#terraform (2022-08)

terraform Discussions related to Terraform or Terraform Modules

Archive: https://archive.sweetops.com/terraform/

2022-08-01

Isaac Campbell

What did I do

• Add detailed monitoring flag to the launch template of EC2 nodes

Why did I do this

• Some compliance tools will flag nodes used by this module because they don’t have detailed monitoring. This also allows metrics to be reported every minute as opposed to five minute intervals

Helpful references

More AWS Documentation

Erik Osterman (Cloud Posse)

Please use #pr-reviews

Isaac Campbell

pog ty

2022-08-03

Sam Skynner

Any chance this could get merged, it was approved 8 days ago https://github.com/cloudposse/terraform-aws-ssm-tls-self-signed-cert/pull/14 Would be incredibly helpful

Erik Osterman (Cloud Posse)

Please use #pr-reviews

Release notes from terraform
05:43:32 PM

v1.3.0-alpha20220803 1.3.0 (Unreleased) NEW FEATURES:

Optional attributes for object type constraints: When declaring an input variable whose type constraint includes an object type, you can now declare individual attributes as optional, and specify a default value to use if the caller doesn’t set it. For example:

variable "with_optional_attribute" {
  type = object({
    a = string                # a required attribute
    b = optional(string)      # an optional attribute
    c = optional(number, 127) # an…

Brent Farand

Hello! Our organization has been making use of your https://github.com/cloudposse/terraform-aws-components as a starting point for our infrastructure. I notice that the iam-primary-roles and iam-delegated-roles components have been replaced by the aws-teams and aws-team-roles components respectively. I was planning on moving to these new components, but it doesn’t look like the account-map component has a module that they refer to - team-assume-role-policy. I also see a reference to an aws-saml component in the documentation and code that also doesn’t appear to be present in the repo.

Is there an ETA on when these pieces will make their way to the main branch of the repo? Thank you!

cloudposse/terraform-aws-components

Opinionated, self-contained Terraform root modules that each solve one, specific problem

RB (Ronak) (Cloud Posse)

Sounds like account-map needs to be updated

RB (Ronak) (Cloud Posse)

The aws-saml is the new name for the sso component

Jeremy G (Cloud Posse)

account-map/modules/team-assume-role-policy is the new name for account-map/modules/iam-assume-role-policy. Sorry we have not been keeping pace with upgrades to terraform-aws-components. @Erik Osterman (Cloud Posse) what can we say about timelines for that?

Erik Osterman (Cloud Posse)

These should be published already, but if not @Dan (CloudPosse) will be publishing them soon.

Sean

What are y’all doing these days for feeding data (such as outputs) between root modules?

• a) tagging resources in the source module and using data resources from the target (this works within providers, such as looking up with AWS tags)

• b) remote state

• c) terragrunt

• d) something else

Joe Niland

All of the above, including SSM param store

Mohammed Yahya

data sources

Alex Mills

A and SSM (when required by things like Serverless Framework)

Sean

Tell me more about your use of SSM.

Using a simple config store with outputs pushed to SSM?

2022-08-04

mog

does anyone have any experience setting up GuardDuty in an AWS Org? I’m a bit confused about what the difference is between aws_organizations_delegated_administrator and aws_guardduty_organization_admin_account

Hosfm

Org admin account is the master account in your AWS organisation. Typically used for managing other accounts and SSO, and in the past it has been used as the master in the master-member model for GuardDuty and Security Hub. You can delegate the GuardDuty admin to an account which is not the org master account, to something like an infosec account

2022-08-05

Adarsh Hiwrale

Hi everyone! I am trying to attach multiple load balancers to an ECS service. ecs-alb-service-task and ecs-container-definition are the modules I am using. Is it possible to attach multiple load balancers, an application LB for internal use and a Network LB for external use??

