#terraform (2023-06)

I’ve got the docs pulled up for atmos’ first AWS environment, and the bootstrap process for tfstate-backend, but there are some knowledge gaps for how to bootstrap multiple accounts to a single backend.

Best place to ask is in refarch

Unfortunately, we do not provide the cold-start documentation publicly at this time. It’s part of our bootcamp, and jumpstart tracks. cloudposse.com/services

Will ask there, thanks!

I think the release notes contain a migration guide. At least we try to do that.

Can you check?

I didn’t see any release note on this repository. But maybe I am blind ^^

Hrmm… seems like it.

@Jeremy G (Cloud Posse)

To be honest, I tried a lot of different things. I cannot figure out multiple. At then end I had issues with aws provider which is used under the hood and the tag system I gave up

@Arthur Unfortunately, v1.0.0 was released accidentally. The current recommended release is v0.18.4. In v0.18.4 or v1.0.0, use additional_security_group_ids instead of security_groups.

Oh ok, nice to know ! Can’t there be a warning somewhere? Also, do you have any advice for silicon apple chip?

I cannot find a way to install tempalte_file provider unfortunately because the 0.20.0 is not surported by arm64 chip

Ok manage to do it by using

export TFENV_ARCH="amd64"

Hrmmm we distribute a arm64 version of template_file

Maybe we didn’t update the module to use our fork.

Thanks, got it work out finally

@Erik Osterman (Cloud Posse) This is one of the modules not yet updated to our current security-group module, which, BTW, needs updating itself.

@Gabriela Campana (Cloud Posse) ticket to update terraform-aws-eks-workers module’s security-group to the latest. Heads up @Arthur, not sure when we will fix it. Just creating a ticket to fix it.

@Erik Osterman (Cloud Posse) @Gabriela Campana (Cloud Posse) Ticket already in backlog (DEV-485)

Hi @Mikhail

We’ll review it

Thank you! Hope it will be fast)

Hi! I saw that previous PR was closed and opened a new one: https://github.com/cloudposse/terraform-aws-ecs-cluster/pull/15 Any info about ETA?

Hi @Mikhail

One of our engineers reviewed PR #9 on the same day and closed it because we need to update to 0.34.2 as @ragumix mentioned.

We will review PR #15

Will have an update today

Ok, thank you! btw, @ragumix - it’s me:)

@Mikhail @Dan Miller (Cloud Posse) commented on PR#15

what about

private_ip  = format("%s.%s", join(".", slice(split(".", data.aws_subnet.sending[k].cidr_block), 0, 3)), split(".", ip)[3])

or similar (the expression is complex and can prob be simplified)

that worked

ok, last question…. I also need to create a list of private ips per host that I can use later in a for_each loop (with the host being the key). I re-used the expression given earlier to convert the external IP to a private IP, but the list being generated doesn’t have a key.

  sending_ips = {
    eis1 = ["44.194.111.252", "44.194.111.254"],
    eis2 = ["44.194.111.253", "44.194.111.255"]
  }

  private_ip_list = [
    for k, v in var.sending_ips : [
      for ip in v : format("%s.%s", join(".", slice(split(".", data.aws_subnet.sending[k].cidr_block), 0, 3)), split(".", ip)[3])
    ]
  ]

the output is

debug = [
  [
    "10.0.234.252",
    "10.0.234.254",
  ],
  [
    "10.0.234.253",
    "10.0.234.255",
  ],
]

Thanks… it was close, I was getting Two different items produced the key "eis2" in this 'for' expression. If duplicates are expected, use the ellipsis (...) after the value expression to enable grouping by key. with that one, I had to flip things around a little.

This did the trick.

  private_ip_list = {
    for k, v in var.sending_ips : k => [
      for ip in v : format("%s.%s", join(".", slice(split(".", data.aws_subnet.sending[k].cidr_block), 0, 3)), split(".", ip)[3])
    ]
  }

Still trying to wrap my head around for loops with terraform, but these examples help a lot for future reference.

glad you found the correct way to do it

Yep. Thanks a lot for the help, it’s a bit clearer to me how these loops work seeing a few working examples.

@Max Lobur (Cloud Posse) maybe you can help

For the tf-cloud - are you configuring the helm provider yourself there? or settings are preset ? Are you also setting helm/k8s versions yourself for cloud?

