#terraform (2022-05)

terraform Discussions related to Terraform or Terraform Modules

Archive: https://archive.sweetops.com/terraform/

2022-05-02

Darrin F avatar
Darrin F

Do you use AWS Control Tower, and do you provision that with IaC or do you just ClickOps the initial setup? We’re starting fresh and I’m not sure what to call “Day 0” operations where it doesn’t make sense to automate…

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

We use IaC using terraform to create all of our aws accounts

Darrin F avatar
Darrin F

I agree for the account creation. But to create/enable Control Tower and OUs, do you use terraform or just make a few clicks in the AWS console?

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

We don’t use control tower but we do configure OUs and accounts through our account terraform component

https://github.com/cloudposse/terraform-aws-components/tree/master/modules/account

Soren Jensen avatar
Soren Jensen

We use control tower and have set it up with a philips module. It’s working like a charm

Soren Jensen avatar
Soren Jensen
New – AWS Control Tower Account Factory for Terraform | Amazon Web Services

AWS Control Tower makes it easier to set up and manage a secure, multi-account AWS environment. AWS Control Tower uses AWS Organizations to create what is called a landing zone, bringing ongoing account management and governance based on our experience working with thousands of customers. If you use AWS CloudFormation to manage your infrastructure as […]

Manage AWS Accounts Using Control Tower Account Factory for Terraform | Terraform - HashiCorp Learn

Use the AWS Control Tower Account Factory for Terraform to create a pipeline for provisioning and customizing AWS accounts in Control Tower. Create a new account and learn more about AWS Control Tower governance.

aws-ia/terraform-aws-control_tower_account_factory

AWS Control Tower Account Factory

2022-05-03

idan levi avatar
idan levi

Hi all! I'm trying to create self-managed node groups on EKS using the Terraform eks module and terragrunt. I want to add tolerations, taints and labels to each node group, so I tried to use bootstrap_extra_args = "--node-labels=node.kubernetes.io/lifecycle=spot,node/role=os-client" and

bootstrap_extra_args = <<-EOT
      [settings.kubernetes.node-labels]
      ingress = "allowed"
      EOT 

but neither of them creates the node group with the labels/taints. Does anyone know the right way to do it? Thanks!!

Matt H. avatar
Matt H.

Hello, I’m using the cloudposse tgw module with terragrunt to create a cross-account transit gateway with attachments. I created a module-of-modules that basically mimics the multi-account example here https://github.com/cloudposse/terraform-aws-transit-gateway/tree/master/examples/multi-account, only I replaced the config with vars that I pass in from terragrunt. When it runs, I get everyone’s favorite error, “The "count" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created” message from the lookup_transit_gateway local. I am trying to understand why that may be. It occurs on the vpc_attachments, which should be evaluating to true/1 based on https://github.com/cloudposse/terraform-aws-transit-gateway/blob/master/main.tf#L10 since I pass in the existing_transit_gateway_id.

Matt H. avatar
Matt H.

It’s odd because there’s not even a resource to target with -target; it’s just checking for variables.

Niv Weiss avatar
Niv Weiss

Hey guys, can someone please help me? :pray:

I’m creating an EKS cluster using Terraform, and part of it, is to create an ALB. When I run terraform destroy it doesn’t work because the vpc is locked due to the ALB that needs to be deleted first. But, because it has been created from my ingress controller I don’t know how to make terraform recognize it… I want to be able to run terraform destroy without the need to manually delete the alb first.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

your ingress controller must be created in diff module, so it needs to be destroyed first

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

it should destroy all the AWS resources it created

Niv Weiss avatar
Niv Weiss

@Andriy Knysh (Cloud Posse) I’m using Helm to create the ingress controller. So, I need to do helm uninstall xxx and then it should work? (or of course to use helm inside terraform)

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

yes, you need to use whatever you used to create it

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

it could be helm, helmfile, terraform helm release, terraform kubernetes resources

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

you destroy it first, then run terraform destroy on the EKS cluster

Niv Weiss avatar
Niv Weiss

Thank you!!

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

you need to destroy (almost) all helm releases (not only ingress)

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

b/c many of them create something in AWS, e.g. Route53 records

Niv Weiss avatar
Niv Weiss

I just did it and it didn’t delete the ALB. I have only 2 helm charts - one that creates an ALB controller and the other one creates an ingress. And still the ALB on AWS is active..

