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
sneak data source
[terraform.tf](http://terraform.tf)
!
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
![joshmyers avatar](https://avatars.slack-edge.com/2018-11-20/483958217281_8117d6f6c62807ce9912_72.jpg)
¯_(ツ)_/¯
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Joining the meetup tonight @joshmyers?
![joshmyers avatar](https://avatars.slack-edge.com/2018-11-20/483958217281_8117d6f6c62807ce9912_72.jpg)
Where is this?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
March 20th, 2019 from 11:30 AM to 12:20 PM GMT-0700 at https://zoom.us/j/684901853
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
(PST)
![joshmyers avatar](https://avatars.slack-edge.com/2018-11-20/483958217281_8117d6f6c62807ce9912_72.jpg)
01:30 GMT? @oscarsullivan_old
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
6:30 PM Wednesday, Greenwich Mean Time (GMT)
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
haha not quite
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
6;30
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
after work sadly
![joshmyers avatar](https://avatars.slack-edge.com/2018-11-20/483958217281_8117d6f6c62807ce9912_72.jpg)
ahh, I need to nip out but would be good to try and make that
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
I’ll have only just arrived at home at 6:10
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Deffo do
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
https://github.com/cloudposse/terraform-aws-eks-cluster SHOULD I create a new VPC just for EKS?
Terraform module for provisioning an EKS cluster. Contribute to cloudposse/terraform-aws-eks-cluster development by creating an account on GitHub.
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
.. Or can I safely use my existing VPC that my sub-account uses for everything
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
you can definitely use the same vpc
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
the “SHOULD” would come down to a business requirement
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
e.g. “the EKS cluster SHOULD run in a separate PCI compliant VPC”
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Ah awesome
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Not a technical requirement great
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
yup
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Ok this will help me get setup with EKS quickly
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
haha,
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Example Terraform service catalog of “root module” invocations for provisioning reference architectures - cloudposse/terraform-root-modules
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
and open issues that others have encountered with EKS
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
most of the time errors encountered are due to missing a step
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@oscarsullivan_old this is working example https://github.com/cloudposse/terraform-aws-eks-cluster/tree/master/examples/complete
Terraform module for provisioning an EKS cluster. Contribute to cloudposse/terraform-aws-eks-cluster development by creating an account on GitHub.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
tested many times by a few people
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
just update the vars https://github.com/cloudposse/terraform-aws-eks-cluster/blob/master/examples/complete/variables.tf
Terraform module for provisioning an EKS cluster. Contribute to cloudposse/terraform-aws-eks-cluster development by creating an account on GitHub.
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Thanks! Will spend tomorrow reading those and setting up first k8 cluster
2019-03-21
![DaGo avatar](https://secure.gravatar.com/avatar/7e63ff2eb1ab9bb937c04cbb7870c921.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0019-72.png)
Has anyone tried this wizardry? https://modules.tf
Your infrastructure as code delivered as Terraform modules
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@antonbabenko
Your infrastructure as code delivered as Terraform modules
![antonbabenko avatar](https://secure.gravatar.com/avatar/fc9fce3c16a287d672ec5433430f11ca.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
@DaGo Yes, I tried it.
![xluffy avatar](https://secure.gravatar.com/avatar/f3405055ad5ad1d4933752b143807a49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
I really like Cloudcraft
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
here you go @DaGo
![fiesta_parrot](/assets/images/custom_emojis/fiesta_parrot.gif)
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Cloudcraft doesn’t allow you to configure objects like ALB (e.g. listener and redirects)
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
here’s a simple eu-west 2 ALB + EC2
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
I think it’s really good for starting a new framework for a project
![DaGo avatar](https://secure.gravatar.com/avatar/7e63ff2eb1ab9bb937c04cbb7870c921.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0019-72.png)
Awesome. Many thanks, Oscar!
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Here’s a question for the crowd: Do you prefer to leave a default for variables?
Example:
variable "stage" {
type = "string"
default = "testing"
description = "Stage, e.g. 'prod', 'staging', 'dev' or 'testing'"
}
My take: I personally don’t like leaving defaults to variables like ‘name’ and ‘stage’, but don’t mind for ‘instance_size’. The reason is I’d rather it failed due to a NULL value and I could fix this var not being passed to TF (from, say, Geodesic) than read the whole PLAN and check I’m getting the correct stage etc.
What do you think?
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Another example in a Dockerfile:
FROM node:8.15-alpine
ARG PORT
EXPOSE ${PORT}
I could have ARG PORT=3000
, but I’d rather it failed due to a lack of port definition than go through the build process and find the wrong / no port was exposed.
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
I’d rather have NO PORT than the WRONG port for my built image. I feel it is easier for me to catch the NO PORT than the WRONG port.
![mmuehlberger avatar](https://secure.gravatar.com/avatar/752c7a387bef6cb7254e3ff34b276d10.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
I like defaults, for things, where I know that I’m not going to change them in every stage/environment or variables where it makes sense to have one. (e.g. require stage
to be set explicitly, but like you said, something like instance_type
is fine, even though, you might want to change it in every stage anyways). For something like PORT
I’d also set a default, usually to whatever the default is for the technology I’m using.
My take on defaults is basically: try to make it as easy as possible to use whatever you are building with ar little extra configuration as possible.
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
RE: AKS cluster
variable "image_id" {
type = "string"
default = ""
description = "EC2 image ID to launch. If not provided, the module will lookup the most recent EKS AMI. See <https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html> for more details on EKS-optimized images"
}
variable "eks_worker_ami_name_filter" {
type = "string"
description = "AMI name filter to lookup the most recent EKS AMI if `image_id` is not provided"
default = "amazon-eks-node-v*"
}
* module.eks_workers.data.aws_ami.eks_worker: data.aws_ami.eks_worker: Your query returned no results. Please change your search criteria and try again.
What are people specifying as their IMAGE_ID or what filter have they got for the ami_name_filter?
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Looks like they’re EKS specific, so I don’t want to use my standard AMI
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Looks like the pattern has changed. No v
for the semantic version
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
* aws_eks_cluster.default: error creating EKS Cluster (acme-sandbox-eks-cluster): InvalidParameterException: A CIDR attached to your VPC is invalid. Your VPC must have only RFC1918 or CG NAT CIDRs. Invalid CIDR: [14.0.0.0/16]
Hmmm looks like a valid CIDR to me
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Weird as they’re created with this:
module "vpc" {
source = "git::<https://github.com/cloudposse/terraform-aws-vpc.git?ref=master>"
version = "0.4.0"
namespace = "${var.namespace}"
stage = "${var.stage}"
name = "vpc"
cidr_block = "${var.cidr_prefix}.0.0.0/16"
}
module "dynamic_subnets" {
source = "git::<https://github.com/cloudposse/terraform-aws-dynamic-subnets.git?ref=master>"
namespace = "${var.namespace}"
stage = "${var.stage}"
name = "dynamic_subnets"
region = "${var.aws_region}"
availability_zones = ["${var.aws_region}a", "${var.aws_region}b", "${var.aws_region}c"]
vpc_id = "${module.vpc.vpc_id}"
igw_id = "${module.vpc.igw_id}"
cidr_block = "${var.cidr_prefix}.0.0.0/16"
}
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Can the VPC and hte SUBNET not have the same block
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
I thought it was more about linking them together
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Ok should be fine https://github.com/cloudposse/terraform-aws-vpc/tree/master/examples/basic does the same as me
Terraform Module that defines a VPC with public/private subnets across multiple AZs with Internet Gateways - cloudposse/terraform-aws-vpc
![mmuehlberger avatar](https://secure.gravatar.com/avatar/752c7a387bef6cb7254e3ff34b276d10.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
Valid RFC1918 CIDRs are only those 3:
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
![mmuehlberger avatar](https://secure.gravatar.com/avatar/752c7a387bef6cb7254e3ff34b276d10.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
Everything else is in the public IP space.
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
So https://github.com/cloudposse/terraform-aws-vpc/blob/master/examples/basic/terraform.tfvars.example#L11 is technically invalid?
Terraform Module that defines a VPC with public/private subnets across multiple AZs with Internet Gateways - cloudposse/terraform-aws-vpc
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
because it is 10.0.0.0/16
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
but should really be 10.0.0.0/8
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
?
![mmuehlberger avatar](https://secure.gravatar.com/avatar/752c7a387bef6cb7254e3ff34b276d10.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
AWS only allows /16 networks, not more.
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
So it sounds like 10.0.0.0/16 is not RFC1918 compliant then
![mmuehlberger avatar](https://secure.gravatar.com/avatar/752c7a387bef6cb7254e3ff34b276d10.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
No. /8 means, the first 8 bits must be fixed (10
in this case). /16 means, the first 16 bits must be fixed (so the first 2 parts)
![Steven avatar](https://secure.gravatar.com/avatar/85c27d283a537b0c5b54590f47293fe1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
10.0.0.0/16 is fine, 14.0.0.0/16 is not
![Samuli avatar](https://secure.gravatar.com/avatar/347245a6b0053a6eed1f4e28cf8f5073.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
10.0.0.0/16 is subnet of 10.0.0.0/8
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Oh
![mmuehlberger avatar](https://secure.gravatar.com/avatar/752c7a387bef6cb7254e3ff34b276d10.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
With VPCs in AWS you can have a range of 10.0.0.0/16
to 10.255.0.0/16
as valid network CIDRs. Also 172.16.0.0/16
to 172.31.0.0/16
and 192.168.0.0/16
.
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
so 10.0.0.0/16 is valid
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
but my 14.0.0.0/16 is not
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
haha woops
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
but had I gone for 10.{var.cidr_prefix}.0.0/16 all would be well
![mmuehlberger avatar](https://secure.gravatar.com/avatar/752c7a387bef6cb7254e3ff34b276d10.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
(plus 100.64.0.0/16
to 100.127.0.0/16
but this is carrier-grade NAT, so better stay away from that)
![mmuehlberger avatar](https://secure.gravatar.com/avatar/752c7a387bef6cb7254e3ff34b276d10.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
Exactly.
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Damn
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Alright, hopefully it should be easy to fix then
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Thanks chaps for explaining CIDR blocks and RFC1918
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
I forget where I read it, but there is a lot of truth to the quote, “in the cloud, everyone is a network engineer”
![mmuehlberger avatar](https://secure.gravatar.com/avatar/752c7a387bef6cb7254e3ff34b276d10.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
Absolutely!
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
My networking is so poor. For the last 2 years the networking aspect of my cloud was managed by the service provider!
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
VPCs, subnets, security groups, NACLs, VPNs, WAFs, load balancers, oh my!
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Yep! The only thing I had to manage were firewall ingress/egress rules and load balancer rules.. none of the setup and maintenance
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
It was Infrastructure as a service really
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
That’s convenient… it’s so abstracted that I only need to change it in 2 values on the same file
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Oh dear, terraform isn’t detecting the change properly and isn’t destroying the old subnets
![Samuli avatar](https://secure.gravatar.com/avatar/347245a6b0053a6eed1f4e28cf8f5073.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
try terraform destroy without the changes first?
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
No it has totally desynced from the bucket
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
so I’m makign it local
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
copying the S3 state
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
pasting that into the local
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
and then checking if terraform state list shows the resources
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
then I’ll push it back up
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
yep perfect showing the machiens again
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Plan: 26 to add, 2 to change, 26 to destroy.
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
vs.
✓ (acme-sandbox-admin) vpc ⨠ terraform destroy
data.aws_availability_zones.available: Refreshing state...
Do you really want to destroy all resources?
Terraform will destroy all your managed infrastructure, as shown above.
There is no undo. Only 'yes' will be accepted to confirm.
Enter a value: no
Error: Destroy cancelled.
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Specifically…
-/+ module.vpc.aws_vpc.default (new resource required)
id: "vpc-xxx" => <computed> (forces new resource)
arn: "arn:aws:ec2:eu-west-2:xxx:vpc/vpc-xxx" => <computed>
assign_generated_ipv6_cidr_block: "true" => "true"
cidr_block: "14.0.0.0/16" => "10.14.0.0/16" (forces new resource)
Should be compliant now
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Doh it’s happened again.. can’t delete modules
![rbadillo avatar](https://avatars.slack-edge.com/2020-02-24/955300874531_b0a820ed3b33153c08ca_72.jpg)
Team any suggestions on how to fix this error ?
"data.aws_vpc.vpc.tags" does not have homogenous types. found TypeString and then TypeMap in ${data.aws_vpc.vpc.tags["Name"]}
![rbadillo avatar](https://avatars.slack-edge.com/2020-02-24/955300874531_b0a820ed3b33153c08ca_72.jpg)
I have some Kubernetes Tags, doing some googling says to delete those tags but I want to avoid that
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
so you can delete/update those tags in kubernetes. Terraform data sources just read them and you can’t change them on the fly
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
In the terraform-aws-ecs-codepipeline
module, it has an example buildspec: https://github.com/cloudposse/terraform-aws-ecs-codepipeline#example-buildspec
Terraform Module for CI/CD with AWS Code Pipeline and Code Build for ECS https://cloudposse.com/ - cloudposse/terraform-aws-ecs-codepipeline
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Where are the variables like $REPO_URL
and $IMAGE_REPO_NAME
coming from?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
They’re not official build environment variables.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Oh I see, it’s provided by the module.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Terraform Module for CI/CD with AWS Code Pipeline and Code Build for ECS https://cloudposse.com/ - cloudposse/terraform-aws-ecs-codepipeline
![LeoGmad avatar](https://secure.gravatar.com/avatar/01b858af8e8800385f8a99b9865655dd.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0025-72.png)
Has anyone encountered issues lately with the module terraform-aws-dynamic-subnets. I believe it has something to do with AWS adding an AZ (us-west-2d) to the us-west-2 region some time in Feb.
I ended up removing the subnets in one of my environments before being able to recreate them. Not something I want to do in OPS. Any insight on the issue?
-/+ module.subnets.aws_subnet.public[0] (new resource required)
id: "subnet-XXX" => <computed> (forces new resource)
arn: "arn:aws:ec2:us-west-2:XXX:subnet/subnet-XXX" => <computed>
assign_ipv6_address_on_creation: "false" => "false"
availability_zone: "us-west-2a" => "us-west-2a"
availability_zone_id: "usw2-az2" => <computed>
cidr_block: "10.0.96.0/19" => "10.0.128.0/19" (forces new resource)
-/+ module.subnets.aws_subnet.public[1] (new resource required)
id: "subnet-XXX" => <computed> (forces new resource)
arn: "arn:aws:ec2:us-west-2:XXX:subnet/subnet-XXX" => <computed>
assign_ipv6_address_on_creation: "false" => "false"
availability_zone: "us-west-2b" => "us-west-2b"
availability_zone_id: "usw2-az1" => <computed>
cidr_block: "10.0.128.0/19" => "10.0.160.0/19" (forces new resource)
![LeoGmad avatar](https://secure.gravatar.com/avatar/01b858af8e8800385f8a99b9865655dd.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0025-72.png)
Sorry I don’t have the actual error output but it complained about the CIDR already existing
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Does it already exist?