There might be some cache in a cloud that holds a different version for you

you can use the EB SG ID to add to your SG rules (https://github.com/cloudposse/terraform-aws-elastic-beanstalk-environment/blob/main/examples/complete/outputs.tf#L36)

or the other way around, you can add your SG to the EB SG rules https://github.com/cloudposse/terraform-aws-elastic-beanstalk-environment/blob/main/examples/complete/main.tf#L75

you can fork the module yourself as a temporary workaround

try #terraform-aws-modules for this feedback

Thanks Alex

if you or original author fix the conflicts , I can review

Thats done! thanks! i reached out to him

@jose.amengual I’ve got the original author to fix the conflicts

now we need to update the examples/complete with the new versions of the vpc module

Doesn’t the fix actually match the examples and documentation now? Sorry, I might have missed something there.

terratest runs the example/complete folder

Ahh ok

which instantiates the module, the need to be updated

@Samuel Crudge we will review PR #229

Thank you

Hi @Samuel Crudge Igor requested changes 2 weeks ago on PR #229

Okay thanks, i’ll take a look

Can’t write to repo, i’m not Dawid. can i be added as a contributor?

or you can clone the repo and create your own PR, just make sure you mention this PR

Okay sounds good

Finally did it. My first OS contrib too - hope i did it right

Thanks for everyone’s help on this

trim removes the specified set of characters from the start and end of the given string.

https://developer.hashicorp.com/terraform/language/functions/trim

…………………… ok. tyvm. BASH > Terraform

echo "foo-bar" | tr -d -
foobar

I do see it actually says start and end now. I lazy-eye skimmed right past it. And I know I’ve looked at this in the past.

many languages handle “trim” in different ways i think. can’t take the behavior for granted

That’s fair.

FYI, the Unix tr command is short for translate, not trim

It is a shame for HashiCorp

The company onboarded some incompetent HR/managers during pandemic…

just checked the codes, warm pool is not supported yet

• And warm pool got a limit for EKS: If you try using a warm pool with an Amazon Elastic Kubernetes Service (Amazon EKS) managed node group, instances that are still initializing might register with your Amazon EKS cluster. As a result, the cluster might schedule jobs on an instance as it is preparing to be stopped or hibernated.

yes by default Terraform also sets instance refresh strategy to rolling updates https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group#strategy

Thanks @Dan Miller (Cloud Posse) , would the TF property min_healthy_percentage achieve the equivalent behaviour of CFN property MaxBatchSize to have instances replaced in parallel ? Ta

no I believe that would be max_size https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group#max_size

The max_size is a property directly on the ASG , it seems achieving the same behaviour through TF would require 2 terraform runs, one to introduce the new batch through a higher max_size once deployed reducing the instance group size. In attempt to mimic CFN Update Policy , out of the box behaviour.

DynamoDB state locking would be costing you cents per month

No s3 feature allows it to provide a sufficient lock guarantee

If you are referring to Terraform state locking, the is no S3 lock feature; you need DynamoDB to provide locks. DynamoDB in pay-per-request mode should cost much less than $5/month and is worth much more than that.

my understanding is that it depends on the provider, and whether they define that argument as a block, or use the special mode that page is talking about, attr-as-block, where the argument is then an attribute…

ugggghhh that would make sense, thanks. I really can’t be bothered to open another issue on the aws provider github so I’ll just make a whole bunch of non-future-proofed boilerplate, as terraform is great at forcing you to write

In the 0.12 days, they were pushing to move more to the block definition of things. But since then, I think they’ve gotten more feedback and pushback that users/providers/developers really like the flexibility of assignment that you get with the attribute syntax. So I think maybe the guidance is shifting again

When it is defined as a block, you can kinda get there using dynamic blocks, and then your module input can be a list or map of things, and the caller can use any arbitrary expression to build up that object

I really hope so. I ranted into the void many times that blocks were a really bad idea to force developers to use. They look great if you’re hardcoding your values, but in the case of wanting to allow any kind of dynamicism you end up with horrific dynamic workarounds.

