#terraform (2021-06)

terraform Discussions related to Terraform or Terraform Modules

Archive: https://archive.sweetops.com/terraform/

2021-06-13

MrAtheist

Questions for terraform-aws-modules/vpc/aws: I'm switching from a single NATGW to a multi-NATGW setup (one per AZ). The plan says it will destroy the NATGW that was originally created. This seems fishy to me, as it would basically cut off outgoing traffic while the apply is doing its thing… Anyone know a way to skip the destroy? Or is there a better way to go about this?

Brian Ojeda

Check if create_before_destroy is set and is true. If it is set and true, then there is little to no downtime.

https://www.terraform.io/docs/language/meta-arguments/lifecycle.html

MrAtheist

hmm, don't think that would work in this case, as it would try to create a NATGW with the elastic IP hooked up to the original NATGW…

the problem here is that I have whitelisted the original elastic IP somewhere else, and messing with the original NATGW in any way, shape or form would break this link

MrAtheist
Modifying single_nat_gateway destroys existing nat gatway · Issue #506 · terraform-aws-modules/terraform-aws-vpc

I've created a VPC with single_nat_gateway=true. When attempting to change to single_nat_gateway=false the plan shows the following: # module.vpc.aws_nat_gateway.this[0] must be replaced -/+ re…

Ashish Sharma

Hi guys… Do we have any utility like tfenv for Windows, to use whichever tf version we like?

2021-06-12

Mohammed Yahya

https://github.com/tonedefdev/terracreds allows you to store tokens for TF Cloud or similar SaaS (env0, Scalr, Spacelift) in the macOS or Windows vault instead of plain text, same as aws-vault. I used this when switching the TF CLI workflow between TF Cloud and Scalr.

tonedefdev/terracreds

A Terraform Cloud/Enterprise credentials helper. Contribute to tonedefdev/terracreds development by creating an account on GitHub.

2021-06-11

Jon Butterworth

Hi all, quick question for sanity’s sake… In the EKS-Workers module where it refers to autoscaling groups.. This is not the same as Cluster Autoscaler? Or is it?

Jon Butterworth

I’ve deployed a cluster using EKS-Workers.. set max nodes to 8 and min nodes to 3.. but when I deploy 20 nginx pods the nodes don’t scale.

Jon Butterworth

Perhaps there’s an input to enable autoscaling? Or do I need to look at writing something myself to enable cluster auto scaling?

Jon Butterworth

I think I’ve answered this myself. I needed to deploy the autoscaler pod

Mohammed Yahya

I love the feeling when support asks you how you solved it.

2021-06-10

Jon Butterworth

In regards to context.tf and this module.. can someone tell me where module.this.id is coming from? In specific reference to the aws-ec2-autoscale-group and aws-eks-workers modules. But this seems to be a standard configuration across a lot of modules.

Alex Jurkiewicz

It’s using the null-label module. This is a module which doesn’t create infrastructure, but is designed to create a consistent name based on inputs

Alex Jurkiewicz

the module is instantiated as “this” and id is one of the null-label outputs. Specifically the one that outputs the “consistent name”

Jon Butterworth

I’m having a hard time trying to narrow down the error I’m seeing when I use the eks-workers module.

Jon Butterworth

It calls EC2-Autoscale-Group.

Jon Butterworth

Which has a name prefix, which it gets from module.this.id

Jon Butterworth

However, the error I'm seeing suggests it's getting no value from module.this.id

Alex Jurkiewicz

there’s no default name. Did you pass in any of the variables used by null-label module?

Jon Butterworth

Starting to see this now.. there’s no namespace, environment or stage.. which are inputs.

Jon Butterworth

I haven’t done anything, I’m just using a CP module.

Alex Jurkiewicz

namespace, environment, stage, name, attributes

Alex Jurkiewicz

yes, this requirement is not well documented

Alex Jurkiewicz

simplest approach is to set name only to specify the name you want to use for the module’s resources

Jon Butterworth

I see.. So I must pass these attributes into the eks-workers module?

Alex Jurkiewicz

yes, you have to pass at least one of them

Jon Butterworth

The confusion came because the offending module is nested

Alex Jurkiewicz

passing multiple of them, and the null label module’s other variables are designed for advanced workflows where you compose or nest multiple labels

Jon Butterworth

Brilliant, thank you. That was a simple fix

Jon Butterworth

I passed name, and now I'm onto the next error! But at least I'm past that point.

Jon Butterworth

Thanks again,

joseodenigbo

I am new to Terraform. I am trying to use cloudposse (git url: https://github.com/cloudposse/terraform-aws-tfstate-backend) to save the Terraform state in an S3 bucket on AWS, but I keep getting this error on Jenkins:

Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.

Error: Failed to get existing workspaces: S3 bucket does not exist.

The referenced S3 bucket must have been previously created. If the S3 bucket
was created within the last minute, please wait for a minute or two and try
again.