2022-08-08

Bradley Peterson

Hi! Anyone know how to work around this bug? I hit it when using cloudposse/ecs-web-app/aws, same as the reporter. https://github.com/cloudposse/terraform-aws-alb-ingress/issues/56

Describe the Bug

Despite using terraform 1.0.7, I get a “count” error:

│ Error: Invalid count argument
│ 
│   on .terraform/modules/proxy_service.alb_ingress/main.tf line 50, in resource "aws_lb_listener_rule" "unauthenticated_paths":
│   50:   count = module.this.enabled && length(var.unauthenticated_paths) > 0 && length(var.unauthenticated_hosts) == 0 ? length(var.unauthenticated_listener_arns) : 0
│ 
│ The "count" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created. To
│ work around this, use the -target argument to first apply only the resources that the count depends on.

Also, the minimum version should be updated to 0.14:

terraform-aws-alb-ingress/versions.tf

Line 2 in ab6033c

Expected Behavior

TF shouldn’t complain about “count” and fail.

Steps to Reproduce

Steps to reproduce the behavior:

I’m using alb-ingress indirectly:

module "proxy_service" {
  source  = "cloudposse/ecs-web-app/aws"
  version = "0.65.2"

  launch_type = "FARGATE"
  vpc_id      = local.vpc_id

  desired_count    = 1
  container_image  = module.proxy_ecr.repository_url
  container_cpu    = 256
  container_memory = 512
  container_port   = local.container_port

  codepipeline_enabled = false
  webhook_enabled      = false
  badge_enabled        = false
  ecs_alarms_enabled   = false
  autoscaling_enabled  = false

  aws_logs_region        = data.aws_region.current.name
  ecs_cluster_arn        = aws_ecs_cluster.proxy.arn
  ecs_cluster_name       = aws_ecs_cluster.proxy.name
  ecs_private_subnet_ids = local.public_subnets # misleading name, can be public

  alb_security_group = module.proxy_alb.security_group_id
  alb_arn_suffix     = module.proxy_alb.alb_arn_suffix

  alb_ingress_healthcheck_path                 = "/"
  alb_ingress_health_check_timeout             = 3
  alb_ingress_health_check_healthy_threshold   = 2
  alb_ingress_health_check_unhealthy_threshold = 2
  alb_ingress_health_check_interval            = 30

  # All paths are unauthenticated
  alb_ingress_unauthenticated_paths         = ["/*"]
  alb_ingress_unauthenticated_listener_arns = module.proxy_alb.listener_arns

  context = module.proxy_label.context
}

NOTE: Commenting out alb_ingress_unauthenticated_paths = ["/*"] removes the error, but then no aws_lb_listener_rule is created.

Environment (please complete the following information):

% terraform -version

Terraform v1.0.7
on darwin_amd64
+ provider registry.terraform.io/hashicorp/archive v2.2.0
+ provider registry.terraform.io/hashicorp/aws v3.60.0
+ provider registry.terraform.io/hashicorp/external v2.1.0
+ provider registry.terraform.io/hashicorp/github v3.0.0
+ provider registry.terraform.io/hashicorp/http v2.1.0
+ provider registry.terraform.io/hashicorp/local v2.1.0
+ provider registry.terraform.io/hashicorp/null v3.1.0
+ provider registry.terraform.io/hashicorp/random v3.1.0
+ provider registry.terraform.io/hashicorp/template v2.2.0

Bradley Peterson

Okay, what worked was to comment out alb_ingress_unauthenticated_paths and deploy everything else (particularly the ALB) and then uncomment that parameter and deploy again.

RB (Ronak) (Cloud Posse)

Basically a targeted apply and then a full apply

RB (Ronak) (Cloud Posse)

We see this issue come up a lot. It’s a limitation in terraform. There are some methods to get around it but they are tricky. Several functions will set it off, like length(), distinct(), sort(). I think in this case, it’s length.

Bradley Peterson

Yes, the error message tells you what to do, but it was hard for me to figure out what I needed to target in the apply.