Can you even generate arbitrary attributes in a block? Like, does this work?

locals {
    settings = {
        metrics_enabled = true
        logging_level = "info"
    }
}

settings {
    for key, value in local.settings : key => value
}

or do I have to manually write support for every potential attribute that can be in the block?

locals {
    settings = {
        metrics_enabled = true
        logging_level = "info"
    }
}

settings {
    metrics_enabled = local.settings.metrics_enabled
    logging_level = local.settings.logging_level
}

dynamic only makes things easier for the caller of the module, not the developer

Sadly I’ve been using it daily since 0.10 and have dozens of modules with horrible hacks to get around blocks. I’m rather hoping I have the opportunity to work with one of the more programmatic IaC solutions in the future…

yeah. The existence of both maps and blocks is a weird HCL wart. I wish they would stop leaning into blocks

Yes, it’s an “AWS Wart”

AWS requires this to be exactly Name for it to appear properly in the Web UI, which is why the behavior.

I forget if we have a workaround.

@Jeremy G (Cloud Posse)

@Nat Williams @Erik Osterman (Cloud Posse) Sorry, we do not have a workaround or fix for this. In v2 we probably should not have a “name” input, and the “Name” tag would be thoroughly special case.

The fix for this is not that difficult, but since we use it almost literally everywhere, the ripple effect of even a small change is huge. The primary use case for label_key_case is for people using null-label outside of AWS. As such, I do not think it is worth the effort to change it right now. If you want to take the time to open an issue on the topic, that will help ensure the change makes it into the next release (which may not be until next year).

@Jeremy G (Cloud Posse) Is the release schedule for null-label such that even if I put up a PR that everyone loved, it might not get released until next year?

That is ultimately up to @Erik Osterman (Cloud Posse), but I would say “yes”. Updating null-label is just too disruptive, and none of our current or past paying customers have complained about this.

Also, because null-label is so central to our framework and so complicated, we generally do not accept PR s for it anyway. The best contribution you can make is to open an issue with a good example.

OK, good to know. I was on the fence about trying to make this work or just accepting the disgusting idea of title-cased tags.

Out of curiosity are you using AWS or on another cloud?

/* our big picture plan is to overhaul null-label and eliminate any opinionated label parameters or things like this so it's entirely generalized */

I’m using AWS

Hrm… and so I understand your use-case, you do not care for pretty/meaningful resource names in AWS Web Console?

(personally, I love kubernetes style labels, so get the desire to force tags to a given convention; just in this case I also prefer AWS to have meaningful resource names in the UI, or it’s something AWS generates)

I mean, I would say I do care for pretty tag names, in that I want them to all be lower case. But I acknowledge the reality that Name is a special case.

oh, sorry, I misread that

no, I want the good resource names, which, yeah, means setting Name

but otherwise, I like lowercase. Pretty minor stuff all told, I know

it might not be supported. Why do you want this option?

Don’t know about terraform documentdb by cloudposse but I think AWS disabled the option for non_encryption on almost all of the services. You need to use some kms (aws or cmk)

If supported, we would accept a PR to feature-flag it. Post in #pr-reviews

probably should be subscriber['key']?

The error appears from a cloudposse module https://github.com/cloudposse/terraform-aws-config

yeah, the variable passed in should be subscriber['key'] not subscriber

Sorry, I don’t understand. I’m not passing a variable in called subscriber. I have subscribers as an input.

oh can you pass in the variable subscribers directly?

or can try:

Yeah it’s an input variable https://github.com/cloudposse/terraform-aws-config#input_subscribers

I didn’t write the code on the left, it’s a cloudposse module

oh yeah hmm what is the module version being used?

0.18.0

ok, latest one

Looks like an old bug https://github.com/cloudposse/terraform-aws-config/pull/44

Shame this fix wasn’t ever merged

oh yeah, I found the same link lol

Left a comment

oh you can try with the updates from the PR and give it a test

under .terraform folder

@matt @Zinovii Dmytriv (Cloud Posse)

see https://sweetops.slack.com/archives/CB6GHNLG0/p1686844625135499?thread_ts=1686842117.404529&cid=CB6GHNLG0

Thanks for the quick feedback

Anything I can to move the needle on this @Erik Osterman (Cloud Posse)? Will happily take a maintainer role.

@Linda Pham (Cloud Posse) @Gabriela Campana (Cloud Posse)

@Hao Wang @James A fix just got pushed. It was based on that PR ^. Please use latest tag.

Note that as part of this update we also bumped aws provider to v5. Let us know if that conflicts with your current aws provider so we can roll out similar fix that as well.