Niv Weiss avatar
Niv Weiss

ok now I see that even after I delete the helm chart the ingress still remains in k8s

Niv Weiss avatar
Niv Weiss

Another question, when I’m creating my cluster, it’s failing every time during terraform apply when it gets to running things inside my cluster. Is there a way to make terraform wait a little bit so that the cluster is online and then it would not fail? I’m getting this error message: Error: Kubernetes cluster unreachable: Get "http://xxxxxxxxx1682.yl4.us-east-1.eks.amazonaws.com/version": dail tcp xx.xx.xx.xx:443: i/o timeout

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

it’s better to separate the cluster and things inside the cluster into separate components (root modules) and provision them separately

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

you separate TF state and live-cycle

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

and you will not have the issue with destroying them

Niv Weiss avatar
Niv Weiss

So, just to make sure I got it correctly, if I separate them into 2 different modules they will get different states?


2022-05-04

Release notes from terraform avatar
Release notes from terraform
05:13:13 PM

v1.2.0-rc1 (Unreleased) UPGRADE NOTES:

The official Linux packages for the v1.2 series now require Linux kernel version 2.6.32 or later.

When making outgoing HTTPS or other TLS connections as a client, Terraform now requires the server to support TLS v1.2. TLS v1.0 and v1.1 are no longer supported. Any safely up-to-date server should support TLS 1.2, and mainstream web browsers have required it since 2020.

When making outgoing HTTPS or other TLS connections as a client, Terraform will no…

mfridh avatar

Wow… this is incredibly annoying…

I’m attempting to simplify the data I’m passing around from module to module by wrapping data in more of a predefined “context”, so it can be easier passed to other modules…

but as soon as there is an Unknown value inside, it isn’t included in a dynamic block where I’m ultimately utilizing it… thus making the plan output very confusing (because it’s empty…).

mfridh avatar
output lb_context {
  description = "A context object containing most or all needed information about our style of load balancer."
  value = {
    name           = aws_lb.this.name
    node_permit    = true
    asg_attach     = true
    security_group = aws_security_group.this.id
    target_group = {
      name              = aws_lb_target_group.this.name
      arn               = aws_lb_target_group.this.arn
      port              = aws_lb_target_group.this.port
      health_check_port = aws_lb_target_group.this.health_check[0].port
    }
  }
}

If I change to security_group = "foo-123" it shows up in the plan output…

mfridh avatar

Output:

Changes to Outputs:
  + dynamic_rules = [
      + {
          + cidr_blocks     = []
          + description     = "bf-test-grpc-pub-ingress-wtf LB to bf-test target port (from terraform-aws-eks-dice LB context)"
          + from_port       = 31390
          + protocol        = "TCP"
          + security_groups = [
              + (known after apply),
            ]
          + self            = false
          + to_port         = 31390
        },

If I include the same object in an output, it’s all there except for that little “(known after apply)” inside …

mfridh avatar

This is how it gets dynamically used in an aws_security_group resource:

resource "aws_security_group" "node_extra" {
  name        = "${var.cluster_name}-node-extra"
  description = "${var.cluster_name} Node Extra Security Group"
  vpc_id      = var.aws_account.vpc_id

  # Rules come from a local built out of the lb_context objects above;
  # any unknown value (e.g. a security group id only known after apply)
  # is what makes the whole block disappear from the plan.
  dynamic "ingress" {
    for_each = [
      for i in local.node_security_group_rules : {
        cidr_blocks     = i.cidr_blocks
        description     = i.description
        from_port       = i.from_port
        protocol        = i.protocol
        security_groups = i.security_groups
        to_port         = i.to_port
        self            = i.self
      }
    ]

    content {
      cidr_blocks     = ingress.value.cidr_blocks
      description     = ingress.value.description
      from_port       = ingress.value.from_port
      protocol        = ingress.value.protocol
      security_groups = ingress.value.security_groups
      to_port         = ingress.value.to_port
      self            = ingress.value.self
    }
  }
}

Not sure if there’s a way around it… except for running terraform twice …

mfridh avatar

As soon as the i.security_groups is replaced with a static string, those blocks show up in the plans as expected.