Error: NoSuchBucket: The specified bucket does not exist
	status code: 404, request id: RTY8A45R6KR8G72F, host id: yEzmd9hrvPSY3MY3trWfvdtyw4VcJZ+L+hf79QpkOkbSD7GU4Xz9EViWHbDRXiHjTp8k5LgPIzM=

Any help and guidance will be appreciated, thanks.

cloudposse/terraform-aws-tfstate-backend

Terraform module that provision an S3 bucket to store the terraform.tfstate file and a DynamoDB table to lock the state file to prevent concurrent modifications and state corruption. - cloudposse…

Jon Butterworth
Error: NoSuchBucket: The specified bucket does not exist

The bucket doesn’t exist - Create it first

joseodenigbo

when I created the bucket I get this error:

Acquiring state lock. This may take a few moments...

Error: Error locking state: Error acquiring the state lock: 2 errors occurred:
	* ResourceNotFoundException: Requested resource not found
	* ResourceNotFoundException: Requested resource not found

Terraform acquires a state lock to protect the state from being written
by multiple users at the same time. Please resolve the issue above and try
again. For most commands, you can disable locking with the "-lock=false"
flag, but this is not recommended.

Jon Butterworth

So you created the bucket and now you’re getting that error from TF?

joseodenigbo

I created it from the AWS console with the exact name that Terraform expected for storing the state.

Jon Butterworth

That’s an issue with DynamoDB - I’ve not used that module before, but it looks as though it creates the bucket for you if you follow the guide.

Jon Butterworth

cloudposse/tfstate-backend/aws should have created the bucket for you if you followed this?

joseodenigbo

yes, that's what it should do, but I don't know why it's not creating it

Jon Butterworth
resource "aws_s3_bucket" "default" {
....

According to the module it does create the bucket.

resource "aws_dynamodb_table"
...

It also sorts the dynamo table.

Jon Butterworth

Step one on the readme… where did you put it?

joseodenigbo

I added it in a folder called backend and then created a main.tf and added it there

joseodenigbo
08:29:37 AM

this is my terraform structure

joseodenigbo
So the first step is in main.tf in the backend folder and then the second step is in backend.tf
Jon Butterworth

That’s probably your problem.

Jon Butterworth

add that module to management-site/main.tf

joseodenigbo
08:39:17 AM

not sure that's the problem; the Jenkins deploy job calls it first, before the management site.

Jon Butterworth

Have you tried just following the steps in the module first? To see if it works that way? Then moving things around once you know it works?

Jon Butterworth

I'm not sure why you've got logic in a script to check whether the bucket exists, and if it doesn't exist, run the backend module. To me that doesn't make sense… the whole point of Terraform is that it creates things which don't exist and doesn't re-create things which do exist.

Jon Butterworth

What you’ve done won’t work though, you’ve created a backend with no state to put into it.

Jon Butterworth

You need to bin that backend directory and bring the module into your main.tf

Jon Butterworth

Then run terraform init followed by terraform apply followed by terraform init -force-copy

Jon Butterworth

The first init pulls the module down, the apply creates the S3 bucket and the second init copies the backend to the bucket.

joseodenigbo

This has been resolved, thank you, but I didn't use cloudposse again as the issue persisted even after putting it all in the same file as you advised. Thanks for the help.

joseodenigbo

This was the one I used to achieve that. https://github.com/stavxyz/terraform-aws-backend

stavxyz/terraform-aws-backend

A Terraform module for your AWS Backend + a guide for bootstrapping your terraform managed project - stavxyz/terraform-aws-backend

Raja Miah

hi everyone, looking for any ideas or resources that I can use to set up, using Terraform, API Gateway with a Cognito user pool. Any help would be much appreciated. If you wanna contact me, I can explain in more detail our current setup and the issues we are facing.

Thomas Weiss

Hi there. I ran into a weird error with the aws provider and wonder if anyone has run into this too:

resource "aws_synthetics_canary" "api" {
  name                 = "test"
  artifact_s3_location = "s3://${aws_s3_bucket.synthetic.id}"
  execution_role_arn   = aws_iam_policy.synthetic.arn
  handler              = "apiCanaryBlueprint.handler"
  runtime_version      = var.synthetic_runtime_version
  zip_file             = data.archive_file.synthetic.output_path

  schedule {
    expression = "rate(60 minutes)"
  }
}

terraform apply and:

│ Error: error reading Synthetics Canary: InvalidParameter: 1 validation error(s) found.
│ - minimum field size of 1, GetCanaryInput.Name.
│ 
│ 
│   with aws_synthetics_canary.api,
│   on monitoring.tf line 94, in resource "aws_synthetics_canary" "api":
│   94: resource "aws_synthetics_canary" "api" {
│ 
╵
Harry

I’ve got a VPC with some private subnets, and I’m passing those subnet IDs into a module to deploy instances to run an app. I’m also passing in an instance type, but not all instance types are available in all regions and one subnet doesn’t have the instance type I need in it. I’m trying to use the aws_subnet data resource to retrieve the AZs each subnet is in, then use aws_ec2_instance_type_offerings to filter the list of subnets so I only deploy in ones where the instance type is available, but I’m not sure how to create a data resource for each subnet. Can I use foreach here?

Michael Dizon
Aurora postgres iam_roles failing to apply · Issue #129 · terraform-aws-modules/terraform-aws-rds-aurora

When passing iam db role to iam_roles variable, e.g. iam_roles = [<db_role_arn>] , it fails to apply role to Aurora postgres db cluster with following error - Error: InvalidParameterValue: Th…

Michael Dizon

trying to provide iam_roles but get this error: Error: InvalidParameterValue: The feature-name parameter must be provided with the current operation for the Aurora (PostgreSQL) engine.