Great, thanks a lot

Thanks @Zinovii Dmytriv (Cloud Posse)! V5 works great.

left a comment

one ci test failed, but you should just need to run this locally:

  make init
  make readme

I’ve edited the README file directly

Also edited the docs/terraform.md file

great! waiting for tests to pass and then we should be good

would you mind fixing this typo too? it’s not part of your changes, but this is causing the tests to fail https://github.com/cloudposse/terraform-aws-firewall-manager/blob/main/examples/complete/main.tf#L22

should be shield_advanced_policies

Just did

pushed another PR to fix this. I’ll get these tests fix and merged into main shortly https://github.com/cloudposse/terraform-aws-firewall-manager/pull/29

Ok, thanks @Dan Miller (Cloud Posse)

it’s merged now. please merge main into your branch

Done

Whats the up to date module version ? (was 0.3.0 if Im not mistake)

fixed now

it’s 0.4.0

@Dan Miller (Cloud Posse) I need to open another PR with the same thing but now for WAFv2. Will do it later today and ping you.

Sounds good. This time should be much easier now that the module is updated

We are not working on it yet. We are kind of surprised no customer has asked for it. A customer has done the work, but has not upstreamed it yet

Hi @Gabriela Campana (Cloud Posse), We are planing to deploy new AWS Elasticsearch using terraform-aws-elasticsearch. Would you be so kind to share your experience on how customers upgrade to OpenSearch ? As you said above there is no direct way to deploy OpenSearch using that module.

Hi @Sergei

Maybe @Steven Hopkins can share his experience

I only modified the module to install opensearch. Our use-case doesn’t require the data to be persistent as our apps build the data on startup so I cannot comment on migrating data, if that’s the main guidance you are looking for.

Hey @Steven Hopkins, concerning the PR to add opensearch to the Cloud Posse module for ElasticSearch : Do you mind if I go ahead and work on fixing up the tests for this and move it from draft to Ready? We have a customer who finished getting this working and believe we can finalize the change

That would be awesome, if it’s still relevant and useful, absolutely work it

Check if this bucket has any bucket policy and maybe you need to place some control there.

theres this bucket policy, but it doesnt tell much…

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RootAccess",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::1234567890:root"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::terraform-state-1234567890",
                "arn:aws:s3:::terraform-state-1234567890/*"
            ]
        }
    ]
}

nothing in lamba, ecs schedule, or eventbridge rule

Were the logs rewritten to the same S3 bucket? May be checking log settings of this s3 bucket

something is writing to this bucket… and all the settings for this bucket are default or empty

This S3 bucket may be used by cloudwatch somewhere else?

as a log bucket

i dont see it… is there some sort of terraform magic thats constantly checking state files and dumping into a bucket? seems like thats what it’s doing…

Yeah, looks/sounds like access logs, maybe from another s3 bucket?

may search the bucket name in your repo?

no luck, i’ll probably have to dig into the state file and see whats actually getting brewed…

Have you opened any of those objects?

yes, but got denied since the kms used to encrypt the objects is nowhere to be found… im very tempted to just nuke the entire account and forget about this…

then you’ll lose the fun of finding the cause lol

Great to know this feature is implemented, before I had to use a null resource to run a shell command to see if a service is up

Is my answer going to become content for a blog post you are writing? That’s what it feels like

EDIT: I see you work with @ Matt Gowie. Not a blow-in

Yes, we have started using check resources.

So far, I’m using them to check that combinations of input variables are valid. For example, if var.eb_environment_type == "single-instance", ensure that var.eb_asg_max is null.

(Actually, I’m making up this example, our real uses are harder to explain.)

We previously implemented this with a precondition on the aws_elasticbeanstalk_environment resource. preconditions have advantages they stop execution, but it can be confusing to check variable validity on a resource. Especially if the variable gets used in many places. For example we also use var.eb_asg_max in some aws_cloudwatch_alarm resources. Which resource should we put the precondition on?

One problem is that checks don’t stop execution. In our cases that’s generally fine – the check is replicating a validation check in the AWS API that Terraform’s provider doesn’t include, so the check block acts as a time-saver rather than guardrail.

@Hao Wang yeah, that totally makes sense. Thanks!

@Alex Jurkiewicz haha, you’re right! I’m looking for some good examples where the check feature could bring infrastructure validation to the next level or solve a painful issue. I see how it helped you here, thanks for the detailed answer!