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
I got bamboozled by that question today
![LeoGmad avatar](https://secure.gravatar.com/avatar/01b858af8e8800385f8a99b9865655dd.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0025-72.png)
Well technically its that module.subnets.aws_subnet.public[1]
which never gets deleted
![LeoGmad avatar](https://secure.gravatar.com/avatar/01b858af8e8800385f8a99b9865655dd.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0025-72.png)
or updated.
![LeoGmad avatar](https://secure.gravatar.com/avatar/01b858af8e8800385f8a99b9865655dd.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0025-72.png)
I may be able to use 2d and 2b in this case, but not sure what my solution for my OPS env which currently uses a,b, and c. I may have to just ride a second VPC for a migration.
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Good luck. I don’t think I have an answer for this!
![LeoGmad avatar](https://secure.gravatar.com/avatar/01b858af8e8800385f8a99b9865655dd.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0025-72.png)
Actually, I may have found the solution! I’ll just temporarily go down to 2 subnets in OPS c, and d which should not conflict.
![daveyu avatar](https://secure.gravatar.com/avatar/8d79597556982a1205cf52c64aaa66ff.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0020-72.png)
I ran into this too. It has to do with how the module subdivides CIDR blocks. With the addition of us-west-2d, the module wants to create a new private subnet, but it tries to assign to it the CIDR block that’s already given to the public subnet for us-west-2a
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@Andriy Knysh (Cloud Posse) can you take a look?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
We specifically and deliberately tried to address this use-case in our module
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
but might have a logical problem affecting it
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I think your suggestion though is the best: hardcode the desired AZs for stability
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
i’ll look into that
![LeoGmad avatar](https://secure.gravatar.com/avatar/01b858af8e8800385f8a99b9865655dd.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0025-72.png)
I see
![daveyu avatar](https://secure.gravatar.com/avatar/8d79597556982a1205cf52c64aaa66ff.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0020-72.png)
i couldn’t figure out a fix.. fortunately my env was in a state where i could delete and recreate all the subnets
![daveyu avatar](https://secure.gravatar.com/avatar/8d79597556982a1205cf52c64aaa66ff.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0020-72.png)
if you’re using terraform-aws-dynamic-subnets
directly, it looks like you should be able to set availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"]
![LeoGmad avatar](https://secure.gravatar.com/avatar/01b858af8e8800385f8a99b9865655dd.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0025-72.png)
Thanks I am using terraform-aws-dynamic-subnets
I’ll give it a go.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
What might be going wrong with my cloudposse/terraform-aws-ecs-codepipeline if I’m getting the following error on deploy:
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I’m not sure what IAM role is relevant here (there so many O_O)
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I’m not even sure what is being uploaded to s3?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Oh I deleted these lines from my buildspec:
- printf '[{"name":"%s","imageUri":"%s"}]' "$CONTAINER_NAME" "$REPO_URI:$IMAGE_TAG" | tee imagedefinitions.json
artifacts:
files: imagedefinitions.json
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Perhaps these are important? Not sure why there would an IAM role error?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@idlework are you using this in thee context of one of our other modules? e.g. the ecs-web-app
?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
if not, I would look at how our other modules leverage it
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
GitHub is where people build software. More than 31 million people use GitHub to discover, fork, and contribute to over 100 million projects.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
@Erik Osterman (Cloud Posse) yeah I’ve been following right out this, https://github.com/cloudposse/terraform-aws-ecs-web-app/blob/master/main.tf
Terraform module that implements a web app on ECS and supports autoscaling, CI/CD, monitoring, ALB integration, and much more. - cloudposse/terraform-aws-ecs-web-app
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Adding those lines I removed seemed to make it work.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
The last thing that’s not working is that the Github Webhook doesn’t seem to do anything.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I cut a release, Github says it sent the webhook, and nothing happens in CodePipeline even after 10 minutes.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I could probably post my HCL since I don’t think it contains any secrets.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Maybe it only works if the commit is different
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
still nothing
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
@Erik Osterman (Cloud Posse) do I have to click this even though I setup the terraform module with an oauth token with the right permissions? terraform was able to setup the webhook on my repo afterall, http://logos.ldlework.com/caps/2019-03-21-22-33-18.png
![attachment image](http://logos.ldlework.com/caps/2019-03-21-22-33-18.png)
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
It would be nice if AWS listed the webhook events somewhere
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I don’t have a clue what could be wrong
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
When I list the webhooks via the AWS cli I see that there is a “authenticationConfiguration” section with a “SecretToken”
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I don’t see this secret token anywhere in the webhook on the github side
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Oh that’s probably the obscured “Secret”
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I have no idea
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
The response on the github side says 200
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
SSL Verification is enabled
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Even got a x-amzn-RequestId
header in the response
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Filters on the Webhook:
"filters": [
{
"jsonPath": "$.action",
"matchEquals": "published"
}
]
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Websocket Payload:
{
"action": "published",
"release": {
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Hmm it was the password.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
That’s worrying. Oh well.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
you mean the webhook secret?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
As I recall, the webhook secret on GitHub cannot be updated (rotated)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
You need to delete/recreate
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
….at least with Terraform
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
That might’ve been it.
2019-03-22
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
When I try to destroy an ecs_codepipeline
module by removing it from my HCL, I get:
Error: Error asking for user input: 1 error(s) occurred:
* module.ecs_codepipeline.module.github_webhooks.github_repository_webhook.default: configuration for module.ecs_codepipeline.module.github_webhooks.provider.github is not present; a provider configuration block is required for all operations
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
welcome to terraform
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I’ve encountered this as well. I don’t know how to get around it.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
lol jeeze
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I love terraform, but every tool has it’s limitations. clean destroy’s are really hard to achieve with module compositions.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
yet managing infrastructure without composable modules is not scalable for the amount of infrastructure we manage.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
we’re just hoping that these edgecases improve as terraform the language improves
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I recently joined a startup and I’m the only guy doing the infrastructure. CloudPosse modules have been a god-send, regardless of whatever little issues there are. I’ve almost got a completely serverless deployment of their stuff going, kicked off with Github releases, flowing through CodePipeline, deployed to Fargate, with CloudWatch events sending SNS notifications to kick off Typescript Lambda functions to send me Discord notifications for each step. All in about three weeks by myself, never having used Terraform before.
![party_parrot](/assets/images/custom_emojis/party_parrot.gif)
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
So yeah, blemishes aside…
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I’m old enough to remember when you had to call someone on the phone to get a new VPS.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Wow! that sounds awesome
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I’d like to get a demo of that
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
in 3 weeks!!
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Heh, it’s really mostly thanks to the CloudPosse modules..
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Anyone familiar with this with vpc_peering? Had it working a few weeks ago but not working this time around:
Error: Error applying plan:
2 error(s) occurred:
* module.vpc_peering.aws_vpc_peering_connection_options.accepter: 1 error(s) occurred:
* aws_vpc_peering_connection_options.accepter: Error modifying VPC Peering Connection Options: OperationNotPermitted: Peering pcx-xxx8b80615da5 is not active. Peering options can be added only to active peerings.
status code: 400, request id: ed787be8-xxx-4c6c-xxx-117b303c9d84
* module.vpc_peering.aws_vpc_peering_connection_options.requester: 1 error(s) occurred:
* aws_vpc_peering_connection_options.requester: Error modifying VPC Peering Connection Options: OperationNotPermitted: Peering pcx-xxx8b80615da5 is not active. Peering options can be added only to active peerings.
status code: 400, request id: eca6b1ab-xxx-4cef-xxx-ac6f80bd903f
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
oh
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
ok I ran it a second time without destroying it after it failed and its working
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
guess it was a dependency thang
![Igor avatar](https://avatars.slack-edge.com/2022-03-17/3244104166391_48a8db73944f03735a65_72.jpg)
I have an order of creation issue with an AutoScaling policy. I have one module that creates and ALB and Target Group and another that creates the AutoScaling policy, where I specify the target group resource_label. Terraform proceeds to create the AutoScaling policy using the Target Group, before the ALB->TargetGroup ALB listener rule is created, which causes an error. I tried a depends_on workaround by passing in the alb_forwarding_rule_id as a depends_on variable to the ASG module, but I assume I am still missing a step where I need to use this variable within the aws_autoscaling_policy resource block. Do I stick it in the count property?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Resources are the most important element in a Terraform configuration. Each resource corresponds to an infrastructure object, such as a virtual network or compute instance.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
depends_on
will not always work though
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
because TF does it already automatically
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
it’s just a hint
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
but if something could not be done b/c of AWS API or other things, it will not help
![Igor avatar](https://avatars.slack-edge.com/2022-03-17/3244104166391_48a8db73944f03735a65_72.jpg)
It’s a cross-module scenario, which I think isn’t supported until 0.12
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
you can try --target
which is not pretty
![Igor avatar](https://avatars.slack-edge.com/2022-03-17/3244104166391_48a8db73944f03735a65_72.jpg)
It works fine if I run the apply twice.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
that’s another method
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@Igor just out of curiosity, https://www.terraform.io/docs/providers/aws/r/autoscaling_policy.html#example-usage, instead of autoscaling_group_name = "${aws_autoscaling_group.bar.name}"
can you try autoscaling_group_name = "${aws_autoscaling_group.bar.id}"
and see what happens ?
Provides an AutoScaling Scaling Group resource.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
@Igor you can resolve module dependencies by using the “tags” attribute on stuff I’ve found.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
@Igor If you don’t use a variable, it is optimized away
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
And doesn’t affect ordering
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
So an easy way to use a dependent variable even though you don’t need it, is to stick the variable in a Tag on the resource
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
This worked perfectly for me, for your exact use case which I also ran into
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
oh nice, this is a solution we did not think about, thanks
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
heh, tags and descriptions, had to do that before myself. any reference to force terraform to see the dependency when it resolves the config
![Igor avatar](https://avatars.slack-edge.com/2022-03-17/3244104166391_48a8db73944f03735a65_72.jpg)
But then you’re left with an unwanted tag
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
It’s not the worst thing, because afterall the module the tagged asset comes from does depend on whatever asset you’re interpolating into the tag.
![Igor avatar](https://avatars.slack-edge.com/2022-03-17/3244104166391_48a8db73944f03735a65_72.jpg)
It actually makes sense, but I don’t think ASG policy has tags
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Yeah that’s the only limitation I guess
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I can’t think of a way around it if there’s no field to stick the dependency on
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Something crazy like, using the dependency in a locals block in which you take just the first letter or something, and then use that local in the name of your ASG policy
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
lol
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
![Igor avatar](https://avatars.slack-edge.com/2022-03-17/3244104166391_48a8db73944f03735a65_72.jpg)
I can use count
![Igor avatar](https://avatars.slack-edge.com/2022-03-17/3244104166391_48a8db73944f03735a65_72.jpg)
Can’t I?
![Igor avatar](https://avatars.slack-edge.com/2022-03-17/3244104166391_48a8db73944f03735a65_72.jpg)
Just check that the depends_on is not empty
![Igor avatar](https://avatars.slack-edge.com/2022-03-17/3244104166391_48a8db73944f03735a65_72.jpg)
useless check, but maybe it will work
![Igor avatar](https://avatars.slack-edge.com/2022-03-17/3244104166391_48a8db73944f03735a65_72.jpg)
I’ll give it a try and report back
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
policies have descriptions
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
hah
![Igor avatar](https://avatars.slack-edge.com/2022-03-17/3244104166391_48a8db73944f03735a65_72.jpg)
Description not on the policy, count didn’t work, ended up putting the first letter of the ID in the policy name Seems to work
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
lmfao
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Or you can create a list, put in there two items, one is real name, the other is something from the dependency
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Then get the first item
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Every time I apply I get the following change:
module.frontend-ecs.module.ecs_codepipeline.aws_codepipeline.source_build_deploy: Modifying... (ID: us-west-1-qa-frontend-codepipeline)
stage.0.action.0.configuration.%: "4" => "5"
stage.0.action.0.configuration.OAuthToken: "" => "<OAUTH-TOKEN>"
What is actually being changed here? Why is it always 4 -> 5? Why does it think the OAuth token is changing each time even though it is not?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
@Andriy Knysh (Cloud Posse) XD
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
We had similar issues with oauth tokens before
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
I think terraform or AWS ignore them, forgot who
![Igor avatar](https://avatars.slack-edge.com/2022-03-17/3244104166391_48a8db73944f03735a65_72.jpg)
@Andriy Knysh (Cloud Posse) Great suggestion, thanks
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
So you need to put the field into ignore changes, not good though if if ever changes
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
@Andriy Knysh (Cloud Posse) Can anything use a lifecycle block?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Also, I can’t add the lifecycle block to a CloudPosse module right?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Since this is happening inside the ecs_codepipeline
module
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I wonder if anything on AWS is actually getting changed though. Or if it is just needlessly updating the Terraform state each time.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
@Erik Osterman (Cloud Posse) any clue?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
lifecycles cannot be interpolated or passed between modules
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
maybe this is changing in 0.12? not sure
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
in the end, I think it’s hard to escape needing a task runner for complicated setups
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
(e.g. make
or variant
or terragrunt
or astro
)
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
How does that help in this case?
![foqal avatar](https://avatars.slack-edge.com/2019-03-11/572601092560_390fb278d5cedc640d76_72.png)
Helpful question stored to <@Foqal> by @ldlework:
I have an order of creation issue with an AutoScaling policy. I have one module that creates a Target Group and another that creates the AutoScaling policy which uses the ALBRequestCountPerTarget,...
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
you use terraform ... -target=
to surgically target what you want to modify
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
in the order in which needs to happen that terraform was not able to figure out
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
In this case it just thinks that the github oauth token inside of the ecs-codepipeline is changing each time. So I’m not sure that it is a matter of ordering.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
oh sorry, i didn’t look closely enough at what you wanted to solve
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
in this case, yea, maybe not the best solutino
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
If the thing that’s being updated is just the Terraform state, it might be no big deal to just let it update the state needlessly each time.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
really, the only option is to put the lifecycle
in the module but then it applies to everyone
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I can’t really tell by the message what’s changing though.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
jumping on call
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Yeah.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
it’s not that it’s changing
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
it’s that terraform doesn’t know what the current value is
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
so it always changes
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
But does it have any consequences?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Like changing infrastructure etc? Seems not? Can’t tell though.
