#terraform (2019-07)

:zoom: Join us for “Office Hours” every Wednesday 11:30AM (PST, GMT-7) via Zoom.

This is an opportunity to ask us questions on terraform and get to know others in the community on a more personal level. Next one is Jul 10, 2019 11:30AM.
Register for Webinar
#office-hours (our channel)

Looking forward to this upcoming Office Hours!

Does anyone know if default block reuse through “locals” still works in 0.12? I’m getting consistent errors in 0.12 that I didn’t get in 0.11 like “An argument named “health_check” is not expected here. Did you mean to define a block of type “health_check”?”

Specifically I was using similar syntax to this but for health_checks instead of tags https://www.terraform.io/docs/configuration/locals.html

that sounds like the error where tf 0.12 differentiates strongly between attrs (assigned using =) and blocks (no assignment), i.e.

attr = { foo = "bar" }
block {
  foo = "bar"
}

tf 0.11 let you do either in many/most places, tf 0.12 forces you to use the syntax that matches the implementation

So this works

but if you use the same syntax for healthcheck’s, since you want to keep it DRY, it fails with the error above

Did TF 0.12 do some special grant for “tags” blocks?

yes, tags are no longer blocks, they are attrs

to make blocks DRY, you probably want to investigate dynamic blocks, https://www.terraform.io/docs/configuration/expressions.html#dynamic-blocks

Mmm I’ll take a look at those, thanks for the pointers @loren

The syntax is now expecting a for-loop as a base for it, instead of simple substitution using a “local” block. Even if I faked the for-loop it seems like I’d still need to repeat myself for all keys in the “content” section in all resources vs just referencing the local. Still trying to figure out if there’s any good way of doing this or if I just have to go back to repeating it in all resource blocks

@Vasco Pinho you will also get the same (or similar) error message when using dynamic block with for loop on a list variable without updating the type of the variable to list(object) and specifying the types of items in the list. For example:

https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn/blob/master/main.tf#L188

var.custom_error_response was type = "list" and a similar error was shown

needed to specify the concrete type https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn/blob/master/variables.tf#L284

Yeah the point here was to have a short concise file, which we did in 0.11 because the healthcheck block (which was the same for most resources) got interpolated. I just undid all of that for 0.12 and now it works. Oh well.

is there a module for an ASG with a mixed instances policy?

Anyone know of the best way to check for the existance of a variable and if not found, fall back on defaults?

Hi guys, what is the best way to have an S3 bucket in website mode backed by a CDN ? It seems like <https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn> does not support website mode and <https://github.com/cloudposse/terraform-aws-cloudfront-cdn> does not handle S3 origins

here is a real example https://github.com/cloudposse/terraform-root-modules/blob/master/aws/docs/main.tf

we use it to deploy https://docs.cloudposse.com/

Public Office Hours starting now! Join me here: https://zoom.us/meeting/register/dd2072a53834b30a7c24e00bf0acd2b8

Have any questions? This is your chance to ask us anything.

What is better way to setup condition for run or not provisioner?

better than?

Hi All, I am setting up a pipeline by using Terraform, getting below error tried changing the name fo S# bucket but still get the same error, please help me to get it resolved

Error creating S3 bucket: BucketAlreadyExists: The requested bucket name is not available. The bucket namespace is shared by all users of the system. Please select a different name and try again. status code: 409, request id: 415EB74A26A388CF, host id: /YawK/bKVKRTufDZHJi35WZuzkDlF0Fg0qY+rEN2rVZgH0oFwQPRC4YwXOvUFOYb2lCpHADtlQ4=

on code_pipeline.tf line 1, in resource “aws_s3_bucket” “codepipeline”: 1: resource “aws_s3_bucket” “codepipeline” {

Hi @vishnu.shukla that means that someone out there has already taken the name of the bucket and you need to change it.

Error creating S3 bucket: BucketAlreadyExists: The requested bucket name is not available. The bucket namespace is shared by all users of the system. Please select a different name and try again.

I tried changing the name many times but no luck

Error: Error creating S3 bucket: BucketAlreadyExists: The requested bucket name is not available. The bucket namespace is shared by all users of the system. Please select a different name and try again. status code: 409, request id: 331EC24BF2D990D5, host id: 43fnC5EwsbQ2TC9QF5OWNLomL6qHRe2YB6WEi0bVXUhyLG8ZflD7yROP+wPAjzY9G1PafUWh0fY=

on code_pipeline.tf line 1, in resource “aws_s3_bucket” “codepipelinesrttwegdye5w26wfdbg452”: 1: resource “aws_s3_bucket” “codepipelinesrttwegdye5w26wfdbg452” {

see this even weird name

hmm try that with aws cli and see if it will work

that is really weird

anyone has aws code deploy teraaform script?