Andy Miguel (Cloud Posse)

@here We're having a special edition of #office-hours next week (https://sweetops.slack.com/archives/CHDR1EWNA/p1623371431095200) and will be joined by @Taylor Dolezal, who is a Senior Developer Advocate at HashiCorp. Please queue up any questions (or gripes) you have about Terraform on this thread and we'll have Taylor review them live on the call, thanks!

@here we have another special edition of Office Hours next week Wednesday June 16th!

@Taylor Dolezal will be joining us! Taylor is a Senior Developer Advocate at HashiCorp and we’ll be talking to him about an array of topics including: his role, what’s it like to be a developer at HashiCorp, what we can expect next for Terraform, Nomad vs Kubernetes, security considerations with custom providers, and answering live Q&A from anyone who joins! Hope to see you there

Taylor Dolezal
12:35:16 AM

@Taylor Dolezal has joined the channel

2021-06-09

Jon Butterworth

I posted a question for module support yesterday and it’s lost in the scroll back. Is this the best place for module support? Or should I raise a github issue? TIA.

Alex Jurkiewicz

Here is good

Jon Butterworth

Thanks, I’ve reshared.

Jon Butterworth
07:54:48 AM

Reshared here so it doesn’t get lost in scrollback

Hi all. QQ if I may.. I’m seeing the following error

Error: "name_prefix" cannot be less than 3 characters

This is coming from the eks-workers module. Looks as though it’s then coming from the ec2-autoscale-group module and then from the label/null module.

Full Error:

│   on .terraform/modules/eks_workers.autoscale_group/main.tf line 4, in resource "aws_launch_template" "default":
│    4:   name_prefix = format("%s%s", module.this.id, module.this.delimiter)

I can’t seem to see why it’s not getting an id.. FYI, I’ve changed nothing. Just calling the eks-workers module…

module "eks_workers" {
  source = "./modules/eks-workers"

  cluster_certificate_authority_data = module.eks_cluster.eks_cluster_certificate_authority_data
  cluster_endpoint                   = module.eks_cluster.eks_cluster_endpoint
  cluster_name                       = module.eks_cluster.eks_cluster_id
  cluster_security_group_id          = module.eks_cluster.security_group_id
  instance_type                      = "t3.medium"
  max_size                           = 8
  min_size                           = 4
  subnet_ids                         = module.vpc.public_subnets
  vpc_id                             = module.vpc.vpc_id

  associate_public_ip_address        = true
}

NB: Although the module is local, it was cloned this morning so is up to date.

MrAtheist

Does anyone know if there's a way to ignore changes to the entire module? I've got this tgw module originally deployed, but it has been messed with manually a couple of times, and I don't know if I could salvage it by monkey patching the tf code, hence this question…

Jon Butterworth

Resources have the lifecycle meta-argument, with which you can use ignore_changes. I know this doesn't answer your question, but the reason for mentioning it is: https://www.terraform.io/docs/language/modules/syntax.html - this mentions that the lifecycle argument is reserved for future releases.. so perhaps lifecycle is/will (be) available for modules

Jon Butterworth
│ Error: Unsupported argument
│ 
│   on main.tf line 19, in module "vpc":
│   19:   lifecycle = {
│ 
│ An argument named "lifecycle" is not expected here.
MrAtheist

sadly just stumbled upon this.. hopefully it’ll get incorporated somehow

https://www.reddit.com/r/Terraform/comments/mrzsbg/how_to_use_lifecycle_feature_with_ec2instance/

How to use lifecycle feature with ec2-instance module with terraform?

In a terraform task, created an ec2_instance creation module module “ec2_instance” { source =…

MrAtheist

any other shady hacks for this? or am I doomed to monkey patch this mess…?

Jon Butterworth

Could you use terraform state mv to move resources into a new module which represents what is in state?

MrAtheist

thanks, checking it out, I'm pretty newb when it comes to tf…

MrAtheist

slight update: I ended up messing with the state file instead of monkey patching the tf code… I'm not endorsing my actions in any way, shape or form lol

paultath81

Running into an issue creating an AKS cluster in Azure when using managed identity and private DNS zones. Hoping to find anyone who has worked with AKS and could possibly provide some guidance, please.

Dias Raphael

Hi Team, I would like to create a hosted zone in AWS through Terraform… Can you suggest a Terraform module which does this? Any guidance would be helpful.

jose.amengual
Announcing HCP Packer

HCP Packer is a new cloud service designed to bridge the gap between image creation and deployment with image-management workflows. The service will be available for beta testing in the coming months.

Zach

While HCP Packer is not “Packer in the cloud,”
Too late, it's 100% going to be branded “Packer in the cloud”

pjaudiomv

I created a module for Route 53 Resolver DNS Firewall using the cloudposse scaffolding if anyone wants to kick the tires on it https://github.com/pjaudiomv/terraform-aws-route53-resolver-dns-firewall

pjaudiomv/terraform-aws-route53-resolver-dns-firewall

Terraform module to provision AWS DNS firewall resources. - pjaudiomv/terraform-aws-route53-resolver-dns-firewall

Alex Jurkiewicz

nice, in Terraform 1.0, terraform destroy -help states only that it’s an alias for terraform apply -destroy. But terraform apply -help doesn’t mention -destroy

Alex Jurkiewicz

I think it's because -destroy comes from plan

2021-06-08

Brian Ojeda

https://registry.terraform.io/ - Anyone else having issues reaching the site?

