#terraform (2019-04)
Discussions related to Terraform or Terraform Modules
Archive: https://archive.sweetops.com/terraform/
2019-04-01
**ldlework:** Today I tried the fixes that I thought were at the root of my CodePipeline/CodeBuild IAM issues, namely pulling out the ECR module so that it could be created before the pipeline was, but this didn’t actually solve the issue. Back at the same spot I was before.
**ldlework:** I’m really not sure why the IAM logic inside of the CloudPosse ecs-codepipeline module is failing for me now.
**Andriy Knysh (Cloud Posse):** what’s the error?
**Andriy Knysh (Cloud Posse):** this is a working example of using ECS with CodePipeline https://github.com/cloudposse/terraform-aws-ecs-atlantis
**Andriy Knysh (Cloud Posse):** the module gets called from here https://github.com/cloudposse/terraform-root-modules/tree/master/aws/ecs
**Andriy Knysh (Cloud Posse):** I feel that you are missing the default backend app https://github.com/cloudposse/terraform-root-modules/blob/master/aws/ecs/default-backend.tf, that is created and deployed to the cluster before the CodePipeline starts building your app
**Andriy Knysh (Cloud Posse):** @ldlework ^
**ldlework:** I’m gonna think about all that
**ldlework:** @Andriy Knysh (Cloud Posse) I’ve been going off this, https://github.com/cloudposse/terraform-aws-ecs-alb-service-task
**ldlework:** And since I need a version that is not exposed by the ALB I have tried to edit it a bit
**ldlework:** But now I am just trying to call it directly https://gist.github.com/dustinlacewell/a9cbe46d2ace7b71e2973ffb32531121 and Terraform is complaining:
```
* module.backend.module.service.aws_ecs_service.ignore_changes_task_definition: 1 error(s) occurred:
* aws_ecs_service.ignore_changes_task_definition: InvalidParameterException: Unable to assume role and validate the specified targetGroupArn. Please verify that the ECS service role being passed has the proper permissions.
```
**ldlework:** oh
**Andriy Knysh (Cloud Posse):** try to use this example https://github.com/cloudposse/terraform-aws-ecs-web-app/tree/master/examples/without_authentication first
**Andriy Knysh (Cloud Posse):** remove what you feel you don’t need later
**ldlework:** I’m so screwed
**ldlework:** this is just not working
**ldlework:** I guess I should produce a minimal example
**ldlework:** What’s a cloudposse module that uses the ecs-codepipeline module?
**ldlework:** There’s one which uses the ALB, ECR registry, container definition, the ECS task with ALB, CodePipeline, autoscaling, and CloudWatch in an example
**ldlework:** but I can’t find it now
**ldlework:** Race condition is not something I thought I would have to face down with Terraform
**Andriy Knysh (Cloud Posse):** https://github.com/cloudposse/terraform-aws-ecs-web-app uses CodePipeline and ECR to deploy a web app to ECS
**Andriy Knysh (Cloud Posse):** Working example how to call it: https://github.com/cloudposse/terraform-aws-ecs-web-app/tree/master/examples/without_authentication
**ldlework:** @Andriy Knysh (Cloud Posse) Yeah that’s the one. I’ve basically tried to create a version of `terraform-aws-ecs-web-app` that does not expose the service via ALB and it has been a nightmare
**ldlework:** Basically the part that really needs changing is the module that it uses, `terraform-aws-ecs-alb-service-task`, which has the ALB target groups baked in
**mmuehlberger:** `terraform-aws-ecs-web-app` is more or less an assembly module. It takes a bunch of other modules that do things, like `terraform-aws-ecs-alb-service-task`.
Best approach, imho, is to fork the module and change the bits that need changing (which can mean that you would need to fork `terraform-aws-ecs-alb-service-task` as well) and adapt it to your use case.
I ran into a similar issue yesterday as well, since I needed S3 instead of GitHub in the CodePipeline, for instance.
**ldlework:** I’ve done this but I still get the issue I’m having.
**Vidhi Virmani:** Hello terraformers,
**Vidhi Virmani:** I am using this eks module and receiving this error
```
Error: module.eks_cluster.aws_eks_cluster.this: vpc_config.0: invalid or unknown key: endpoint_private_access
```
**Vidhi Virmani:** The module for eks https://github.com/terraform-aws-modules/terraform-aws-vpc
**Andriy Knysh (Cloud Posse):** hi @Vidhi Virmani
**Vidhi Virmani:** hi @Andriy Knysh (Cloud Posse)
**Andriy Knysh (Cloud Posse):** ask in #terraform-aws-modules since you are asking about terraform-aws-vpc from https://github.com/terraform-aws-modules
**ldlework:** @Andriy Knysh (Cloud Posse) I narrowed it down. Check this out https://gist.github.com/dustinlacewell/0b049b6c7e9699362bf9a4a14cb11469#file-main-tf-L43 When I use the official CloudPosse task module, it works - no race condition. However, when I use my own module I get the race condition with the IAM role and the CodePipeline not being able to execute the CodeBuild step. But my module is literally a clone of the cloudposse module with no changes
**ldlework:** What the actual?!
**ldlework:** Simply changing the `source =` line there causes the issue or not. How is this possible?!
**ldlework:** Just as a reminder the error is:
```
Error calling startBuild: User: arn:aws:sts::607643753933:assumed-role/us-west-1-qa-backend-worker-codepipeline-assume/1554183144481 is not authorized to perform: codebuild:StartBuild on resource: arn:aws:codebuild:us-west-1:607643753933:project/us-west-1-qa-backend-worker-build (Service: AWSCodeBuild; Status Code: 400; Error Code: AccessDeniedException;
```
**ldlework:** If I simply rerun the CodePipeline it runs successfully because the race condition is over.
**ldlework:** The gist is basically the `aws-ecs-web-app` code with very few changes at all.
**ldlework:** Minus the webscaling, and alerts
**ldlework:** oh god what if the autoscaling and alerts somehow affect the dependency ordering
**ldlework:** I mean, both the autoscaling and alerts refer to the ecs-alb-task’s `service_name` field the same way the codepipeline module does
**mmuehlberger:** The pipeline error should have nothing to do with the ECS related parts of the module.
**ldlework:** I’ve wasted so many days on this lol
**mmuehlberger:** I used the module as is, just disabling the codepipeline part with the parameter and built codepipeline outside and still got the error.
**ldlework:** When I use all the modules using git references, it all works.
**ldlework:** When I clone the ecs-alb-task locally, and refer to it instead, I get the race condition
**ldlework:** Always in the build step of the codepipeline, same error
**mmuehlberger:** Since it only occurred when first setting up the pipeline, I didn’t bother investigating, so unfortunately I don’t have a fix ready for you.
**ldlework:** Yeah it only occurs when setting up the pipeline, if you manually rerun it, it works.
**mmuehlberger:** It also works when triggering the pipeline automatically from the source step.
**ldlework:** Yeah
**ldlework:** manual GitHub webhook trigger or whatever
**ldlework:** I’m pretty sure it is some kind of IAM race condition
**ldlework:** Like Terraform is not deciding on the same dependency graph when those two lines in my gist are changed.
**mmuehlberger:** If I got time later today, I might have a look at it.
**ldlework:** @mmuehlberger My personal goal is to just use what’s in the `aws-ecs-web-app` but without the ALB. I have containers that run just like my web containers but are queue workers that shouldn’t be exposed via ALB.
**Erik Osterman (Cloud Posse):** The whole point of the `aws-ecs-web-app` module is that it’s a “web app” and an opinionated implementation of how that webapp should work.
**Erik Osterman (Cloud Posse):** if you look at the module, however, you’ll see it’s composed by a handful of other modules
**Erik Osterman (Cloud Posse):** which is why it’s so easy to decompose and create your own opinionated version of what a web app should look like
**Erik Osterman (Cloud Posse):** our approach is not to make an individual module overly configurable, but instead make modules very composable.
**Erik Osterman (Cloud Posse):** so you can ignore me. i jumped in the thread too late.
**Erik Osterman (Cloud Posse):** yea… sorry!
**ldlework:** I thought this would be so easy
**mmuehlberger:** It always looks that way and it never is.
**ldlework:** do you think comparing the output between the two terraform runs might be useful?
**mmuehlberger:** I’d check where the permission is set and if there’s an explicit dependency missing. My best guess right now would be that the policy is not set yet and codepipeline doesn’t wait for it. A `depends_on` would do the trick.
**ldlework:** yeah just no idea on what
**ldlework:** something in the task?
**ldlework:** something inside the codepipeline module itself? (if so why does changing the task module screw everything up?)
**mmuehlberger:** I think that has to do with how Terraform unwraps the dependency graph internally. As I mentioned, I get the exact same issue, but with different changes.
**ldlework:** @mmuehlberger oh neat terraform has a `graph` command
**ldlework:** lol
**mmuehlberger:** I didn’t want to recommend it, because it does this with complex modules.
**ldlework:** mother of god
**ldlework:** So you’re pretty confident that it is not actually in the task module, but some non-determinism in the ecs-codepipeline module?
**mmuehlberger:** Yes, as the pipeline doesn’t touch ECS until the deploy step and everything is separated.
**ldlework:** I noticed that the IAM roles use policy attachments.
**ldlework:** Could it be that the codepipeline properly depends on the IAM role but not the attachment?
**ldlework:** And so the role gets created before the pipeline, but not the attachment, which Terraform schedules afterwards?
**mmuehlberger:** Yes, that was my thought (without looking at the code).
**ldlework:** Maybe by simply adding a `depends_on` from the pipeline to all the policy attachments, it might work reliably.
**ldlework:** 2 am here though, I’ll have to try in the morning.
**loren:** I feel like I just ran into this race condition with policy attachments recently… Different resources and use case for me, but this is ringing a bell… Sometimes terraform’s parallelism gets the better of it :/
**loren:** ahh, found it… a race condition with an instance profile… had the dependency on the role name rather than the profile name, but ec2 requires the profile to exist before trying to assign the instance profile…
while fixing that, discovered that the profile had no dependency on the policy attachment, so sometimes the instance would start spinning up and not yet have the necessary permissions
**ldlework:** @loren do you think you could look at the ecs-codepipeline module to see if you see anything obvious that’s of similar form?
**loren:** which specific module? (link) i’ve not used any of the ecs stuff, and seems like there’s quite a few repos
**ldlework:** Terraform Module for CI/CD with AWS Code Pipeline and Code Build for ECS https://cloudposse.com/ - cloudposse/terraform-aws-ecs-codepipeline
**ldlework:** There is some kind of race condition that causes the CodeBuild step of the CodePipeline to fail due to IAM permission failure.
**ldlework:** I can get the exact error if that helps.
**loren:** the only place i see `aws_iam_role.default` referenced is in the `aws_codepipeline.source_build_deploy` resource
**loren:** so i’d say, yeah, if the error is in the pipeline, then try adding a depends block for the attachment to the pipeline resource
**ldlework:** @loren Should I do it for each attachment?
**ldlework:** As a matter of best-practice?
**loren:** in this case i would list all attachments in the depends block, not sure i’d go so far as best practice yet
**ldlework:** hahaha
**ldlework:** like something is ordered differently maybe
2019-04-02
**mmuehlberger:** I think terraform got dumber. I got the error now a couple of times, but it should clearly be able to figure out the length of a static list: `module.chamber_database.aws_ssm_parameter.default: aws_ssm_parameter.default: value of 'count' cannot be computed`.
**mmuehlberger:** Even this fails:
```hcl
resource "aws_ssm_parameter" "default" {
  count           = "${length(local.parameter_write)}"
  name            = "${lookup(local.parameter_write[count.index], "name")}"
  description     = "${lookup(local.parameter_write[count.index], "description", lookup(local.parameter_write[count.index], "name"))}"
  type            = "${lookup(local.parameter_write[count.index], "type", "SecureString")}"
  key_id          = "${lookup(local.parameter_write[count.index], "type", "SecureString") == "SecureString" ? data.aws_kms_key.chamber.arn : ""}"
  value           = "${lookup(local.parameter_write[count.index], "value")}"
  overwrite       = "${lookup(local.parameter_write[count.index], "overwrite", "false")}"
  allowed_pattern = "${lookup(local.parameter_write[count.index], "allowed_pattern", "")}"
  tags            = "${var.tags}"
}
```
**Erik Osterman (Cloud Posse):** yup
**Erik Osterman (Cloud Posse):** we threw in the towel on using an SSM module for writing to SSM
**Erik Osterman (Cloud Posse):** it just doesn’t work for anything but constant values
**Erik Osterman (Cloud Posse):** basically, writing things from `.tfvars` to SSM
**Erik Osterman (Cloud Posse):** writing things from any other module to SSM using a module :thumbsdown: (due to `count of` problems)
**mmuehlberger:** I get it when it can’t figure it out from dynamic values from another module and complex conditionals, but without a module, just a local list of params and the resource? How basic do I need to get?
**mmuehlberger:** At least it’s not that much more repetitive to write them as one resource each.
**Vucomir Ianculov:** Hi, I provision an EKS cluster with terraform-aws-eks-cluster/examples/complete, everything works but I see that my worker nodes have multiple private IPs assigned to them, is this normal?
![Pablo Costa avatar](https://secure.gravatar.com/avatar/9f3ab1747bd9edcebb69a05f1b056dba.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
Yes Vucomir, it is normal. AWS does the trick of assigning secondary IP addresses to interfaces (ENIs) in order to provide native VPC IPs to pods.
![Vucomir Ianculov avatar](https://secure.gravatar.com/avatar/9f6a589ab6d2468fc942dd8918a4dc57.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
So I got 10 secondary private IPs on one node
![Vucomir Ianculov avatar](https://secure.gravatar.com/avatar/9f6a589ab6d2468fc942dd8918a4dc57.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
and 2 private IPs
![Vucomir Ianculov avatar](https://secure.gravatar.com/avatar/9f6a589ab6d2468fc942dd8918a4dc57.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
but I did not deploy anything in the cluster
![Tim Malone avatar](https://secure.gravatar.com/avatar/cec04d078c5af3d798433ab294657e36.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
AWS will have already deployed things like coredns, aws-node, etc. for you - so there’ll be some pods running already
![Pablo Costa avatar](https://secure.gravatar.com/avatar/9f3ab1747bd9edcebb69a05f1b056dba.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
Depending on the EC2 instance type, AWS EKS reserves secondary IPs in advance.
![Vucomir Ianculov avatar](https://secure.gravatar.com/avatar/9f6a589ab6d2468fc942dd8918a4dc57.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
Thanks!
![Vucomir Ianculov avatar](https://secure.gravatar.com/avatar/9f6a589ab6d2468fc942dd8918a4dc57.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
If I go with node ports, in that case I would not need VPC IPs?
![Vucomir Ianculov avatar](https://secure.gravatar.com/avatar/9f6a589ab6d2468fc942dd8918a4dc57.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
Sorry for all these questions, I just started with Kubernetes.
![Pablo Costa avatar](https://secure.gravatar.com/avatar/9f3ab1747bd9edcebb69a05f1b056dba.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
This article discusses the trade-offs of aws eks networking https://www.weave.works/blog/aws-and-kubernetes-networking-options-and-trade-offs-part-3
![attachment image](https://www.weave.works/assets/images/blt031dff047f137783/AmazonVPC.jpg)
In this instalment of Kubernetes networking on AWS, Mark Ramm, goes through the pros, cons and tradeoffs between VPC native networking vs implementing the VPC CNI plugin.
![Vucomir Ianculov avatar](https://secure.gravatar.com/avatar/9f6a589ab6d2468fc942dd8918a4dc57.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
Thanks @Pablo Costa, will check it
![Pablo Costa avatar](https://secure.gravatar.com/avatar/9f3ab1747bd9edcebb69a05f1b056dba.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
You are welcome !!
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
@loren @Erik Osterman (Cloud Posse) @Andriy Knysh (Cloud Posse)
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Is that better or worse than before?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
It would fail instantly before.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Looks like it’s going to complete successfully. Thanks so much to all three of you again.
![cool-doge](/assets/images/custom_emojis/cool-doge.gif)
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
lol
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
I kind of hate role attachments, but there isn’t yet a better option
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Trying hard to get this PR merged, which would handle the attachment right in the role resource: https://github.com/terraform-providers/terraform-provider-aws/pull/5904
Fixes part of #4426 Changes proposed in this pull request: resource/aws_iam_role: Add inline_policy and managed_policy_arns arguments to aws_iam_role to configure role policies and fix out-of-band…
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
nice @ldlework
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
so FYI, if you have similar issues and you think it’s a race condition, the fastest way to test it without modifying a bunch of modules is to use --target to provision some resources first
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
@Andriy Knysh (Cloud Posse) @Erik Osterman (Cloud Posse) should I submit a PR?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
please submit
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
ok
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
This adds a depends_on clause to the aws_codepipeline resource pointing to each aws_iam_role_policy_attachment. This avoids a race condition where the policy attachments are not yet available when …
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
released 0.6.1
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
I was going to submit a talk, but it seems it would boil down to “Use Cloudposse modules” for the most part.
![fast_parrot](/assets/images/custom_emojis/fast_parrot.gif)
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
It’s still happening…
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
sighs
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
how is that even possible
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Here’s a cleaned up terraform log showing the order in which it did things: https://gist.github.com/dustinlacewell/1c5bfad4b91c3ced519727045588e74d
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
It looks like it created all of the policy stuff before the codepipeline
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
ARGH!!!!
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
wtf is going onnnn
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Could the same problem be plaguing the codebuild module?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I added the depends_on to even the codebuild project inside the codebuild module linking to the policy attachments that it uses
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
And I still get the error
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I’m starting to think Terraform is garbage…
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
It’s solving a realllllllllly hard problem in a generic way
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
the frustrating thing for me is that the workarounds often mean rearchitecting the terraform modules (combining them and not composing them) and that’s a non-starter
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
this is why I think the analogies to CSS are so good. You can do it all in CSS, but you end up having a TON of workarounds.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
perhaps the problem is that we’re even trying to use HCL as a “programming language” rather than a “configuration”
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
and hashicorp should instead produce a tool like SASS to generate configurations.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
(but I don’t see that happening!)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
So maybe it’s what it says, the assumed role user does not have permissions
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Did you go to the AWS console and start the build manually?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
@Andriy Knysh (Cloud Posse) If I click the “Release Change” and start the pipeline manually it works fine.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
@Andriy Knysh (Cloud Posse) look at this gist which is a cleaned up log of the terraform application: https://gist.github.com/dustinlacewell/0162c8f06273fdefe5c534c3e5267fae
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Lines prefixed with @@ show the policy attachment lines
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Lines prefixed with !! show the pipeline and codebuild creation lines
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
It looks like everything is created in the right order?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Under which user do you login to the console manually and start the build?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
My own user
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
It could have different permissions
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I have used the policy tester though in the past
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
i know i’ve seen race conditions in things like s3 bucket policies, where i modify the bucket policy but then it takes a few seconds before it is effective (based on cli tests)
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
@Andriy Knysh (Cloud Posse) if I kick off the build via telling github to send the webhook that should be a real test right?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Is there any kind of waiter hacks I can do?
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
sleep in local-exec
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Like, run this waiter locally until the policy works for the thing
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
what a tire fire
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I wonder if Terraform has a default parallelism I can turn off
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
yes
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
-parallelism=1
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
You can also switch the role in the console and test it manually under the real user
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Shouldn’t we be able to deduce precisely which part of the terraform is responsible for this?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
If it’s a permissions issue, it’s not terraform responsibility. You can give broader permissions to the created role and apply again
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Give it admin permissions to test
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
@Andriy Knysh (Cloud Posse) What I meant is, the HCL responsible for setting up this permission, like identifying the bit that is supposed to give the right permission to the right role.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I’m not sure what IAM role or policy document etc is responsible for this particular failure…
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
And if I give it admin, will that even matter since it seems to be a race condition? It wont have admin in time.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
That’s how you test if it’s a race condition or permissions issue
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
@Andriy Knysh (Cloud Posse) do you know which policy is the right one?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Give all four policies an admin permission and test
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Also try running the pipeline from the cli, in debug mode. Might capture the permission failure better
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
like this ?
  statement {
    sid       = ""
    actions   = ["*"]
    resources = ["*"]
    effect    = "Allow"
  }
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Yes try it
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
@Andriy Knysh (Cloud Posse) do I need to add the principal or will omitting it allow any service to assume it or whatever
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
- aws_iam_role.default: Error creating IAM Role us-west-1-qa-backend-codepipeline-assume: MalformedPolicyDocument: Has prohibited field Resource
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
data "aws_iam_policy_document" "assume" {
  statement {
    sid       = ""
    actions   = ["*"]
    resources = ["*"]
    effect    = "Allow"
  }
}
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
i’m going crazy lol
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Specify resources
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Learn the difference between identity-based policies and resource-based policies.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
huh, it’s building on the first time
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
It should. We used those modules about 125 times and never saw the issues with race conditions (not saying they can’t be introduced by TF or AWS)
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
@Andriy Knysh (Cloud Posse) I suspect that it has something to do with how I’m wrapping your modules in my own modules. Like for my codepipeline, I call ecs-codepipeline and the cloudposse module for ECR as an example
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
And I had to fork the ecs task module so I can remove the ALB
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Actually, I have zero idea
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Because why would making the role an admin work
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
it makes one want to crawl under their desk and disappear
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Can I ask some general IAM questions about the ecs-codepipeline module? Is it creating one IAM role but attaching multiple policies? Like is one policy, the sts:AssumeRole policy, the policy that lets the CodeBuild service assume the role we’re creating?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
and then the other policy documents that are attached describe what that user can do?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
freaking magnets
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
how do they work?!
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
OK so I narrowed it down
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
data "aws_iam_policy_document" "codebuild" {
  statement {
    sid = ""