@Nikola Velkovski sounds like you’re changing the resource name, and not the actual bucket name.

Look one line below, and there should be a bucket = "something"

ah yeah I somehow failed to see that

thanks @marc!

Too many context switches

no problem!

having some issue with this: https://github.com/cloudposse/terraform-aws-key-pair

am i supposed to create my own key first?

I’d like the module to generate the key and push it to AWS

@cabrinha if you set this var to true, a new key will be generated and pushed to AWS https://github.com/cloudposse/terraform-aws-key-pair/blob/master/variables.tf#L41

otherwise, an existing key gets imported

also look at the example https://github.com/cloudposse/terraform-aws-key-pair/tree/master/examples/complete

k thanks

Anyone had issues with TF12/Geodesic and provider aliasing in the aws provider?

genericish example https://gist.github.com/ChrisMcKee/675d4b954fffc08046a7712efe9497db

in geodesic I get

Error: fork/exec /conf/temp/.terraform/plugins/linux_amd64/terraform-provider-aws_v2.17.0_x4: no such file or directory

running out of geodesic it works

Does that file exist?

yeah, tried it one that i’ve been using a while (setup guard duty in all the regions)

2019/07/05 16:53:27 [DEBUG] [aws-sdk-go] {}
2019/07/05 16:53:27 [DEBUG] plugin: waiting for all plugin processes to complete...
2019-07-05T16:53:27.934Z [DEBUG] plugin.terraform-provider-aws_v2.18.0_x4: 2019/07/05 16:53:27 [ERR] plugin: plugin server: accept unix /tmp/plugin915308162: use of closed network connection
2019-07-05T16:53:27.945Z [DEBUG] plugin: plugin process exited: path=/conf/guardduty/.terraform/plugins/linux_amd64/terraform-provider-aws_v2.18.0_x4

same error in debug

I tried shifting the aws provider back from 18 to 17^ as 18 came out today and I hate coincidences

race condition with multiple providers? init stepping on itself? try pre-staging the binary in the same directory as your terraform binary…?

we’ve also seen such errors due to the bash PATH cache (though in that case the file in the msg really does not exist)… https://medium.com/faun/no-such-file-or-directory-seriously-ee14e51a1cf2

terraform-provider-aws_v2.17.0_x4: no such file or directory

I’ve had these sorts of things happen on alpine

fixed by doing apk add libc6-compat

check if the binary exists. if it does, then run ldd /conf/temp/.terraform/plugins/linux_amd64/terraform-provider-aws_v2.17.0_x4

that will show the dynamic linking

then ensure everything it dynamically links to exists.

Question: can I have a data resource that might not exist on the first run but will exist in subsequent runs ?

I remember having issues with data lookups that did not exist

no, data source must exist, this is a big limitation

bummer

@jose.amengual you can use a self made lambda datasource as workaround

how ?

like https://github.com/blinkist/terraform-aws-airship-ecs-service/blob/bd4f2c6af967ab0369747eb952d5cca367de28ba/modules/live_task_lookup/main.tf#L38 in here

so in your terraform run you apply the lambda and subsequently use aws_lambda_invocation for a lookup of a value.

so you are using the lambda as some sort of key:value store

no the lambda is used as a datasource. It’s doing the same kind of lookup a regular datasource would normally do but it won’t fail the moment the actual resource is not existing yet.

@Andriy Knysh (Cloud Posse) added local variables completion

what vim plugin is this?

I mainly use spacemacs and vscode, hope they add completion for 0.12 soon enough

Is terraform-lsp so it work in all editors

https://github.com/juliosueiras/terraform-lsp

^ that looks awesome

Is anyone familiar with queueing apply’s on all workspaces in TFE through an API call? Trying to figure out how to dynamically integrate the CI/CD pipeline that’s generating ECR images and lambda packages, into ECS task definitions and lambda functions. The trouble I’ve run into though is you can only queue up an apply call on an individual workspace, which means you need a list of them, which defeats dynamic-ism and the self-service nature of terraform

:zoom: Join us for “Office Hours” every Wednesday 11:30AM (PST, GMT-7) via Zoom.