Partha

i can access

Partha

the site

Brian Ojeda

me too now.

Brian Ojeda
Announcing HashiCorp Terraform 1.0 General Availability

Terraform 1.0 — now generally available — marks a major milestone for interoperability, ease of upgrades, and maintenance for your automation workflows.

Release notes from terraform
11:43:37 AM

v1.0.0 1.0.0 (June 08, 2021) Terraform v1.0 is an unusual release in that its primary focus is on stability, and it represents the culmination of several years of work in previous major releases to make sure that the Terraform language and internal architecture will be a suitable foundation for forthcoming additions that will remain backward compatible. Terraform v1.0.0 intentionally has no significant changes compared to Terraform v0.15.5. You can consider the v1.0 series as a direct continuation…

Mohammed Yahya

at last

Matt Gowie

Feels unexciting as there isn’t much new being released, but at least we’ll finally stop hearing jokes about terraform not being 1.0

Mohammed Yahya

exactly

Chris Fowles

it’s important to know that we can now stop having to consider a version upgrade as a major activity - which is nice

bp

you called it @Erik Osterman (Cloud Posse) !

bp

wonder if terraform test is still beta in v1.0 or staying with v0.15

Erik Osterman (Cloud Posse)


@Chris Fowles
it’s important to know that we can now stop having to consider a version upgrade as a major activity - which is nice
Yes/no.

Now we’re back to 0.11 and 0.12 style version upgrades - the kind that happen every year and are scary.

Erik Osterman (Cloud Posse)

With regular breaking changes, we got much better at handling them.

Erik Osterman (Cloud Posse)


but at least we’ll finally stop hearing jokes about terraform not being 1.0
But now I lose my excuse for why cloudposse modules are 0.x

Jon Butterworth

Hi all. QQ if I may.. I’m seeing the following error

Error: "name_prefix" cannot be less than 3 characters

This is coming from the eks-workers module. Looks as though it’s then coming from the ec2-autoscale-group module and then from the label/null module.

Full Error:

│   on .terraform/modules/eks_workers.autoscale_group/main.tf line 4, in resource "aws_launch_template" "default":
│    4:   name_prefix = format("%s%s", module.this.id, module.this.delimiter)

I can’t seem to see why it’s not getting an id.. FYI, I’ve changed nothing. Just calling the eks-workers module…

module "eks_workers" {
  source = "./modules/eks-workers"

  cluster_certificate_authority_data = module.eks_cluster.eks_cluster_certificate_authority_data
  cluster_endpoint                   = module.eks_cluster.eks_cluster_endpoint
  cluster_name                       = module.eks_cluster.eks_cluster_id
  cluster_security_group_id          = module.eks_cluster.security_group_id
  instance_type                      = "t3.medium"
  max_size                           = 8
  min_size                           = 4
  subnet_ids                         = module.vpc.public_subnets
  vpc_id                             = module.vpc.vpc_id

  associate_public_ip_address        = true
}

NB: Although the module is local, it was cloned this morning so is up to date.

Jon Butterworth

Anyone got any thoughts on this? Would a GH Issue be more suitable for this?

Brij S

Hey all, I'm using the terraform eks community module. I'm trying to tag the managed nodes with the following:

      additional_tags = {
        "k8s.io/cluster-autoscaler/enabled"             = "true"
        "k8s.io/cluster-autoscaler/${var.cluster_name}" = "true"
        "Name"                                          = var.cluster_name
      }

In addition to this, I'm trying to merge the tags above with var.tags, with minimal success. Does anyone know how to do that?

I tried the following with no luck

      additional_tags = {
        merge(var.tags, 
          "k8s.io/cluster-autoscaler/enabled"             = "true"
          "k8s.io/cluster-autoscaler/${var.cluster_name}" = "true"
          "Name"                                          = var.cluster_name
        )
      }
Avenia
 tags = merge(
    {
      "Name" = format("%s", var.name)
    },
    local.tags,
  )
}
Avenia

I think your issue is the { } missing around your 3 bottom tags.

Brij S

let me try adding the { }

Avenia
additional_tags = {
        merge(var.tags, {
          "k8s.io/cluster-autoscaler/enabled"             = "true"
          "k8s.io/cluster-autoscaler/${var.cluster_name}" = "true"
          "Name"                                          = var.cluster_name
        })
      }
Brij S

that results in

  50:       additional_tags = {
  51:         merge(var.tags, {
  52:           "k8s.io/cluster-autoscaler/enabled"             = "true"
  53:           "k8s.io/cluster-autoscaler/${var.cluster_name}" = "true"
  54:           "Name"                                          = var.cluster_name
  55:         })
  56:       }

Expected an attribute value, introduced by an equals sign ("=")
Avenia

= ${var.cluster_name}” ?

Avenia

it shouldn't need that. but that's odd.

Brij S

still the same error

Avenia

what version is this?

