#terraform (2022-08)
Discussions related to Terraform or Terraform Modules
Archive: https://archive.sweetops.com/terraform/
2022-08-01

Got a PR I'd love for y'all to look at https://github.com/cloudposse/terraform-aws-eks-node-group/pull/125 !
What did I do
• Add detailed monitoring flag to the launch template of EC2 nodes
Why did I do this
• Some compliance tools will flag nodes used by this module because they don’t have detailed monitoring. This also allows metrics to be reported every minute as opposed to five minute intervals
Helpful references

Please use #pr-reviews

pog ty
2022-08-03

Any chance this could get merged? It was approved 8 days ago: https://github.com/cloudposse/terraform-aws-ssm-tls-self-signed-cert/pull/14 Would be incredibly helpful.
what
• Remove key_algorithm from tls_cert_request
why
• Deprecated
references
• Closes #13 • https://registry.terraform.io/providers/hashicorp/tls/latest/docs • https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/cert_request#key_algorithm

Please use #pr-reviews

v1.3.0-alpha20220803 1.3.0 (Unreleased) NEW FEATURES:
Optional attributes for object type constraints: When declaring an input variable whose type constraint includes an object type, you can now declare individual attributes as optional, and specify a default value to use if the caller doesn’t set it. For example: variable “with_optional_attribute” { type = object({ a = string # a required attribute b = optional(string) # an optional attribute c = optional(number, 127) # an…

Hello! Our organization has been making use of your https://github.com/cloudposse/terraform-aws-components as a starting point for our infrastructure. I notice that the iam-primary-roles and iam-delegated-roles components have been replaced by the aws-teams and aws-team-roles components respectively. I was planning on moving to these new components, but it doesn't look like the account-map component has a module that they refer to, team-assume-role-policy. I also see a reference to an aws-saml component in the documentation and code that also doesn't appear to be present in the repo.
Is there an ETA on when these pieces will make their way to the main branch of the repo? Thank you!

Sounds like account-map needs to be updated

The aws-saml is the new name for the sso component

account-map/modules/team-assume-role-policy is the new name for account-map/modules/iam-assume-role-policy. Sorry we have not been keeping pace with upgrades to terraform-aws-components. @Erik Osterman (Cloud Posse) what can we say about timelines for that?

These should be published already, but if not @Dan (CloudPosse) will be publishing them soon.

What are y’all doing these days for feeding data (such as outputs) between root modules?
• a) tagging resources in the source module and using data resources from the target (this works within providers, such as looking up with AWS tags)
• b) remote state
• c) terragrunt
• d) something else

All of the above, including SSM param store

data sources

A and SSM (when required by things like Serverless Framework)

Tell me more about your use of SSM.
Using a simple config store with outputs pushed to SSM?
2022-08-04

does anyone have any experience setting up GuardDuty in an AWS Org? i'm a bit confused about what the difference is between aws_organizations_delegated_administrator and aws_guardduty_organization_admin_account

Org admin account is the master account in your AWS organisation. Typically used for managing other accounts, SSO and in the past has been used for the master in the master-member model for GuardDuty and Security Hub. You can delegate the GuardDuty admin to an account which is not the org master account, to something like an infosec account.
2022-08-05

Hi everyone! I am trying to attach multiple load balancers to an ECS service. ecs-alb-service-task and ecs-container-definition are the modules I am using. Is it possible to attach multiple load balancers, an application LB for internal use and a Network LB for external use??
2022-08-08

Hi! Anyone know how to work around this bug? I hit it when using cloudposse/ecs-web-app/aws, same as the reporter. https://github.com/cloudposse/terraform-aws-alb-ingress/issues/56
Describe the Bug
Despite using terraform 1.0.7, I get “count” error:
│ Error: Invalid count argument
│
│ on .terraform/modules/proxy_service.alb_ingress/main.tf line 50, in resource "aws_lb_listener_rule" "unauthenticated_paths":
│ 50: count = module.this.enabled && length(var.unauthenticated_paths) > 0 && length(var.unauthenticated_hosts) == 0 ? length(var.unauthenticated_listener_arns) : 0
│
│ The "count" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created. To
│ work around this, use the -target argument to first apply only the resources that the count depends on.
Also, the minimum version should also be updated to 0.14:
terraform-aws-alb-ingress/versions.tf, line 2 in ab6033c
Expected Behavior
TF shouldn’t complain about “count” and fail.
Steps to Reproduce
Steps to reproduce the behavior:
I'm using alb-ingress indirectly:
module "proxy_service" {
  source      = "cloudposse/ecs-web-app/aws"
  version     = "0.65.2"
  launch_type = "FARGATE"
  vpc_id      = local.vpc_id

  desired_count    = 1
  container_image  = module.proxy_ecr.repository_url
  container_cpu    = 256
  container_memory = 512
  container_port   = local.container_port

  codepipeline_enabled = false
  webhook_enabled      = false
  badge_enabled        = false
  ecs_alarms_enabled   = false
  autoscaling_enabled  = false

  aws_logs_region        = data.aws_region.current.name
  ecs_cluster_arn        = aws_ecs_cluster.proxy.arn
  ecs_cluster_name       = aws_ecs_cluster.proxy.name
  ecs_private_subnet_ids = local.public_subnets # misleading name, can be public

  alb_security_group                          = module.proxy_alb.security_group_id
  alb_arn_suffix                              = module.proxy_alb.alb_arn_suffix
  alb_ingress_healthcheck_path                = "/"
  alb_ingress_health_check_timeout            = 3
  alb_ingress_health_check_healthy_threshold  = 2
  alb_ingress_health_check_unhealthy_threshold = 2
  alb_ingress_health_check_interval           = 30