So, this seems like a very specific case with unknown values and dynamic blocks … it won’t work…

If anyone knows otherwise, let me know.

mfridh avatar

I guess the way around it is to migrate this to an aws_security_group_rule with for_each instead of including the dynamic block in an aws_security_group resource.

Bit of a gotcha though.. had actually expected Terraform to not silently hide a block. Let me worry about the potential failure, ok? …

mfridh avatar

Same issue there… for_each also requires values to be known.

using count is the only thing that works… which is annoying because if a list of things change - everything is reordered on next apply.

2022-05-05

Grummfy avatar
Grummfy

question, when you have several terraform projects, what’s your preferred way to get some resources created by another? using data to search for a given resource, reading terraform state? writing a file somewhere and reading it?

Soren Jensen avatar
Soren Jensen

We use a combination. Read the state when the resource created got a random name, e.g. for S3 buckets as they have to be globally unique. For other resources that can have the same name across all accounts, like a VPC, we do a data lookup on the resource.

mfridh avatar

Data source is my number 1 go to.

Grummfy avatar
Grummfy

thanks

Dan Herrington avatar
Dan Herrington

hey all, have an arch/folder layout question. We have customer websites deployed in production isolated onto separate instances, but in dev they reside on the same instance. I had started to design the terraform folder structure around application->customer app1, customer app 2, customer app 3, etc. Environment (dev,qa,prod) was defined in tfvars. If I do this though, DEV is going to have different code than QA and Prod. I’m figuring others have run into this similar issue, and wondering how you set up your terraform code and modules to handle this type of structure?

Tyler Jarjoura avatar
Tyler Jarjoura

Would it be feasible to change dev so that it matches the architecture of prod/qa? Otherwise yeah you would just have separate code for dev. If each app is wrapped in a module then you could do a separate module for the “single-instance” version. Or you could have a variable in the module which changes whether the application is deployed on a new instance or not.

There are a number of options really without knowing the specifics..

Dan Herrington avatar
Dan Herrington

Thanks @Tyler Jarjoura Yeah, I’m looking into coding some branching if we’re in DEV this, in PROD this, but I think that introduces fragility into the code. I agree, modifying so envs match is the best way. I’ll need to cost that option out to make the case though, but by managing active instances that should work.

loren avatar

Popped in my feed today, seems interesting… https://link.medium.com/1YOv5hToNpb

Introducing Terramate — An Orchestrator and Code Generator for Terraform

Terramate is a tool for managing multiple Stacks containing Terraform code supporting change detection and code generation .

Soren Martius avatar
Soren Martius

Thanks for sharing


2022-05-06

Grummfy avatar
Grummfy

a comparison with terraspace could be cool

Soren Martius avatar
Soren Martius

Hey @Grummfy - sure will come up with that

Soren Martius avatar
Soren Martius

Hey Community! We just launched a new open-source orchestrator and code generator Terramate for Terraform.

We’ve built Terramate to solve issues when handling Terraform on scale that we experienced during our day-to-day work with customers.

To mention some of the features that Terramate ships with:

Stacks: Splitting up your state into isolated units. A stack is a runnable Terraform Root Module that operates on a subset of the infrastructure’s resources and has its own state.

Keep your code DRY: Avoid duplication by easily sharing data across your project.

Code Generation: Generate valid Terraform Code to ensure that you can always enter a stack to run plain Terraform commands.

Stack Change detection: Only execute commands in stacks that have been changed in the current branch or since the last merge.

Module Change detection: Enhanced Change Detection allows identifying stacks that have changes in local modules.

Execute Any Command: Terramate is not a wrapper of Terraform but can execute any commands in (changed) stacks.

Execution Order: Explicitly define an order of execution of stacks.

Forced Stack Execution: Ensure specific stacks are run alongside other stacks.

Pure HCL: All configuration of Terramate can be supplied in the well-known HashiCorp Configuration Language (HCL).

We’d love to hear your feedback! Thanks!

loren avatar

the medium article mentioned terragrunt, but didn’t actually compare anything to terragrunt or mention why you felt terragrunt didn’t meet the need. can you expand on that?

jose.amengual avatar
jose.amengual

and how does this compare to atmos?

2022-05-08

Steve Wade (swade1987) avatar
Steve Wade (swade1987)

Does anyone know of a terraform to cloud formation tool?