![Charlie Mathews avatar](https://secure.gravatar.com/avatar/66c37510e0e96873bf5fd0132de8ce93.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0006-72.png)
Might @anyone know why the cloudposse/terraform-aws-ecs-container-definition
doesn’t include VolumesFrom or Links? I’m trying to figure out if I should tack those things onto the json output in a hacky way or submit a MR.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
we didn’t implement the full spec, just what we needed or others have contributed
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
if you see a way of adding support for it, please do!
![Charlie Mathews avatar](https://secure.gravatar.com/avatar/66c37510e0e96873bf5fd0132de8ce93.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0006-72.png)
Will do, thanks!
![Charlie Mathews avatar](https://secure.gravatar.com/avatar/66c37510e0e96873bf5fd0132de8ce93.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0006-72.png)
per ContainerDefinition -> VolumesFrom and ContainerDefinition -> Links
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Idlework, no consequences
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
It just consider the token a secret
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
And does not know, or thinks it doesn’t know, the value
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Makes sense
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
How do you all handle different environments? Right now I’ve got a single branch, with a bunch of HCL, and a Summon secrets.yml
which contains the shared and environment specific Terraform variables. So by selecting an environment with Summon, different variables go into Terraform and I’m able to build different environments in different regions like that.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
However, another way I’ve been thinking about it, is having a branch per environment so that the latest commit on that branch is the exact code/variables etc that deployed a given enviornment.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
This allows different environments to actually have different/varying HCL files. So in a given environment you can actually change around the actual infrastructure and stuff. Then by merging changes from say, staging into production branch, you can move incremental infrastructure changes down the pipeline.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I wonder what you are all doing.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
The long-lived branches tend to be discourage by most companies we’ve worked with. typically, they only want master
as the only long-lived branch.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
some use a hierchy like prod/us-west-2/vpc
, staging/us-west-2/vpc
and then a modules/
folder where they pull from
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
we use a 1-repo-per-account approach
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
[prod.cloudposse.co](http://prod.cloudposse.co)
, [root.cloudposse.co](http://root.cloudposse.co)
, etc
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
we treat our repos like a reflection of our AWS accounts
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
then we have our terraform-root-modules
service catalog
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
read more abbout that here: https://github.com/cloudposse/terraform-root-modules
Example Terraform service catalog of “root module” invocations for provisioning reference architectures - cloudposse/terraform-root-modules
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
@Erik Osterman (Cloud Posse) Do you know what I mean though? Let’s say you wanted to make substantial changes of a major module by say, switching from self-hosted DB to Aurora Serverless (say). If you have just one branch that holds all the environments, then all environments must see this module change at the same time. VS, if you have a branching strategy, then you can make the major changes in a dev environment, then merge it into a staging environment, and then finally merge it into production/master. Is that not a problem you face / approach you see being used?
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
I’ve tried using branches, but the trouble is that they are not visible enough. People lose track of them too easily. So for them to work, we need another layer over them anyway that cycles through various actions (validate/plan/apply/etc). Separate directories or repos seem easier to grok
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Huh, branches having low visibility. Not sure I understand that exactly, but thank you for your input.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I like the prospect of branching allowing for experimental environments to be spun up and destroyed creatively.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
It appears this is the strategy that Hashicorp recommends for it’s enterprise users.
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
My personal approach has been to write a module that abstracts the functionality, and then one or more separate repos that invoke the module for a specific implementation
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Sure but consider a major refactor of that module.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I appreciate how parametic modules allows you to achieve multiple environments, that’s what I’m doing right now.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
But it seems like the repo would overall be more simple with less going on in a given branch.
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Tags as versions, each implementation is isolated from changes to the module
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
This requires you to use external modules, no?
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Define “external”… You can keep the module in the same repo if you like
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
So now you have the maintanience overhead of a new repo * how many modules.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
How do you tag modules that live in the same repo?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
we use one repo for our service catalog
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
and one repo to define the invocation
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
since we don’t use the same repo, we can surgically version pin every single module
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
and never force an upgrade we didn’t want
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
It’s easier to pin if they are separate repos, for sure
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Not impossible if they are in the same repo, but some mental gymnastics are needed
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
it’s the only way it can work for us since we build infra for multiple organizations
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
It makes perfect sense to me that you’d externalize modules you’re reusing across organizations sure.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I’m just one person at a tiny startup right now though.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I know monorepos have gained in popularity over recent years and major companies have come out in favor of them
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
i think they can work well inside of an organization that builds 99% of their stuff internally
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
but open source is necessarily democratized into a number of smaller repos (think NPM, ruby, perl, go, and ……. terraform modules)
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
It’s not really a mono-repo in the sense that are multiple disjoint substantial projects in a single repo.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
it sounds like you’re going to have modules within your repo that have different SDLCs
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
No that’s the point, they don’t really have different SDLCs.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
They’re not really indepdent abstractions we intend to reuse in multiple places.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Most of my HCL code is just invocations of high-level CloudPosse modules.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Let’s say you wanted to make substantial changes of a major module by say, switching from self-hosted DB to Aurora Serverless (say). If you have just one branch that holds all the environments, then all environments must see this module change at the same time.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
so we don’t have more than one environment per repo
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
What has different SDLCs are the overall architecture of the different environments.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Yes, that is in terms of the HCL defining our architecture, but I don’t really have a reusable module which defines arbitrary DBs
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
You can try tf workspaces also, that might work for your use case
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I guess I was just waiting to hear “Yeah branches sound like they’ll work for your use-case too”
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Thank you!
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
there’s no right/wrong, only different opinions
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
you can achieve what you want to do with branches/workspaces
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
My experience has just between that I always, eventually, need to separate configuration from logic
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I think you could even combine approaches.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
what i don’t like about workspaces is the assume a shared statebucket
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
we never share a statebucket across stages or accounts
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I don’t intend on using Workspaces. I’ve read enough about them to avoid them for now.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I almost went full Terragrunt, but I’m trying to thread the needle with my time and workload
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
haha, well, a lot of good patterns they’ve developed
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
we’ve borrowed the terraform init -from-module=...
pattern
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
what we didn’t like about terragrunt is that overloads .tfvars
with HCL
-like code that isn’t supported by terraform.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
so it’s writing something vendor-locked
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
“Why didn’t you use k8s or EKS?”
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
haha, ok, so yea that’s one approach that appeals to many. just another camp
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
“Uhh, because I can fit CodePipeline in my head” lol
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
@Erik Osterman (Cloud Posse) So basically your suggestion to me is to have two repos: 1 repo that contains all the modules. 1 repo which contains the environment-specific calls into those modules to build environment-specific infrastructure. Each environment’s HCL that uses the modules can pin to different versions of those modules, even though all the modules are in one repo, since each module call has a different source
parameter. Is this close?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
nailed it
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
so technically, it can all be in one repo and still use source
pinning to the git repo, just my head hurts doing it that way
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Mental gymnastics
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Also, Chinese finger traps
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
@Erik Osterman (Cloud Posse) so I guess my only concern is moving enhancements made in one environment’s HCL to another environment, and the next. It all comes down to how much per-environment HCL there is to arrange the modules in order to construct the infrastructure. To put things at their extremes to make the point; in order to have essentially zero manual maintanece of moving changes between environments, the modules would have to be essentially so high-level that they simply implement the entire environment. Rather than the environment HCL having room to vary in their composure of slightly-lower level modules and being able to express different approaches in infrastructure architecture.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
little wordy there, i just hope to be understood (so that I can in turn understand too)
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
This is contrasted to the “per-environment HCL” being in branches and letting Git do the work
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
yes, it comes at a trade off of being more effort to manage changes
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
(whether or not you use remote modules)
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Basically my point is, you’ll always have to manually “merge” across environments if the per-environment HCL is in a single branch, regardless of module use.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
, the modules would have to be essentially so high-level that they simply implement the entire environment
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
(so maybe if you combined approaches you’d achieve the theoretical minimum maintainence)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
this = “terraform root module”
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
the root invocatin of a module is a module
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Oh you’re saying there is literally no per-environment HCL?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
yep
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Per-environment HCL is a tagged “highest-level-module” ?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Modules allow multiple resources to be grouped together and encapsulated.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
lol why you link that?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
lol no I know
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
to define what a “Root module” is from the canonical source
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
so just saying the root is a module. treat it like one. invoke it everywhere you need that capability
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
use .tfvars
to tailor the settings
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Module in module inception
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Yeah but you might have variance across environment in the implementation of that module.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
And so what you’re saying is that, you achieve that, by having a separate repo, which simply refers to a tagged implementation of that module.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
yup
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
so you can invoke an environment 20 times
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Clever.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
just call terraofrm init -from-module
20x
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
(in different folders)
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
And then you have terragrunt
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
haha
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
so i gotta run, but this is why we came up with tfenv
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
In the configuration repo, where each environment simply invokes a tag of the remote root-module, the amount of code you have per-environment is so little there’s no reason to have different branches.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
it’s the unwrapper for using terraform init -from-module=...
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
you can just specify environment variables that terraform init
already supports
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
and it will clone the remote module
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
and initialize it
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
25 votes and 10 comments so far on Reddit
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
here’s my post on it
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Also, highly recommend dependabot or something similar for bumping version tags
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
The root modules don’t really seem like all encompassing modules which compose many (say) AWS modules to build a whole infrastructure.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Example Terraform service catalog of “root module” invocations for provisioning reference architectures - cloudposse/terraform-root-modules
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Like one just sets up an ECR registry, etc. A real service is going to require a bunch of these “root modules” composed together to make it happen.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
So any “environment repo” which is supposed to just call out to a single tagged remote root module to build the entire environment doesn’t seem like it would work with these root modules. Like, the HCL in the environment repo is going to be pretty substantial in order to tie these together. And then you have the manual merging problem again.
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Modules all the way down, that’s where inception comes in
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
https://github.com/cloudposse/terraform-root-modules/tree/master/aws - just an example of the approach
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
you, and every company that want to use the strategy, should create their own catalog of root modules (which is logic), and then invoke them from diff repos (config)
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Discussion reminds me of this thread, https://github.com/gruntwork-io/terragrunt/issues/627
So the "best practice" layout as defined in the repository I've seen with terragrunt has each module in its own folder with its own tfvars per environment My problem here is I have a …
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
so you put in there as many modules of diff types as you want to have in ALL your environments
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
just diff approaches
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
but I agree with @loren, it comes to separation of logic from config
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Hmm, do I understand that you’re saying that the root modules are really “root” with regards to individual substantial LAYERS of your environment’s architecture?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
The environment isn’t defined by calling a SINGLE module, but rather, it builds the environment out of a few major “layer-level root” modules?
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Bingo
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I see.
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Though, you could try to have one module to rule them all, with all the logic and calling all the modules conditionally as necessary
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
So while there is more “cross environment” manual merging to be done than the ideal, it’s still probably less than would warrant separate branches.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Well you wouldn’t do it conditionally.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Each environment would pin to a different tag of the God Module
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Yep, but the God module changes over time also, and different invocations of the module may need different things, so conditionally calling submodules becomes important
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Which you can pin to different tags, etc?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
consider them as a collection/catalog of everything you need in all your environments
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Yes, but there’s different conceptual abstraction levels of “everything you need in all your environments”
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
You could imagine a SINGLE remote module being the sole invocation that defines everything for an environment.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Or you could imagine a handful of remote modules which define the major layers of the architecture. VPC/Networking, ECS/ALB for each server, ECR, CloudWatch etc
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I dunno.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
that’s your call how you configure them. We use the second approach
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
The thing is you never ever want one module that does everything
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
yep
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
@Erik Osterman (Cloud Posse) see the thread above
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I was only thinking about one module because we were aiming at minimizing “cross environment merging”.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
One module, while silly, would allow each environment to simply pin to the exact implementation of the God Module relevant to that environment.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
That one module could in-turn compose Layer Modules
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Which in-turn compose Component Modules
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
w/e
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
A) terraform module composition has a lot of problems as you discovered
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
But yeah overall I think I’m clearer on the approach you were all suggesting.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
B) mono modules have huge state. We ran into this 2 years ago where a module was so big it took 20 minutes to run a plan
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
It’s just another level similar to the way your “root” (I read “layer/stack”) modules compose component modules.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
C) huge state means huge blast radius. You cannot easily roll out small incremental changes
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
You could.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
You would change the god module to compose the layer modules differently.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Then you would update a given environment to the new pin of the god module
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Exactly how layer modules work with component modules.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
It’s just another level of abstraction.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I’m not saying it’s useful.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
no one God Module
, we use separate folders for each service or a group of services (if that makes sense), so there is no one big single state
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
(but just from a thought experiment of how to absolutely minimize the cross-environment maintanence of merging the per-environment HCL)
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
(if one is to avoid branching strategy)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
there is no merging as in git branches, you just make changes to the root modules and apply them in each env separately as needed
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
@Andriy Knysh (Cloud Posse) there is
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
If each environment needs HCL to describe how it composes the high-level layer modules to describe the whole infrastructure for the environment
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
then you need to manually adopt those changes from one environment to the next, since they’re all in a single branch
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Sorry, on my phone and don’t have the keyboard speed to keep up with this
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
if each environment simple makes one module { } call, then the amount you have to manually copy-paste over as you move enhancements/changes down the environment pipeline is the smallest amount possible
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
That’s true but that’s not what blast radius refers to
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
we don’t; apply everything at once
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
No, I’m just explaining why we’re talking about this in the first place
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
to @Andriy Knysh (Cloud Posse)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
just the modules we need to change
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@Andriy Knysh (Cloud Posse) he is doing a thought experiment
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
@Andriy Knysh (Cloud Posse) right
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
you typically apply just major layers
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
He is not asking what we do :-)
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
-target is hugely powerful
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
yeah
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I’m going to refactor my stuff into layers like this tonight
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
He wants to understand why he should/shouldn’t do what he is proposing
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
VPC/Networking, ECS/ALB/CodePipeline for a given Container, Database, Caching
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
i get it
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Make “root modules” for each of those
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
just saying that don’t apply everything and don’t merge anything - just make changes somewhere and apply step by step one by one
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Does it make sense to have a root module covering CodePipeline/ECS/ALB-target-and-listeners for a given container?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Like everything needed to deploy a given container-layer of our overall product infrastructure
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Pass in the VPC/ALB info, etc
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Have it provision literally everything needed to build and run that container
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Have a module we can reuse for that for each container we have
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Or should there be a root module for each container?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
So if you have one module that tried to do all of that (beyond terraform not supporting it due to count of cannot be computed errors) the problem is the amount of infrastructure it touches is massive. So if you just wanted to change an auto scale group max size, you will incidentally be risking changes to every other part of the infrastructure because everything is in one module.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Sure, but it would be all the infrastructure having to do with a logical component of the overall microservice architecture.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
If anything related to that microserivice gets boofed, the whole microservice is boofed anyway.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
All I can say is you have to experience it first hand :-)
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
That top-level module could of course be compose of other modules for doing just the ECS, just the CodePipeline, just the ALB
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
infact, those are already written
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
they’re yours
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
It’s hugely composable and there is no one right answer
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I run two container-layers in our microservice architecture with this module: https://gist.github.com/dustinlacewell/c89421595a20577f1394251e99d51dd8
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Just tradeoffs
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
exactly
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
It does ECR/CloudWatch/Container/Task/ALB-target-listener/CodePipeline
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
we, for example, have big
and small
root modules
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Example Terraform service catalog of “root module” invocations for provisioning reference architectures - cloudposse/terraform-root-modules
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Example Terraform service catalog of “root module” invocations for provisioning reference architectures - cloudposse/terraform-root-modules
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
lmao
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
wish i found that first link three days ago
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
i literally just built all that, but not as good, and there’s more there like dns
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Isn’t it Friday night? Here we all are on slack
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I work for a broke startup so I work all the time for the foreseeable future
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
lol
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
let’s get some beer
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
OK
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Here’s a question I haven’t been able to answer for myself yet. Is a single ECR registry capable of holding multiple images? Or is a single ECR only for a single Docker image?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I know that a Docker image can have multiple tags. I don’t mean that. I mean can you store multiple images in a single ECR. Do I need an ECR for each of my containers, or just one for the region?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Cuz, Docker Registry obviously does multiple images, so I’m confused on this point.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
one ECR can have just one image
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Got it thank you
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Make sense since the ECR name is set as the image name. Thanks for confirming.