This is an opportunity to ask us questions on terraform and get to know others in the community on a more personal level. Next one is Jul 17, 2019 11:30AM.
Register for Webinar
#office-hours (our channel)

hi. anyone here know how to get an old version of the terraform docs? over a year ago, we built our infrastructure using terraform v11 and the docs for IAM resources look completely different today.

According to this https://github.com/hashicorp/terraform/issues/15058#issuecomment-306099829 the only way is to view the versioned history of the website in git.

@drexler difference is not so big from what I experienced, what issues are you facing ?

is this what you need? https://www.terraform.io/docs/configuration-0-11/index.html

Does anyone know if there’s a syntax to convert a tuple to a list(string)? (Using 0.12)

The docs say “if a module argument requires a value of type list(string) and a user provides the tuple [“a”, 15, true], Terraform will internally transform the value to [“a”, “15”, “true”] by converting the elements to the required string element type.” However, I’m getting this error:

The given value is not suitable for child module variable “ingress_cidr_blocks” defined at .terraform/modules/postgres_security_group/terraform-aws-modules-terraform-aws-security-group-a332a3b/modules/postgresql/variables.tf element 0: string required.

Good summary of the changes, https://blog.gruntwork.io/terraform-up-running-2nd-edition-early-release-is-now-available-b104fc29783f

TIL count can reference data sources in tf 0.12!

without any “count of” errors?

Hi guys, I need a bit of help. I m setting up a bunch of aws codepipeline using terraform. I wanted today to add a step that integrates a Jenkins job ( Adding it from the console works great ) and I hit this issue: https://github.com/terraform-providers/terraform-provider-aws/issues/6931 Does anyone of you have a workaround for it?

Hey there,

Has anybody had issues with terraboard after upgrading its db (psql 10.6 – 11.4) ? Doesn’t show anything on the dashboard for me after the upgrade : / And in the logs, just an “automigrate” message.

Question : Is it possible to have a filter on a data resource to find something with a tag like : ``` name = “private: 1” like using regex or something ?

the subsequent subnets are private:2, 3 4 etc

TIL terraform state mv doesn’t support nested modules. They need to be moved one by one.

I have a situation with Cognito where my user_pool_client is recreated, but an authenticate rule on the ALB is not being updated with the new client id for some reason. Any ideas why? (v 0.11 of terraform)

@Andriy Knysh (Cloud Posse) @Erik Osterman (Cloud Posse) PR for https://github.com/cloudposse/terraform-aws-ecs-alb-service-task/pull/28

good news

the azuredevops terraform provider will be released on next wednesday

:zoom: Join us for “Office Hours” every Wednesday 11:30AM (PST, GMT-7) via Zoom.

This is an opportunity to ask us questions on terraform and get to know others in the community on a more personal level. Next one is Jul 24, 2019 11:30AM.
Register for Webinar
#office-hours (our channel)

Are ya’ll able to use https://github.com/cloudposse/testing.cloudposse.co/blob/master/conf/backing-services/.envrc#L2 pattern for private repos?

yes!

there are 2 ways

option A: use ssh agent https://github.com/cloudposse/geodesic/blob/master/rootfs/etc/init.d/atlantis.sh#L70-L76

option B: use git credential helpers to rewrite ssh:// and [[email protected]](mailto:[email protected]) repos to https:// and use GITHUB_TOKEN

https://github.com/cloudposse/geodesic/blob/master/rootfs/etc/init.d/atlantis.sh#L89-L102

Here’s the github-credential-helper “plugin” https://github.com/cloudposse/geodesic/blob/master/rootfs/usr/local/bin/git-credential-github

hmm, thought so but I’m getting asked for username/password when terraform init using .envrc even though I have SSH agent loaded

that’s if you use ssh-agent mode

but if you use the git credential helper, then you can simply use an ENV

ya

Are you using some of our terraform-modules in your projects? Maybe you could leave us a testimonial! It means a lot to us to hear from people like you.

Looks like https://github.com/cloudposse/terraform-root-modules/blob/master/aws/account-settings/outputs.tf#L5-L7 is broken

https://github.com/cloudposse/terraform-aws-iam-account-settings/blob/master/outputs.tf

doesn’t output minimum_password_length

Will open a PR shortly

https://github.com/cloudposse/terraform-aws-iam-account-settings/pull/6

@chrism IIRC you were using geodesic on Windows? Any gotchas?