    actions = [
      "codebuild:*",
    ]

    resources = ["${module.build.project_id}"]
    effect    = "Allow"
  }
}
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Changing the resources there to be "*" fixes the issue apparently.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Thoughts?
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Is that project_id actually the ARN? codebuild:StartBuild requires the ARN…
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
arn:aws:codebuild:region-ID:account-ID:project/project-name
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Describes the AWS CodeBuild API operations and the corresponding actions you grant permissions to perform.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
It’s in the official version: https://github.com/cloudposse/terraform-aws-ecs-codepipeline/blob/master/main.tf#L164
Terraform Module for CI/CD with AWS Code Pipeline and Code Build for ECS https://cloudposse.com/ - cloudposse/terraform-aws-ecs-codepipeline
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
output "project_id" {
  description = "Project ID"
  value       = "${join("", aws_codebuild_project.default.*.id)}"
}
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
It does seem to be the ARN…
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Yeah, it ought to be the arn, https://www.terraform.io/docs/providers/aws/r/codebuild_project.html#id
Provides a CodeBuild Project resource.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
There’s never any answers!!!
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
lol
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I’ve redeployed a few times. It’s definitely the “*” for resources on that one policy.
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Maybe look in the account and double-check that is the actual arn of the project, and that the policy lists that same arn
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
ok
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
OK I redeployed with the original code, and it failed as expected:
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
And here is the role, and attached policy with resource shown:
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Thoughts?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
The ARN in the error message, and the ARN listed in the policy are the same.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
arn:aws:codebuild:us-west-1:607643753933:project/us-west-1-qa-backend-build
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
arn:aws:codebuild:us-west-1:607643753933:project/us-west-1-qa-backend-build
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
This looks like an aws thing, not so much a terraform thing….
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
There’s some permission getting used under the covers and the error message is obscuring the real error
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Still recommend trying to run the pipeline from the cli, using a credential for that same role
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Could it have anything to do with:
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
It’s really hard to create a restrictive IAM policy that doesn’t result in that message. I generally consider it a red herring
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I see.
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
But, if you look at the codebuild IAM link I shared above, you’ll see that some actions do not support resource restrictions… So for those actions, the codebuild:* permission isn’t applying, because the resource attribute is not *
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Delete, import, and some “list” actions, in particular
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
If the pipeline is, under covers, trying one of those actions, maybe list something or other, then it won’t have permission
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Which would explain why it works when you change the resource to *
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
But not why this works for everyone else who uses the CloudPosse module as-is
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
¯\_(ツ)_/¯
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
What’s the output of this?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
output "project_id" {
  description = "Project ID"
  value       = "${join("", aws_codebuild_project.default.*.id)}"
}
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I just destroyed and am re-rolling so I’ll let you know if a bit
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
us-west-1-qa-backend-build
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
It actually looks like not a permissions issue :) and definitely not a race condition.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
project_id = arn:aws:codebuild:us-west-1:607643753933:project/us-west-1-qa-backend-build
project_name = us-west-1-qa-backend-build
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
It just looks like wrong name
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I’m not crazy!!!!
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
rejoices.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Want a PR?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I’ll test first actually.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
@Andriy Knysh (Cloud Posse) because how does the policy end up with the right ARN as the resource?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
@Andriy Knysh (Cloud Posse) ecs-codepipeline does use the project_id
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
So I think it’s correct…
![foqal avatar](https://avatars.slack-edge.com/2019-03-11/572601092560_390fb278d5cedc640d76_72.png)
Helpful question stored to <@Foqal> by @loren:
I suspect that it has something to do with how I'm wrapping your modules in my own modules. Like for my codepipeline, I call ecs-codepipeline and the cloudposse module for ECR as an example...
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I’m hedging on @loren’s explanation
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
You can extend the policy document to include a second statement for codebuild:List* with a resource of *
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
If that works reliably, good to go, got a viable min permissions policy
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Are you using one AWS account or many? That assume role is in the same account?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Because it has nothing to do with the permissions. When you changed the ARN of the build project (by using * but still) it worked
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Just one account.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
@Andriy Knysh (Cloud Posse) but I showed with screenshots before that the ARN that ends up in the policy is the same one mentioned in the error
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
But of course it should be the same, otherwise you would not see the error :)
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
huh?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
The policy gives codebuild access to the ARN of the project that shows up in the error complaining the policy doesn’t give it access
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
The error message was generated from the provisioned resources
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
That’s why the ARNs are the same
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
But isn’t the ARNs being the same what gives the service permission to do stuff to that resource?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I feel like I’m missing something big here
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Are you using CP label module to name ALL the resources?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Check if namespace, stage and name are the same for all modules you are using
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
@Andriy Knysh (Cloud Posse) I haven’t changed any of the naming inside of the ecs-codepipeline module. I pass in a namespace, stage, and name to ecs-codepipeline but don’t change how it uses it.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Are you saying this needs to be the same across ALL resources across all CloudPosse modules in use?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Like when I call the container definition, the ecs-alb-task, etc?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
(I don’t want to maintain a fork of ecs-codepipeline and so haven’t made any changes except the depends_on changes which were merged, and changing the resource to "*".)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
I just asked if you used the same namespace, stage and name for all resources and modules that you used in that particular project
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
No like, when I call a module, I pass in the aws_region as the namespace, the stage name as the stage, and the module name as the name
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
like I pass in “codepipeline” as the “name” to codepipeline module
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I’ll try unifying everything
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
As far as I can see everything is already unified. I was wrong about changing the name parameter. I pass the top-level var.name all the way down. So everything is getting “backend” as the var.name
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Share your complete code, we’ll take a look. Maybe something changed in TF or AWS, or maybe it’s a user/permissions issue (not the permissions from the module, but rather how it’s used)
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
@Andriy Knysh (Cloud Posse) https://gist.github.com/dustinlacewell/2ae006f32c2c0cd075dbaaf031b75349
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Let me know if you want me to add something else
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
qa/main.tf calls fargate-alb-task/main.tf calls my ecs-codepipeline/main.tf calls CloudPosse ecs-codepipeline
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
It is basically the ecs-alb-web-app module, with each layer, vpc, aurora, elasticache, alb, ecs, and each of the ecs services implemented as a layer module
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
each layer module usually calls out to CloudPosse modules - like my ecs-codepipeline module calls both the CloudPosse ECR and CodePipeline modules
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
stage -> layer -> component -> cloudposse/resources
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
so the qa stage has a layer called “backend” which is an invocation of the “fargate-alb-service”, which calls a number of my own component modules like “container” “ecs-alb-service” and “codepipeline”. My component modules usually compose a few cloudposse modules and resources.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I should rename my codepipeline module to something like cicd or pipeline
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I guess one thing I wonder is whether you guys would accept a patch that allowed you to override the resource value?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
This would allow me to move on without having to fork codepipeline for that
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
So we’ll take a look a little bit later
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
The problem with using * for resources is that it’s a security hole
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
for the record, here’s what i was trying to get at (while only on my phone last night)…
data "aws_iam_policy_document" "codebuild" {
  # "Write" actions stay scoped to the single CodeBuild project ARN
  statement {
    sid = ""

    actions = [
      "codebuild:*",
    ]

    resources = ["${module.build.project_id}"]
    effect    = "Allow"
  }

  # List* actions do not support resource-level restrictions,
  # so they only take effect with a resource of "*"
  # (resources must be a list, not a bare string)
  statement {
    sid = ""

    actions = [
      "codebuild:List*",
    ]