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Gotta sign off, catch some zzzzzzs. Good discussion! Night folks!
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
o/
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
@Andriy Knysh (Cloud Posse) I must admit, I poured a cup of coffee instead.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
haha, maybe tomorrow, good night
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Another thing I worry about, is that I have a container to containerize soon that hosts multiple ports.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I think I will need to place this Fargate container into multiple target-groups, one for each of the ports.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
But the posse module for tasks only takes a single ARN
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Oh maybe you have just one target group for the container, but you add multiple listeners.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
That must be it.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
also, if you’re using our terraform-aws-ecs-web-app
module, you might want to fork it for your needs since it’s rather opinionated. it was designed to show how to use all of our other ecs modules together.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I’m now pondering whether each top-level layer module should have it’s own remote state. And whether the environment HCL should pass values to layers by utilizing the remote_state data source. That’s basically essential if you’re going to use -target right? Like how else does the auroradb layer get the right private DNS zone id? It has a variable on it’s module for that. But how does the environment HCL pass it to it, if the private zone isn’t being provisioned due to only the auroradb layer being targetted? It has to use the remote data source to access the other layer module’s outputs right?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
@Erik Osterman (Cloud Posse) thoughts on that?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
we do use separate states for each root module
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
and we use both 1) remote state 2) data source lookup to communicate values b/w them
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I see.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
but again, that depends
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
we also use 3) write values from a module into SSM param store or AWS Secret Manager, then read those values from other modules
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Terraform module to populate AWS Systems Manager (SSM) Parameter Store with values from Terraform. Works great with Chamber. - cloudposse/terraform-aws-ssm-parameter-store
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Never even heard of that before
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Example Terraform service catalog of “root module” invocations for provisioning reference architectures - cloudposse/terraform-root-modules
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
@Andriy Knysh (Cloud Posse) I’m trying to imagine how all the state management would look on the environment/configuration repo that calls the various root modules.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Right now, I just have a little folder with a tiny bit of HCL that sets up an S3 bucket and DynamoDB table, and then those details are used when I apply my actual HCL
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Would I have to have little side modules on the environment side for each root module the enviornment uses?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I bet you guys have some crazy complex infrastructures
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I love all your abstractions, it’s great.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
so, this is opinionated, but here’s what we have/use (in simple terms, regardless of complex infrastructure or not):
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
- TF modules https://github.com/cloudposse?utf8=%E2%9C%93&q=terraform-&type=&language= - this is logic and also just the definition w/o specifying the invocation
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I’ve been calling those Asset/Component modules. Individual AWS assets. Got it.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
- Then we describe the invocation of those modules (which ones to use deppens on your use case) in the catalog of module invocation https://github.com/cloudposse/terraform-root-modules
Example Terraform service catalog of “root module” invocations for provisioning reference architectures - cloudposse/terraform-root-modules
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I’ve been calling those Layer Modules. They define major aspects/facets of an environments overall infrastructure. Got it.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
those invocations are identity-less, they don’t care where and how they are deployed, this is just logic
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Right, like you said some are big, some are small, but they compose the lower-level Asset modules.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
- Then for each environment (prod, staging, dev, test), we have a GitHub repo with a Dockerfile that does two things:
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
1) Copies the invocation of the root modules from the catalog into the container (geodesic
in our case) - this is logic
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
2) Defines ENV vars to configure the modules (the ENV vars could come from many diff places including Dockerfile, SSM param store, HashiCorp Vault, direnv, etc.) - this is config
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
then we start the container and it has all the code and config required to run a particular environment
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
so only the final container has identity and knows what it will be deploying and where and how (environment, AWS region, AWS account. etc.)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
the final container could be run from your computer or from a CI/CD system (e.g #codefresh )
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
OK I got confused along the way
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Example Terraform/Kubernetes Reference Infrastructure for Cloud Posse Production Organization in AWS - cloudposse/prod.cloudposse.co
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
You said “Copies the invocation of the root modules from the catalog into the container”. I thought the “catalog” was a repo with all the root/layer modules inside of it. And that this environment repo had some HCL that called root/layer modules out of the catalog to compose an entire environment architecture.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Where did I go wrong? Is the catalog something different than the repo containing the root/layer modules?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Example Terraform/Kubernetes Reference Infrastructure for Cloud Posse Production Organization in AWS - cloudposse/prod.cloudposse.co
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
each environment (prod, staging, dev) copies the entire catalog, OR only those modules that are needed for the particular environment
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Sure, and it also has some HCL of its own for calling the root/layer modules from the catalog right?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
The environments.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
looks at the links.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
it can have (if it’s very specific to the environment AND is not re-used in other environments)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
but usually you want to re-use modules across diff environment (with different params of cause)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
that’s why we put those module invocations in the common catalog (root modules as we call it)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
so in other words, the catalog is a collection of reusable module invocations (not definitions) that you would reuse in your environments. But any of those environments could have some specific module definitions and invocations nott from the catalog (if that makes sense)
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Yes, reuse modules, but in an experimental environment, you might be trying to save costs and switch from one DB to another DB, and so a different root/layer module would be called in that environment’s HCL right?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Like, you probably use a half-dozen or so root/layer modules to create a moderate environment for a reasonable multi-layered service right?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
So there’s got to be something in the environment, HCL, which calls all those modules.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Remember, there’s no God Module
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Like an environment doesn’t invoke just one God Module from the catalogue right? Because the catalog contains modules which only cover a single “layer” of the environment. ECS, Networking, Database, etc right?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
So each environment must have a bit of HCL which are the invocations of the various layer modules which define the major sections of the infrastructure.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
lol I’m gonna make sense of this eventually
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I see in your Dockerfile you’re copying the various root modules which create various layers of the environment. account-dns, acm, cloudtrail, etc
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Which reaffirms my idea that root modules only cover a facet of the environment, so you need multiple root modules to define an environment.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
So where is the per-environment HCL that invokes those modules? in conf/
perhaps.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
There’s nothing in conf/!
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Are you mounting the environment’s HCL into the container via volume at conf/
?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
The stuff that calls the root modules?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
OHH you’re literally CD’ing into the root modules
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
or use atlantis
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
and running terraform apply from inside the root modules themselves
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
If we need something special or new, we add it to the catalog and then can copy to the container of that environment
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
nothing calls the root modules
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
If we need a smaller db instance for dev, all those settings are config and provided from ENV vars
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
So let’s say you needed two “instances” of what a root module provides. Like say it provides all the ECS and related infrastructure for running a microservice web-container.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Do you cd into the same root module and call it with different args?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Or would you end up making two root modules, one for each container in the microservice architecture?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I’m guessing the latter?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
In our case, we would create a “big” root module combining the smaller ones, and put it into the catalog
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Then configure it from ENV vars from the container
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Let me give an example.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Let’s say you have a single webservice container that does server side rendering. Like a Django application serving it’s own static media. You have an Asset module like the CloudPosse ecs-codepipeline module, and other’s like the Task and Container module. You create a Root Module which ties these together so you can deploy your Django application and everything it needs as a single Root Module. You might also have Root Module for the VPC/Networking for that application. So, you have an environment dockerfile, and you start by CD’ing into the VPC Root Module, and you deploy it. Then you CD into the Django App’s Root Module, and you deploy that too. OK so now you have a Django web-service deployed.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Now lets say your dev team refactors the app so that Django only serves the backend, and you have an Nginx container serving the static assets for the frontend. So now you need another ECS-CodePipeline module, Task and Container modules. Just like for the Django container.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Do you create another Root Module for the Nginx Frontend container, which calls the CodePipeline, Task and Container modules again?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
So then you’d have 3 Root Modules you’d be able to deploy independently? How would you resolve the duplication?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
(the calling of ecs-codepipeline, task, and container modules the same way in two root modules representing the two container services in your environment)
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
BTW thanks for all the charity.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
so yea, good example
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
we mostly use k8s for that kind of things
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
and did not have ECS infra such as that
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Sure but you can imagine someone using your modules for that (I am )
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
but i guess we would create one module with all that stuff but with many params to be able to parameterize all the things and even switch some things on/off
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Sure, a root module which combines ecs-codepipeline, task and container, etc to deploy a single containerized microservice
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
But what if you needed two? Two different containers but deployed essentially the same way.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
You already have on Root Module for deploying the unified container.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
But now you need two, so do you just copy paste the Root Module for the second container, as it is basically exactly the same minus some port mappings and source repo, and stuff?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
that’s config
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Or would you create a high-level NON-root-module which expressed how to deploy a ecs-codepipeline, task and container together
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
can be parmeterized
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
so yes, one module
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
And then two root modules which just called the non-root-module with different settings?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Example Terraform service catalog of “root module” invocations for provisioning reference architectures - cloudposse/terraform-root-modules
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
one non-root module though?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
But like
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
OK so you have one generalized root module for deploying ecs services great.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
those are just names (root or not)
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
So where are the different configs for the different containers?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Like in your prod.posse.com example.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Because it seems the only config that’s available is environmental config
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Like the difference between dev and prod
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
if you want to re-use the module (which can combine smaller modules), parametirize it and out into the catalog
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
But where would the difference between frontend and backend be, for calling the ecs root module twice?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
The catalog is the thing that holds root modules right?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
it holds modules, big and small, that can be re-used
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Or is the catalog the repo of modules that your root modules use?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Never compose “root modules” inside of other root modules. If or when this is desired, then the module should be split off into a new repository and versioned independently as a standalone module.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Example Terraform service catalog of “root module” invocations for provisioning reference architectures - cloudposse/terraform-root-modules
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Sure, I think I’m down with that idea.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
OK, so you already have the ECS module right?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
It is a general parameterized module that can deploy any ECS service.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
You want to call it twice, with different parameters.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Where do you store the different paremters for calling that module twice?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
That would be considered a different project folder.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
e.g. conf/vpc1
and conf/vpc2
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
or conf/us-west-2/vpc
and conf/us-east-1/vpc
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
So you’d simply copy the Root Module out of the source Docker image twice?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
depends what you mean by “copy”
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
we terraform init
both
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
using -from-module
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Like two ECS layers.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
A frontend and a backend.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
They can both be implemented by the root module you have “ecs” in your root modules example.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
By passing different settings to it.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
yes, so we init a new root module from that one. then we use terraform.tfvars
to update the settings (or envs)
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
So inside the prod Docker image, we copy the ECS root module… once? twice?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
if you want 2 ECS clusters, you copy it twice
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
but you wouldn’t have both clusters in the same project folder
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
you might have us-west-2/mgmt
and us-west-2/public
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Right so where do the parameters you pass to each copy come from? Its the same HCL module, but you’re going to call it/init/apply it twice with separate states.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
the parameters are stored in us-west-2/mgmt/terraform.tfvars
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Same HCL in terms of implementation - it’s been copied to two different places in conf/
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
and us-west-2/public/terraform.tfvars
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Where are those?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
you create those var files
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
those are your settings
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
that’s what makes it unique to your org and not ours
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Are they baked into the prod shell image?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
yes
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
that’s one way
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
they are always in the git repo
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
this is central to our CI/CD strategy
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
first important to understand how that works
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
when we use atlantis, then we deploy it in the account container
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
OK so the environment specific repo has environment specific variable files for invoking the various root modules that the environment specific dockerfile/shell has available
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
when we do that, we cannot rebuild the container with every change; instead atlantis clones the changes into the container
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
so yes, depending on what you want, you can 1) copy the same module twice and use it with diff params; 2) crerate a “bigger” module combining the smaller ones and copy it once
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I see
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@Idlework I think you summarized it well
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Because the only environment variables that change between your environment repos is environment specific stuff.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Like between dev and prod.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
So you’re in dev, you copy in the ECS module into the Docker image
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
You’re loaded into the geodesic shell
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
You’re ready to deploy root modules by CD’ing into them and running terraform apply
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
You CD into the ecs root module
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
How do you go about deploying the frontend
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
And then how do you go about deploying the backend?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
They both depend on this generalized ECS root module we copied into the prod Docker image.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
well, make a “bigger” module with frontend and backend in it, and put into the catalog into diff folder
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
that all depends on many diff factors
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
we are talking about ideas and patterns here
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
how do you implement it, your choice
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Sure, I’m totally just fishing to understand how the posse does it
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
yes I get it
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
and thanks for those questions
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
no solution is perfect
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
some of your use-cases could be not covered, or covered better by some other solutions
![foqal avatar](https://avatars.slack-edge.com/2019-03-11/572601092560_390fb278d5cedc640d76_72.png)
Helpful question stored to <@Foqal> by @Andriy Knysh (Cloud Posse):
I'm trying to imagine how all the state management would look on the environment/configuration repo that calls the various root modules...