Avenia

Oh

Avenia

you still have a syntax error

Brij S

14.10

Avenia
additional_tags = merge(var.tags, {
          "k8s.io/cluster-autoscaler/enabled"             = "true"
          "k8s.io/cluster-autoscaler/${var.cluster_name}" = "true"
          "Name"                                          = var.cluster_name
        })
Avenia

try that.

Brij S

An argument or block definition is required here.

Brij S

additional_tags is a map(string) value so that should work

Avenia

turn your tags into a local and see if it works then

Avenia
locals {
  #Instance Tagging
  tags = {
    "service"   = var.service_name
    "env"       = var.environment
    "stackname" = "${var.environment}-${var.application_name}"
  }
}

etc

Avenia

then do local.tags in the merge.

Brij S

hmm, I'll try - the thing is, var.tags are picked up from various *.tfvars files

Brij S

so locals might make it so i duplicate some tags

Avenia

are you outputting them?

Brij S

the tags? no

Avenia

Threading this to reduce noise.

Brij S

good call

Avenia

so your vars are in multiple files?

Brij S

yeah

Brij S

for different environments

Avenia

How exactly are you structuring your terraform?

each app/env should have its own set of terraform.tfvars files

something like

app
└── terraform
    ├── dev
    │   ├── terraform.tfvars
    │   ├── main.tf
    │   ├── outputs.tf
    │   └── variables.tf
    ├── stage
    │   ├── terraform.tfvars
    │   ├── main.tf
    │   ├── outputs.tf
    │   └── variables.tf
    └── prod
        ├── terraform.tfvars
        ├── main.tf
        ├── outputs.tf
        └── variables.tf

(your experience may vary this is what we use basically)

Or use something like terragrunt where you can define them all in a single place and it keeps it a bit more DRY.

you should be able to import your module in the main.tf call, and expose the locals to the module there, where it can generate the local tags.

Brij S
      additional_tags = merge(var.tags, {
        Name                                            = var.cluster_name
        "k8s.io/cluster-autoscaler/enabled"             = "true"
        "k8s.io/cluster-autoscaler/${var.cluster_name}" = "true"
      }, )
Brij S

that seems to have worked, however my instances don't have any of the tags after apply

Brij S

the plan didn't show a change either

Thomas Hoefkens

Hi all, I am using the helm provider to deploy a chart… but when adding a template in the helm chart, the tf deployment does not detect the fact that I added a yaml file… how can this be resolved?

Adnan

I am not sure if there is a clean way to make it work with Terraform. A hack/workaround could be to determine if there are changes some other way, and if yes, taint/replace the resource. Or just handle helm separately :D

Thomas Hoefkens

So is this a known “side-effect” of using the helm provider? That is a big issue imo…

Adnan

yes, I think it's a known issue https://github.com/hashicorp/terraform-provider-helm/issues/372 not aware if it has been fixed somewhere

Values modified outside of terraform not detected as changes · Issue #372 · hashicorp/terraform-provider-helm

Terraform Version Terraform v0.12.12 Helm provider Version ~> 0.10 Affected Resource(s) helm_resource Terraform Configuration Files resource "helm_release" "service" { name =…

2021-06-07

Adnan

Hi All, terraform plan already does some validation, like duplicate variables, but what is missing is duplicate validation for the contents of maps and lists. Does anyone know of a way/tool to validate .tfvars files for duplicates, including duplicates inside maps and lists?

Brian A.

https://github.com/terraform-linters/tflint might be able to do what you need

terraform-linters/tflint

A Pluggable Terraform Linter. Contribute to terraform-linters/tflint development by creating an account on GitHub.

Gene Fontanilla

is it possible to pass outputs a inputs for variables?

Erik Osterman (Cloud Posse)

Yes, you can pass outputs from modules as inputs to other modules

Rhys Davies

hey guys, this is probably a FAQ so sorry if so: what's a good article or series for writing CI for Terraform? Specifically, I now have a small team of people all working on a project together; what's a good resource to follow on how to test, deploy and not step on each other's toes?

*We use CircleCI and Terraform, no PaaS (yet)

Hemanth Gokavarapu

You can use Terraform Cloud if you are looking for a paid service… https://www.hashicorp.com/blog/learn-ci-cd-automation-with-terraform-and-circleci

If you don’t want terraform cloud, you can try something like this..

https://victorops.com/blog/a-ci-cd-template-for-terraform

Learn CI/CD Automation with Terraform and CircleCI

Get started automating Terraform in CI/CD with a new tutorial that walks you through deploying a web app and its underlying infrastructure using the same CircleCI workflow.

A CI/CD Template for Terraform

Use our CI/CD template for Terraform to learn how you can use Infrastructure-as-Code (IaC) to improve CI/CD processes. This template will show you exactly how to implement and maintain a CI/CD pipeline with Terraform.

Hemanth Gokavarapu

if you want to validate and find configuration issues of your terraform in the CI process.. you can use our free product https://get.soluble.cloud/

Soluble: Secure your cloud infrastructure

Automated Infrastructure as Code (IaC – Terraform, CloudFormation, Kubernetes) static security testing for developers

Rhys Davies

awesome! I’ll do some reading, thank you

Matt Gowie

I’d suggest against Terraform Cloud. They’re getting better, but are still fairly behind their competitors. Scalr or Spacelift are the way to go IMO:

https://scalr.com/

https://spacelift.io/

Collaboration and Automation for Terraform | Scalr

Scalr is a remote state & operations backend for Terraform with access controls, policy as code, and many quality of life features.