    resources = ["*"]
    effect    = "Allow"
  }
}
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
so basically the same, “write” actions still restricted to the project, but the “list” actions would now work
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
If the issue is just the missing list action, then yes. It needs to be tested
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
certainly
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
It gives permissions for all codebuild resources
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Yeah I understand. No one would have to use that option to override the resource as “*” though.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
These permissions are already pretty loose, https://github.com/cloudposse/terraform-aws-ecs-codepipeline/blob/master/main.tf#L71
Terraform Module for CI/CD with AWS Code Pipeline and Code Build for ECS https://cloudposse.com/ - cloudposse/terraform-aws-ecs-codepipeline
2019-04-03
![Juan Cruz Diaz avatar](https://avatars.slack-edge.com/2019-10-29/815166113799_f394decf62a6e02cc6b9_72.jpg)
Hello there! Where i can find some references to cloudflare terraform modules
![tallu avatar](https://secure.gravatar.com/avatar/e2f5f0e701f27310b76e326d52bbb7b9.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0017-72.png)
how can I convert
> replace(replace(replace(replace("m1.xlarge,c4.xlarge,c3.xlarge,c5.xlarge,t2.xlarge,r3.xlarge","/^/","{ \"InstanceType\" :\""),"/,/","\"},"),"/$/","\"}"),"/,/",",{\"InstanceType\": \"")
{ "InstanceType" :"m1.xlarge"},{"InstanceType": "c4.xlarge"},{"InstanceType": "c3.xlarge"},{"InstanceType": "c5.xlarge"},{"InstanceType": "t2.xlarge"},{"InstanceType": "r3.xlarge"}
into
[{ "InstanceType" :"m1.xlarge"},{"InstanceType": "c4.xlarge"},{"InstanceType": "c3.xlarge"},{"InstanceType": "c5.xlarge"},{"InstanceType": "t2.xlarge"},{"InstanceType": "r3.xlarge"}]
and still be able to use it in Cloudformation looks like the }
is the issue with the CF template
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@tallu you want to convert the string to a list, or just replace the chars?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
April 3rd, 2019 from 11:30 AM to 12:20 PM GMT-0700 at https://zoom.us/j/684901853
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I’m going to hang out in this zoom for a little bit in case anyone has any questions.
![tallu avatar](https://secure.gravatar.com/avatar/e2f5f0e701f27310b76e326d52bbb7b9.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0017-72.png)
I want to convert string or maybe list "m1.xlarge,c4.xlarge,c3.xlarge,c5.xlarge,t2.xlarge,r3.xlarge"
to json
[{ "InstanceType" :"m1.xlarge"},{"InstanceType": "c4.xlarge"},{"InstanceType": "c3.xlarge"},{"InstanceType": "c5.xlarge"},{"InstanceType": "t2.xlarge"},{"InstanceType": "r3.xlarge"}]
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
that’s quite easy. use something like this
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
format("[%s]", join(",", formatlist("{\"InstanceType\": \"%s\"}", split(",", var.list))))
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
i haven’t tested that and might have bungled something small
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
but if you look at the interpolations for terraform, you’ll see where i’m coming from
![tallu avatar](https://secure.gravatar.com/avatar/e2f5f0e701f27310b76e326d52bbb7b9.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0017-72.png)
thanks let me give it a shot
![tallu avatar](https://secure.gravatar.com/avatar/e2f5f0e701f27310b76e326d52bbb7b9.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0017-72.png)
~the output seems to be working but something in that is making Cloudformation fail~ nevermind, it seems something else
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Does anyone have any information on how to establish a registered domain name (say on GoDaddy) with AWS via Terraform?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I’ve never done Route53 anything before.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Terraform module to easily define consistent cluster domains on Route53 (e.g. [prod.ourcompany.com](http://prod.ourcompany.com)) - cloudposse/terraform-aws-route53-cluster-zone
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@ldlework that module is used to create a zone with delegation
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
to create a zone in Route53 https://github.com/cloudposse/terraform-aws-route53-cluster-zone/blob/master/main.tf#L52
Terraform module to easily define consistent cluster domains on Route53 (e.g. [prod.ourcompany.com](http://prod.ourcompany.com)) - cloudposse/terraform-aws-route53-cluster-zone
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
What about the second-level-domain, like “example.com” how do I initially set that up with Route53? Or can I do that with the cluster-zone module?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
then get the name servers from the output and update NS records in GoDaddy
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
What if I want to use AWS for the DNS?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Like I’m trying to migrate a domain from GoDaddy to completely managed by AWS with Terraform as much as possible.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
the root name servers are where you buy the domain itself
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
it can be transfered right?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
so if you buy it on GoDaddy, you can’t use the root NS on AWS
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
if you buy the domain in Route53, then yes
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
transfer too
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
OK, so that step has to be manual. But once the domain is “owned” by AWS, then I can create zones and stuff with Terraform.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
yes
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
https://github.com/cloudposse/terraform-aws-route53-cluster-hostname - to create dns records
Terraform module to define a consistent AWS Route53 hostname - cloudposse/terraform-aws-route53-cluster-hostname
![Tim Malone avatar](https://secure.gravatar.com/avatar/cec04d078c5af3d798433ab294657e36.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
Not sure if this is what was being asked, but, 2 things:
- you can manage the DNS in a different place to where you buy the domain, if you want
- Terraform can’t manage Route53 domain registrations/management; just the DNS side of things
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
you can create zones and records with TF even if you have not transferred the domain yet
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
it just will not be visible on the internet
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
I don’t know about GoDaddy, but many Registrars let you use different Nameservers including Route53.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
(if you buy the domain on GoDaddy, you have to update the name servers there to point to the AWS NS)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
(unless you transfer it to Route53)
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
OK so it seems like just having the domain’s DNS point to route53 for now is fine and I’ll be able to build out the infrastructure just fine with that setup
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
thank you
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
yes, create the zone, get its name servers, update them in GoDaddy, then you can create records in the Route53 zone
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
also, you will be able to request SSL certs with domain validation only after you update the NS records in GoDaddy
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
(in other words, ROOT NS records can be updated in the DNS system only by the entity that sold you the domain, or you transfer it to)
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
We have a single AWS account, and I’m going to be running QA in us-west-1 and Prod in us-east-1 (for the foreseeable future) does it make sense to have some Terraform that is not part of our “environment deployments” that sets up the zone for the dns in a “global-y” way sort of how I’m doing for the initial terraform state?
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
@ldlework If you still need to setup QA, I would personally opt for a new account and sticking to the same region.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I asked and was denied.
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
Ugh, why, can I ask ?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
We’re a poor startup, far behind schedule, lead by a young inexperienced slightly petulant guy who makes random decisions that can’t be rationally accounted for.
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
Having separate accounts is actually part of the AWS Well-Architected Framework
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Trust me, its not even close to the most mind-bending thing I have to deal with.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I agree, I’m fully on board.
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
and does not cost more, actually less if you have support on one account and no support on the qa account ( not sure if this still is the case)
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
good luck with that anyway, what i do in certain situations is to give prod and dev their own hosted zone
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
you get a hosted zone, and you get a hosted zone, and you get a hosted zone…
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
haha
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
here you go
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
yaaaaas
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
The point is you don’t have to convince me, I’m already convinced. I gave many more reasons too.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I see.
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
dev.domain.com prod.domain.com or more obfuscated, and have terraform setups to maintain those hosted zones
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
what about “domain.com”
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
clearly for domain.com and www.domain.com you would need to create an alias to the existing record in prod.domain.com
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
so I can’t use “domain.com” instead of “prod.domain.com” ?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
you can do this (fewer reasons to convince the boss :)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
[domain.com](http://domain.com) is the vanity domain, the brand (the business owns it)
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
@ldlework you can , you can have multiple zones in your route53
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
one for domain.com ( with IN NS records delegating sub domains to different authoritative nameservers AKA the other hosted zones you are going to make )
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
one for dev.domain.com
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
one for prod.domain.com
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
- You buy [domain.io](http://domain.io) in Route53 and use it for all service discovery
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
- Create [prod.domain.io](http://prod.domain.io), [staging.domain.io](http://staging.domain.io), [dev.domain.io](http://dev.domain.io) subdomains for your environments
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
- Then in [domain.com](http://domain.com) zone, add CNAME to [prod.domain.io](http://prod.domain.io) (this could even be on GoDaddy if the business does not want to move or update it)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
^ you separate the business-related stuff from the infra stuff
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
It makes a lot of sense.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
So for a given domain, I have to extract the nameservers from something in Route53 and add them to GoDaddy. Do I extract the nameservers from the zones that are created with Terraform? Do I have to do this for each zone or just one?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
(You can tell how I’ve never done any of this before)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
just for one “root” zone (domain.com)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
get its name servers and update in GoDaddy
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
You don’t think I should manage this independently from environments?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Well you do, you said get two domains, but I only have one for now.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
you have two cases here: 1) update the vanity domain NS in GoDaddy and then create all subdomains in the same Route53 zone
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
2) do service discovery domain and subdomains, and then add CNAME to the vanity domain
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Can’t I add one root zone with some side-Terraform for “domain.com”, get the NS from it, add those to GoDaddy. Then in my deployments create a per-deployment zone for “prod.domain.com”, “dev.domain.com” etc, which point to that environment’s resources, using a remote data resource to get a reference to the root zone id or whatever? Then I could have some kind of CNAME in the root zone pointing at the “prod.domain.com” record in the prod-specific zone?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
So that “domain.com” resolves to “prod.domain.com”?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
that’s what we do
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
it could be in one AWS account, or in multiple (in which case we do DNS zone delegation, which is to say we add NS records from [prod.domain.io](http://prod.domain.io) to the root zone [domain.io](http://domain.io) NS)
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
OK cool, so first step, write some side-terraform to setup the root zone for “domain.com” and get that configured with GoDaddy. Then I can update my deployment HCL, to get a reference to the root zone, to add a deployment specific zone on a subdomain. I guess I’ll have to hand-add the record pointing from “domain.com” to “prod.domain.com” or something.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Since it seems like a circular reference kinda.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
if you with CNAME, those should be diff domains
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
OK so I’ll need some other kind of record in the root zone then?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Or are you saying with a single domain, I should only have one zone, but each deployment adds records to it?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
argh, I should probably just start and a lot will be clearer on the way maybe
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
see the use-cases above ^
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
OK
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
(one side note: for the apex record, not www., just domain.com, CNAMEs don’t exist, but AWS has ALIAS A records which achieve the same thing)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
that’s why it’s always better to buy a vanity domain in Route53 or transfer to it
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
1) update the vanity domain NS in GoDaddy and then create all subdomains in the same Route53 zone 2) do service discovery domain and subdomains, and then add CNAME to the vanity domain
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
So I guess I have to go with 1)
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Which means just one zone…
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
OK I’ll give it a go!
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Oh you guys were saying that I can use multiple zones, one root zone, multiple staging zones, if I add NS records to the root zone pointing to the staging zones.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
right?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Which is what I’ll want because I’ll need things like “db.dev.domain.com” so I do need per-stage zones, not just per-stage records in the root zone.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
yes
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
you can use a separate zone per environment
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
add its name servers records to the root zone NS for the corresponding sub-domain
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
excellent
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
we already had a similar discussion with all the examples here https://sweetops.slack.com/archives/CB6GHNLG0/p1552667297261900
I haven’t yet had a chance to try this, but it was on my mind.
Using Geodesic across multiple AWS accounts for each stage, I have Route 53 records to create.
I have one domain name: acme.co.uk
I own [acme.co.uk](http://acme.co.uk).
I have [acme.co.uk](http://acme.co.uk) NS pointing to my ROOT account.
Scenario:
I have to create r53 records, say [test.acme.co.uk](http://test.acme.co.uk).
Naturally I want to create this on my testing account.
I want this r53 record to be public. Naturally this means the testing account needs to have an [acme.co.uk](http://acme.co.uk) r53 public zone… but wait… I already have a public zone for this in ROOT with the public NS pointing to the ROOT account.
Problem: Is this possible? Or to have public records for my one domain, must I assume a role into my ROOT account and only create public records there?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
aws_route53_zone.root: error deleting Route53 Hosted Zone (Z1I50I6TDQ378M): HostedZoneNotEmpty
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
oh god
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
first with s3 buckets, now zones
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
AWS, and by extension terraform, protecting you from yourself
![keen avatar](https://secure.gravatar.com/avatar/41580526a0ebadc7f2078aac776c30cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0005-72.png)
yeah deleting a zone is definitely something you almost never do outside of testing…
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
How does one install a third party provider from git?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Without manually cloning it, etc
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
oh you can’t
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
If the third party provider publishes packages for your platform, then you can download that and place it in the same directory as your terraform binary
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
But if they don’t publish packages, then you need to build it yourself
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Yeah I was hoping that there was a mechanism to tell terraform where to get the binary package from like there is with terraform modules
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Unfortunately not
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Though, modules don’t need to be built, so, not surprising really
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
neither do binary packages
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Well, exactly
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Modules are not binary packages, they are just straight source code
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I get it.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
You guys ever get stuff like
module.backend-worker.module.cicd.module.pipeline.module.build.aws_s3_bucket.cache_bucket: aws_s3_bucket.cache_bucket: error getting S3 Bucket Object Lock configuration: RequestError: send request failed
caused by: Get <https://us-west-1-qa-backend-worker-build-dnwylutrpukx.s3.us-west-1.amazonaws.com/?object-lock=>: dial tcp: lookup us-west-1-qa-backend-worker-build-dnwylutrpukx.s3.us-west-1.amazonaws.com on 192.168.1.1:53: no such host
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
while refreshing state
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
don’t know what’s going on but I can’t seem to make it through a refresh
![Tim Malone avatar](https://secure.gravatar.com/avatar/cec04d078c5af3d798433ab294657e36.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
yup. usually a temporary connectivity issue - just have to try again
![Tim Malone avatar](https://secure.gravatar.com/avatar/cec04d078c5af3d798433ab294657e36.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
(or check if there’s any status page messages on increased API error rates/latency for your service & region)
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Right now for a given ECS service I specify the port and protocol in 3 different places: once in the load_balancer block of the ECS service, once in the ALB listener, and once in the ALB Target Group. If I am trying to do SSL termination at the ALB, what needs the HTTPS details and what needs the HTTP details?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I’m guessing the listener gets the HTTPS, the target group gets HTTP and the ECS service gets HTTP
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
well maybe the ECS also gets HTTPS?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
From the aws_ecs_service docs for the container port: The port on the container to associate with the load balancer.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
um
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
I guess this means the internal port, so HTTP
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
* module.alb.output.dns_name: 1:16: unknown variable accessed: var.domain in:
${var.stage}.${var.domain}
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
When targeting my frontend module.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
But when I target my ALB module, it works fine?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Lol my root module has an output that depends on the module.alb.output.dns_name value and it outputs just fine
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
But when targeting my frontend… I get this error. It just never ends…
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
The alb module definitely has a variable named domain
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
The alb module is definitely getting passed the domain variable by the root module since I can target the alb module and apply it just fine.
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
maybe a circular dependency
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
doubt it though
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@ldlework as we already discussed (regarding the code pipeline), you can share your complete code (not just snippets) and people here could take a look and help you much faster. It’s difficult to answer anything without looking at the code
2019-04-04
![mmuehlberger avatar](https://secure.gravatar.com/avatar/752c7a387bef6cb7254e3ff34b276d10.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
A quick question on best practices regarding Parameter Store/Chamber. We have around 40 secrets/config parameters needed for our app, that we import with chamber. How would you go about adding them to chamber. The database-related secrets, I’d add using terraform, when creating the database. Would you add the rest to TF as well, manually adding secret values later (which is what we did before), or would you use something entirely different?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
we write all secrets for the resources created with TF (e.g. RDS, Elasticache, DocumentDB) from TF when we apply. The rest of the secrets (e.g. k8s stuff, app secrets) we were writing manually (admin via geodesic). Maybe there is a better way of doing this
![mmuehlberger avatar](https://secure.gravatar.com/avatar/752c7a387bef6cb7254e3ff34b276d10.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
Okay, thanks. That’s exactly the way I’m doing it (and thanks to chamber import/export it’s actually not too bad)
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
What were you working on @ldlework
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
@oscarsullivan_old getting some Fargate services deployed behind ALB with automatic SSL challenge/termination
![phanindra bolla avatar](https://secure.gravatar.com/avatar/c458d07a4fcde8364d8726487da12c5d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0017-72.png)
How do I deploy AWS ASG EC2 through Terraform as a blue/green deployment? I am thinking about different types of methods:
- Create a launch template which updates/creates a new ASG and new ALB/ELB, and switch the R53 domain to the new one
- Create a new launch template, ASG and ALB, and update and target the ALB from the existing R53 record
Please suggest the best way.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
#2 will save you on load balancer and looks simpler to implement
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
![attachment image](https://cdn-images-1.medium.com/max/1200/1*4g3ZWzPALOhcziUjMRiCOQ.jpeg)
Earlier this year, teams at Intuit migrated the AWS infrastructure for their web services to the Application Load Balancer (ALB) from the…
2019-04-05
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
this post was pretty good also… https://medium.com/@endofcake/using-terraform-for-zero-downtime-updates-of-an-auto-scaling-group-in-aws-60faca582664
![attachment image](https://cdn-images-1.medium.com/max/1200/1*NUCsYnxXNVEh3UTyiOkBfQ.jpeg)
A lot has been written about the benefits of immutable infrastructure. A brief version is that treating the infrastructure components as…
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
personally, i also use terraform to wrap a cfn template for autoscaling groups and ec2 instances
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
Seen that post a few times; yet to try it; does it work well with the cloudformation stuff?
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
i think it works great, but there are a couple caveats in our usage…
Community Note Please vote on this issue by adding a reaction to the original issue to help the community and maintainers prioritize this request Please do not leave "+1" or "me to…
Affected Resource(s) aws_cloudformation_stack Background AWS released Termination protection for Cloudformation Stacks in August 2017: https://aws.amazon.com/about-aws/whats-new/2017/09/aws-cloudfo…
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
neither is a show stopper for most usage, the first is really only an annoyance when developing, the second would be nice to have but can live without it for a while
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
the biggest benefits are being able to use cfn resource signals to determine instance health (and force terraform to wait until they are really ready) and the UpdatePolicy to easily manage blue/green or rolling updates
![phanindra bolla avatar](https://secure.gravatar.com/avatar/c458d07a4fcde8364d8726487da12c5d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0017-72.png)
I am still not able to understand the downside of using terraform autoscaling groups for non web server clusters. Can someone please care to explain?
![ldlework avatar](https://secure.gravatar.com/avatar/15a3d53e591331fd5abf469cca819241.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
who told you there is a downside?
![phanindra bolla avatar](https://secure.gravatar.com/avatar/c458d07a4fcde8364d8726487da12c5d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0017-72.png)
![attachment image](https://cdn-images-1.medium.com/max/1200/1*NUCsYnxXNVEh3UTyiOkBfQ.jpeg)
A lot has been written about the benefits of immutable infrastructure. A brief version is that treating the infrastructure components as…
![phanindra bolla avatar](https://secure.gravatar.com/avatar/c458d07a4fcde8364d8726487da12c5d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0017-72.png)
you can see that in this post, they say using the Terraform CloudFormation resource is preferred over the ASG resource
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
it’s an opinion piece, not a matter of best practice or a generalized statement that will apply to all use cases. try both. deploy your app, update your app, destroy your app. figure out the workflows. use whatever works for you
2019-04-06
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
What an odd combo
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Not an overly old article either
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Article:
CloudFormation is free, and by using it to manage the Auto Scaling groups in AWS, we are not increasing the vendor lock-in. So pragmatically, it is hard to find a reason not to leverage the functionality that is only available in CloudFormation. By embedding an aws_cloudformation_stack resource inside Terraform configuration, we get access to these capabilities, while still benefiting from the rich interpolation syntax and variable management in Terraform.
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
It seems to think ASGs are not doable in TF.
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
i don’t read that conclusion in that quote at all
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
they simply say you can do things with an ASG in cloudformation that you cannot do in terraform because they are not exposed via an AWS API. this is simply true. doesn’t make ASG’s undoable in TF
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
and the two are definitely not one or the other. we use cfn in tf wherever necessary, as sometimes the tf resource just doesn’t yet exist. had tf accept guard duty invites via cfn (until yesterday, when we switched to the new tf resource). probably going use cfn to create email subscriptions to sns topics shortly
2019-04-07
![Tim Malone avatar](https://secure.gravatar.com/avatar/cec04d078c5af3d798433ab294657e36.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
if you’re already using Terraform it’s definitely easier to do ASGs within TF and there’s nothing inherently wrong with doing so. but if you want to do rolling deployments without doing the extra heavy lifting yourself, CF already does it really well (it’s a CF feature, not an ASG feature). the article’s proposition is ‘why not have both?’ - which can be done by managing the CF stack in TF
2019-04-08
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
anyone ever use this module? https://github.com/terraform-aws-modules/terraform-aws-security-group/tree/v2.16.0
Terraform module which creates EC2-VPC security groups on AWS - terraform-aws-modules/terraform-aws-security-group
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
in the readme example, they’re passing in a VPC ID as a CIDR block for a security group rule
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
module "db_computed_merged_sg" {
# omitted for brevity
computed_ingress_cidr_blocks = ["10.10.0.0/16", "${data.aws_security_group.default.id}", "${module.vpc.vpc_id}"]
number_of_computed_ingress_cidr_blocks = 3
}
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
but I’m having some issue doing the same
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
I wonder if this is just a typo in the example
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
maybe also try #terraform-aws-modules
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@Noah Kernis https://github.com/cloudposse/terraform-aws-ecs-web-app is an opinionated example of an web ECS app that uses other TF modules. It’s not supposed to be a generic module. You probably should fork it and add what you need, and remove what you don’t need
Terraform module that implements a web app on ECS and supports autoscaling, CI/CD, monitoring, ALB integration, and much more. - cloudposse/terraform-aws-ecs-web-app
![Noah Kernis avatar](https://secure.gravatar.com/avatar/1116f972b1c1f04cb1ac7b3194c7c734.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0004-72.png)
@Andriy Knysh (Cloud Posse) thank you for an insanely quick response. Makes sense to me. Had a feeling but wanted to 2x check. Thank you again!
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
has anyone done ~/.terraformrc on CI to connect to TF Enterprise modules without manually writing the file to your CI server?
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
anyone know of a way to generate data for all cidr_blocks of all VPCs?
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
im trying to use data "aws_vpcs" "all" {} to get a list of all my VPC IDs, but not sure what to do after that …
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
data "aws_vpc" "all" { id = "${data.aws_vpcs.all.ids}" }
causes TF to crash lol
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
you’re in an endless loop at that point. you’re calling a data query from a data query calling a data query from a data query calling….you get the idea.
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
"${data.aws_vpcs.all.ids}"
is accurate, but you would reference that elsewhere in your project
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
data "aws_vpcs" "foo" {}