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Since root modules are literally terraform apply
contexts… how do they boot strap their remote state?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
You CD into one and terrafrom apply
, didn’t I need to bootstrap its remote state first somehow?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Example Terraform service catalog of “root module” invocations for provisioning reference architectures - cloudposse/terraform-root-modules
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
it uses the S3 backend provisioned separately before
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
the backend is configured from ENV vars in the container
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Example Terraform service catalog of “root module” invocations for provisioning reference architectures - cloudposse/terraform-root-modules
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Do you guys provision like just one backend bucket, and then use varying names to store the various states in that bucket in different files? So you only have to provision the backend once?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
looks
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
one backend per environment (AWS account)
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
oh I see OK
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
then each projects is in separate folder in the repo and in the backend S3 bucket
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
by project you mean “root module where we run terraform apply” right
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
all these folders here https://github.com/cloudposse/terraform-root-modules/tree/master/aws
Example Terraform service catalog of “root module” invocations for provisioning reference architectures - cloudposse/terraform-root-modules
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
right
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
BTW, take a look at the docs
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
little bit outdated, but can give you some ideas
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I really appreciate all the advice. It was way above and beyond. Thanks for sticking through all that. Really!
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Wow atlantis looks cool
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
phew there is still so much to learn
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Just in case you want to follow, #atlantis
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Oh dang, you can’t refer to modules in a remote git repo that are not at the root?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
rough
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
try this:
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
terraform init -from-module=git::<https://github.com/cloudposse/terraform-root-modules.git//aws/users?ref=tags/0.53.3>"
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
that initializes the aws/users
module
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I mean in a module { source = } block
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Or maybe that double slash works there too?
2019-03-23
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
yes, that works in a source block too
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Nice
2019-03-25
![xluffy avatar](https://secure.gravatar.com/avatar/f3405055ad5ad1d4933752b143807a49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
Hey, I have a string variable 10.20.30.111
, I want to get last element of this string, expecting output is 111
, I can use
value = "${element(split(".", var.private_ip), length(split(".", var.private_ip)) - 1 )}"
But too complex, any suggestion?
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Is that too complicated?
![xluffy avatar](https://secure.gravatar.com/avatar/f3405055ad5ad1d4933752b143807a49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
Hmm, It’s work but too complicated with me. I want to make sure to have another solution
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
you’re splitting on “.” and looking for the last index of the output
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
![mmuehlberger avatar](https://secure.gravatar.com/avatar/752c7a387bef6cb7254e3ff34b276d10.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
You can also just do element(split(".", var.private_ip), 3)
since IP addresses have a predefined syntax (always 4 blocks).
![xluffy avatar](https://secure.gravatar.com/avatar/f3405055ad5ad1d4933752b143807a49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
yeah, my bad tks
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Does anyone else ever get this?
Failed to load backend:
Error configuring the backend "s3": RequestError: send request failed
caused by: Post <https://sts.amazonaws.com/>: dial tcp: lookup sts.amazonaws.com on 8.8.4.4:53: read udp 172.17.0.2:46647->8.8.4.4:53: i/o timeout
Please update the configuration in your Terraform files to fix this error.
If you'd like to update the configuration interactively without storing
the values in your configuration, run "terraform init".
I feel it has something to do with my VPN
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
On my end?
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
It does seem to sort itself out when I turn off wifi / vpns thereby resetting my network connection
![albttx avatar](https://secure.gravatar.com/avatar/0dc920d97dce69c0e19a8b5eba62b41c.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
Hello, just posted this https://github.com/cloudposse/terraform-aws-acm-request-certificate/issues/16 just wan’t to be sure it’s an error from the module… any idea ?
Error: module.acm_request_certificate.aws_route53_record.default: 1 error(s) occurred: * module.acm_request_certificate.aws_route53_record.default: At column 3, line 1: lookup: argument 1 should be…
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
How do I get what I believe is NATing so that public IP r53 records NAT to private IP when using openvpn?
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Nvm looks like a security group issue actually
![Bharat avatar](https://secure.gravatar.com/avatar/304a804eafceb08cd1828e80216060df.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0002-72.png)
Terraform is marking task-def as inactive, when ever we update the task-def. We need those old task-def’s to do roll-back. We are deploying ECS-Service as part of CI. Any work around on how to retain the older versions of task-def’s ?
2019-03-26
![deftunix avatar](https://secure.gravatar.com/avatar/d7ddb1c2c5c8f3b7aaac64bb65b2c70b.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0021-72.png)
hi everyone
![deftunix avatar](https://secure.gravatar.com/avatar/d7ddb1c2c5c8f3b7aaac64bb65b2c70b.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0021-72.png)
I am using terraform to provision consul cluster on aws using the https://github.com/hashicorp/terraform-aws-consul module. do you have any
A Terraform Module for how to run Consul on AWS using Terraform and Packer - hashicorp/terraform-aws-consul
![deftunix avatar](https://secure.gravatar.com/avatar/d7ddb1c2c5c8f3b7aaac64bb65b2c70b.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0021-72.png)
suggestion to terminate instance one by one when launch configuration change?
![Igor avatar](https://avatars.slack-edge.com/2022-03-17/3244104166391_48a8db73944f03735a65_72.jpg)
I am suddenly having trouble passing the route 53 zone nameservers as records to the NS record
![Igor avatar](https://avatars.slack-edge.com/2022-03-17/3244104166391_48a8db73944f03735a65_72.jpg)
The error I get is records.0 must be a single value, not a list
![Igor avatar](https://avatars.slack-edge.com/2022-03-17/3244104166391_48a8db73944f03735a65_72.jpg)
I am passing in ["${aws_route53_zone.hostedzone.*.name_servers}"]
![antonbabenko avatar](https://secure.gravatar.com/avatar/fc9fce3c16a287d672ec5433430f11ca.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
![Igor avatar](https://avatars.slack-edge.com/2022-03-17/3244104166391_48a8db73944f03735a65_72.jpg)
Thanks, I just stumbled on that
![antonbabenko avatar](https://secure.gravatar.com/avatar/fc9fce3c16a287d672ec5433430f11ca.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
Or actually try: ["${aws_route53_zone.hostedzone.name_servers[0]}"]
![Igor avatar](https://avatars.slack-edge.com/2022-03-17/3244104166391_48a8db73944f03735a65_72.jpg)
![Igor avatar](https://avatars.slack-edge.com/2022-03-17/3244104166391_48a8db73944f03735a65_72.jpg)
element(…, 0) didn’t (“element() may only be used with flat lists”)
![antonbabenko avatar](https://secure.gravatar.com/avatar/fc9fce3c16a287d672ec5433430f11ca.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
right, combine with flatten, if you need to get just one element
![Igor avatar](https://avatars.slack-edge.com/2022-03-17/3244104166391_48a8db73944f03735a65_72.jpg)
Thanks
![tallu avatar](https://secure.gravatar.com/avatar/e2f5f0e701f27310b76e326d52bbb7b9.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0017-72.png)
given values="m1.xlarge,c4.xlarge,c3.xlarge,c5.xlarge,t2.xlarge,r3.xlarge"
can I use jsonencode
or something similar to get the following
{
"InstanceType": "m1.xlarge"
},
{
"InstanceType": "c4.xlarge"
},
{
"InstanceType": "c3.xlarge"
},
{
"InstanceType": "c5.xlarge"
},
{
"InstanceType": "t2.xlarge"
},
{
"InstanceType": "r3.xlarge"
}
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
@tallu https://www.terraform.io/docs/configuration/functions/split.html https://www.terraform.io/docs/configuration/functions/map.html
The split function produces a list by dividing a given string at all occurrences of a given separator.
The map function constructs a map from some given elements.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
you can use split
+ zipmap
https://www.terraform.io/docs/configuration-0-11/interpolation.html#zipmap-list-list-
Embedded within strings in Terraform, whether you’re using the Terraform syntax or JSON syntax, you can interpolate other values into strings. These interpolations are wrapped in ${}
, such as ${var.foo}
.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
or use null_data_source
to construct anything you want, e.g. https://github.com/cloudposse/terraform-aws-ec2-autoscale-group/blob/master/main.tf#L63
Terraform module to provision Auto Scaling Group and Launch Template on AWS - cloudposse/terraform-aws-ec2-autoscale-group
![tallu avatar](https://secure.gravatar.com/avatar/e2f5f0e701f27310b76e326d52bbb7b9.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0017-72.png)
map
fails when the key is same like
> map("InstanceType","m1.xlarge","InstanceType","c4.xlarge")
map: argument 3 is a duplicate key: "InstanceType" in:
${map("InstanceType","m1.xlarge","InstanceType","c4.xlarge")}
Terraform module to provision Auto Scaling Group and Launch Template on AWS - cloudposse/terraform-aws-ec2-autoscale-group
![tallu avatar](https://secure.gravatar.com/avatar/e2f5f0e701f27310b76e326d52bbb7b9.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0017-72.png)
could not get my desired output looking at all the proposed links
![tallu avatar](https://secure.gravatar.com/avatar/e2f5f0e701f27310b76e326d52bbb7b9.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0017-72.png)
thanks I will try it out
![tallu avatar](https://secure.gravatar.com/avatar/e2f5f0e701f27310b76e326d52bbb7b9.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0017-72.png)
https://www.terraform.io/docs/configuration/functions/formatlist.html is this terraform 0.12 only ?
The formatlist function produces a list of strings by formatting a number of other values according to a specification string.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
no
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Embedded within strings in Terraform, whether you’re using the Terraform syntax or JSON syntax, you can interpolate other values into strings. These interpolations are wrapped in ${}
, such as ${var.foo}
.
![tallu avatar](https://secure.gravatar.com/avatar/e2f5f0e701f27310b76e326d52bbb7b9.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0017-72.png)
> formatlist("Hello, %s!", ["Valentina", "Ander", "Olivia", "Sam"])
parse error at 1:28: expected expression but found "["
![tallu avatar](https://secure.gravatar.com/avatar/e2f5f0e701f27310b76e326d52bbb7b9.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0017-72.png)
in terraform console
![tallu avatar](https://secure.gravatar.com/avatar/e2f5f0e701f27310b76e326d52bbb7b9.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0017-72.png)
nevermind formatlist("Hello, %s!", list("Valentina", "Ander", "Olivia", "Sam"))
worked
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
What would be the cause of this failure when deploying ecs-codepipeline
* module.backend.module.ecs_codepipeline.module.github_webhooks.github_repository_webhook.default: 1 error(s) occurred:
• github_repository_webhook.default: POST <https://api.github.com/repos/dustinlacewell/roboduels-frontend/hooks>: 404 Not Found []
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
did you create a correct GitHub token?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Hmm…
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Oh I know what happened. Thanks @Andriy Knysh (Cloud Posse) lol.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
OK, does anyone ahve an idea about this one? I’m chalking this up to my inexperience with the interpolation details:
* output.cache_hostname: element: element() may only be used with flat lists, this list contains elements of type map in:
${element(module.elasticache.nodes, 0)}
* module.elasticache.aws_route53_record.cache: 1 error(s) occurred:
* module.elasticache.aws_route53_record.cache: At column 3, line 1: element: argument 1 should be type list, got type string in:
${element(aws_elasticache_cluster.cache.cache_nodes.*.address, 0)}
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
oh that’s two errors
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
aws_elasticache_cluster.cache.cache_nodes
is a map
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
isn’t it a list of maps?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
lookup(element(aws_elasticache_cluster.cache.cache_nodes, 0), "address")
- try something like this
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Interesting.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
ew I think I have to escape the inner quotes
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
does a raindance for 0.12
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
escaping doesn’t work either…
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
value = "${lookup(element(module.elasticache.nodes, 0), \"address\")}"
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
what are you escaping?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Error: Error loading /home/ldlework/roboduels/infra/stages/qa/outputs.tf: Error reading config for output cache_hostname: parse error at 1 expected expression but found invalid sequence “\”
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
a miracle of hcl is that you do not need to escape inner quotes like that
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
value = "${element(module.elasticache.nodes, 0)["address"]}"
- or this
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
element() may only be used with flat lists, this list contains elements of type map in ...
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
so, no element()
for you…
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
…
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
lol what, how do I report the address of the primary elasticache node? can I just output the whole list?
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
aws_elasticache_cluster.cache.cache_nodes[0]
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
that will output the whole map right?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
i guess i don’t know why I’m trying to reduce all my outputs to single values
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
stops doing that.
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
i think i also mixed up the two errors there, oops
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Oh ok, so I guess I still have a problem
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I want to give internal simple DNS to the first ip in the elasticache cluster
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I so had something like:
records = ["${element(aws_elasticache_cluster.cache.cache_nodes.*.address, 0)}"]
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
But it sounds like none of the options we just discussed are going to work to extract the address of the first item?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Element will not work on list of maps
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
In this case use something like this https://github.com/cloudposse/terraform-aws-ec2-autoscale-group/blob/master/main.tf#L63
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
You can input and output anything
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Really? How will I extract the address of the first map of the lists?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Wont I have the same exact problem there?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
You can output a list of values
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
And then use element
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Genius.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
So you mean, output all the addresses as a list using splat. Then take the first. I’ll try it.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
here is an example of working with list of maps and getting the first element https://github.com/cloudposse/terraform-aws-eks-cluster/blob/master/main.tf#L114
Terraform module for provisioning an EKS cluster. Contribute to cloudposse/terraform-aws-eks-cluster development by creating an account on GitHub.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
[0]
works with maps
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I have:
data "null_data_source" "cache_addresses" {
inputs = {
addresses = ["${aws_elasticache_cluster.cache.cache_nodes.*.address}"]
}
}
resource "aws_route53_record" "cache" {
zone_id = "${var.zone_id}"
name = "${local.name}"
type = "CNAME"
records = ["${data.null_data_source.cache_addresses.outputs["addresses"]}"]
ttl = "300"
}
and get:
Error: module.elasticache.aws_route53_record.cache: records: should be a list Error: module.elasticache.data.null_data_source.cache_addresses: inputs (addresses): ‘’ expected type ‘string’, got unconvertible type ‘[]interface {}’
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
this is a pretty confusing DSL all things considered
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
just try [0]
for now
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
@Andriy Knysh (Cloud Posse)
resource "aws_route53_record" "cache" {
zone_id = "${var.zone_id}"
name = "${local.name}"
type = "CNAME"
records = ["${aws_elasticache_cluster.cache.cache_nodes[0].address}"]
ttl = "300"
}
Error downloading modules: Error loading modules: module elasticache: Error loading .terraform/modules/a86e58cdab02f33e0c2a0f76c4ae3934/stacks/elasticache/main.tf: Error reading config for aws_route53_record[cache]: parse error at 1 expected “}” but found “.”