Are you testing your Terraform configuration with other tools, i.e. Terratest? If so - do you see check as a potentianl substitution for it?

We test modules, but not our root configurations. We do use tflint and otherwise rely on terraform plan

I remember you posting about this earlier:
One problem is that checks don’t stop execution. Why do you think it’s implemented this way?

https://sweetops.slack.com/archives/CB6GHNLG0/p1683331656466299?thread_ts=1683300812.026969&cid=CB6GHNLG0

I asked Martin “Terraform dev” Atkins in another Slack. Let me pull up his reply

My understanding is that some folks reported that they don’t want to use preconditions and postconditions for certain situations because they just want to know that the thing is failed but not be blocked from making changes unrelated to the thing that failed.
If you do want it to fail then preconditions and postconditions are still there for you.
—
The sort of use-cases I heard about were things like TLS certificate expiration where something unavoidably “changes outside of Terraform” (in this case, the current time is what’s changed, which of course Terraform cannot control!) and for some teams it’s desirable to not be blocked by a surprising failure if they were intending to apply something unrelated to it.
(Certificate expiration is probably not the best example but it was the one that came to my mind first)

Checks don’t run at any particular defined time in Terraform’s execution. They are treated as just another block for scheduling according to the dependency graph.

So if they did halt execution, they would halt it at indeterminate times during execution. Hence, they are only used as warnings.

According to the docs Terraform should evaluate assertions as the last step of the operation:
assert blocks, which execute at the end of the plan and apply stages and produce warnings to notify you of problems within your infrastructure. So the checks serve more like recommendatory tool - that was my understanding. @Alex Jurkiewicz have you noticed another behaviour in terms of execution?

Thanks for the info! I haven’t read the official docs page yet That link doesn’t work though. I haven’t tested this myself, I was paraphrasing another comment from Martin:
Raising an error isn’t super useful if you can’t control what gets guarded by the error. Preconditions and postconditions can do this because they have a well-defined position in the sequence of operations – either before or after the action for a particular object – so you can make sure the error gets raised before taking whatever harmful action you were trying to prevent.

These new check blocks cannot “guard” anything so it would be questionable for them to raise an error because the bad thing would already have happened anyway and so it wouldn’t be any different than a warning.

Sorry - fixed the link

That all makes sense - thanks a lot for sharing!

good correction, thanks too!

maybe something for #office-hours

interesting argument, I agree with it overall. Terraform is mature technology in cloud native orgs, CDKs have no adoption, and developers in general are learning AWS but not Terraform.

I don’t see a world where public clouds invest in their IaC story. What customer does it bring? Newbies don’t care about IaC and advanced users don’t migrate workloads between clouds.

I also don’t see a world where Terraform is replaced. IMO, terraform’s moat is the AWS provider. AWS have shown no interest in the “cloud control API” to get rid of this moat. Terraform will live as long as the public clouds do

The vision of a transactional AWS Console is enticing. I would love that.

I’ve often thought about giving devs full access to manage resources in a dev environment, with an IAM condition to ensure new resources have a service tag defined. You can then periodically run terraformer to generate per-service IaC definitions for production

Whether or not one thinks Hashicorp’s HCL is good at expressing infrastructure, it is in the least, a very limited language, which makes it hard to write convoluted code agree to disagree… imo HCL is the most convoluted way to repeat yourself without external libs to help you out…

https://deezer.io/terragrunt-dont-repeat-your-terraform-variables-358-times-b6cdb4e09e9f

Terragrunt introduces yet another tool just to help manage the dependency graph of multi module terraform projects. I don’t like it though, I would use makefile or atoms to manage such projects.

Repetition is the opposite of convolution terragrunt adds complexity

After reading this article, it made me think of cloudformation templates that are publicly facing which can be pasted via clickops into aws cloudformation console. You can then enter any parameters you want, hit the deploy button, and the infrastructure is spun up.

I don’t know how I feel about ClickOps, but the first half of the article seems dead on the money.

I worked with CDKTF which is admittedly still alpha, the solutions we produced “worked”, but were basically impossible to read and understand. Partly because our code wasn’t amazing, but mainly because the code abstracts away the logic too much.

Terraform is great because HCL is really easy to read.