# One flow log per VPC ID returned by the aws_vpcs data source
resource "aws_flow_log" "test_flow_log" {
  count = "${length(data.aws_vpcs.foo.ids)}"
  # ...
  vpc_id = "${element(data.aws_vpcs.foo.ids, count.index)}"
  # ...
}

output "foo" {
  value = "${data.aws_vpcs.foo.ids}"
}
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
Provides a list of VPC Ids in a region
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
@johncblandii so how do I get the cidr blocks out of data.aws_vpcs.all.ids ?
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
I’ve not had to do this so I have no clue
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
what’s your use here?
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
so it looks like you can take the id, use the aws_vpc data source instead of aws_vpcs and pull the cidr from there:
Provides details about a specific VPC
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
@johncblandii the use is making a security group rule for all the CIDRs in a given region
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
yeah, then the above should be fine
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
so with that aws_vpc data source
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
feed the id you want into the aws_vpc data query and you should be golden
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
do I just use count?
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
you can pull just one from the aws_vpcs
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
thats the thing, I want to feed in all IDs
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
you’re creating SGs across all VPCs at once?
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
no
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
the SG will be in one VPC
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
but it’ll allow traffic from other VPCs
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
so why loop or count?
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
ahh…so you want the sg to be in a loop
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
well, im using a module to create the SG https://github.com/terraform-aws-modules/terraform-aws-security-group
Terraform module which creates EC2-VPC security groups on AWS - terraform-aws-modules/terraform-aws-security-group
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
and this module seems to only take in cidr_blocks or other security group ids
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
i actually opened this issue a second ago: https://github.com/terraform-aws-modules/terraform-aws-security-group/issues/112
Example in README shows VPC ID being passed into computed_ingress_cidr_blocks list. Is this module supposed to allow VPC IDs to be passed into that parameter? module "db_computed_sg" { # …
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
because their example shows them passing in VPC IDs
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
If I could pass in just the VPC IDs, that’d be awesome
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
have you tried using count on the sg module?
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
nope, how would that look?
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
i dont think it has that parameter
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
module "http_sg" {
  source = "terraform-aws-modules/security-group/aws"
  count  = "${length(data.aws_vpcs.all)}"
  ...
}
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
besides, I don't need multiple SGs, I just need one with a lot of rules
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
ah
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
so you want ingress_cidr_blocks to be “all vpcs”?
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
all_vpcs.cidr_blocks
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
unless that module can take in VPC IDs instead of cidr blocks, but I don't think it can, even though they have an example in their readme doing just that
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
and, for clarity, you are not wanting peering, right?
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
you just want to allow traffic
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
nope, peering has been sorted out already
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
yeah just want the rules
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
so we just use an aws_security_group with ingress defined by other security groups. they’re all internal to the same vpc, though.
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
your github issue seems to have code showing how to do it
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
did you try that and it failed?
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
yeah i think for some reason you actually cannot pass in VPC IDs
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
I think this might work for me:

data "aws_vpcs" "all" {}

# Look up every VPC in the region so its cidr_block can be read
data "aws_vpc" "all" {
  count = "${length(data.aws_vpcs.all.ids)}"
  id    = "${element(data.aws_vpcs.all.ids, count.index)}"
}
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
ingress_cidr_blocks = ["${data.aws_vpc.all.*.cidr_block}"]
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
i see the computed_ingress_cidr_blocks variable throughout a lot of modules in that repo
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
computed_ingress_cidr_blocks should be it, but i dont see anything in the source code that takes a VPC ID and returns cidr blocks
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
maybe just try to output those cidr_block to verify you get back the cidr then you can likely just use https://www.terraform.io/docs/providers/aws/r/security_group.html
Provides a security group resource.
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
ingress takes a list of cidr_blocks
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
this is working great: ingress_cidr_blocks = ["${data.aws_vpc.all.*.cidr_block}"]
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
here is our db sg:

# Ingress for the database SG is granted to other SGs, not CIDRs
ingress {
  description = "Application traffic"
  from_port   = 5432
  to_port     = 5432
  protocol    = "TCP"
  security_groups = [
    "${module.vpc.internal_only_security_group_id}",
    "${module.vpc.web_security_group_id}",
  ]
}
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
oh, great…so you got it working?
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
yep
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
sweet
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
data "aws_vpcs" "all" {}

# Look up every VPC in the region so its cidr_block can be read
data "aws_vpc" "all" {
  count = "${length(data.aws_vpcs.all.ids)}"
  id    = "${element(data.aws_vpcs.all.ids, count.index)}"
}
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
good deal
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
glad you got it
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
thanks for the help
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
np
![Tim Malone avatar](https://secure.gravatar.com/avatar/cec04d078c5af3d798433ab294657e36.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
fwiw since you mentioned it above - count doesn’t work for modules, sadly
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
i dont need it to but thanks
2019-04-09
![Arvind avatar](https://secure.gravatar.com/avatar/b6ae9504db8c5ac0c1f7c8df200a68ba.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Help!! Regarding this error:

* provider.vault: failed to create limited child token: Error making API request.

URL: POST https://vault.abc.net/v1/auth/token/create
Code: 403. Errors:

* 1 error occurred:
  * permission denied
![Arvind avatar](https://secure.gravatar.com/avatar/b6ae9504db8c5ac0c1f7c8df200a68ba.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I am trying to get my AWS KEYS from Vault.
![Arvind avatar](https://secure.gravatar.com/avatar/b6ae9504db8c5ac0c1f7c8df200a68ba.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
provider "vault" {
}

# Reads the KV secret holding the AWS keys. Note that data source values are
# written to the Terraform state in plaintext, so the state backend must be protected.
data "vault_generic_secret" "aws_auth" {
  path = "secret/project/abc/infra_secrets"
}

provider "aws" {
  access_key = "${data.vault_generic_secret.aws_auth.data["access_key"]}"
  secret_key = "${data.vault_generic_secret.aws_auth.data["secret_key"]}"
  #profile = "${var.profile}"
  #profile = "dev"
  region = "${var.region}"
}
![kritonas.prod avatar](https://secure.gravatar.com/avatar/eefb4047217726358acbb8c894279406.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Question regarding module cloudposse/terraform-aws-s3-bucket: How can I enable “Static website hosting” on the bucket created via the module?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@kritonas.prod you can use this module to create S3 website https://github.com/cloudposse/terraform-aws-s3-website
Terraform Module for Creating S3 backed Websites and Route53 DNS - cloudposse/terraform-aws-s3-website
![kritonas.prod avatar](https://secure.gravatar.com/avatar/eefb4047217726358acbb8c894279406.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Thanks @Andriy Knysh (Cloud Posse) I’ll have a look!
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
here is a working example on how to use the module together with CloudFront CDN https://github.com/cloudposse/terraform-root-modules/blob/master/aws/docs/main.tf#L72
Example Terraform service catalog of “root module” invocations for provisioning reference architectures - cloudposse/terraform-root-modules
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
that’s how https://docs.cloudposse.com/ is deployed
![kritonas.prod avatar](https://secure.gravatar.com/avatar/eefb4047217726358acbb8c894279406.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@Andriy Knysh (Cloud Posse) thank you so much, that’s exactly what I was looking for! sorry for the late reply
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Glad it worked for you
![AgustínGonzalezNicolini avatar](https://secure.gravatar.com/avatar/fb02f51e23f1d447002da0c44050df3d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Hi guys, do you have any module for privatelink?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@AgustínGonzalezNicolini CloudPosse doesn’t have such a module, maybe other people here have it
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
also take a look at https://github.com/traveloka?utf8=%E2%9C%93&q=privatelink&type=&language=
Enabling Mobility. Traveloka has 2 repositories available. Follow their code on GitHub.
![AgustínGonzalezNicolini avatar](https://secure.gravatar.com/avatar/fb02f51e23f1d447002da0c44050df3d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
thanks!
![Arvind avatar](https://secure.gravatar.com/avatar/b6ae9504db8c5ac0c1f7c8df200a68ba.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
* provider.vault: failed to create limited child token: Error making API request.