Someone in my team is a Windows bod, there’s always one

lol everyones either windows or mac here; WSL can be a colossal D at times. I’ve had issues with the terraform plugin cache folder in recent weeks; but thats relocatable ENV TF_PLUGIN_CACHE_DIR=/tmp I have to set ENV ASSUME_ROLE_INTERACTIVE=false as assume-role fails to work in the new format.

aws-vault works fine though and the rest seems ok. Obviously if you want to utilise the /localhost thing it isn’t mapping to c:\users\user its mapping to c:\users\user\appdata.… etc… wsl path (it kindly pumps that out when it boots so you can tell where its mapped)

It’s minimal stuff tbh; I’m finding that most stuff wont get used unless its automated though… people are lazy af

Cool, cheers for that

Does anyone has an idea how I can make this snippet Terraform 0.11 code (which is part of a module) compatible with Terraform 0.12 so the module can already be used in a Terraform 0.12 context

data "aws_ami" "instance" {
  most_recent = true

  filter = "${var.runner_ami_filter}"

  owners = "${var.runner_ami_owners}"
}


variable "ami_filter" {
  type        = "list"

  default = [{
    name   = "name"
    values = ["amzn-ami-hvm-2018.03*-x86_64-ebs"]
  }]
}

The problem is the way I pass the block as list of a map is not supported by TF 0.12

IF it is still a block:

variable "ami_filter" {
  type        = "list"

  default {
    name   = "name"
    values = ["amzn-ami-hvm-2018.03*-x86_64-ebs"]
  }
}

OR if they changed default to be a map:

variable "ami_filter" {
  type        = "list"

  default = {
    name   = "name"
    values = ["amzn-ami-hvm-2018.03*-x86_64-ebs"]
  }
}

oh silly me, i see what you’re doing, that’s a variable def

Yepz, and a hack

I would give the user the option to define the filter in a flexible way

change the type

that is not solving my issue the part above is the module code, I would like to keep the module for the moment .011

but be able use as consumer of the module 0.12

you can’t keep this stuff backwards compatible

but the code snippet you provided is tf 0.12

the block/attr thing is a major blocker for us

slowing down our whole 0.12 adoption

Yepz, my plan was to make the module first .12 compatible

but seems impossible

basically have to uplift everything to 0.12 somehow

either maintain multiple branches/versions, or just make a hard stop on 0.11 support

yepz,

Thanks, for the feedback. I had last week a chat with a few guys from Hashicorp they mentioned that it should be possible to use a tf 0.11 module in a tf 0.12 context. So I was just giving it a try

PR for allowing ssl policy changes: https://github.com/cloudposse/terraform-aws-alb/pull/23

(backwards compatible) @Andriy Knysh (Cloud Posse) @Erik Osterman (Cloud Posse)

~@johncblandii - thanks for the enhancement. @Andriy Knysh (Cloud Posse) is on vacation so it may take a day or two before we get to it.~

looks harmless

tried to make sure it was backwards compat

thx for the quick merge

I am using terraform-aws-modules/rds/aws module, when i tried to restore database from snapshot it timed out

now when i try to terraform plan and terraform apply, i get the following error

 aws_db_instance.this: Error modifying DB Instance aartdb-eakf: InvalidDBInstanceState: Database instance is not in available state

Is anyone aware of this issue ?

@Erik Osterman (Cloud Posse) quick patch to the deployment controller work: https://github.com/cloudposse/terraform-aws-ecs-alb-service-task/pull/29.

It doesn’t work unless you have ignore changes on since the resources is duplicated. I completely missed that.

is it possible to add a service task on that module that is arbitrary ? like for a blue green ?