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Is that what you meant?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Starting to feel a little dumb here lol.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
[“${aws_elasticache_cluster.cache.cache_nodes[0][“address”]}“]
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
if [0]["address"]
together does not work, use locals as in the example (we had the same issues)
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
yeah that doesn’t work
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
OK trying coalescelist
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
coalescelist
has nothing to do with that
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
what am i looking at then hehe
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
the splat?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
ohhhh
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
the next few lines
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
i mean use locals to first get [0]
from the list, then another local to get [“data”] from the map
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
tries
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
@Andriy Knysh (Cloud Posse) thanks homie
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Why is the ECS container definition for the environment a list of maps?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
oh i probably need to do name/value
![GFox)(AWSDevSecOps avatar](https://avatars.slack-edge.com/2020-09-09/1350677900901_7fc87ee194554700bbcf_72.jpg)
Hello, anyone have any Terraform modules code to automate cis benchmarks in azure subscriptions / tenants ???
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
maybe ask in #azure
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
![GFox)(AWSDevSecOps avatar](https://avatars.slack-edge.com/2020-09-09/1350677900901_7fc87ee194554700bbcf_72.jpg)
if so, you’re going to be very popular!
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
A dependency graph encompassing all the CloudPosse projects would be awesome
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
nice idea! we’ll consider it thanks
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I’m changing the environment
setting of a https://github.com/cloudposse/terraform-aws-ecs-container-definition module and it isn’t updating the container defnition.
Terraform module to generate well-formed JSON documents (container definitions) that are passed to the aws_ecs_task_definition Terraform resource - cloudposse/terraform-aws-ecs-container-definition
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Not sure how to get it to change.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
TIL how to taint
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
not clear how to taint the container definition though…
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
just destroys the whole module
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
it just generates JSON output
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
are you using it with https://github.com/cloudposse/terraform-aws-ecs-alb-service-task/blob/master/examples/complete/main.tf#L52 ?
Terraform module which implements an ECS service which exposes a web service via ALB. - cloudposse/terraform-aws-ecs-alb-service-task
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
yes
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
and with ecs-codepipeline
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
what am I missing?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
you need to taint https://github.com/cloudposse/terraform-aws-ecs-alb-service-task/blob/master/main.tf#L41, the resources that uses the generated json
Terraform module which implements an ECS service which exposes a web service via ALB. - cloudposse/terraform-aws-ecs-alb-service-task
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
not sure why https://github.com/cloudposse/terraform-aws-ecs-alb-service-task/blob/master/main.tf#L202
Terraform module which implements an ECS service which exposes a web service via ALB. - cloudposse/terraform-aws-ecs-alb-service-task
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
but this will prevent from updating the entire task definition including the container definition
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
@Andriy Knysh (Cloud Posse) I ran terraform destroy
on the whole module and it says:
* module.backend.module.ecs_codepipeline.aws_s3_bucket.default (destroy): 1 error(s) occurred:
* aws_s3_bucket.default: error deleting S3 Bucket (us-west-1-qa-backend-codepipeline): BucketNotEmpty: The bucket you tried to delete is not empty
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I guess you have to manually go in and delete the bucket data?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
yes
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
lame
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
we will consider updating the module to add a var for force destroy on the bucket
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
@Andriy Knysh (Cloud Posse) why are the container definitions ignored in the lifecycle??
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
don’t know, did not implement that part, maybe there was a good reason, need to take a look
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
np
2019-03-27
![jaykm avatar](https://secure.gravatar.com/avatar/44c136a39b008eb9219556b5079d7ec6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0006-72.png)
Hello everyone, I Just joined this channel.
I want to ask one thing related to API gateway, I’m able to create API gateway, methods, and integration with lambda and I also configured all the headers, origins, methods, in the response parameters but CORS has not been configured. Can someone help me to get in, I can also send the terraform script how I’m implementing. @sahil FYI
![jaykm avatar](https://secure.gravatar.com/avatar/44c136a39b008eb9219556b5079d7ec6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0006-72.png)
@foqal No, I’m already given the permission of lambda to API gateway and I can also access the lambda from API gateway but If I do a request from the browser (Client) then It gives me CORS error and you can also see the error.
![jaykm avatar](https://secure.gravatar.com/avatar/44c136a39b008eb9219556b5079d7ec6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0006-72.png)
![jaykm avatar](https://secure.gravatar.com/avatar/44c136a39b008eb9219556b5079d7ec6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0006-72.png)
@foqal
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Anyone been lucky in using https://github.com/cloudposse/terraform-aws-ecr and setting up ECR
Terraform Module to manage Docker Container Registries on AWS ECR - cloudposse/terraform-aws-ecr
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
it was used many times before
Terraform Module to manage Docker Container Registries on AWS ECR - cloudposse/terraform-aws-ecr
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
what’s the issue?
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
2 probs.
1)
In the example module-resource “roles” argument is set. This isn’t in the documentation, variables.tf and also errors
I forked and did a make readme
to see if it was just not run but it doesn’t exist.
2) In the examples for cicd_user for codefresh the outputs error with
terraform init
Initializing modules...
- module.cicd_user
Getting source "git::<https://github.com/cloudposse/terraform-aws-iam-system-user.git?ref=tags/0.4.1>"
- module.ecr
- module.cicd_user.label
Getting source "git::<https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.5.4>"
- module.ecr.label
Initializing the backend...
Error: resource 'aws_iam_policy_attachment.login' config: "policy_login_arn" is not a valid output for module "ecr"
Error: resource 'aws_iam_policy_attachment.read' config: "policy_read_arn" is not a valid output for module "ecr"
Error: resource 'aws_iam_policy_attachment.write' config: "policy_write_arn" is not a valid output for module "ecr"
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
here it was tested about a month ago https://github.com/cloudposse/terraform-aws-ecs-web-app/blob/master/main.tf#L9
Terraform module that implements a web app on ECS and supports autoscaling, CI/CD, monitoring, ALB integration, and much more. - cloudposse/terraform-aws-ecs-web-app
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
the above is used here https://github.com/cloudposse/terraform-aws-ecs-atlantis/blob/master/main.tf#L59
Terraform module for deploying Atlantis as an ECS Task - cloudposse/terraform-aws-ecs-atlantis
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
also, here it was tested/deployed many months ago https://github.com/cloudposse/terraform-aws-jenkins/blob/master/main.tf#L65
Terraform module to build Docker image with Jenkins, save it to an ECR repo, and deploy to Elastic Beanstalk running Docker stack - cloudposse/terraform-aws-jenkins
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Thanks!
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Yep that looks like how I’ve set it up now
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Not sure why the doc has “roles” as an input then
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
prob because the module was completely redesigned in https://github.com/cloudposse/terraform-aws-ecr/releases/tag/0.3.0 and https://github.com/cloudposse/terraform-aws-ecr/releases/tag/0.4.0
Terraform Module to manage Docker Container Registries on AWS ECR - cloudposse/terraform-aws-ecr
Terraform Module to manage Docker Container Registries on AWS ECR - cloudposse/terraform-aws-ecr
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
and the docs were not updated
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Think its best to use the 2.x v?
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
feel like I’m setting myself up for one if I use 4.0
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
not sure, I tested it up to 0.2.9
, did not test latest releases, but they were tested by other people in many deployments (but maybe the interface is different)
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
hmm
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Using 0.40 I have an ECR with permissions
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
so it can’t NOT be working
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
ECR repo w/ permissions & lifecycle policy which was the premise
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Just the docs that are outdated it seems
![midacts avatar](https://secure.gravatar.com/avatar/aeb8c6947c394a9d7ae94afbda638a0d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
https://github.com/cloudposse/terraform-aws-ec2-instance Would i need to fork this to add a provisioner? We’d need to join Windows machines to the domain and run post provisioning steps on Windows and Linux.
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Does anyone else find that output.tf inside a module don’t go to stdout when using the module?
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
terraform output -module= mymodule
apparently this is a solution but eh
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
@oscarsullivan_old only the root module’s outputs are printed right?
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Yeh
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
you need to add the outputs from the child module(s) to the outputs of the parent
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Ah ok. That’s what I thought was but hoping to avoid that.
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Now I know about -module=x
I at least have a way to not dupe them
![antonbabenko avatar](https://secure.gravatar.com/avatar/fc9fce3c16a287d672ec5433430f11ca.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
Just discovered https://codeherent.tech/ - new kid in town, or am I the last one to find it?
![Igor avatar](https://avatars.slack-edge.com/2022-03-17/3244104166391_48a8db73944f03735a65_72.jpg)
Looks cool ^^
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
They have been reaching out to us
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Guess I should check it out
![antonbabenko avatar](https://secure.gravatar.com/avatar/fc9fce3c16a287d672ec5433430f11ca.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
It is too early and does not look for my cases or for my customers.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
watched the demo video… yea, an IDE for TF is not something we would support at this itme
![antonbabenko avatar](https://secure.gravatar.com/avatar/fc9fce3c16a287d672ec5433430f11ca.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
I’d like to have smart IDE with real-time validation and suggestions. Something what I could easily integrate in my existing workflows.
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
I’ve been looking at https://github.com/camptocamp/terraboard
A web dashboard to inspect Terraform States - camptocamp/terraboard
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
oh actually seeing slightly different use cases there
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
that’s actually a tool to visually USE terraform not audit it
![Igor avatar](https://avatars.slack-edge.com/2022-03-17/3244104166391_48a8db73944f03735a65_72.jpg)
modules.tf does visual->code, but it’d be good to be able to do code->visual. Think Atlantis, except for the large text output, you get a link to a nice diagram that describes the deltas.
![Igor avatar](https://avatars.slack-edge.com/2022-03-17/3244104166391_48a8db73944f03735a65_72.jpg)
And ideally another one after the apply is complete, with all of the unknowns resolved
![antonbabenko avatar](https://secure.gravatar.com/avatar/fc9fce3c16a287d672ec5433430f11ca.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
@Igor I have some nice ideas and POC how to get code -> visual
, but lack of time or $$$ to work on that.
![Igor avatar](https://avatars.slack-edge.com/2022-03-17/3244104166391_48a8db73944f03735a65_72.jpg)
I bet it’s a harder problem to solve than visual -> code
![antonbabenko avatar](https://secure.gravatar.com/avatar/fc9fce3c16a287d672ec5433430f11ca.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
It is pretty much equal with the same amount of details. More work is to convert from visual to cloudformation and from cloudformation to Terraform.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I suppose this appeals to a certain mode of developer and probably not the one using vim as their primary IDE ;)
![Igor avatar](https://avatars.slack-edge.com/2022-03-17/3244104166391_48a8db73944f03735a65_72.jpg)
It might make it easier to do code reviews
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
yes, as usual something like that looks nice and helpful at first, but then always gets in the way
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
Does this example actually work? https://github.com/cloudposse/terraform-aws-ecs-container-definition/blob/master/examples/multi_port_mappings/main.tf#L25-L36
I got this error when using a similar approach, but with 8080/80 (container/host):
* aws_ecs_task_definition.default: ClientException: When networkMode=awsvpc, the host ports and container ports in port mappings must match.
So I sleuthed and found https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_PortMapping.html:
If you are using containers in a task with the awsvpc or host network mode, exposed ports should be specified using containerPort. The hostPort can be left blank or it must be the same value as the containerPort.
Terraform module to generate well-formed JSON documents (container definitions) that are passed to the aws_ecs_task_definition Terraform resource - cloudposse/terraform-aws-ecs-container-definition
Port mappings allow containers to access ports on the host container instance to send or receive traffic. Port mappings are specified as part of the container definition.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
looks line not, needs a PR
Terraform module to generate well-formed JSON documents (container definitions) that are passed to the aws_ecs_task_definition Terraform resource - cloudposse/terraform-aws-ecs-container-definition
Port mappings allow containers to access ports on the host container instance to send or receive traffic. Port mappings are specified as part of the container definition.
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
ok. just wanted to make sure i wasn’t in crazy town
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
we’re holding an office hours
![Alex Siegman avatar](https://avatars.slack-edge.com/2019-04-10/592429074434_cea95e800f54d8ea3544_72.jpg)
@Erik Osterman (Cloud Posse) Yeah I’m just listening in to see what’s up
![Igor avatar](https://avatars.slack-edge.com/2022-03-17/3244104166391_48a8db73944f03735a65_72.jpg)
Has anyone ever gotten a diffs didn't match during apply. This is a bug with Terraform and should be reported as a GitHub Issue.
message from Terraform?
![Tim Malone avatar](https://secure.gravatar.com/avatar/cec04d078c5af3d798433ab294657e36.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
i’ve seen it a couple of times. usually just another apply fixed it… … but i would make sure your state is backed up - if you don’t already have it versioned - just in case
![Igor avatar](https://avatars.slack-edge.com/2022-03-17/3244104166391_48a8db73944f03735a65_72.jpg)
Thanks, it looks like it didn’t harm anything on my side either
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Maybe consider making https://github.com/cloudposse/terraform-aws-ecs-alb-service-task.git support building the alb conditionally
Terraform module which implements an ECS service which exposes a web service via ALB. - cloudposse/terraform-aws-ecs-alb-service-task
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
the target_group / listener I mean
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
It’s annoying to do in 0.11 I know - but that’s exactly why I’d prefer if you maintained the HCL
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
we’ll consider that
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
this is how ALB is added now https://github.com/cloudposse/terraform-root-modules/tree/master/aws/ecs
Example Terraform service catalog of “root module” invocations for provisioning reference architectures - cloudposse/terraform-root-modules
2019-03-28
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Be careful terraform destroying an ECR… it isn’t like an S3 bucket where it warns you it is not empty… your images will go poof
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
@oscarsullivan_old i had the other problem the other day it wouldn’t delete the content inside of an s3 bucket when deleting an ecs-codepipeline
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
That’s a good thing! Don’t want to accidentally remove data, right? Is that what you mean
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I mean, ECR images when I literally tell terraform to destroy it?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
It should at least be an option..