The best CI/CD for Infrastructure as Code

Enable collaboration. Ensure control and compliance. Customize and automate your workflows.

Hemanth Gokavarapu

Spacelift has quite a few disadvantages compared to Scalr and Terraform Cloud… I like the Terraform Cloud triggers, which I use a lot and which don't exist in Scalr, but if you are more into OPA, shared modules, custom policies.. Scalr might be a good fit..

ohad avatar

You can check out our product ( disclaimer - i am CEO of env0) at www.env0.com which allows you to do much more than Terraform Cloud imho.

You can check out this video which presents all 4 solutions - Terraform Cloud, env0, Scalr, Spacelift https://youtu.be/4MLBpBqZmpM

2
Michael Warkentin avatar
Michael Warkentin

We use the Fargate module for deploying atlantis: https://www.runatlantis.io

Terraform Pull Request Automation | Atlantis

Atlantis: Terraform Pull Request Automation

2021-06-06

Alex Jurkiewicz avatar
Alex Jurkiewicz
  on .terraform/modules/apigw_certificate/main.tf line 37, in resource "aws_route53_record" "default":
  37:   name            = each.value.name

A reference to "each.value" has been used in a context in which it
unavailable, such as when the configuration no longer contains the value in
its "for_each" expression. Remove this reference to each.value in your
configuration to work around this error.

Started seeing this error with cloudposse/terraform-aws-acm-request-certificate (https://github.com/cloudposse). Anyone familiar with this Terraform error? I’ve never seen it before and can’t quite understand it :thinking_face:

cloudposse/terraform-aws-acm-request-certificate

Terraform module to request an ACM certificate for a domain name and create a CNAME record in the DNS zone to complete certificate validation - cloudposse/terraform-aws-acm-request-certificate

pjaudiomv avatar
pjaudiomv

did you upgrade this module from a previous version, also is this happening on plan or apply

Alex Jurkiewicz avatar
Alex Jurkiewicz

on plan. I figured it out – if you pass in a hostname with uppercase letters, you get this error

pjaudiomv avatar
pjaudiomv

ahh good to know

Alex Jurkiewicz avatar
Alex Jurkiewicz
1
Zach avatar

quite the weird error

2021-06-04

Raja Miah avatar
Raja Miah

hi anyone have any good resources or links for terraforming an aws api-gateway ??

rms1000watt avatar
rms1000watt

Can I get some upvotes on this? lol for some reason it’s been sitting there for a long time, but adding S3 Replication Time Control would be very valuable from Terraform https://github.com/hashicorp/terraform-provider-aws/pull/11337

original issue I think https://github.com/hashicorp/terraform-provider-aws/issues/10974

Add replication time control by rebrowning · Pull Request #11337 · hashicorp/terraform-provider-aws

Community Note Please vote on this pull request by adding a reaction to the original pull request comment to help the community and maintainers prioritize this request Please do not leave &quot;…

2
2
matt.bernard2006 avatar
matt.bernard2006

Hey all. Is this still under review? I’m manually editing the module with this PR and it’s working well so far. Any idea on a new release? https://github.com/cloudposse/terraform-aws-sso/pull/13

issue 12 possible fix by innominatus · Pull Request #13 · cloudposse/terraform-aws-sso

what a.permission_set_arn is providing a unique value to the account_assignment name. However the permission_set_arn can not be determined until after the apply of the permission sets. Using a.per…

matt.bernard2006 avatar
matt.bernard2006

Any updates on this yet?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@RB (Ronak) (Cloud Posse) and @Andriy Knysh (Cloud Posse) I think are taking a look at this right now

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

(we encountered this as well)

2021-06-03

emem avatar

hi guys who has gotten around resolving this terraform import issue before

nil entry in ImportState results. This is always a bug with
the resource that is being imported. Please report this as
a bug to Terraform
Henry Course avatar
Henry Course

guess this might be the right place to put this, got a contribution PR that should now be ready for review: https://github.com/cloudposse/terraform-aws-msk-apache-kafka-cluster/pull/22

Added support for incoming SASL/IAM auth by hcourse-nydig · Pull Request #22 · cloudposse/terraform-aws-msk-apache-kafka-cluster

what Added support for the incoming (AWS provider 3.43.x) SASL/IAM auth method. why Allows access control to an MSK cluster via IAM instead of requiring SCRAM secret management. references AWS…

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
Added support for incoming SASL/IAM auth by hcourse-nydig · Pull Request #22 · cloudposse/terraform-aws-msk-apache-kafka-cluster

what Added support for the incoming (AWS provider 3.43.x) SASL/IAM auth method. why Allows access control to an MSK cluster via IAM instead of requiring SCRAM secret management. references AWS…

Pierre-Yves avatar
Pierre-Yves

Hello, when using terraform cloud, how do you provide terraform init arguments? I didn’t find a way to do it. I am used to providing variables to connect to the remote state like this: terraform init -reconfigure -backend-config="login=$TF_VAR_login" ...

tim.davis.instinct avatar
tim.davis.instinct

Hey there, you should be able to pass CLI args using the TF_CLI_ARGS as a variable: https://www.terraform.io/docs/cli/config/environment-variables.html#tf_cli_args-and-tf_cli_args_name

Environment Variables - Terraform by HashiCorp

Terraform uses environment variables to configure various aspects of its behavior.