I’m doing blue/green right now

i can show you my approach after this

if blue_green = “enabled” and blue_green_port = “something” do x

I also know that @LeoGmad is doing it

yeah

we wrap this module so we just attached our stuff in our own module

I forked the module because of that

mmm I see

show me when you can , I’m very interested

gimme a sec. i’ll add bits here

my problem is that I can’t use the standard port

same problem with the alb module

yeah. i just added a new lb listener with port 8443 (vs 443)

since only creates http and https target groups

yeah, i just added new ones

what I was thinking to do is to create a Target group module

that is added to the alb module and where you can define arbitrary target group or defaults in no custom ones are defined

(leaving parts out for brevity)

module "alb_service_task" {
  source = "git::<https://github.com/cloudposse/terraform-aws-ecs-alb-service-task.git?ref=tags/0.13.0>"
}

module "alb_ingress" {
  source = "git::<https://github.com/cloudposse/terraform-aws-alb-ingress.git?ref=tags/0.7.0>"
}

module "alb_ingress_green" {
  source = "git::<https://github.com/cloudposse/terraform-aws-alb-ingress.git?ref=tags/0.7.0>"
}

resource "aws_lb_listener" "green" {
  load_balancer_arn = "${var.alb_arn}"

  port            = "${var.alb_ingress_port_green}"
  protocol        = "${coalesce(var.alb_ingress_protocol_green, var.alb_ingress_protocol)}"
  ssl_policy      = "${var.ssl_policy}"
  certificate_arn = "${var.certificate_arn}"

  default_action {
    target_group_arn = "${module.alb_ingress_green.target_group_arn}"
    type             = "forward"
  }
}

and the same thing with the task

default_action {
    target_group_arn = "${module.alb_ingress_green.target_group_arn}"
    type             = "forward"
  }

is that TF 0.11 compatible ?

yup

this is all 0.11; we’re migrating to .12 now, but none of that is active

do you have your code deploy bits worked out?

0.13.1 works, @Erik Osterman (Cloud Posse):

      deployment_controller.0.type:                                                                                     "ECS" => "CODE_DEPLOY" (forces new resource)

yes code deploy is all good

I used it for Fargate but is almost the same

what do you need ?

same

I can send you a gist if you want

nah, i have it worked out. was going to share if you were still piecing it together

just finalizing the TF at this point

how are you going to do the route traffic thing in Code deploy

manual

did you do a script to do the API call ?

ohh I see

but it is configurable w/ timeouts

we have not decided on that

we technically haven’t either so using manual for now.

it demo’s better.

I will like it automatic

run some test and then do it

nice

how’d you do your aws_codedeploy_deployment_group, @jose.amengual? specifically the lb section:

  load_balancer_info {
    target_group_pair_info {
      prod_traffic_route {
        listener_arns = ["${module.alb.https_listener_arn}"]
      }

      target_group {
        name = "${module.main_container.alb_target_group_name}"
      }

      test_traffic_route {
        listener_arns = ["${module.main_container.alb_green_listener_arn}"]
      }
    }
  }

on sec

* aws_codedeploy_deployment_group.this: InvalidTargetGroupPairException: Target group pair must have exactly two target groups

what i thought. cool. i’ll add the second target_group

I’m planning to use terraform-aws-route53-cluster-zoneto create Route53 hosted zones, and I have a question regarding the creation of the parent zone. Can I use this module to create a parent zone resource in Route53?

I don’t think this module handles that use-case.

Actually, we don’t have a module for the TLD; I guess since we mostly register the zone via Route53 which creates them for us.

Ah, thanks.

I will write the modules for that then.

#office-hours starting now! https://zoom.us/s/508587304

=( the azuredevops terraform provider postpone to next week to finalize the license on the repo

Has anyone here used https://github.com/nozaq/terraform-aws-secure-baseline

Copying this from general channel! Hi guys, I am using your ssh-key-gen module for generating ssh key pair via terraform (https://github.com/cloudposse/terraform-aws-key-pair). I keep was following through the example in readme, however I keep getting permission denied error for creating secrets directory.

Error: mkdir /secrets: permission denied

  on .terraform/modules/test.ssh_key_pair/main.tf line 45, in resource "local_file" "public_key_openssh":
  45: resource "local_file" "public_key_openssh" {

Error: mkdir /secrets: permission denied

  on .terraform/modules/test.ssh_key_pair/main.tf line 52, in resource "local_file" "private_key_pem":
  52: resource "local_file" "private_key_pem" {

Can someone help me out and suggest me what needs to be updated?

the user you are running under does not have permissions to folder /secrets

try to change the folder to ./secrets

or change the user

or give it the required permissions

cool, I will try it out. Another dumb question, user in this case is my machine’s root user which is running terraform job and seems to have all the permission. This folder is created locally in project repo, is that correct?