![inactive avatar](https://secure.gravatar.com/avatar/24d5c3c5823d5de53a6d2519b4f0de88.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
Guys, I have a question regarding team collaboration. What do you guys use to work in teams when running terraform? I know that terraform provides a solution to this on their paid tiers, but they are cost prohibitive for us. Currently, our workaround has been to share our terraform templates via a cloud drive which is replicated locally to each developer workstation. It sorta works, but there are running into several limitations and issues. Any suggestions?
![Tim Malone avatar](https://secure.gravatar.com/avatar/cec04d078c5af3d798433ab294657e36.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
we just commit into a git repo, and use remote state (s3 with locking via dynamodb). have you seen atlantis? pretty much the free version of terraform enterprise, as i understand
![inactive avatar](https://secure.gravatar.com/avatar/24d5c3c5823d5de53a6d2519b4f0de88.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
we already use s3 as backend to save the terraform state. but we still need a way to run ‘terraform apply’ in different machines. using git only takes care of the source code, but it ignores several other files which must also be shared with team members
![inactive avatar](https://secure.gravatar.com/avatar/24d5c3c5823d5de53a6d2519b4f0de88.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
i checked atlantis earlier but i couldn’t find anything specific to team collaboration
![Tim Malone avatar](https://secure.gravatar.com/avatar/cec04d078c5af3d798433ab294657e36.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
atlantis’ whole purpose is team collab - their tagline is even ‘Start working on Terraform as a team.’ https://www.runatlantis.io/
![Tim Malone avatar](https://secure.gravatar.com/avatar/cec04d078c5af3d798433ab294657e36.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
re the other files that need to be shared - what sort of files are we talking?
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
This is IMO the hardest part of terraform. I would recommend using workspaces
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
In order to solve the team issue, you would need some kind of pipelines that have queues.
![inactive avatar](https://secure.gravatar.com/avatar/24d5c3c5823d5de53a6d2519b4f0de88.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
We have ssh keys that are used when terraform deploys our bastion hosts. We also have terraform.tfvars which include credentials which cannot be pushed to git. And finally, our .terraform directory is not pushed to git which then forces each developer to reinitialize their local terraform environment with ‘terraform init’. We’ve been able to successfully do all of this using OneDrive… but I feel like this is a silly workaround and there must be a better solution out there that does not require spending \(\)
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
I’ve used jenkins in the past and it worked quite wel.
![inactive avatar](https://secure.gravatar.com/avatar/24d5c3c5823d5de53a6d2519b4f0de88.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
Another option for us was to create a shared VM where multiple users could use, one at a time (ughh)
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
First you need to solve the issue you’ve mentioned above though.
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
![inactive avatar](https://secure.gravatar.com/avatar/24d5c3c5823d5de53a6d2519b4f0de88.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
A third option that we are considering is using an NFS shared drive (even Amazon EFS) where we store all of our terraform files
![inactive avatar](https://secure.gravatar.com/avatar/24d5c3c5823d5de53a6d2519b4f0de88.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
And yes, we use Jenkins already to schedule and automate our deployments, but we still need to test them manually in our local machines
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
test meaning ?
![inactive avatar](https://secure.gravatar.com/avatar/24d5c3c5823d5de53a6d2519b4f0de88.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
Developer A makes a change to a terraform template locally on his machine. He runs ‘terraform apply’. It works.
![inactive avatar](https://secure.gravatar.com/avatar/24d5c3c5823d5de53a6d2519b4f0de88.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
He goes out to lunch. Developer B needs to pick up where he left of on his own machine
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
Well, why not put that on jenkins ?
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
or any other ci for that matter.
![inactive avatar](https://secure.gravatar.com/avatar/24d5c3c5823d5de53a6d2519b4f0de88.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
you mean use Jenkins as a shared VM?
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
and for this terraform plan
would suffice
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
you mean use Jenkins as a shared VM?
wait first you need a clear definition of a workflow
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
when you have this, then you can jump on implementation.
![hkaya avatar](https://avatars.slack-edge.com/2022-06-24/3714034883509_a421e2a1c13af69d16cb_72.png)
it doesn’t have to be jenkins, any pipeline would be fine, gitlab-ci or codefresh could also be used as a service, hence no vm involved
![hkaya avatar](https://avatars.slack-edge.com/2022-06-24/3714034883509_a421e2a1c13af69d16cb_72.png)
as for the public ssh keys, check them in to your repo, that’s why they are called public
![Tim Malone avatar](https://secure.gravatar.com/avatar/cec04d078c5af3d798433ab294657e36.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
definitely recommend some sort of secret share to get around the tfvars problem we use lastpass and manually update our local envs, but we don’t have a lot of secrets - could get painful if there were more. this could handle the ssh keys too (if they’re private)
if a full secret share is too much to jump to right away, you could even store tfvars in s3 to get started with - but of course tightly control the access
re init’ing local .terraform directory - that shouldn’t take very long to do, and terraform will tell you if you need to update - that shouldn’t be a deal breaker to require people to do that (in fact, it’s almost a necessity - it downloads the provider binaries suitable for the person’s machine)
![Abel Luck avatar](https://secure.gravatar.com/avatar/0f605397e0ead93a68e1be26dc26481a.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
we commit everything to git, but use mozilla’s sops utility to encrypt the secrets
![Abel Luck avatar](https://secure.gravatar.com/avatar/0f605397e0ead93a68e1be26dc26481a.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
Secrets management stinks, use some sops! Contribute to mozilla/sops development by creating an account on GitHub.
![Abel Luck avatar](https://secure.gravatar.com/avatar/0f605397e0ead93a68e1be26dc26481a.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
there’s a fantastic terraform provider for sops that lets you use the encrypted yaml/json seamlessly https://github.com/carlpett/terraform-provider-sops
A Terraform provider for reading Mozilla sops files - carlpett/terraform-provider-sops
![inactive avatar](https://secure.gravatar.com/avatar/24d5c3c5823d5de53a6d2519b4f0de88.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
I appreciate all of the feedback you have provided so far. The jenkins/ci pipeline makes sense to me, but only for automation deployments. But we still want independent execution to be done manually via our local terminal from our Mac. I will look into the secret share suggestions that you have pointed out as that does make sense. Thanks again.
![inactive avatar](https://secure.gravatar.com/avatar/24d5c3c5823d5de53a6d2519b4f0de88.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
I just checked sops and this is what I think makes the most sense. It will allow to check everything into git. Thanks @Abel Luck
![keen avatar](https://secure.gravatar.com/avatar/41580526a0ebadc7f2078aac776c30cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0005-72.png)
I’m a half fan of git-crypt https://github.com/AGWA/git-crypt - it’s cleanly transparent. as long as you have it setup anyway. (if you dont, it gets a bit uglier).
Transparent file encryption in git. Contribute to AGWA/git-crypt development by creating an account on GitHub.
![keen avatar](https://secure.gravatar.com/avatar/41580526a0ebadc7f2078aac776c30cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0005-72.png)
your specified files are decrypted on disk, but encrypted in the repo - transparently during the commit/checkout.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
you can also use AWS SSM param store + chamber
to store secrets
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
it works in a container on local machine
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
and from a CI/CD pipeline
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
# Deploy chart to cluster using helmfile (with chamber secrets)
- "chamber exec kops app -- helmfile --file config/helmfile.yaml --selector component=app sync --concurrency 1 --args '--wait --timeout=600 --force --reset-values'"
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
chamber exec namespace -- terraform plan
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
@inactive I’m particularly fond of using gopass
as a git-based secret store https://github.com/gopasspw/gopass which has first class support for summon
which is a tool that injects secrets as environment variables into processes (like when you run terraform apply
) https://github.com/cyberark/summon Here is an example of how Terraform is run:
summon -p $(which gopass) -f secrets.yml terraform apply
The slightly more awesome standard unix password manager for teams - gopasspw/gopass
CLI that provides on-demand secrets access for common DevOps tools - cyberark/summon
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Your secrets.yml
file simply is a mapping between environment variables you want to set on the terraform process, and the secret within the gopass store so like:
TF_VAR_github_oauth_token: !var roboduels/github/oauth-token
TF_VAR_discord_webhook_url: !var roboduels/discord/webhook-url
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Since the variables use the TF_VAR_ prefix, they will actually be set as Terraform variables on your root module!
![inactive avatar](https://secure.gravatar.com/avatar/24d5c3c5823d5de53a6d2519b4f0de88.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
Thanks again to all. Very useful tips.
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
![Tim Malone avatar](https://secure.gravatar.com/avatar/cec04d078c5af3d798433ab294657e36.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
someone could write a blog post based on it??
2019-03-29
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
Hey people, I just noticed some interesting behavior when using the ECR module https://github.com/cloudposse/terraform-aws-ecr/blob/master/main.tf#L34 makes apply fail if it’s empty. I use the label module but I do not have stage set, so I am wondering if setting a simple conditional here: https://github.com/cloudposse/terraform-aws-ecr/blob/master/main.tf#L11 would be good enough ?
Terraform Module to manage Docker Container Registries on AWS ECR - cloudposse/terraform-aws-ecr
Terraform Module to manage Docker Container Registries on AWS ECR - cloudposse/terraform-aws-ecr
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
The error is
aws_ecr_lifecycle_policy.default: InvalidParameterException: Invalid parameter at 'LifecyclePolicyText' failed to satisfy constraint: 'Lifecycle policy validation failure:
string "" is too short (length: 0, required minimum: 1)
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
hmm… why don’t you use something for the stage, e.g. test
or testing
? what’s the reason to not use it (all the modules were designed with the assumption to have namespace
, stage
and name
)
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
no, but that’s just because I Am used to environment rather than stage
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
nvm I can pass env in place of stage
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
yep, those are just labels
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
(environment and stage are the same in all cases we use the modules)
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
thanks for the reply though
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
You can even change the order if using terraform-null-label
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
oh yeah, I really dig that module
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
kudos for that one
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
hi
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
hi @Julio Tain Sueiras
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
just wanted to ask the opinion for a terraform LSP?
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
(though right now mostly focusing on adding provider/provisioner completion and adding terraform v0.12 support once is in GA to my plugin)
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
also any vim + terraform users here?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
what is terraform LSP? https://langserver.org ?
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
correct
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
(my plugin is https://github.com/juliosueiras/vim-terraform-completion )
A (Neo)Vim Autocompletion and linter for Terraform, a HashiCorp tool - juliosueiras/vim-terraform-completion
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
if you are talking about autocompletion/syntax highlighting/error highlighting, a lot of people are using VScode (with terraform plugin) or JetBrains IDEA (with terraform plugin)
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
I know that part(also a lot of people use my plugin for vim as well)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
nice plugin @Julio Tain Sueiras
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
since my thinking is, a LSP approach would allow any editor, and also can just focus on the new features rather then editor specific implementation
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
i like the LSP idea
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
for ex. vlad’s plugin is very good
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
but because is a standard jetbrains plugin
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
meaning that update time is quite far apart
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
but terraform provider get updated very frequently
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
(for that issue, I implemented a bot that auto update ,and do version base completion, incase you want to use data from older version of the provider)
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
also LSP would allow even more nonstandard editor
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
to have terraform features
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
like Atom(RIP)
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
P.S. @Andriy Knysh (Cloud Posse) for the vscode terraform plugin, right now, it only support aws/gcp/azure
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
he is implementing a new feature that would load the completion data from my plugin
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
oh nice
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
A (Neo)Vim Autocompletion and linter for Terraform, a HashiCorp tool - juliosueiras/vim-terraform-completion
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
A (Neo)Vim Autocompletion and linter for Terraform, a HashiCorp tool - juliosueiras/vim-terraform-completion
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
if you click on aws for example
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
it have the data for every version of the provider
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
since my thinking was, what if you want to lock to a version
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
and only want the editor have completion data of that version
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
great, looks like you did a lot of work for that
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
there is also extra small stuff like, autocomplete module’s attribute and argument , autocomplete modules list from registry.terraform.com, evaluate interpolation, open documentation of the current parameter in a module, etc
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
@Julio Tain Sueiras cool stuff!
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
the entire reason I did the plugin is, I don’t want to use another editor
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
but if there is no autocompletion, then terraform is quite annoyed to work with
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
(yea, that’s what it says on your GitHub profile )
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
but yeah, once TF0.12 is on GA
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
then I will work a LSP implementation
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
especially because Golang have the AST for HCL
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
are you going to use Golang or Ruby?
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
go
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
even better
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
I did several provider for terraform & added new feature to official terraform providers(vsphere) and packer(vsphere as well)
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
@Julio Tain Sueiras Can you add a Microsoft Clippy in case a user is writing iam_role_policy_attachment
?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
but Clippy did not end up well
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
party pooper
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
@Andriy Knysh (Cloud Posse) https://github.com/juliosueiras/terraform-provider-packer
A Terraform Provider to generate Packer JSON. Contribute to juliosueiras/terraform-provider-packer development by creating an account on GitHub.
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
also how would that work
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
?
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
Clippy:
It looks like you want to use iam_role_policy_attachment
, are you sure about that ?
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
XD
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
I actually use that, since I don’t like dealing with json
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
do you also correct formatting like hclfmt does ?
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
my plugin have a dependencies for vim-terraform
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
which have auto format
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
using terraform format
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
also any of you guys use vault?
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
I’m working with it at the moment
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
since I had a meeting with the Hashicorp’s people(Toronto division) around 1 month ago
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
and I mention that I wish there is a similar thing for vault like aws_iam_policy_document
data source
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
and they have it now
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
but……………
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
is not on the terraform docs
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
why not?
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
not sure
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
but is part of the official release
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
not a beta/alpha
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
so you can write all the vault policy
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
without using heredoc
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
that’s nice
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
P.S. the biggest best feeling I did was for kubernetes pod terraform
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
kube provider is nightmare to work with, without autocompletion
![antonbabenko avatar](https://secure.gravatar.com/avatar/fc9fce3c16a287d672ec5433430f11ca.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
You can always use json2hcl (https://github.com/kvz/json2hcl) to write packer.json as hcl and then just convert it to valid json. I use it pretty often for various cases.
Convert JSON to HCL, and vice versa . Contribute to kvz/json2hcl development by creating an account on GitHub.
![antonbabenko avatar](https://secure.gravatar.com/avatar/fc9fce3c16a287d672ec5433430f11ca.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
Though more often I use yaml<>json using https://github.com/dbohdan/remarshal
Convert between TOML, YAML and JSON. Contribute to dbohdan/remarshal development by creating an account on GitHub.