RB (Ronak) (Cloud Posse)

Eh, I disagree. It doesn’t actually solve the root problem. The root problem is that the module cannot decipher how many arns are passed in before the dependent module is fully applied. There is a way to do it but I’m not the best at solving them.

cc: @Jeremy G (Cloud Posse) @Andriy Knysh (Cloud Posse) any ideas/guidance on how to fix the ‘The "count" value depends on resource attributes that cannot be determined until apply’ error for terraform-aws-alb-ingress?

Andriy Knysh (Cloud Posse)

this is a tough case. Sometimes count works (if it does not use the collection functions that can change the list items, like distinct()), sometimes for_each works

Andriy Knysh (Cloud Posse)

we “solved” the issue before in some of the modules by providing an explicit var e.g. arn_count and use it in count (if you know the number of ARNs, you can do it, but terraform does not know it)

Andriy Knysh (Cloud Posse)

we had the issue even in 2017-2018, and it’s not solved yet by TF b/c it’s not possible to solve for all cases even in theory

The fix:

  1. Remove dynamic counts (provide explicit counts if possible)
  2. Or remove maps from counts
  3. Or try to remove the data source (could work in some cases)
  4. apply in stages with -target (not a pretty solution)

Andriy Knysh (Cloud Posse)

what

• Document the error
module.ec2_instance.module.label.null_resource.tags_as_list_of_maps: null_resource.tags_as_list_of_maps: value of ‘count’ cannot be computed

• Document Terraform issues with counts in maps

why

Terraform (in the current incarnation) is very sensitive to these two things:

  1. Dynamic counts across modules - when you have a dynamic count (calculated by some expression with input params) in one module and then use the module from other modules
  2. It does not especially like those dynamic counts in maps and lists

Some known issues about that:
hashicorp/terraform#13980
hashicorp/terraform#10857
hashicorp/terraform#12570
hashicorp/terraform#17048

I know this issue has been discussed time and again (Ex: #12570) and that if a module has a map variable and has interpolation inside this map variable, count inside a module results in value of ‘count’ cannot be computed. What puzzles me is that this error occurs when terraforming a new environment but not any existing environment!

In our case:

Here the count depends on the map and the input var.tags
https://github.com/cloudposse/terraform-null-label/blob/master/main.tf#L23

And here var.tags depends on the map, the other inputs and on the data provider
https://github.com/cloudposse/terraform-aws-ec2-instance/blob/master/main.tf#L68

This circular dependency breaks TF.

It’s very difficult to say for sure what’s going on, because it could work in some cases and in some environments, but not in the others
(see the complaints above).

I know this is not a good explanation, but they have been discussing the issue for years and can’t explain it either.
Because nobody understands it.

The fix:

  1. Remove dynamic counts (provide explicit counts if possible)
  2. Or remove maps from counts
  3. Or try to remove the data source (could work in some cases)
  4. apply in stages with -target (not a pretty solution)

Jeremy G (Cloud Posse)

The solution is to ensure that Terraform can compute the length of the variables at plan time:

length(var.unauthenticated_paths) > 0 && length(var.unauthenticated_hosts) == 0 ? length(var.unauthenticated_listener_arns)

All 3 are lists by design, so you do not need to know the values at plan time, but you need to know how many paths and hosts and listener ARNs there are. This means you need to create the lists without applying functions like compact, distinct, or (due to a design flaw) sort on the lists.

2022-08-09

Adam Kenneweg

Hi for <https://github.com/cloudposse/terraform-aws-eks-cluster> is there a way to automatically update my kubeconfig? (like: aws eks update-kubeconfig) so I can apply kubectl manifests later?

I manually made a resource

resource "null_resource" "updatekube" {
  depends_on = [module.eks_cluster]
  provisioner "local-exec" {
    command = format("aws eks update-kubeconfig --region %s --name %s", var.region, module.eks_cluster.eks_cluster_id)
  }
}

but it breaks because eks_cluster.eks_cluster_id is delayed in its creation and the value is wrong, so it takes multiple terraform applies to work, messing up the rest of my terraform stuff