/secrets is not under project, it’s in root folder

./secrets is local folder

great, that worked

Thanks @Andriy Knysh (Cloud Posse) One more question though, how do you intend to get pem key when running terraform job from CI say something like CircleCI? Push it via artifact to some location from where you can get it?

yes, you can write it to S3 or SSM param store or Secret Manager, for example, using terraform

We have a module for SSM

https://github.com/cloudposse/terraform-aws-ssm-tls-ssh-key-pair

how do people normally deal with security groups here? the ec2 modules only wants a list of them… do you create flat definitions for each purpose, do you make modules for it?

we usually create a security group per module with all the required configurations (especially for backing services like RDS, Elasticsearch, Redis, etc.)

https://github.com/cloudposse/terraform-aws-elasticsearch/blob/master/main.tf#L23

then we specify a list of other security groups and CIDR blocks as ingresses to allow to access the service

I was looking at this : https://github.com/cloudposse/terraform-aws-ssm-parameter-store/blob/master/example/main.tf and is mention in the doc that this works great with Chamber but if a parameter is on terraform and then I use chamber to create a new one then the state file will be out of sync so what will be the recommended way to do it ? just use chamber from the beginning and not declare anything in terraform ?

we use that in a few ways. For example, when creating an RDS cluster, we can generate a database username and password and write them to SSM using the module

then from a CI/CD pipeline, when we build and start the app, we use chamber to read the username and password from SSM and provide it as ENVs to the app

we can manually write some secrets to SSM using chamber, but it’s not related to TF state

I c ok

I have some configs for apps that are going to be running now on ECS so we were thinking to use chamber in a script to write the config keys to parameter store

but I was confused about some examples were segments of config parameter were created using terraform

I don’t want dev to have to run terraform for config changes

and just to make this more confusing , please correct me if I’m wrong : SSM parameter Store uses KMS to encrypt the Secrets and store them in AWS secrets ?

or a parameter store secure string = aws secret encrypted string ?

yes, you can specify SecureString and kms_key_id to encrypt

it is soooo confusing

see this example https://github.com/cloudposse/terraform-aws-ssm-tls-ssh-key-pair/blob/master/examples/complete/main.tf

I seeee ok…

and have you guys played around with credential rotation for RDS ?

I was wondering how that will play out with terraform

example on how to use type=SecureString and KMS Key ID https://github.com/cloudposse/terraform-aws-ecs-atlantis/blob/master/main.tf#L245

I seee ok, make sense

How do you guys deploy ECS tasks/images ? using terraform and push new task def ?

I’m looking at : https://github.com/fabfuel/ecs-deploy

but I’m worry about the TF state getting out of sync

and then an apply breaking things

I was looking for elastic-beanstalk module for terraform version >~ 0.12

https://www.greenreedtech.com/terraform-puppet-provisioner/

planning to develop a GCP DeploymentManager to Terraform tool

and after that a Cloudformation to Terraform tool

:zoom: Join us for “Office Hours” every Wednesday 11:30AM (PST, GMT-7) via Zoom.

This is an opportunity to ask us questions on terraform and get to know others in the community on a more personal level. Next one is Jul 31, 2019 11:30AM.
Register for Webinar
#office-hours (our channel)

Hi everyone, I’m looking for a good example to set defaults for complex variable types.

variable dynamic_ordered_cache_behavior {
  description = "Ordered Cache Behaviors to be used in dynamic block"
  type = list(object({
    path_pattern            = string
    allowed_methods         = list(string)
    cached_methods          = list(string)
    target_origin_id        = string
    compress                = bool
    query_string            = bool
    cookies_forward         = string
    headers                 = list(string)
    query_string_cache_keys = list(string)
    whitelisted_names       = list(string)
    viewer_protocol_policy  = string
    min_ttl                 = number
    default_ttl             = number
    max_ttl                 = number
    lambda_function_associations = list(object({
      event_type   = string
      include_body = bool
      lambda_arn   = string
    }))
  }))
  default = []
}

For example I’d like to set headers to [] by default, has anyone done this before?

variable "apply_config_map_aws_auth" {
  type        = "string"
  default     = "false"
  description = "Whether to generate local files from `kubeconfig` and `config_map_aws_auth` and perform `kubectl apply` to apply the ConfigMap to allow the worker nodes to join the EKS cluster"
}

When wouldn’t you want to do this (as in whats the use case for it being a setting)?

hi, can i extract data into a locals?

actually having issues with this:

* module.security_group.aws_security_group_rule.egress_with_cidr_blocks: lookup: lookup() may only be used with flat maps, this map contains elements of type list in:

${split(",", lookup(var.egress_with_cidr_blocks[count.index], "cidr_blocks", join(",", var.egress_cidr_blocks)))}

fixed it

variable "groups" {
  description = "Map of groups with members"
  type       ┆= "map"
  default     = {
    "00_disabled"   = ["user1", "user2"]
    "01_group1"     = ["user2", "user3", "user4", "user5"]
    "02_group2"     = ["user3", "user4"]
    "03_group3      = ["user3", "user6"]
    "04_group4"     = ["user5", "user6", "user7"]
    "05_group5"     = ["user5", "user2"]
  }
}

resource "aws_iam_group" "groups" {
  count = "${length((keys(var.groups))}"
  name  = "${element(keys(var.groups), count.index)}"
}

resource "aws_iam_user" "users" {
  count = "${length(distinct(flatten(values(var.groups))))}"
  name  = "${element(distinct(flatten(values(var.groups))), count.index)}"

  depends_on = [aws_iam_group.groups]
}

any workaround for IDX change when adding or removing users? How you manage users with terraform? Seperated module per user and group?

Does anyone know how to read security group correct for AWS_ALB using terraform 0.12, I am building a sg

resource "aws_lb" "gitlab_alb" {
  load_balancer_type = "application"
  security_groups    = aws_security_group.gitlab_alb.id
  ip_address_type    = "ipv4"
  subnets                  = var.public_subnet_id

and I get following error:

  on ../../alb.tf line 3, in resource "aws_lb" "gitlab_alb":
   3:   security_groups    = aws_security_group.gitlab_alb.id

Inappropriate value for attribute "security_groups": set of string required.

use list, [aws_security_group.gitlab_alb.id]

same for subnets subnets = [var.public_subnet_id]

Gotcha, I thought they updated this that it should work without using []

as they said here: https://www.terraform.io/upgrade-guides/0-12.html#referring-to-list-variables

if the input vars are lists, then you don’t need to wrap them in []

aws_security_group.gitlab_alb.id is not a list, it’s a string, so you need []

if var.public_subnet_id is a list (which by its name looks like just a string), then you don’t need []

makes sense, thank you very much!

Public #office-hours with cloud posse starting now! https://zoom.us/s/508587304 join if you have any questions or want to listen in.

Does anyone know how to avoid triggering replacement of launch template when making a change on tags ?

What a tag do you change? Name?

@s2504s no, not name tag

custom tags used for various purposes

i removed some redundant tags from default map and it now forces a new launch template creation

don’t the tags pass thru to the instances, not really the template? and you can’t modify a template just replace it, right? so i don’t think the ask is possible

but it is also possible that it can create a new version of the launch template

have you tried to set the option

  lifecycle {
    ignore_changes = ["tag_specifications"]

i did not try that

Does anyone know a good repository/tutorial to create a php lambda layer with terraform?

hello I’m using : https://github.com/cloudposse/terraform-aws-ecs-alb-service-task and I was trying to do this :

volumes = [
    {
      name      = "pepe"
      host_path = "/mnt/pepe.ramdisk"
    },
    {
      name      = "pepe-incrementals"
      docker_volume_configuration {
        scope         = "task"
        driver = "local"
      }
    }
  ]
}

but I get

 module.ecs_alb_service_task.aws_ecs_task_definition.default: volume.1.docker_volume_configuration: should be a list

I thought that was going to work….

in TF 0.11 (with its loose/weak typing), mostly all blocks are lists, although it’s not clear from the docs

try

docker_volume_configuration = [
{
        scope         = "task"
        driver = "local"
 }]

ohhhhhh

that worked

thanks

Hi guys

I used your terraform-aws-tfstate-backend repo to create remote backend for my tf project. I went ahead and created two separate repos which are deploying using this remote backend (using same s3 bucket and same dynamodb table but different file name). I am getting following error:

Error locking state: Error acquiring the state lock: ConditionalCheckFailedException: The conditional request failed
	status code: 400, request id: {some-lock-value}

followed by tf basic state lock error:

Terraform acquires a state lock to protect the state from being written
by multiple users at the same time. Please resolve the issue above and try
again. For most commands, you can disable locking with the "-lock=false"
flag, but this is not recommended.