URL: POST https://vault.or1.net/v1/auth/token/create
Code: 403. Errors:

* 1 error occurred:
  * permission denied
![Arvind avatar](https://secure.gravatar.com/avatar/b6ae9504db8c5ac0c1f7c8df200a68ba.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Any pointers
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
No experience with the vault provider.
![Arvind avatar](https://secure.gravatar.com/avatar/b6ae9504db8c5ac0c1f7c8df200a68ba.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Is there any way I can use my AWS access and secret key from a remote source? I don’t want to set environment variables for the AWS access and secret key, or store them locally.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
in geodesic, we use assume role to log in to diff accounts. But you will have to provision the required roles, and in your TF modules add the code for TF to assume the roles as well, e.g. https://github.com/cloudposse/terraform-root-modules/blob/master/aws/eks/main.tf#L11
Example Terraform service catalog of “root module” blueprints for provisioning reference architectures - cloudposse/terraform-root-modules
![Arvind avatar](https://secure.gravatar.com/avatar/b6ae9504db8c5ac0c1f7c8df200a68ba.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Let me integrate the same
![Arvind avatar](https://secure.gravatar.com/avatar/b6ae9504db8c5ac0c1f7c8df200a68ba.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Thanks
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
geodesic uses aws-vault to store the credentials
![Arvind avatar](https://secure.gravatar.com/avatar/b6ae9504db8c5ac0c1f7c8df200a68ba.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I am unable to use that > https://github.com/cloudposse/terraform-root-modules/blob/master/aws/eks/main.tf#L11
Example Terraform service catalog of “root module” blueprints for provisioning reference architectures - cloudposse/terraform-root-modules
![Arvind avatar](https://secure.gravatar.com/avatar/b6ae9504db8c5ac0c1f7c8df200a68ba.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I don’t understand where I need to add this

provider "vault" {
}

# Reads the KV secret holding the AWS keys; the values land in Terraform state
data "vault_generic_secret" "aws_auth" {
  path = "secret/lav/projects/infra_secrets"
}

provider "aws" {
  access_key = "${data.vault_generic_secret.aws_auth.data["access_key"]}"
  secret_key = "${data.vault_generic_secret.aws_auth.data["secret_key"]}"
  #profile = "${var.profile}"
  profile = "dev"
  region = "${var.region}"
}
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
https://github.com/99designs/aws-vault is a completely different thing from the HashiCorp Vault. We did not use the HashiCorp Vault provider
A vault for securely storing and accessing AWS credentials in development environments - 99designs/aws-vault
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
It also supports aws-okta if you want to login with SAML provider
![phanindra bolla avatar](https://secure.gravatar.com/avatar/c458d07a4fcde8364d8726487da12c5d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0017-72.png)
Hi Guys, question regarding ASG-ELB. Once my stack is deployed with an AWS ASG and a classic load balancer, the next terraform plan and apply is deregistering the instances behind the load balancer. I am unable to find the root cause for deregistering the instances. How do I make sure ASG instances are always registered under the ELB?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@phanindra bolla it sounds more like terraform wants to recreate something and that’s why they are getting deregistered.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
if you share the plan output, that would help more.
2019-04-10
![Vidhi Virmani avatar](https://secure.gravatar.com/avatar/edad5aa6764eb61ed3e05f1d2c3f6114.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
Hi,
I was trying to run this code on my local https://www.terraform.io/docs/providers/helm/repository.html but receiving this error
helm_release.mydatabase: Couldn't load repositories file (helm/repository/repositories.yaml).
![Vidhi Virmani avatar](https://secure.gravatar.com/avatar/edad5aa6764eb61ed3e05f1d2c3f6114.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
sorry, this was my mistake. I had set the home as ./helm. Removing home from the provider fixed the issue
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Strange, I’ve had to change my values for bucket prefix
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Working: TF_BUCKET_PREFIX="backend"
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
old way: export TF_CLI_INIT_BACKEND_CONFIG_KEY="backend"
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Terraform v0.11.11
+ provider.aws v2.5.0
+ provider.local v1.2.0
+ provider.null v2.1.0
+ provider.template v2.1.0
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Any way to have R53 zones for acme.co.uk on two accounts? Got records like dev-api.acme.co.uk on account 1 and staging-api.acme.co.uk on account 2
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
But having the acme.co.uk zones on multiple accounts obviously isn’t picked up. Feel like an NS needs updating somewhere to listen to all the accounts….?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
You can do cross-account route53/iam
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
but the zone must exist in exactly one account
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
or you can delegate zones
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Have done a cross-account r53 IAM
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
With an aliased provider for R53 resources!
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
nice! you’re moving fast
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
The reason for this is because I originally had a zone on each account called develop.acme.co.uk, however my *.acme.co.uk SSL was single level subdomain and I couldn’t figure out how to get a second level SSL cert
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
The only other option I can think of is having all R53 resources be run against an IAM role for the root account which has the functional acme.co.uk zone
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
^ That deffo doesn’t have in mind the Terraform / Geodesic model
![Steven avatar](https://secure.gravatar.com/avatar/85c27d283a537b0c5b54590f47293fe1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Sounds like you’re thinking more about AWS than DNS. This is an easy DNS issue. AWS has nothing to do with it. You can spread DNS subdomains across as many accounts as you want. I have multiple per account. You just need to create an NS record for each one in its parent zone
![Steven avatar](https://secure.gravatar.com/avatar/85c27d283a537b0c5b54590f47293fe1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
As far as SSL, you need to add aliases when the SSL cert is created for each subdomain you want it to apply to
![Steven avatar](https://secure.gravatar.com/avatar/85c27d283a537b0c5b54590f47293fe1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
So, if you created a SSL cert for *.acme.co.uk you would have added an alias for *.develop.acme.co.uk to it
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
- I have a *.acme.co.uk SSL cert
- On my root account I have a working acme.co.uk R53 zone (connected to our domain provider’s records)
- On my develop account I have either a develop.acme.co.uk or an acme.co.uk R53 zone