1
ms16 avatar

I’m consulting a customer to not use TF cloud. The business plan costs an arm and a leg

tim.davis.instinct avatar
tim.davis.instinct

@ms16 We’d love for you and your customers to check out our pricing models at env0 if the TFC quotes have your head spinning

https://www.env0.com/pricing

Disclaimer: I’m the DevOps Advocate at env0

Note: The Enterprise tier pricing isn’t listed because these are 100% customized agreements from top to bottom, so we don’t know what one looks like until we spec out what is needed.

1
managedkaos avatar
managedkaos

Have you seen something like this where you know there are changes (made manually in the console), terraform knows there are changes, and yet there is no plan to revert the changes?

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply":


Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following
plan may include actions to undo or respond to these changes.

──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

No changes. Your infrastructure matches the configuration.
loren avatar
loren

They’ve been tracking that, I think… Patched some instances in 0.15.5, but sounds like there are still some occasions… https://github.com/hashicorp/terraform/issues/28776

"Objects have changed outside of Terraform" but no actual changes are shown · Issue #28776 · hashicorp/terraform

I have a configuration I&#39;ve just updated to 0.15.4 and now terraform plan/apply always reports the following: Note: Objects have changed outside of Terraform Terraform detected the following ch…

pjaudiomv avatar
pjaudiomv

my plans got worse after 0.15.5

Vijay LL avatar
Vijay LL

Hello Guys, Is anyone using Terraform API driven runs? curl -s --header "Content-Type: application/octet-stream" --request PUT --data-binary @${config_dir}.tar.gz "$upload_url" I am trying to understand and use this. I’d like to do this through Go or Python

Alex Jurkiewicz avatar
Alex Jurkiewicz

Terraform Cloud, I’m assuming

Vijay LL avatar
Vijay LL

Yes or Terraform Enterprise

marcoscb avatar
marcoscb

Hello, I’m trying to update the AMI on an EKS cluster created with the terraform-aws-eks-cluster-0.38.0 module and terraform-aws-eks-node-group-0.19.0, setting create_before_destroy = true in the eks_node_group module, but pods are not relocated to the new nodes and the node group keeps modifying and times out. Anybody using this kind of rolling update with these modules? Any hint about how to orchestrate these rolling updates? Thanks.

Hao Wang avatar
Hao Wang

do you mean rolling update in ASG or k8s deployment?

2021-06-02

Luis avatar

Does anyone have an example on how to use the “kubelet_additional_options” variable for the terraform-aws-eks-node-group module? I am testing it like this without any luck so far. Thanks

kubelet_additional_options = "--allowed-unsafe-sysctls=net.core.somaxconn,net.ipv4.ip_local_port_range=1024 65000"
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

The space here 1024 65000 is suspicious

1
Release notes from terraform avatar
Release notes from terraform
06:13:43 PM

v0.15.5 0.15.5 (June 02, 2021) BUG FIXES: terraform plan and terraform apply: Don’t show “Objects have changed” notification when the detected changes are only internal details related to legacy SDK quirks. (#28796) core: Prevent crash during planning when encountering a deposed instance that has been removed from the configuration. (<a…

emem avatar

hi guys anyone has an idea how to resolve this currently defined in cloudflare terraform module. I first thought i should set the attribute for paused: true. But it still does not seem to work. Please help

➜  staging git:(BTA-6363-Create-a-terraform-code-base-for-cloudflare) ✗ terraform plan
Acquiring state lock. This may take a few moments...

Error: Unsupported attribute

  on ../../cloudflare/modules/firewall.tf line 6, in locals:
   6:       md5(rule.expression),

This object does not have an attribute named "expression".
managedkaos avatar
managedkaos

@ I’m not familiar with cloudflare resources but I’m wondering, what is the resource/variable/object/etc named rule? Seems as though you are not referencing it correctly… :thinking_face:

Is rule a value that you are creating or is this from a third party module you are using?

emem avatar

thanks @ was able to find the issue

managedkaos avatar
managedkaos

no problem! glad you worked it out

emem avatar

have u encountered this before

nil entry in ImportState results. This is always a bug with
the resource that is being imported. Please report this as
a bug to Terraform
Chris Fowles avatar
Chris Fowles

i’m hitting a problem with the way some of our modules are designed now that we’re starting to switch to AWS SSO for auth. we use data "aws_caller_identity" "current" {} a bit to get the current account id rather than having to pass it in, unfortunately when using SSO it looks like this is the root account rather than the account you’re applying against. does anyone have an easy way around this or do i need to go on an adventure?

Brian Ojeda avatar
Brian Ojeda

Something isn’t right. That should return the respective account’s id. I use it all the time. I also use the aws-cli implementation of the same command all the time to check the current account.

aws sts get-caller-identity --profile dev
aws sts get-caller-identity --profile prod
1
Chris Fowles avatar
Chris Fowles

do you use AWS SSO?