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
the use case I did for packer is because I want to reference terraform resources in packer
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
and json2hcl is a hard convert
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
but doesn’t account for several things
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
like terraform doesn’t understand the ideal of sequential
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
(so provisioners is going to have problem)
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
I use my provider with local_file resource
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
then null_resource with packer build
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
or validate
![antonbabenko avatar](https://secure.gravatar.com/avatar/fc9fce3c16a287d672ec5433430f11ca.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
@Julio Tain Sueiras I used your documentation generators back in the days (2+ years ago in my project - https://github.com/antonbabenko/terrapin). I mentioned you there in the bottom of README Thanks for that! It saved me some time. I will probably contact you in the future.
[not-WIP] Terraform module generator (not ready for its prime time, yet) - antonbabenko/terrapin
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
no problem
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
one of the most funniest I did (with my plugin)
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
was doing terraform with my android phone
![antonbabenko avatar](https://secure.gravatar.com/avatar/fc9fce3c16a287d672ec5433430f11ca.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
hehe, this one is pretty amazing usage of Terraform - https://www.youtube.com/watch?v=--iS_LH-5ls
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
nice!!
2019-03-30
![Bruce avatar](https://avatars.slack-edge.com/2019-03-30/595110427959_55a450c0df894b6e97fd_72.jpg)
Hey guys, I’m looking for a module to create a client VPN server to connect to our aws private network (home of our vault server). Any suggestions?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
hi @Bruce we have this module to create a vpn connection on AWS https://github.com/cloudposse/terraform-aws-vpn-connection
Terraform module to provision a site-to-site VPN connection between a VPC and an on-premises network - cloudposse/terraform-aws-vpn-connection
![Maxim Tishchenko avatar](https://secure.gravatar.com/avatar/853372c681dc96b95f42adcb88b0cb3f.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0007-72.png)
hey guys, I’m trying to fetch users from group via TF. but seems for me it is impossible… it is correct?
I was tried to fetch like that
data "aws_iam_group" "admin_group" {
group_name = "Admins"
}
but I can’t get user list from this data…
I was tried to fetch user with group like this
data "aws_iam_user" "admins" {
}
but it doesn’t have such filter.
can anybody help me ?
![antonbabenko avatar](https://secure.gravatar.com/avatar/fc9fce3c16a287d672ec5433430f11ca.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
This is true, there does not seem to be a way to fetch members of group, so you have to use external
data-source with aws- cli
(or other ways).
![Maxim Tishchenko avatar](https://secure.gravatar.com/avatar/853372c681dc96b95f42adcb88b0cb3f.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0007-72.png)
yeah.. thanks
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Why would ` count = “${var.alb_target_group_arn == “” ? 1 : 0}” produce:
* module.backend-worker.module.task.aws_ecs_service.default: aws_ecs_service.default: value of ‘count’ cannot be computed`
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Holy crap, you can’t have a submodule that uses dynamic counts?!
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Yea, more or less. It’s massively frustrating. It used to work better in older versions of terraform.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I’m stunned.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
in the end, we need something like sass for hcl.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Is this issue fixed in 0.12?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
nope
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
lol
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Define cloud apps and infrastructure in your favorite language and deploy to any cloud - pulumi/pulumi
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
lol is cloudposse going to migrate to that?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
No, it would be too much effort.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
What about using a system like Jinja2 to generate HCL?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
That’s what some people are doing
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Basically do what Saltstack does
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I see.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
The problem with that IMO is unless there is an open framework for doing it consistently across organizations, it leads to snowflakes
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
if there was an established way of doing (e.g. like SASS for CSS), then I could get behind it maybe
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
here was a fun hack by @antonbabenko https://github.com/antonbabenko/terrible
Let’s orchestrate Terraform configuration files with Ansible! Terrible! - antonbabenko/terrible
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I just thought of a nice project subtitle for pulumi:
Pulumi: Write your own bugs instead!
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
@Erik Osterman (Cloud Posse) Saltstack literally uses Jinja2 so at least there is prior-art there.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
It generates YAML. Compare this to ansible, which extends YAML is silly ways to give it dynamic features.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
It’s much more easier to understand a template that generates standard YAML. Easier to debug too. And the potential abstractions are much stronger.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
But with Jinja2 you could easily have conditional say, load_balancer
blocks in your aws_ecs_service resource.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
shakes fist
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I’m not saying there’s no prior art. I’m saying there’s no canonical way of doing it so one person does it in jinja, another person does it in ansible, another in salt, another using gotemplates, another using bash scripting, etc. So what we end up with is a proliferation of incompatible approaches. Even two people using jinja will probably approach it differently. Also, I don’t like a generalized tool repurposed for templating HCL (the way helm has done for YAML). Instead, I think it should be a highly opinionated, purpose built tool that uses a custom DSL which generates HCL.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I mean in that case, HCL itself just needs to improve. I was thinking more stop-gap measure.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
But I also did not think about the fact that if you have some module that’s parametrically expanded by some template system that there’s no way to do that between one module calling another. It basically wouldn’t work anyway.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Ideally HCL itself should improve - and it is with leaps and bounds in 0.12. However, Hashimoto himself said this whole count issue is incredibly difficult for them to solve and they don’t have a definitive solution for it.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
DSL to generate terraform configuration and run it - MastodonC/terraboot
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
(not recommending it… just stumbled across it)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Bundle a single artifact as a Terraform module. Contribute to joshdk/tfbundle development by creating an account on GitHub.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@tamsky
Bundle a single artifact as a Terraform module. Contribute to joshdk/tfbundle development by creating an account on GitHub.
![rohit avatar](https://secure.gravatar.com/avatar/96545ffc5c19a46414f41c76b28d2944.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0013-72.png)
@Erik Osterman (Cloud Posse) I don’t understand where tfbundle
would be useful. could you please elaborate the usecase(s) ?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
complex lambdas e.g. that npm install a lot of deps.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
using artifacts is nice b/c those artifacts are immutable
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
also, anyone can then deploy that lambda even if they don’t have npm installed locally
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
typically, in terraform modules that you see deploy an advanced lambda, they expect the end user to have a full local dev environment with all build tools required to build the lambda and zip it up. if that lambda is instead distributed as a zip, it mitigates that problem.
![rohit avatar](https://secure.gravatar.com/avatar/96545ffc5c19a46414f41c76b28d2944.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0013-72.png)
makes sense now
![rohit avatar](https://secure.gravatar.com/avatar/96545ffc5c19a46414f41c76b28d2944.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0013-72.png)
![rohit avatar](https://secure.gravatar.com/avatar/96545ffc5c19a46414f41c76b28d2944.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0013-72.png)
What is the best way to version your own terraform modules ? So that you use a particular version of your module(well tested) in prod and can also actively work on it
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
By splitting your sub-modules from your root-modules and using a git-tag as the source value on the module invocation.
![rohit avatar](https://secure.gravatar.com/avatar/96545ffc5c19a46414f41c76b28d2944.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0013-72.png)
I was thinking in the same lines but not exactly sure on how to do it. Does you have examples that i can look at ?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Example Terraform service catalog of “root module” invocations for provisioning reference architectures - cloudposse/terraform-root-modules
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
those are all of our examples of invoking modules
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
everytime we merge to master, we cut a new release
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
then in prod or staging, we do something like terraform init -from-module=git::<https://github.com/cloudposse/terraform-root-modules.git//aws/chamber?ref=tags/0.35.1>
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
(technically, we use cloudposse/tfenv
to make this easier)
![rohit avatar](https://secure.gravatar.com/avatar/96545ffc5c19a46414f41c76b28d2944.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0013-72.png)
I have my root module that invokes my submodules(compute,storage,networking) and each of my submodules uses different resourses/modules, what would be the best way to version in this scenario ?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
You version your root modules
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
then the root modules are what you promote to each account/stage
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
are you familiar with terraform init -from-module=
?
![rohit avatar](https://secure.gravatar.com/avatar/96545ffc5c19a46414f41c76b28d2944.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0013-72.png)
nope
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
that’s the missing piece
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
The terraform init
command is used to initialize a Terraform configuration. This is the first command that should be run for any new or existing Terraform configuration. It is safe to run this command multiple times.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Optionally, init can be run against an empty directory with the -from-module=MODULE-SOURCE option, in which case the given module will be copied into the target directory before any other initialization steps are run.
![rohit avatar](https://secure.gravatar.com/avatar/96545ffc5c19a46414f41c76b28d2944.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0013-72.png)
Interesting. So if my sub modules are currently pointing to ?ref=tags/1.2.2
and then i could run something like
terraform init -from-module=git::<https://github.com/cloudposse/terraform-root-modules.git//aws/chamber?ref=tags/2.1.2>
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
exactly
![rohit avatar](https://secure.gravatar.com/avatar/96545ffc5c19a46414f41c76b28d2944.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0013-72.png)
it will replace the source code in my sub modules with latest version code
![rohit avatar](https://secure.gravatar.com/avatar/96545ffc5c19a46414f41c76b28d2944.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0013-72.png)
correct ?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
it won’t replace though; it will error if your current directory contains *.tf
files
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
you could have a Makefile
with an init
target
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
that calls the abbove
![rohit avatar](https://secure.gravatar.com/avatar/96545ffc5c19a46414f41c76b28d2944.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0013-72.png)
Ohh. I would have to think more about the Makefile and init
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
or you can do this
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
export TF_CLI_ARGS_init="-from-module=git::<https://github.com/cloudposse/terraform-root-modules.git//aws/chamber?ref=tags/2.1.2>"
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
then when you run terraform init
, it will automatically import that module
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
(that’s what we do)
![rohit avatar](https://secure.gravatar.com/avatar/96545ffc5c19a46414f41c76b28d2944.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0013-72.png)
it will automatically import the latest version if i do exactly like what you do
![rohit avatar](https://secure.gravatar.com/avatar/96545ffc5c19a46414f41c76b28d2944.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0013-72.png)
sounds like magic
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
it’s an incredibly DRY way of doing terraform
![rohit avatar](https://secure.gravatar.com/avatar/96545ffc5c19a46414f41c76b28d2944.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0013-72.png)
So where does cloudposse/tfenv
fit in the process ?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
so the TF_CLI_ARGS_*
envs contain a long list of concatenated arguments
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
if you want to toggle just one argument, that’s a pain. for example, we want to target the prefix in the S3 bucket for state.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
So we want to define key value pairs of environment variables, then use tfenv
to combine them into argument above.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
We discuss tfenv
in more detail. search here: https://archive.sweetops.com/terraform/
SweetOps is a collaborative DevOps community. We welcome engineers from around the world of all skill levels, backgrounds, and experience to join us! This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build sweet infrastructure.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
^F
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
25 votes and 10 comments so far on Reddit
![rohit avatar](https://secure.gravatar.com/avatar/96545ffc5c19a46414f41c76b28d2944.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0013-72.png)
This is awesome
![rohit avatar](https://secure.gravatar.com/avatar/96545ffc5c19a46414f41c76b28d2944.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0013-72.png)
It is very tempting
![rohit avatar](https://secure.gravatar.com/avatar/96545ffc5c19a46414f41c76b28d2944.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0013-72.png)
I will have to try it soon
![rohit avatar](https://secure.gravatar.com/avatar/96545ffc5c19a46414f41c76b28d2944.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0013-72.png)
@Erik Osterman (Cloud Posse) you guys are doing amazing work
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
thanks @rohit!! Appreciate it
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Why would I be getting:
module.frontend.module.codepipeline.module.ecs_codepipeline.module.github_webhooks.provider.github: 1:3: unknown variable accessed: var.github_organization in:
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
It’s a variable problem inside of ecs-codepipeline?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
scratches his head.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
“Error: Error asking for user input: 1 error(s) occurred:”
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
oh man i have no idea what this is
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
2019-03-30T17:24:05.054-0500 [DEBUG] plugin.terraform-provider-github_v1.3.0_x4: plugin address: timestamp=2019-03-30T17:24:05.054-0500 network=unix address=/tmp/plugin407023942
2019/03/30 17:24:05 [ERROR] root.frontend.codepipeline.ecs_codepipeline.github_webhooks: eval: *terraform.EvalOpFilter, err: 1:3: unknown variable accessed: var.github_organization in:
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I have two ecs-codepipelines working great. When I tried to deploy a third, I got:
Action execution failed
Error calling startBuild: User: arn:aws:sts::607643753933:assumed-role/us-west-1-qa-backend-worker-codepipeline-assume/1553989516226 is not authorized to perform: codebuild:StartBuild on resource: arn:aws:codebuild:us-west-1:607643753933:project/us-west-1-qa-backend-worker-build (Service: AWSCodeBuild; Status Code: 400; Error Code: AccessDeniedException; Request ID: deba2268-5345-11e9-a5ef-d15213ce18a0)
I’m confused because the ecs-codepipeline module does not take any IAM information as variables…
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Looks like the ARNs mentions are unique to that third service “backend-worker”
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
So like there shouldn’t be any collision with the others. In which case why wouldn’t the IAM stuff that the module creates for itself be working?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Can anyone please help me reason why ecs-codebuild module would suffer this permission error when trying to build the container?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
hrmmmm that’s odd… you were able to deploy (2) without any problems, but the (3)rd one errors?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
execute arbitrary commands on Terraform create and destroy - samsung-cnct/terraform-provider-execute
![antonbabenko avatar](https://secure.gravatar.com/avatar/fc9fce3c16a287d672ec5433430f11ca.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
Welcome to terragrunt
execute arbitrary commands on Terraform create and destroy - samsung-cnct/terraform-provider-execute
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
except for terragrunt is a strap on
![antonbabenko avatar](https://secure.gravatar.com/avatar/fc9fce3c16a287d672ec5433430f11ca.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
But yeah, I see the value in such provider as a replacement to a script which will do something before the main “terraform apply”.
![antonbabenko avatar](https://secure.gravatar.com/avatar/fc9fce3c16a287d672ec5433430f11ca.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
More watchers than stars on github usually means that all company’s employees are watching
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
oh yea, in this case it’s not been updated also for a couple years
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
i highly doubt it’s (terraform-provider-external
) is compatible with the current version of tf
![antonbabenko avatar](https://secure.gravatar.com/avatar/fc9fce3c16a287d672ec5433430f11ca.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
certainly not, but there were similar providers out there.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
this opens up interesting possibilities
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
anyone ever kick the tires on this?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
…basically execute any command as part of the apply
or destroy
phase; this is different from local-exec on null_resource
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
lol I think my issue is coming from the fact that my codepipeline is getting created before the service/task
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
the service uses the json from the container, the container uses the ecr registry url from the codepipeline and so yeah
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
the world makes sense again
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
phew!
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
guess I have to break out the ECR from my codepipeline abstracting module
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
i love that feeling