  # All paths are unauthenticated
  alb_ingress_unauthenticated_paths         = ["/*"]
  alb_ingress_unauthenticated_listener_arns = module.proxy_alb.listener_arns

  context = module.proxy_label.context
}
NOTE: Commenting out alb_ingress_unauthenticated_paths = ["/*"] removes the error, but then no aws_lb_listener_rule is created.
Environment (please complete the following information):
% terraform -version
Terraform v1.0.7
on darwin_amd64
+ provider registry.terraform.io/hashicorp/archive v2.2.0
+ provider registry.terraform.io/hashicorp/aws v3.60.0
+ provider registry.terraform.io/hashicorp/external v2.1.0
+ provider registry.terraform.io/hashicorp/github v3.0.0
+ provider registry.terraform.io/hashicorp/http v2.1.0
+ provider registry.terraform.io/hashicorp/local v2.1.0
+ provider registry.terraform.io/hashicorp/null v3.1.0
+ provider registry.terraform.io/hashicorp/random v3.1.0
+ provider registry.terraform.io/hashicorp/template v2.2.0

Okay, what worked was to comment out alb_ingress_unauthenticated_paths and deploy everything else (particularly the ALB), and then uncomment that parameter and deploy again.

Basically a targeted apply and then a full apply

We see this issue come up a lot. It's a limitation in Terraform. There are some methods to get around it but they are tricky. Several functions will set it off, like length(), distinct(), sort(). I think in this case, it's length().

Yes, the error message tells you what to do, but it was hard for me to figure out what I needed to target in the apply.

Eh, I disagree. It doesn’t actually solve the root problem. The root problem is that the module cannot decipher how many arns are passed in before the dependent module is fully applied. There is a way to do it but I’m not the best at solving them.
cc: @Jeremy G (Cloud Posse) @Andriy Knysh (Cloud Posse) any ideas/guidance on how to fix the error 'The "count" value depends on resource attributes that cannot be determined until apply' for terraform-aws-alb-ingress?

this is a tough case. Sometimes count works (if it does not use the collection functions that can change the list items, like distinct()), sometimes for_each works

we "solved" the issue before in some of the modules by providing an explicit var, e.g. arn_count, and using it in count (if you know the number of ARNs, you can do it, but Terraform does not know it)

we had the issue in even 2017-2018, and it's not solved yet by TF b/c it's not possible to solve for all cases even in theory
The fix:
- Remove dynamic counts (provide explicit counts if possible)
- Or remove maps from counts
- Or try to remove the data source (could work in some cases)
- Apply in stages with -target (not a pretty solution)

what
• Document the error module.ec2_instance.module.label.null_resource.tags_as_list_of_maps: null_resource.tags_as_list_of_maps: value of 'count' cannot be computed
• Document Terraform issues with counts in maps
why
Terraform (in the current incarnation) is very sensitive to these two things:
- Dynamic counts across modules - when you have a dynamic count (calculated by some expression with input params) in one module and then use the module from other modules
- It does not especially like those dynamic counts in maps and lists
Some known issues about that:
hashicorp/terraform#13980
hashicorp/terraform#10857
hashicorp/terraform#12570
hashicorp/terraform#17048
I know this issue has been discussed time and again (Ex: #12570) and that if a module has a map variable and has interpolation inside this map variable, count inside a module results in value of 'count' cannot be computed. What puzzles me is that this error occurs when terraforming a new environment but not any existing environment!
In our case:
Here the count depends on the map and the input var.tags
https://github.com/cloudposse/terraform-null-label/blob/master/main.tf#L23
And here var.tags depends on the map, the other inputs and on the data provider
https://github.com/cloudposse/terraform-aws-ec2-instance/blob/master/main.tf#L68
This circular dependency breaks TF.
It's very difficult to say for sure what's going on, because it could work in some cases and in some environments, but not in the others (see the complaints above).
I know this is not a good explanation, but they have been discussing the issue for years and can't explain it either.
Because nobody understands it.
The fix:
- Remove dynamic counts (provide explicit counts if possible)
- Or remove maps from counts
- Or try to remove the data source (could work in some cases)
- Apply in stages with -target (not a pretty solution)

The solution is to ensure that Terraform can compute the length of the variables at plan time:
length(var.unauthenticated_paths) > 0 && length(var.unauthenticated_hosts) == 0 ? length(var.unauthenticated_listener_arns)
All 3 are lists by design, so you do not need to know the values at plan time, but you need to know how many paths and hosts and listener ARNs there are. This means you need to create the lists without applying functions like compact, distinct, or (due to a design flaw) sort on the lists.
2022-08-09

Hi, for <https://github.com/cloudposse/terraform-aws-eks-cluster> is there a way to automatically update my kubeconfig (like aws eks update-kubeconfig) so I can apply kubectl manifests later?
I manually made a resource
resource "null_resource" "updatekube" {
  depends_on = [module.eks_cluster]

  provisioner "local-exec" {
    command = format("aws eks update-kubeconfig --region %s --name %s", var.region, module.eks_cluster.eks_cluster_id)
  }
}
but it breaks because eks_cluster.eks_cluster_id is delayed in its creation and the value is wrong, so it takes multiple terraform applies to work, messing up the rest of my terraform stuff