Brian Ojeda avatar
Brian Ojeda

Here is a quick way to test…

provider "aws" {
  region  = "us-east-1"
  profile = "sandbox"
}

data "aws_caller_identity" "current" {}

output "account_id" {
  value = data.aws_caller_identity.current.account_id
}

output "id" {
  value = data.aws_caller_identity.current.id
}
Brian Ojeda avatar
Brian Ojeda

Yes. I have for 2-3 years.

Brian Ojeda avatar
Brian Ojeda

AWS SSO (not old school SSO via IAM).

Chris Fowles avatar
Chris Fowles

yeh ok - i’ll do some more digging then

Brian Ojeda avatar
Brian Ojeda
[profile default]
sso_start_url = <https://yourcompany.awsapps.com/start>
sso_region = us-east-1
sso_account_id = 000000000000
sso_role_name = AdministratorAccess
region = us-east-1

[profile sandbox]
sso_start_url = <https://yourcompany.awsapps.com/start>
sso_region = us-east-1
sso_account_id = 000000000000
sso_role_name = AdministratorAccess
region = us-east-1

[profile dev]
sso_start_url = <https://yourcompany.awsapps.com/start>
sso_region = us-east-1
sso_account_id = 111111111111
sso_role_name = AdministratorAccess
region = us-east-1

[profile prod]
sso_start_url = <https://yourcompany.awsapps.com/start>
sso_region = us-east-1
sso_account_id = 222222222222
sso_role_name = AdministratorAccess
region = us-east-1
# sso login (using default profile)
aws sso login
# now have access to all profiles despite only logging in to the "default" profile
aws sts get-caller-identity
aws sts get-caller-identity --profile dev
aws sts get-caller-identity --profile prod
Chris Fowles avatar
Chris Fowles

you are correct - i was looking at this at 11pm last night and came to the wrong conclusion when i saw something change

Chris Fowles avatar
Chris Fowles

it was another issue

Chris Fowles avatar
Chris Fowles

thanks for diving so deep on this to help me out

Brian Ojeda avatar
Brian Ojeda

Np

2021-06-01

loren avatar
loren

I forget who else was looking for this, but the new aws provider release has support for aws amplify… https://github.com/hashicorp/terraform-provider-aws/releases/tag/v3.43.0

1
Matt Gowie avatar
Matt Gowie

Me. For way too long. Found out about this a week or two back — Stoked it finally shipped party_parrot

1
Alex Jurkiewicz avatar
Alex Jurkiewicz

Ditto. We have long given up and moved to self managed S3 + CloudFront

Michael Warkentin avatar
Michael Warkentin

I opened the initial issue, so yeah I’ve been waiting.

1
Michael Warkentin avatar
Michael Warkentin

Sucks that there’s no integration for env vars with param store / secret mgr (in amplify) so moving to terraform would mean committing some tokens to source..

Matt Gowie avatar
Matt Gowie
@Michael Warkentin Use sops (https://github.com/mozilla/sops) + the sops provider (https://github.com/carlpett/terraform-provider-sops). Better way of dealing with secrets than PStore or secrets manager IMO.
mozilla/sops

Simple and flexible tool for managing secrets. Contribute to mozilla/sops development by creating an account on GitHub.

carlpett/terraform-provider-sops

A Terraform provider for reading Mozilla sops files - carlpett/terraform-provider-sops

1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@Matt Gowie will you be joining us for #office-hours today?

Matt Gowie avatar
Matt Gowie

Yeah @Erik Osterman (Cloud Posse) — I’ll be on.

Harry avatar
Harry

Does anyone know of a good terraform module for creating an S3 bucket set up to host a static site?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-aws-s3-website

Terraform Module for Creating S3 backed Websites and Route53 DNS - cloudposse/terraform-aws-s3-website

Harry avatar
Harry

oh perfect, thanks @Andriy Knysh (Cloud Posse)

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-aws-cloudfront-s3-cdn

Terraform module to easily provision CloudFront CDN backed by an S3 origin - cloudposse/terraform-aws-cloudfront-s3-cdn

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

see examples folders

robschoening avatar
robschoening

For those of you using terraform static analysis and plan verification tools (Sentinel, Snyk, tfsec, checkov, etc.), it would be great to hear your thoughts on what features are missing or what approach you see working/not working? Do you see this as something that should be coupled with the PR process, CI/CD, a TACOS platform, all of the above, or something else entirely? In full transparency, I’m the founder of https://soluble.ai which integrates a variety of static analysis tools into a (free) GitHub App. But the question is just honest discovery, useful to all. Curious what you all think and what your experiences have been.

Soluble: Secure your cloud infrastructure

Secure your cloud infrastructure – Infrastructure as Code (IaC) – Terraform, CloudFormation, Kubernetes

Pierre-Yves avatar
Pierre-Yves

hello Rob, I am using tfsec as a pre commit to validate my terraform code before pushing to Azure. I didn’t integrate it in CICD “yet” but will do it

robschoening avatar
robschoening

Curious if it is just you authoring, one team, many teams? Does tfsec do about what you need? Are you writing a lot of custom policy?

Pierre-Yves avatar
Pierre-Yves

one team but I have split the code into several repos. The default tfsec rules fit me, and yes I am authoring mainly for our infra team. For now tfsec is just taken as a warning and will not block the ci/cd. When it will, then it should be in the cicd