I’ve recently started using Terraspace and it’s honestly fantastic. You write regular HCL and then add in some Ruby glue. I’ve used to it create an AWS Organisation with member accounts, something that is incredibly difficult to do elegantly with vanilla HCL.

you can test it with null_resources. But the answer is Terraform won’t modify the resources

Tested with null_resource and there is no change if switching the sequence:

In the example you’ve shared it won’t do anything

Thanks sorry for stupid question, could’ve tested it myself

I think you were probably confusing for_each with count. for_each in this example is safe, but count is based on numeric indexes and could cause unintended changing in the infrastructure especially if the list size changes.

remember there is a project someone mentioned in office hour, but found this one, https://github.com/cycloidio/inframap

oh yeah, this is the one lol

I tried this, but it didn’t work well for modules - I ran into this issue where it would generate empty graphs. oh well

What command did you use?

I came across this the other day. https://github.com/asannou/tfmermaid-action

Haven’t tried it yet, but want to.

Since GitHub supports Mermaid natively in markdown, this seems the most promising to me.

while researching i bumped into https://github.com/renovatebot/renovate/discussions/22779 which suggest 2nd bullet point won’t work with hosted app, devils in details

You can’t upgrade child of child modules with renovate. You need to use renovate on the repo containing child module instead

  "hostRules": [ 
     { 
       "matchHost": "spacelift.io", 
       "encrypted": { 
         "token": "xxx" 
       } 
     }

This works for us

Note that you can use an encrypted blob for the password in renovate.json

i see, thank you Alex

Hi @Alex Jurkiewicz I stumbled upon this and cant seem to get spacelift working with renovate. Is this still working for you?

Yes 0

Check the renovate debug logs perhaps

You could try asking Spacelift to figure it out and add a page to their docs

I think renovate was just being weird – i got it working now. Also I think the API key must have Admin not just Reader

If I remove instance-state-name it works but finds a terminated instance.

seems you will need to bring up an instance somewhere else

Well the instance is indeed running. And yet it fails to find it. All tags are correct. Strange!

Can you confirm it works with filtering with aws cli

On the same tags

i don’t think the tacos necessarily block local execution… ought to be able to do both, gated basically only by permissions the user has to the providers and the backends

Very true, that’s not necessary - but it is one of our goals. We want to avoid provisioning advanced AWS privileges to every developer - let the tacos tool have those privileges instead, and gate merges behind peer or admin review.

ok? then you know how to get to both… lol. so, what’s the real question?

Yeah, you’re right. I’ll clarify. I guess I have three questions:

1. Have others run into situations where debugging terraform code via git PRs is inefficient/unusable?
2. If my devops team, for example, have the ability to run terraform by hand, will our workload increase as we find lots of cases where it’s needed?
3. If we allow this for some users, will we run into problems keeping the git workflows working? How careful do we need to be about who has this access, and when/how it is used?

i personally think it is prudent to restrict permissions to prod environments, but like to have one or more dev/test environments where i can exercise my terraform configs/updates/upgrade manually. especially when it comes to changes that require moved or import blocks

these days, terraform does a pretty decent job of telling me what i screwed up in the plan (way better than in the past). of course, i still have to read and interpret the messages correctly (true regardless whether it’s local or PR output). but i do find that devops teams still tend to open a PR and then disappear, and leave it to a reviewer to tell them something failed. it’s a little more in their face when it fails locally

i’m not sure there are great solutions for such things, other than trying to build the team culture over time, and guiding/correcting folks towards the desired workflow

when terraform’s messaging is not sufficient to debug, yes, it is quite valuable to be able to escalate permissions to get access for local execution

have you looked into tooling/workflows for temporarily elevating permissions?

• https://aws.amazon.com/blogs/security/temporary-elevated-access-management-with-iam-identity-center/

• https://www.commonfate.io/blog/granted-approvals-release

Oh, here’s the doc page on temporary elevated access. I knew I had seen this recently…

• https://docs.aws.amazon.com/singlesignon/latest/userguide/temporary-elevated-access.html

Thanks @loren! Yeah, we have been considering temporary elevation. It’s on the project list to tackle someday. I hadn’t considered it specifically in the scope of this project. I’ll have to think on that.

Thanks for your insight!