I would like to have develop.api.acme.co.uk use my *.acme.co.uk SSL certificate, somehow
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
So it’s either I change it to develop-api.acme.co.uk
![Steven avatar](https://secure.gravatar.com/avatar/85c27d283a537b0c5b54590f47293fe1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Can’t without recreating the cert
![Steven avatar](https://secure.gravatar.com/avatar/85c27d283a537b0c5b54590f47293fe1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
SSL wildcards are single level only
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Ah right
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
I would rather not have to use two level certs
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
I would like to have multiple acme.co.uk zones across my accounts and have them all work publicly
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
An alternative I see is have them be private zones (all accounts are VPC peered)
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
so when I go onto VPN I’ll get the DNS records
![Steven avatar](https://secure.gravatar.com/avatar/85c27d283a537b0c5b54590f47293fe1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
What I do, is for each subdomain x.example.com I create a cert with *.x.example.com and *.example.com that everything in that subdomain can use
![Steven avatar](https://secure.gravatar.com/avatar/85c27d283a537b0c5b54590f47293fe1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I also have 3 and 4 level SSL certs in my org
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Where do you do this
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Atm I’m stuck with certificates from godaddy
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Keen to move cert management to ACM
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
But I think I would invalidate my existing, prod live, cert in the process
![Steven avatar](https://secure.gravatar.com/avatar/85c27d283a537b0c5b54590f47293fe1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I organize multiple app environments per AWS account. We decided to reflect this as namespacing in DNS as app.env.account.company.com. I create SSL certs to handle all layers so I can create DNS aliases at any level
![Steven avatar](https://secure.gravatar.com/avatar/85c27d283a537b0c5b54590f47293fe1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
You can have many different certs for the same thing (*.example.com) as long as a given service only uses only one of them
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
And you manage this in ACM?
![Steven avatar](https://secure.gravatar.com/avatar/85c27d283a537b0c5b54590f47293fe1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Yes. It is easy there because it can be fully automated in terraform
![Steven avatar](https://secure.gravatar.com/avatar/85c27d283a537b0c5b54590f47293fe1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
It was also done this way to simplify terraform use. The run that sets up the route53 zone needs access to 2 AWS accounts (subdomain and parent domain accounts), but after that other terraform runs only need to use the subdomain account
![phanindra bolla avatar](https://secure.gravatar.com/avatar/c458d07a4fcde8364d8726487da12c5d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0017-72.png)
@Erik Osterman (Cloud Posse) Please check out the terraform plan. This is what my plan changes when I re-run the terraform life cycles.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
can you share the code in this thread where you attach the instances?
![Samuli avatar](https://secure.gravatar.com/avatar/347245a6b0053a6eed1f4e28cf8f5073.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@oscarsullivan_old why do you think using ACM would invalidate your GoDaddy certs?
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
I think you have to point ‘it’ to AWS ?
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Also I can’t find a place to actually give an ACM CSR to GoDaddy
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
you can’t give an AWS cert to GoDaddy, or to anybody else. They are not exportable and can be used only with other AWS services
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Thanks. What I meant was I go to create a CA and you have a CSR that needs to be given to the parent CA – don’t think you can do that with CA
![Samuli avatar](https://secure.gravatar.com/avatar/347245a6b0053a6eed1f4e28cf8f5073.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
You should first solve how you manage DNS..
![Samuli avatar](https://secure.gravatar.com/avatar/347245a6b0053a6eed1f4e28cf8f5073.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I don’t know if GoDaddy supports delegating a subdomain to AWS, but if it does not then you would have to migrate everything (DNS) to AWS
![Samuli avatar](https://secure.gravatar.com/avatar/347245a6b0053a6eed1f4e28cf8f5073.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
After that ACM can use DNS to validate the domains you want to have SSL certs generated for
![praveen avatar](https://secure.gravatar.com/avatar/96e3194df0304ad34482ffbb5a0b5588.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
Hi, do we have an example of creating a cloud-init module with multiple cloud-init configurations within it, so that the terraform code can source the cloud-init module and use a specific cloud-init config from it? Can we make the cloud-init template_file optional so that we can render a specific template_file in the terraform code depending on the requirement?
![praveen avatar](https://secure.gravatar.com/avatar/96e3194df0304ad34482ffbb5a0b5588.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
do we have an example of achieving it using https://www.terraform.io/docs/providers/template/d/cloudinit_config.html
Renders a multi-part cloud-init config from source files.
![praveen avatar](https://secure.gravatar.com/avatar/96e3194df0304ad34482ffbb5a0b5588.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
making template_files optional and rendering only the template_file that is needed for the end terraform code
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
Hi @praveen there’s an open PR where this resource is being used, have a look: https://github.com/cloudposse/terraform-aws-cloudwatch-agent/pull/1 it should help you get started.
This PR includes: a module for installing a cloudwatch agent on ec2 instances. documentation for it ( examples, inputs, outputs ) I excuse myself for the massive PR. If needed I can split it up i…
![praveen avatar](https://secure.gravatar.com/avatar/96e3194df0304ad34482ffbb5a0b5588.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
Hi @Nikola Velkovski, My question was about cloud-init
![praveen avatar](https://secure.gravatar.com/avatar/96e3194df0304ad34482ffbb5a0b5588.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
rendering terraform
![praveen avatar](https://secure.gravatar.com/avatar/96e3194df0304ad34482ffbb5a0b5588.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
let me know if I am confusing you
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
Contribute to cloudposse/terraform-aws-cloudwatch-agent development by creating an account on GitHub.
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
check this file out
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
the resource is the same as the one you were asking about.
![praveen avatar](https://secure.gravatar.com/avatar/96e3194df0304ad34482ffbb5a0b5588.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
@Nikola Velkovski the current example is sourcing multiple cloud-init configurations and merging them. My requirement is to create a separate cloud-init module, with all YAML files (configuration files) required for the complete environment made available within it. For the end Terraform code, when I source the cloud-init module I should be able to render a specific cloud-init config file for the specific service (without rendering all configuration files)
![praveen avatar](https://secure.gravatar.com/avatar/96e3194df0304ad34482ffbb5a0b5588.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
which means the cloud-init module should omit (by making all template_files optional) all cloud-init files and render only the specific file needed for the service/terraform code
![praveen avatar](https://secure.gravatar.com/avatar/96e3194df0304ad34482ffbb5a0b5588.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
Am I making sense? I mean, can this be achieved?
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
that will not be easily doable because of YAML’s requirement for strict spacing. Maybe if passing the pieces base64 encoded.
![praveen avatar](https://secure.gravatar.com/avatar/96e3194df0304ad34482ffbb5a0b5588.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
Is it? Let me prepare a module and test it to see if we can achieve it. I will share the module once I create it
![praveen avatar](https://secure.gravatar.com/avatar/96e3194df0304ad34482ffbb5a0b5588.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
As this approach is new, I wanted to check if it is doable
![praveen avatar](https://secure.gravatar.com/avatar/96e3194df0304ad34482ffbb5a0b5588.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
Thank you Nikola
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
you are welcome
![Steven avatar](https://secure.gravatar.com/avatar/85c27d283a537b0c5b54590f47293fe1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@praveen I did this type of thing in a different tool years ago. If you create a template for each cloud-init section and then either concat them together or use a template to put them together with a little conditional logic, you should be able to do this
![praveen avatar](https://secure.gravatar.com/avatar/96e3194df0304ad34482ffbb5a0b5588.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
hi Steven, can I have a reference to the repo, so that I can refer to it
![Steven avatar](https://secure.gravatar.com/avatar/85c27d283a537b0c5b54590f47293fe1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
The one that I did was in puppet for a config file for something else. So, the logic would be different (also not sure where it is). But the concept should work. Probably will not be easy to debug or elegant
![Steven avatar](https://secure.gravatar.com/avatar/85c27d283a537b0c5b54590f47293fe1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I remember in puppet it worked well, but the code was not easy to understand
![praveen avatar](https://secure.gravatar.com/avatar/96e3194df0304ad34482ffbb5a0b5588.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
Sure Steven, let me create one and try. Thanks for the info Steven
![Steven avatar](https://secure.gravatar.com/avatar/85c27d283a537b0c5b54590f47293fe1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
welcome
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Office Hours Today from 11:30 AM to 12:20 PM (PST) at https://zoom.us/j/684901853
![Rich Allen avatar](https://secure.gravatar.com/avatar/09f045a9ab3a689d313ca5f03d4a05b4.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0012-72.png)
hiya, so forgive me if this is a dumb question, but I’m new to the community and I’ve found you through the registry and it seems this is a fairly active set of maintained modules and contributors. I’m looking to reproduce something like https://docs.aws.amazon.com/quickstart/latest/compliance-nist/overview.html in terraform. I’m in the experiment stage and so I wrote a more simple public/private subnet without peering or the additional things in the diagram. At this point, I’m not exactly sure what bits and pieces will make sense and how to best utilize some of the modules and aim for something closer to my goal on this iteration.
Overview of the NIST-based standardized architecture on AWS: topology, AWS services, best practices, and cost and licenses.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
hey @Rich Allen welcome
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
did you see this https://github.com/aws-quickstart/quickstart-compliance-nist
AWS Quick Start Team. Contribute to aws-quickstart/quickstart-compliance-nist development by creating an account on GitHub.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
it’s in CloudFormation, but should give you ideas what needs to be done
![Rich Allen avatar](https://secure.gravatar.com/avatar/09f045a9ab3a689d313ca5f03d4a05b4.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0012-72.png)
yes, I was hoping to remain cloud agnostic about it for future purposes. We use aws right now, however for this particular need we’d also like to do other providers.
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Strongly recommend this read also, https://bravenewgeek.com/multi-cloud-is-a-trap/
It comes up in a lot of conversations with clients. We want to be cloud-agnostic. We need to avoid vendor lock-in. We want to be able to shift workloads seamlessly between cloud providers. Let me s…
![Rich Allen avatar](https://secure.gravatar.com/avatar/09f045a9ab3a689d313ca5f03d4a05b4.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0012-72.png)
this looks very interesting, I gave it a scan and will review it later. I’m not sure if this addresses that but my worry is not to run a single application in HA/Failover in many clouds, we will deploy slightly different variations of a basic web application stack (something like django or symfony). My thought is, even if we have to maintain a few different stacks (azure, gcp, aws), we don’t have to have everyone know CF + Terraform. I’m also considering k8s but at this point I feel like k8s is a challenge and we’re not really super mature in our CICD/IaC yet. That read should help me understand my approach avoiding CF. It may be just as easy to use the aws_cloudformation_stack, that seems to be a bit of an extra layer of abstraction but it’s something I still need to look into.
![Rich Allen avatar](https://secure.gravatar.com/avatar/09f045a9ab3a689d313ca5f03d4a05b4.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0012-72.png)
it just seemed like this was common, and before I went out and wrote something
![Rich Allen avatar](https://secure.gravatar.com/avatar/09f045a9ab3a689d313ca5f03d4a05b4.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0012-72.png)
just wanted to check in with some folks who might have advice or a module I was missing.
![Rich Allen avatar](https://secure.gravatar.com/avatar/09f045a9ab3a689d313ca5f03d4a05b4.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0012-72.png)
your suggestion is my exact plan at the moment haha
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
yea, when you look at those templates, you will have more info on what needs to be implemented
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
also, TF is not cloud agnostic either, it’s just the same syntax, but different resources and modules
2019-04-11
![Vidhi Virmani avatar](https://secure.gravatar.com/avatar/edad5aa6764eb61ed3e05f1d2c3f6114.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
Hi, Has someone tried to setup istio using terraform?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
As opposed to using helm?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
…otherwise, using terraform to call helm to install the official chart?
2019-04-12
![Raju avatar](https://secure.gravatar.com/avatar/38866f4c164f5eabacd3b952f8b4417c.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
Hello
![Raju avatar](https://secure.gravatar.com/avatar/38866f4c164f5eabacd3b952f8b4417c.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
Can someone help me with https://github.com/cloudposse/terraform-aws-iam-role/issues/4
I am trying to create an iam role using this module. The template file looks like below data "aws_iam_policy_document" "resource_full_access" { statement { sid = "FullAcces…
![Raju avatar](https://secure.gravatar.com/avatar/38866f4c164f5eabacd3b952f8b4417c.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
May be I am doing something wrong and one of you guys can help to sort it out
![renaldrozario avatar](https://secure.gravatar.com/avatar/37833ec632eac452f7da4d73eaf55800.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
Which one would you vote for… remote exec or userdata?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
hey @Raju did @Igor Rodionov get back to you?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
He’s the one who wrote/maintains that module
2019-04-13
![Raju avatar](https://secure.gravatar.com/avatar/38866f4c164f5eabacd3b952f8b4417c.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
Hi @Erik Osterman (Cloud Posse) Nope, I am still waiting for a response on it
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@Raju sorry about that. @Igor Rodionov has been incredibly busy on another project. I’ll ping him again next week.
![Raju avatar](https://secure.gravatar.com/avatar/38866f4c164f5eabacd3b952f8b4417c.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
Thanks a lot
![Igor Rodionov avatar](https://secure.gravatar.com/avatar/bc70834d32ed4517568a1feb0b9be7e2.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
@Raju can you provide the versions of terraform and aws provider
![Igor Rodionov avatar](https://secure.gravatar.com/avatar/bc70834d32ed4517568a1feb0b9be7e2.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
You can run `terraform version`
![Igor Rodionov avatar](https://secure.gravatar.com/avatar/bc70834d32ed4517568a1feb0b9be7e2.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
I have
```text
Terraform v0.11.11
+ provider.aws v2.6.0
+ provider.null v2.1.1
+ provider.random v2.1.1
Your version of Terraform is out of date! The latest version
is 0.11.13. You can update by downloading from www.terraform.io/downloads.html
```
![Raju avatar](https://secure.gravatar.com/avatar/38866f4c164f5eabacd3b952f8b4417c.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
The aws and null provider versions are different
![Raju avatar](https://secure.gravatar.com/avatar/38866f4c164f5eabacd3b952f8b4417c.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
```text
Terraform v0.11.11
+ provider.aws v1.8.0
+ provider.null v1.0.0
+ provider.random v2.1.1
Your version of Terraform is out of date! The latest version
is 0.11.13. You can update by downloading from www.terraform.io/downloads.html
```
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
have you guys heard of pulumi? at this point, I have a severe distaste for it
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I’ve also heard the same. In fact, I’ve not heard anything positive yet from it.
That said, I want to like it given the shortcomings of HCL.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
So I remain optimistic that by the time we do dig into it, it’s matured to the point it solves a real problem for us.
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
the general tone of the marketing, the ideal and its execution is pretty weak, and the fact that it is a full SaaS service is the main issue for me
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I didn’t realize it was full-SaaS. That’s a deal breaker.
![Andrew Nazarov avatar](https://avatars.slack-edge.com/2021-06-09/2146832855878_fbb84e3b2832cc494a93_72.jpg)
AFAIK they provide on-prem/self-hosted options. Also Pulumi could store its state on the local filesystem instead of doing REST API calls.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
hi @Julio Tain Sueiras, we heard of it, looked at some examples, but did not actually use it
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
i thought it was nice to try b/c it uses general purpose languages (Python, Go, Node) so could have much fewer restrictions than terraform
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
also can deploy k8s using the same language
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
@Erik Osterman (Cloud Posse) my big issue with pulumi mostly stems from them piggybacking on terraform, but at the same time dissing terraform
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I like that they piggyback on terraform though. Can you imagine the amount of trade skill/knowhow/lessons learned baked into the terraform providers? I would hate to have to go through all that again in another system. That said, I guess the way I’ve been mentally painting pulumi is as the equivalent of Sass for HCL. But I haven’t actually tried using pulumi in any way.
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
(their provider is actually terraform provider)
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
@Andriy Knysh (Cloud Posse) my opinion about general purpose languages is that it definitely can help with less restriction, but at the same time it moves away from the ideal that the code is the infrastructure
2019-04-14
2019-04-15
![kskewes avatar](https://avatars.slack-edge.com/2019-04-05/592663364881_098e29e5a0fe63cc7c82_72.jpg)
Look at the onboarding process of new employees with something like pulumi versus terraform. There is a lot more skill and best practice with the latter out there.
![Abel Luck avatar](https://secure.gravatar.com/avatar/0f605397e0ead93a68e1be26dc26481a.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
XTerrafile is a pure Go tool for managing vendored modules and formulas using a YAML file - devopsmakers/xterrafile
![joshmyers avatar](https://avatars.slack-edge.com/2018-11-20/483958217281_8117d6f6c62807ce9912_72.jpg)
Nope but looks interesting, seeing more and more of these small Terraform helper tools for managing and vendoring modules
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@Abel Luck do you know if it works recursively?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
(for modules composed of other modules)
![Abel Luck avatar](https://secure.gravatar.com/avatar/0f605397e0ead93a68e1be26dc26481a.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
i haven’t tried it yet, but that would be a requirement for my use case as well
![Abel Luck avatar](https://secure.gravatar.com/avatar/0f605397e0ead93a68e1be26dc26481a.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
as much as i like the community taking the initiative to develop tools, i can’t help but feel it should be a part of terraform proper.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
yea, we recently tried to do this with the help of @tamsky
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
it’s not an easy problem to solve.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
nested modules, pinned at different versions of the same modules. we were able to mock up a prototype using `terraform init` to fetch all modules, parsed `modules.json` with `jq` to get the inventory, and did some `sed` foo to rewrite sources to local ones.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
but the part that got messy is we couldn’t really use a `vendor/` folder b/c it would mean huge amounts of `../../../.././../vendor/github.com/cloudposse/terraform-null-label/0.4.5` type stuff
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
something like govendor/glide/etc for terraform… with a true HCL parser/templater and round-trip read/write support
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
I wonder if hashicorp would consider a `terraform vendor` or `terraform package` command..?
2019-04-16
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
@Andriy Knysh (Cloud Posse) have you guys used nix before?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@Julio Tain Sueiras what is nix?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Looks interesting, we didn’t use it
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
the most interesting use of it for me is baking packages into docker image
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
so no more using ansible or Dockerfile to do apt install or yum install etc
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
is just
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
```nix
contents = [
  vim
  terraform
]
```
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
![party_parrot](/assets/images/custom_emojis/party_parrot.gif)
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
Codefresh’s UI looks really good. There are some quality updates since the last UI I saw
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Yea, they are constantly improving it. In fact, there’s even a newer UI than in this demo that they are about to release.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
That update will make it easier to visually deal with hundreds of repos and dozens of pipelines per repo.
2019-04-17
![shaiss avatar](https://secure.gravatar.com/avatar/620f47c6e0966abfddd0a2ab4cee86cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
anyone have exp w/ the TF ALB resource, particularly the access_logs block? I define an existing bucket, but get access denied. note that this is in dev, I created the bucket and the TF apply is running under my account
![Steven avatar](https://secure.gravatar.com/avatar/85c27d283a537b0c5b54590f47293fe1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Specifically access denied to what?
![shaiss avatar](https://secure.gravatar.com/avatar/620f47c6e0966abfddd0a2ab4cee86cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
```text
aws_lb.alb_example: Failure configuring LB attributes: InvalidConfigurationRequest: Access Denied for bucket: shaitestiasapi[hidden]. Please check S3bucket permission
	status code: 400, request id: 5ba27350-610e-11e9-af7f-1535341880fe
```
![shaiss avatar](https://secure.gravatar.com/avatar/620f47c6e0966abfddd0a2ab4cee86cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
in cloudtrail I see
```json
"errorCode": "InvalidConfigurationRequestException",
"errorMessage": "Access Denied for bucket: shaitestiasapi[hidden]. Please check S3bucket permission",
```
![shaiss avatar](https://secure.gravatar.com/avatar/620f47c6e0966abfddd0a2ab4cee86cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
The AWS LB documentation shows no references for access logs, so I’m wondering if this is a bug or an old feature in TF: https://docs.aws.amazon.com/cli/latest/reference/elbv2/index.html
![shaiss avatar](https://secure.gravatar.com/avatar/620f47c6e0966abfddd0a2ab4cee86cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
If I comment the access_logs block out, then the TF template deploys fine:
```hcl
# access_logs {
#   bucket  = "${var.s3_alb_logs_bucket}"
#   prefix  = "${var.log_prefix}"
#   enabled = false
# }
```
![Steven avatar](https://secure.gravatar.com/avatar/85c27d283a537b0c5b54590f47293fe1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Your account needs permissions on the S3 bucket to set it up, and the LB needs permissions to write the logs
![shaiss avatar](https://secure.gravatar.com/avatar/620f47c6e0966abfddd0a2ab4cee86cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
are there any particular permissions?
![shaiss avatar](https://secure.gravatar.com/avatar/620f47c6e0966abfddd0a2ab4cee86cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
I have full admin
![Steven avatar](https://secure.gravatar.com/avatar/85c27d283a537b0c5b54590f47293fe1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Then you’re good for the terraform run. But you need to give the LB permissions to S3
![Steven avatar](https://secure.gravatar.com/avatar/85c27d283a537b0c5b54590f47293fe1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Should be an example of that somewhere
![shaiss avatar](https://secure.gravatar.com/avatar/620f47c6e0966abfddd0a2ab4cee86cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
@Steven thx for the help, yep, I’m looking for that example as that’s the part that’s holding me back
![shaiss avatar](https://secure.gravatar.com/avatar/620f47c6e0966abfddd0a2ab4cee86cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
it’s here, thx! https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html?icmpid=docs_elbv2_console
Learn how to monitor your Application Load Balancer using access logs provided by Elastic Load Balancing.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
here’s how we create an S3 bucket with a policy for LB logs (it’s Elastic Beanstalk, but should be the same for any LB) https://github.com/cloudposse/terraform-aws-elastic-beanstalk-environment/blob/master/main.tf#L1029
Terraform module to provision an AWS Elastic Beanstalk Environment - cloudposse/terraform-aws-elastic-beanstalk-environment
![shaiss avatar](https://secure.gravatar.com/avatar/620f47c6e0966abfddd0a2ab4cee86cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
ty!
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
Hashicorp email just came through
Maybe You Don’t Need Kubernetes, Unleashing Terraform 0.12, and Nomad 0.9 & Vault 1.1 Releases
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
^ me right now at seeing .12 mentioned
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I did the same double take
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
I got amped because I thought it was them releasing it
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Even went to the github releases page thinking…. “waaaaaiit a minute, did I miss something?”
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
LMBO
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
my sprint was about to get jacked up!
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
lol
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
andddddddd…the referenced article is from March: https://medium.com/hashicorp-engineering/unleashing-the-power-of-terraform-0-12-f864dd0cec4b
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Office Hours Today from 11:30 AM to 12:20 PM at https://zoom.us/j/684901853
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
(PST)
![shaiss avatar](https://secure.gravatar.com/avatar/620f47c6e0966abfddd0a2ab4cee86cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
has anyone run into challenges deploying an S3 bucket when the role has a policy w/ an s3:GetBucketWebsite deny?
![shaiss avatar](https://secure.gravatar.com/avatar/620f47c6e0966abfddd0a2ab4cee86cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
- aws_s3_bucket.b: aws_s3_bucket.b: error getting S3 Bucket website configuration: AccessDenied: Access Denied status code: 403, request id: 58F8BCE915142469, host id: BJd1A2Zr/RhBG7CNU+zOe4cFoCW63zt+h9ea6jsqC/D7fl3x90uxIrvBIVMezFY8sr5/yxNYdZ0=
![shaiss avatar](https://secure.gravatar.com/avatar/620f47c6e0966abfddd0a2ab4cee86cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
```hcl
provider "aws" {
  region = "us-east-1"
}

# Plain private bucket, straight from the Terraform docs example
resource "aws_s3_bucket" "b" {
  bucket = "my-tf-test-buckeas231231232144445"
  acl    = "private"

  tags = {
    Name        = "test bucket"
    Environment = "Dev"
  }
}
```
![shaiss avatar](https://secure.gravatar.com/avatar/620f47c6e0966abfddd0a2ab4cee86cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
that’s the TF code, nothing else
![shaiss avatar](https://secure.gravatar.com/avatar/620f47c6e0966abfddd0a2ab4cee86cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
IAM policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Deny",
      "Action": [
        "s3:DeleteBucketWebsite",
        "s3:GetBucketWebsite",
        "s3:PutBucketWebsite"
      ],
      "Resource": "*"
    }
  ]
}
```
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
you denied those actions. any reason for doing it?
![shaiss avatar](https://secure.gravatar.com/avatar/620f47c6e0966abfddd0a2ab4cee86cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
not my env; the customer insists those have to be denied
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
heh, chicken, meet egg
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
might need some kind of condition on the statement such that it doesn’t apply to whatever principal you want to use to apply the tf config
![shaiss avatar](https://secure.gravatar.com/avatar/620f47c6e0966abfddd0a2ab4cee86cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
yeah, that’s what I’m thinking, but oddly I can run the create bucket via CLI with no issues. So TF is doing something with the CLI call beyond the basics I’m asking it to do
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
yes, TF does a lot of “get”-type calls to check state
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@shaiss do you create the same policy with Deny when using the cli?
![shaiss avatar](https://secure.gravatar.com/avatar/620f47c6e0966abfddd0a2ab4cee86cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
the policy is already there when they set up the account
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
hmm…
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
both TF and cli call the same AWS API
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
The AWS cli is only doing the create bucket though, TF is trying to manage all the attributes on the bucket and so queries the current state first
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
No, that would be a security hole :) the policy is already in the account as I understand it
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@shaiss might be creating an S3 website bucket in TF (not actually using the code shown above), but just a plain bucket from the cli
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
i’m not following that… his role/user is not allowed the s3:GetBucketWebsite action, but TF is clearly attempting to do exactly that
![shaiss avatar](https://secure.gravatar.com/avatar/620f47c6e0966abfddd0a2ab4cee86cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
@Andriy Knysh (Cloud Posse) that shouldn’t be the case w/ the TF code I posted above as it’s pulled directly from the Terraform doc for creating a basic bucket
![shaiss avatar](https://secure.gravatar.com/avatar/620f47c6e0966abfddd0a2ab4cee86cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
@loren exactly
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
all i’m saying is that TF makes many api calls when it refreshes state, because TF isn’t doing a single api action in an s3_bucket resource
![shaiss avatar](https://secure.gravatar.com/avatar/620f47c6e0966abfddd0a2ab4cee86cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
I’d love to see the underlying API call TF is making; I enabled tracing but the output is still a bit cryptic
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
if the policy is a resource (bucket) policy, creating S3 website would not work in any case
![shaiss avatar](https://secure.gravatar.com/avatar/620f47c6e0966abfddd0a2ab4cee86cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
@Andriy Knysh (Cloud Posse) the policy is an IAM policy
![shaiss avatar](https://secure.gravatar.com/avatar/620f47c6e0966abfddd0a2ab4cee86cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
that IAM policy is attached to the role I’m assuming
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Identity-based policies – Attach managed and inline policies to IAM identities (users, groups to which users belong, or roles). Identity-based policies grant permissions to an identity.
Resource-based policies – Attach inline policies to resources. The most common examples of resource-based policies are Amazon S3 bucket policies and IAM role trust policies. Resource-based policies grant permissions to a principal entity that is specified in the policy. Principals can be in the same account as the resource or in other accounts.
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
set yourself up with a throwaway aws account for the free tier, then setup a role with zero read privs, use that with TF to create the bucket. then you’ll see all the aws api calls that TF is performing, as you get denied one-by-one, grant yourself that specific api read action
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
that IAM policy is attached to the role I’m assuming
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
are you assuming the same role when using the cli?
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
in TF, a different set of api actions is required to create the bucket the first time vs applying the config again (even with no changes) due to the extra read cycle
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Terraform AWS provider. Contribute to terraform-providers/terraform-provider-aws development by creating an account on GitHub.
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
skim that file for `s3conn.` to get an idea of the API actions required
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
i’m just trying to say that if @shaiss assumes the role with the policy when using TF, then it will not work b/c of the permissions. With the cli, if he assumes the same role, it should not work either. If he uses another way to log in with the cli, then it would work since the policy is not attached to the other credentials. If he assumes the same role using the cli and it works, then it’s very strange
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
right, the difference is that with the aws cli, the only thing he did is create-bucket
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
TF does much more than just create-bucket when operating on an aws_s3_bucket resource
![shaiss avatar](https://secure.gravatar.com/avatar/620f47c6e0966abfddd0a2ab4cee86cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
@Andriy Knysh (Cloud Posse) I assume the role w/ both TF and CLI, and CLI works, TF fails
![shaiss avatar](https://secure.gravatar.com/avatar/620f47c6e0966abfddd0a2ab4cee86cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
@loren is on the right path here.
![shaiss avatar](https://secure.gravatar.com/avatar/620f47c6e0966abfddd0a2ab4cee86cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
it’s those additional things that TF is doing that in this case fails b/c the customer insists on having that IAM policy attached to ALL roles
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
i can’t really imagine why they’d want to restrict s3:GetBucketWebsite on all buckets, that just means they can’t even confirm that the buckets do not have a website configured, as you’re seeing
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
yea agree, that permission should be lifted since it’s just read-only anyway
![shaiss avatar](https://secure.gravatar.com/avatar/620f47c6e0966abfddd0a2ab4cee86cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
@loren I agree, but atm they won’t budge, so before I argue that point, I want to make sure there’s no other Terraform way around this
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
looking at the TF code, i don’t see a way. TF needs it to execute its “read” operation on the bucket
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
and without supporting the “read” operation, there isn’t much point in using TF
![shaiss avatar](https://secure.gravatar.com/avatar/620f47c6e0966abfddd0a2ab4cee86cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
maybe I just need to fork it and remove that
![shaiss avatar](https://secure.gravatar.com/avatar/620f47c6e0966abfddd0a2ab4cee86cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
I’ll call it shaiform
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
lulz
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
from the TF code, it does look like the bucket should have been created… it would be after that when TF attempts the read operation that fails… can you double-check that maybe?
![shaiss avatar](https://secure.gravatar.com/avatar/620f47c6e0966abfddd0a2ab4cee86cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
it does indeed create the bucket
![shaiss avatar](https://secure.gravatar.com/avatar/620f47c6e0966abfddd0a2ab4cee86cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
but the customer would still say the terraform code is invalid because of that error
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
after that you ask them to remove s3:GetBucketWebsite
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
it’s not a big deal and not a security concern
![shaiss avatar](https://secure.gravatar.com/avatar/620f47c6e0966abfddd0a2ab4cee86cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
man I know!
![shaiss avatar](https://secure.gravatar.com/avatar/620f47c6e0966abfddd0a2ab4cee86cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
it’s a pain atm and just trying to submit clean code without errors
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
i mean, you could try to submit an issue asking that the TF provider be more considerate of insanely restrictive IAM policies and illogical customers
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
since the TF config doesn’t specify an s3 website config, TF could key on that absence to avoid the calls
2019-04-18
![Maxim Tishchenko avatar](https://secure.gravatar.com/avatar/853372c681dc96b95f42adcb88b0cb3f.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0007-72.png)
guys, is there any way to use archive_file to zip with the -X argument?
Because every time I do apply, the .zip changes timestamp and uploads the Lambda function.
I want to stop that and only upload when it has actually changed.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I know what you mean, and I don’t think it’s possible
![Maxim Tishchenko avatar](https://secure.gravatar.com/avatar/853372c681dc96b95f42adcb88b0cb3f.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0007-72.png)
really ?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Not using archive file
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I saw some one write an idempotent zip generator (reddit?)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
But I can’t find it now and forgot to star it
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Also the order of the files matters
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
It was specifically for this use case
![Gabor Csikos avatar](https://secure.gravatar.com/avatar/63d31fbd96ff20e85b582bb4d570e0c4.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0012-72.png)
there are use cases and workarounds in GitHub issues (probably of the aws provider?); they build around the lifecycle { ignore_changes } feature of TF
![Maxim Tishchenko avatar](https://secure.gravatar.com/avatar/853372c681dc96b95f42adcb88b0cb3f.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0007-72.png)
yes, aws provider
![Maxim Tishchenko avatar](https://secure.gravatar.com/avatar/853372c681dc96b95f42adcb88b0cb3f.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0007-72.png)
@Gabor Csikos could you do me a favour and provide a link to the ignore_changes feature?
![Maxim Tishchenko avatar](https://secure.gravatar.com/avatar/853372c681dc96b95f42adcb88b0cb3f.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0007-72.png)
```hcl
lifecycle {
  # Terraform 0.11 syntax: ignore diffs on the filename attribute
  ignore_changes = ["filename"]
}
```
![Maxim Tishchenko avatar](https://secure.gravatar.com/avatar/853372c681dc96b95f42adcb88b0cb3f.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0007-72.png)
I found
![dalekurt avatar](https://avatars.slack-edge.com/2022-06-16/3703363393968_abccd57f2124dd3b0f25_72.jpg)
Is anyone using the terraform-aws-eks-cluster TF module?
![dalekurt avatar](https://avatars.slack-edge.com/2022-06-16/3703363393968_abccd57f2124dd3b0f25_72.jpg)
Using the example provided, I’m having the following issue:

```text
Error: Error running plan: 5 error(s) occurred:
* module.eks_cluster.output.eks_cluster_id: Resource 'aws_eks_cluster.default' does not have attribute 'id' for variable 'aws_eks_cluster.default.*.id'
* module.eks_cluster.output.eks_cluster_version: Resource 'aws_eks_cluster.default' does not have attribute 'version' for variable 'aws_eks_cluster.default.*.version'
* module.eks_cluster.local.certificate_authority_data_list: local.certificate_authority_data_list: Resource 'aws_eks_cluster.default' does not have attribute 'certificate_authority' for variable 'aws_eks_cluster.default.*.certificate_authority'
* module.eks_cluster.output.eks_cluster_arn: Resource 'aws_eks_cluster.default' does not have attribute 'arn' for variable 'aws_eks_cluster.default.*.arn'
* module.eks_cluster.output.eks_cluster_endpoint: Resource 'aws_eks_cluster.default' does not have attribute 'endpoint' for variable 'aws_eks_cluster.default.*.endpoint'
```
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@dalekurt have you looked at the example https://github.com/cloudposse/terraform-aws-eks-cluster/tree/master/examples/complete
Terraform module for provisioning an EKS cluster. Contribute to cloudposse/terraform-aws-eks-cluster development by creating an account on GitHub.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
it’s tested many times, and many people have deployed EKS cluster using it
![dalekurt avatar](https://avatars.slack-edge.com/2022-06-16/3703363393968_abccd57f2124dd3b0f25_72.jpg)
@Andriy Knysh (Cloud Posse) Yes, i’m actually using that
![dalekurt avatar](https://avatars.slack-edge.com/2022-06-16/3703363393968_abccd57f2124dd3b0f25_72.jpg)
I will give another go with a clean slate.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@Andriy Knysh (Cloud Posse) should we pin the AWS provider on that module?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
yea, good idea, we pin all dependencies except the provider
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
i think we need to since the provider has been breaking so much stuff
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
I’ll open PRs
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
the provider broke stuff on us recently
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
all things were blocked; very disappointing
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
@dalekurt I’m using the EKS module. i haven’t seen that issue
![dalekurt avatar](https://avatars.slack-edge.com/2022-06-16/3703363393968_abccd57f2124dd3b0f25_72.jpg)
Thanks @johncblandii @Andriy Knysh (Cloud Posse) I plowed through that and now I’m solving for the following

```text
Error: Error refreshing state: 1 error(s) occurred:
* module.eks_workers.data.aws_ami.eks_worker: 1 error(s) occurred:
* module.eks_workers.data.aws_ami.eks_worker: data.aws_ami.eks_worker: Your query returned no results. Please change your search criteria and try again.
```
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@dalekurt what region are you using for EKS?
![dalekurt avatar](https://avatars.slack-edge.com/2022-06-16/3703363393968_abccd57f2124dd3b0f25_72.jpg)
@Andriy Knysh (Cloud Posse) us-east-1a
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
My filter was based on amazon-eks-node-v*
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
A terraform provider to create a zip file from different kinds of sources. - ArthurHlt/terraform-provider-zipper
![Gabe avatar](https://avatars.slack-edge.com/2018-09-18/438189792083_bdb8f075d8d0a1246f88_72.jpg)
does anyone have experience with https://docs.geopoiesis.io?
Turbocharging your infrastructure-as-code
![Gabe avatar](https://avatars.slack-edge.com/2018-09-18/438189792083_bdb8f075d8d0a1246f88_72.jpg)
looks like atlantis but seems to have a nicer interface and ability to limit user access better
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
oh right! thanks for bringing that back to my attention
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
SweetOps is a collaborative DevOps community. We welcome engineers from around the world of all skill levels, backgrounds, and experience to join us! This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build sweet infrastructure.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@antonbabenko might have some experience (by now)
![antonbabenko avatar](https://secure.gravatar.com/avatar/fc9fce3c16a287d672ec5433430f11ca.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
I have not looked into it since we talked about it last time. Too busy with other things. You know :)
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
So it is a Terraform Enterprise competitor with a 100x worse name?
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
I kid.
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
terraforming
geo = earth, poiesis = making
“second, there is the principle of gaian geopoiesis, a global principle of self-organization, that trumps the interests of individuals and species.”
Learn something new every day; still can’t pronounce it.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Yea the name is overboard
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
That’s nice to see each stage and changes pending
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Very cool
2019-04-19
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Hm, might give that a go. Looks easier than Atlantis at a glance
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Easier to try 0.12 now… https://www.hashicorp.com/blog/announcing-terraform-0-1-2-beta-2
We are pleased to announce the availability of the second beta release of HashiCorp Terraform 0.12! The 0.12 release of Terraform contains major language improvements and a host of…
![nyan_parrot](/assets/images/custom_emojis/nyan_parrot.gif)
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
uh oh….can’t wait
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
SEARCH IN THE DOCS!! SEARCH IN THE DOCS!! SEARCH IN THE DOCS!! SEARCH IN THE DOCS!! SEARCH IN THE DOCS!! SEARCH IN THE DOCS!!
Terraform is used to create, manage, and manipulate infrastructure resources. Examples of resources include physical machines, VMs, network switches, containers, etc. Almost any infrastructure noun can be represented as a resource in Terraform.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
nice - looks like they revamped the docs
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Google probably still faster
![johncblandii avatar](https://avatars.slack-edge.com/2020-04-14/1062347993890_6fd142c15ffef426eeba_72.png)
lmbo. prob so
![Joe Presley avatar](https://avatars.slack-edge.com/2021-04-22/1999001350244_6ed74ac664e8eee4204c_72.jpg)
What’s the recommended workflow for secrets management with terraform and the google cloud provider?
![Joe Presley avatar](https://avatars.slack-edge.com/2021-04-22/1999001350244_6ed74ac664e8eee4204c_72.jpg)
I’m curious if there’s a non-Vault way that’s as easy as AWS’s KMS integration with Terraform.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
(me too)
![Joe Presley avatar](https://avatars.slack-edge.com/2021-04-22/1999001350244_6ed74ac664e8eee4204c_72.jpg)
I asked the same question on reddit https://www.reddit.com/r/Terraform/comments/bf2ly2/secrets_management_with_terraform_and_google/?utm_source=share&utm_medium=web2x. There have been a couple of replies. Sops is an interesting take on the problem.
2019-04-21
![dalekurt avatar](https://avatars.slack-edge.com/2022-06-16/3703363393968_abccd57f2124dd3b0f25_72.jpg)
Has anyone successfully deployed the reference-architectures? I’m currently using it for my company but I’m not getting a successful deployment. I would love some help troubleshooting this.
https://github.com/cloudposse/reference-architectures
Get up and running quickly with one of our reference architecture using our fully automated cold-start process. - cloudposse/reference-architectures
![foqal avatar](https://avatars.slack-edge.com/2019-03-11/572601092560_390fb278d5cedc640d76_72.png)
@dalekurt’s question was answered by <@Foqal>
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@dalekurt best to ask in #geodesic for now
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Maybe we should create a dedicated channel
2019-04-22
![dalekurt avatar](https://avatars.slack-edge.com/2022-06-16/3703363393968_abccd57f2124dd3b0f25_72.jpg)
Thanks @Erik Osterman (Cloud Posse)
![dalekurt avatar](https://avatars.slack-edge.com/2022-06-16/3703363393968_abccd57f2124dd3b0f25_72.jpg)
by now you have figured out I’m using a lot of your terraform modules on numerous projects. I’m trying to get this Terraform module https://github.com/cloudposse/terraform-aws-eks-cluster but I’m coming up with a single error

```text
Error: Error refreshing state: 1 error(s) occurred:
* module.eks_workers.data.aws_ami.eks_worker: 1 error(s) occurred:
* module.eks_workers.data.aws_ami.eks_worker: data.aws_ami.eks_worker: Your query returned no results. Please change your search criteria and try again.
```
The module