Can I not use same s3 bucket and dynamodb table for two different projects? I thought this should be fine because I am using different file names so a different lock will be created for each tfstate file.

yes, you can definitely use the same bucket for multiple projects.

just make sure you vary the key

Looks like that is just the s3 object path

Been a while since I’ve used this

Hi, I.m using: https://github.com/cloudposse/terraform-aws-ec2-autoscale-group but I need my instances to have a 500GB root volume and I’m guessing that can’t be specify ? but in this modeule : https://github.com/cloudposse/terraform-aws-ec2-instance it can, can somehow use both ?

@jose.amengual you can attach extra drives with block device mapping, however I don’t think the launch template gives you the option for root disk size: https://www.terraform.io/docs/providers/aws/r/launch_template.html

Unsure off top of my head if that is a TF limitation or AWS one. So your only option if you want autoscaling may be to modify the AMI.

block_device_mappings var

that that will anything but the root

this is a ECS instance

I will have to change the ECS agent config so docker images are store in a different volume

root is specified by the AMI

I was hoping I will have the option like when you do it in the console when it gives you the option for a bigger root volume

@jose.amengual do you have that option when creating an EC2 instance or launch template?

when creating an Instance

Yea this is why it’s available in aws-ec2-instance module and not in launch template/asg one. Only option if using latter is to modify your AMI to the 500gb volume

I was using a ECS optimized instance

I thought I could just define the size of the root volume

I guess when you use the wizard and change the root volume size it creates a new AMI ID

since the original AMI can’t be modified

:zoom: Join us for “Office Hours” every Wednesday 11:30AM (PST, GMT-7) via Zoom.

This is an opportunity to ask us questions on terraform and get to know others in the community on a more personal level. Next one is Aug 07, 2019 11:30AM.
Register for Webinar
#office-hours (our channel)

Hey Folks, Trying to find some Terraform Modules related to AWS - app stream service ( for creating fleets and stacks) any help appreciated

Has anyone here referenced remote state output in 0.12 using Terraform Cloud remote state storage? I’m following their reference example at https://www.terraform.io/docs/backends/types/remote.html but it’s bailing with Expected an equals sign ("=") to mark the beginning of the attribute value. on the workspaces {} block.

@sweetops how are you liking terraform cloud for state storage? easy?

well, the initial configuration was super easy. But referencing remote state data/output using the docs, appears to be broken.

Is there a separate channel for tf 0.11 -> 0.12 upgrade woes?

haha, just teh #terraform-0_12

We have many interlinked modules that use lots of shared state. We aren’t even sure how to get there from here.

s/shared state/remote state lookups/

i would move the shared state look ups to to values instead stored in SSM

icky

that would better decouple them from current/future compatibility issues

yikes

That’s a spicy meatball!

and that’s not the result of code generation?

This is a beautiful large organic code base

you’ve been very busy

Yeah.

I feel like Hashicorp let us down by not having remote state compatibility

To provide flexibility when upgrading decomposed environments that use terraform_remote_state, Terraform v0.11.14 introduced support for reading outputs from the Terraform v0.12 state format, so if you upgrade all of your configurations to Terraform v0.11.14 first you can then perform v0.12 upgrades of individual configurations in any order, without breaking terraform_remote_state usage. Oh, hmm

Maybe we had issues because we didn’t yet have 0.11.14 remote state

maybe a terraform refresh everywhere will save us

Oh wow, hope that works!

report back…

Hi everyone! I am facing issues while trying to provision each ec2 instance with the below TF connection block:

connection {
    type     = "winrm"
    host     = "${aws_instance.ec2instance.*.private_ip[count.index]}"
    user     = "${var.username}"
    password = "${var.admin_password}"
    timeout  = "${var.timeout_tf}"
  }

The issue is with host = "${aws_instance.ec2instance.*.private_ip[count.index]}" line. I have tried all the below modifications however still get the same error message Error: Cycle: aws_instance.ec2instance[1], aws_instance.ec2instance[0]

1. host = "${aws_instance.ec2instance.*.private_ip}"
2. host = "${ element(aws_instance.ec2instance.*.private_ip, count.index) }"
3. host = "${aws_instance.ec2instance.*.private_ip[count.index]}"

Any pointers will be greatly appreciated.

Additional information: I have the count set to 2. From the above point#1, If I put in host = “${aws_instance.ec2instance.1.private_ip}”, It does not give me the error message however doesnt provision both the instances. Just provisions the instance with count.index=1.