```hcl
# Look up the EKS-optimized worker AMI unless a custom image id is supplied.
data "aws_ami" "eks_worker" {
  count = "${var.enabled == "true" && var.use_custom_image_id == "false" ? 1 : 0}"

  most_recent = true
  name_regex  = "${var.eks_worker_ami_name_regex}"

  filter {
    name   = "name"
    values = ["${var.eks_worker_ami_name_filter}"]
  }

  owners = ["602401143452"] # Amazon
}
```
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@dalekurt what AWS region and what version (release) of the module are you using?
![dalekurt avatar](https://avatars.slack-edge.com/2022-06-16/3703363393968_abccd57f2124dd3b0f25_72.jpg)
@Andriy Knysh (Cloud Posse) us-east-1 and master
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
the AMI search and filter were changed in recent PRs. You can create a separate project using just the code above, and try to update `eks_worker_ami_name_regex` and/or `eks_worker_ami_name_filter` to see what’s returned. If nothing is returned, then the AMI list has already been changed in AWS; try to change `eks_worker_ami_name_regex` to see if you can find any EKS AMIs
![dalekurt avatar](https://avatars.slack-edge.com/2022-06-16/3703363393968_abccd57f2124dd3b0f25_72.jpg)
Okay, I was on the right track for resolving this. I will try that after my stand up. Thank you very much
![dalekurt avatar](https://avatars.slack-edge.com/2022-06-16/3703363393968_abccd57f2124dd3b0f25_72.jpg)
@Andriy Knysh (Cloud Posse) Confirmed, I created a new project for the EKS cluster using the example and the result was the same. I will look into the eks_worker_ami_name_regex
![dalekurt avatar](https://avatars.slack-edge.com/2022-06-16/3703363393968_abccd57f2124dd3b0f25_72.jpg)
I defined a terraform.tfvars with

```hcl
eks_worker_ami_name_filter = "amazon-eks-node-*"
eks_worker_ami_name_regex  = "^amazon-eks-node-[1-9,\\.]+-v\\d{8}$"
```

Which got me past that issue.
Now I get the following

```text
------------------------------------------------------------------------
Error: Error running plan: 5 error(s) occurred:
* module.eks_cluster.output.eks_cluster_id: Resource 'aws_eks_cluster.default' does not have attribute 'id' for variable 'aws_eks_cluster.default.*.id'
* module.eks_cluster.output.eks_cluster_endpoint: Resource 'aws_eks_cluster.default' does not have attribute 'endpoint' for variable 'aws_eks_cluster.default.*.endpoint'
* module.eks_cluster.local.certificate_authority_data_list: local.certificate_authority_data_list: Resource 'aws_eks_cluster.default' does not have attribute 'certificate_authority' for variable 'aws_eks_cluster.default.*.certificate_authority'
* module.eks_cluster.output.eks_cluster_version: Resource 'aws_eks_cluster.default' does not have attribute 'version' for variable 'aws_eks_cluster.default.*.version'
* module.eks_cluster.output.eks_cluster_arn: Resource 'aws_eks_cluster.default' does not have attribute 'arn' for variable 'aws_eks_cluster.default.*.arn'
```
I have to define the certificate data for one of those errors.
![Cloud Posse avatar](https://a.slack-edge.com/37d58/img/emoji_2017_12_06/apple/1f4c6.png)
Join us for “Office Hours” every Wednesday 11:30AM (PST, GMT-7).
This is an opportunity to ask us questions on terraform
and get to know others in the community on a more personal level. Next one is Mar 20, 2019 11:30AM.
Add it to your calendar
https://zoom.us/j/684901853
#office-hours (our channel)
2019-04-23
![AgustínGonzalezNicolini avatar](https://secure.gravatar.com/avatar/fb02f51e23f1d447002da0c44050df3d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
guys, quick question
![AgustínGonzalezNicolini avatar](https://secure.gravatar.com/avatar/fb02f51e23f1d447002da0c44050df3d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
in the module terraform-terraform-label there is a “local.enabled == true ? … ”. Isn’t it redundant, and could it just be defined as “local.enabled ? …”?
![AgustínGonzalezNicolini avatar](https://secure.gravatar.com/avatar/fb02f51e23f1d447002da0c44050df3d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I mean, is there a specific reason why that is written that way?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
no specific reason, could be written both ways
![AgustínGonzalezNicolini avatar](https://secure.gravatar.com/avatar/fb02f51e23f1d447002da0c44050df3d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
thanks!
![pericdaniel avatar](https://secure.gravatar.com/avatar/6340ef6c86748f847e91cfb1c42fa9ea.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
Is there an example out there of how to do a list of ports with aws terraform security groups?
![Tim Malone avatar](https://secure.gravatar.com/avatar/cec04d078c5af3d798433ab294657e36.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
If they’re all in order, you could just do a range - `from` and `to`. Otherwise, I’d probably put them into a local variable as a list and build the rules from that with `count`.
![Tim Malone avatar](https://secure.gravatar.com/avatar/cec04d078c5af3d798433ab294657e36.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
Something like:

```hcl
locals {
  ports = [80, 443]
}

# One rule per entry in local.ports; a single port uses the same value for both ends of the range.
resource "aws_security_group_rule" "main" {
  count = "${length(local.ports)}"
  ...
  from_port = "${local.ports[count.index]}"
  to_port   = "${local.ports[count.index]}"
  ...
}
```
![pericdaniel avatar](https://secure.gravatar.com/avatar/6340ef6c86748f847e91cfb1c42fa9ea.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
Awesome!
![pericdaniel avatar](https://secure.gravatar.com/avatar/6340ef6c86748f847e91cfb1c42fa9ea.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
Also, I’m trying to create generic automation builds… Is there a way to do something like this: if a user has a subnet they want the instance in then they can input that subnet, else create a subnet to put the instance in, but don’t create a subnet if they do put a subnet in…
![Tim Malone avatar](https://secure.gravatar.com/avatar/cec04d078c5af3d798433ab294657e36.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
you could create a variable that defaults to an empty string and then use `count = "${var.subnet == "" ? 1 : 0}"` on your subnet resource to only create it if the variable is blank
![pericdaniel avatar](https://secure.gravatar.com/avatar/6340ef6c86748f847e91cfb1c42fa9ea.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
How would you get resources to select whichever one had a value?
![Tim Malone avatar](https://secure.gravatar.com/avatar/cec04d078c5af3d798433ab294657e36.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
use a similar conditional
![Tim Malone avatar](https://secure.gravatar.com/avatar/cec04d078c5af3d798433ab294657e36.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
`subnet = "${var.subnet == "" ? ..... : var.subnet}"`
![pericdaniel avatar](https://secure.gravatar.com/avatar/6340ef6c86748f847e91cfb1c42fa9ea.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
Would it be:
`subnet = "${var.subnet == "" ? ….. : data.subnet}"`
![Tim Malone avatar](https://secure.gravatar.com/avatar/cec04d078c5af3d798433ab294657e36.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
the `......` I left for you to fill in, but `data.subnet` wouldn’t be a valid address - if you’re pulling the subnet in through a data source it would be something like `data.aws_subnet.selected.subnet_id`
![pericdaniel avatar](https://secure.gravatar.com/avatar/6340ef6c86748f847e91cfb1c42fa9ea.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
`subnet = "${var.subnet == "" ? : data.aws_subnet.selected.subnet_id}"`
So like that^ Sorry, trying to learn this piece of it
![Tim Malone avatar](https://secure.gravatar.com/avatar/cec04d078c5af3d798433ab294657e36.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
`subnet = "${var.subnet == "" ? data.aws_subnet.selected.subnet_id : var.subnet}"`
![Tim Malone avatar](https://secure.gravatar.com/avatar/cec04d078c5af3d798433ab294657e36.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
See https://www.terraform.io/docs/configuration-0-11/interpolation.html#conditionals for further details on how it works
2019-04-24
![Stephen Lawrence avatar](https://secure.gravatar.com/avatar/fa37d47dbb63c8558e8e7ea1263271cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0008-72.png)
Utilizing the VPC Peering module. I am getting this regardless of whether I use VPC IDs or VPC tags for the selector: `data.aws_vpc.requestor: multiple VPCs matched; use additional constraints to reduce matches to a single VPC`
![Stephen Lawrence avatar](https://secure.gravatar.com/avatar/fa37d47dbb63c8558e8e7ea1263271cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0008-72.png)
Each of my VPCs is uniquely named and has a unique VPC ID, obviously.
![Stephen Lawrence avatar](https://secure.gravatar.com/avatar/fa37d47dbb63c8558e8e7ea1263271cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0008-72.png)
Ah, never mind. I had two blocks of the VPC peering module in my main.tf.
![pericdaniel avatar](https://secure.gravatar.com/avatar/6340ef6c86748f847e91cfb1c42fa9ea.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
Can you iterate over nested blocks in Terraform?
2019-04-25
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
just found a weird behavior in terraform
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
```hcl
locals {
  tasks = {
    main_num  = 200
    other_num = "${local.tasks["main_num"] + (local.tasks["main_num"] * 0.50)}"
  }
}

output "other_num" {
  value = "${local.tasks["other_num"]}"
}

output "main_num" {
  value = "${local.tasks["main_num"]}"
}
```
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
we recently got a lot of issues with TF maps. They work in some cases, in others they don’t (mostly they don’t work across many modules). And we’ve seen an issue where a map gets sent b/w modules, but arrives empty or broken
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
well can’t wait for 0.12 they should’ve tackled all of these issues.
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
this empties the whole `tasks` map!
![ankur.gurha avatar](https://secure.gravatar.com/avatar/0c47c716a00e0a9f9d3a56e169a57c11.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0012-72.png)
Can someone point me to sample terraform project which pulls a docker image from dockerhub and deploys into ecs ?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@ankur.gurha take a look here https://github.com/cloudposse/terraform-aws-ecs-web-app
Terraform module that implements a web app on ECS and supports autoscaling, CI/CD, monitoring, ALB integration, and much more. - cloudposse/terraform-aws-ecs-web-app
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
it deploys an app into ECS
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
look into the examples https://github.com/cloudposse/terraform-aws-ecs-web-app/tree/master/examples
Terraform module that implements a web app on ECS and supports autoscaling, CI/CD, monitoring, ALB integration, and much more. - cloudposse/terraform-aws-ecs-web-app
![Jan avatar](https://secure.gravatar.com/avatar/39fc70600d70a0afa40b682c3a695dc0.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0008-72.png)
hey ho, anyone using https://github.com/cloudposse/terraform-aws-vpc-peering-multi-account?ref=tags/0.5.0 with success?
Terraform module to provision a VPC peering across multiple VPCs in different accounts by using multiple providers - cloudposse/terraform-aws-vpc-peering-multi-account
![Jan avatar](https://secure.gravatar.com/avatar/39fc70600d70a0afa40b682c3a695dc0.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0008-72.png)
I can use it perfectly fine via the geodesic images but struggling via a jenkins pipeline
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
hey @Jan, we deployed it to a client recently
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
working example here https://github.com/cloudposse/terraform-root-modules/tree/master/aws/kops-legacy-account-vpc-peering
Example Terraform service catalog of “root module” blueprints for provisioning reference architectures - cloudposse/terraform-root-modules
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@Jan it needs to be able to assume role into multiple accounts
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Does Jenkins have that permission?
![Jan avatar](https://secure.gravatar.com/avatar/39fc70600d70a0afa40b682c3a695dc0.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0008-72.png)
As far as I am aware yes, I am debugging further. What’s interesting is that terraform errors out about not having credentials for the providers (running the same module with the same tfvars just as the reference./geodesic admin user it works)
![Vidhi Virmani avatar](https://secure.gravatar.com/avatar/edad5aa6764eb61ed3e05f1d2c3f6114.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
Can anyone help me understand this error

```text
kubernetes_service_account.tiller: 1 error(s) occurred:
* kubernetes_service_account.tiller: Post http://localhost/api/v1/namespaces/kube-system/serviceaccounts: dial tcp [::1]:80: connect: connection refused
```
![Tim Malone avatar](https://secure.gravatar.com/avatar/cec04d078c5af3d798433ab294657e36.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
sounds like your k8s cluster API isn’t accessible
![Tim Malone avatar](https://secure.gravatar.com/avatar/cec04d078c5af3d798433ab294657e36.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
you’re running it locally, right? is it definitely up, etc.?
![Vidhi Virmani avatar](https://secure.gravatar.com/avatar/edad5aa6764eb61ed3e05f1d2c3f6114.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
no running through terraform enterprise.
![Vidhi Virmani avatar](https://secure.gravatar.com/avatar/edad5aa6764eb61ed3e05f1d2c3f6114.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
maybe i need to set kubernetes provider. I am only relying on helm kubernetes config
![Tim Malone avatar](https://secure.gravatar.com/avatar/cec04d078c5af3d798433ab294657e36.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
yeah, it looks like it’s trying to connect to a local cluster, which won’t work in Enterprise; you’ll need to set the host and access details for the kubernetes provider
2019-04-26
![Abel Luck avatar](https://secure.gravatar.com/avatar/0f605397e0ead93a68e1be26dc26481a.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
I want to set a local value in terraform; the value should be the value from a data provider, if the value exists, otherwise a value from a variable. Anyone know if this is possible?
![Abel Luck avatar](https://secure.gravatar.com/avatar/0f605397e0ead93a68e1be26dc26481a.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
in pseudo non-HCL code: `local foobar = data.something.foobar != null ? data.something.foobar : var.default_foobar`
![Abel Luck avatar](https://secure.gravatar.com/avatar/0f605397e0ead93a68e1be26dc26481a.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
hm i suppose a ternary might work in the interpolation?
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
@Abel Luck why not?
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
```hcl
data "aws_ami" "test" {
  most_recent = true

  filter {
    name   = "name"
    values = ["Deep Learning AMI (Ubuntu)*"]
  }

  owners = [
    "amazon",
  ]
}

locals {
  abel = "${data.aws_ami.test.id != "" ? data.aws_ami.test.id : "bar"}"
}

output "abel" {
  value = "${local.abel}"
}
```
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
although the `data.aws_ami` resource is a poor example since it fails when it is not able to match any AMIs, but the logic is the same with whatever you are using.
2019-04-29
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
@Andriy Knysh (Cloud Posse) hi?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Hi @Julio Tain Sueiras
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
so, I have officially started on the LSP implementation for terraform
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
and from what I am seeing so far, once I have the base configs for parsing done, the completion will be reading for not just resources but for any user defined object variable
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
so is going to be a very interesting approach
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
got some stuff working
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
it will be hcl2 parser inside the terraform to parse the source code, then adapt tfschema to use go-plugin grpc to call the provider binary directly to get the schema
![Julio Tain Sueiras avatar](https://secure.gravatar.com/avatar/ae8dd22144ec05342181f30748bad052.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
since terraform has split the providers
2019-04-30
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
what do we all think of modules containing A LOT of data lookups? we have our own module, called “aws”, and this module … we’re thinking about putting a ton of data lookups we use all the time but, seems that whenever we call the module, all the data lookups get evaluated
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
We’ve done this before and it “works” however it totally breaks cold-starts
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
friend of mine saying it’ll end up beating up the aws api
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
i thought there was a way to have data lookups evaluated only when you use them
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@cabrinha if data sources are in the code, they will be evaluated with `terraform plan` (and `apply`, of course)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
you can use `count` in data sources if you want to disable them https://www.terraform.io/docs/configuration/data-sources.html#multiple-resource-instances
Data sources allow data to be fetched or computed for use elsewhere in Terraform configuration.
![cabrinha avatar](https://secure.gravatar.com/avatar/a60e998ca395399f6ec8cdd190fac1ab.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
thanks
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
generally it works ok when everything is already created and in good state
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
issues could arise during cold start (as @Erik Osterman (Cloud Posse) mentioned) and with terraform destroy
![tchia04 avatar](https://secure.gravatar.com/avatar/194ac4a202a362e5ec789fb834034c14.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0025-72.png)
What are the pros and cons of using data lookup vs remote state file ?
![tchia04 avatar](https://secure.gravatar.com/avatar/194ac4a202a362e5ec789fb834034c14.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0025-72.png)
If in a large organization where different groups do different parts and the remote state file is not accessible, then I would say use data lookup. But if the same team does all the setup, then is it better to use data lookup or the remote state file?