Curious if anyone else has a different perspective, or different experiences working with TACOS.

seems we got the similar feelings when using Terraform or opensource projects, troubleshooting takes most of time

Have others run into situations where debugging terraform code via git PRs is inefficient/unusable? Speaking as an atlantis user, I don’t really hit this.. If I’m developing a module, I point my module definition to the local path on disk, terraform plan my through the development, and then when I’m ready for code review I’ll update the source = ".." bit to the git ref, get a coworkers review, and then promote up.
If my devops team, for example, have the ability to run terraform by hand, will our workload increase as we find lots of cases where it’s needed? We have a sandbox AWS account that we give power-users the ability to run terraform plan/apply locally. We do a “per-env-per-app” state, so when they are running terraform against their sandbox app, the blast radius is small. To get anything out of the sandbox account it has to be tagged/reviewed/applied via atlantis.

Also, if your terraform plan fails and it posts it to the PR, that now means you can share the PR around with a full error log and the context in which that error was produced, so it’s easier to help or get help from other folks

We use Spacelift.
Is troubleshooting complex changes via PR comments painful Spacelift doesn’t post plans as comments (by default), there’s a pretty UI which shows the plan. It’s no harder to troubleshoot in this environment than normal.

One thing which changes is your iteration times goes up. It’s slower to push and wait for TACOS to notice/init/plan than to simply re-run plan locally. I don’t really notice this as painful. But sometimes we do run plan locally as I’ll describe below.
Do you allow any “power users” to run terraform manually when needed Yes, absolutely. For two reasons:

1. We want to be able to run Terraform if our TACOS breaks, and to be able to eject from our TACOS if needed
2. Some things we run on the stack aren’t plans. They might be imports or other statefile manipulation, or they might be diagnostic (terraform state show ...) More broadly, I don’t see TACOS as being a useful security gate. If you can write Terraform code, you can do anything because TF will happily run arbitrary logic provided to it during planning. If people can submit PRs, they can do anything they wanted.

I do see TACOS as a useful governance/policy gate. It’s nice to give developers access to see the TF runs for their infra, and to submit PRs changing eg RDS instance class. But for the ops/SRE/whatever team, I don’t think it’s useful to try to enforce TACOS as “the only way to run Terraform”. You can only make it much more convenient so they do so 99% of the time.

I’ve spent a lot of time over the past 4-5 months importing legacy infra into Terraform, and dealing with the tweak-plan-revise-repeat cycle you describe. I’ve never really found that the 30secs added to iteration time by TACOS is significant. Terraform is so slow in the first place. It’s not like running make test and waiting 5 seconds. It’s more like 2 vs 2.5mins – I’ve context switched anyway.

@Andy Wortman I’d also encourage you to check out Terrateam https://terrateam.io if you like the Atlantis-style workflow. We can also do custom features if that’s a thing you want.

Wow! very cool project @loren https://github.com/common-fate/common-fate

Their granted-cli is a great project also. And they have a responsive slack channel for questions

here’s my example code:

module "firewall_manager" {
  source  = "cloudposse/firewall-manager/aws"
  version = "0.4.0"

  providers = {
    aws.admin = aws.admin
    aws       = aws
  }
  security_groups_usage_audit_policies = []

  waf_v2_policies = [
    {
      name               = "linux-policy"
      resource_type_list = ["AWS::ElasticLoadBalancingV2::LoadBalancer", "AWS::ApiGateway::Stage"]
      include_account_ids = {
        accounts = ["1234567890", "2345678901"]
      }

      policy_data = {
        default_action                        = "allow"
        override_customer_web_acl_association = false
        pre_process_rule_groups = [
          {
            "managedRuleGroupIdentifier" : {
              "vendorName" : "AWS",
              "managedRuleGroupName" : "AWSManagedRulesLinuxRuleSet",
              "version" : null
            },
            "overrideAction" : { "type" : "NONE" },
            "ruleGroupArn" : null,
            "excludeRules" : [],
            "ruleGroupType" : "ManagedRuleGroup"
          }
        ]
      }
    },
    {
      name               = "cloudfront-policy"
      resource_type_list = ["AWS::CloudFront::Distribution"]
      include_account_ids = {
        accounts = ["1234567890", "2345678901"]
      }

      policy_data = {
        default_action                        = "allow"
        override_customer_web_acl_association = false
        pre_process_rule_groups = [
          {
            "managedRuleGroupIdentifier" : {
              "vendorName" : "AWS",
              "managedRuleGroupName" : "AWSManagedRulesLinuxRuleSet",
              "version" : null
            },
            "overrideAction" : { "type" : "NONE" },
            "ruleGroupArn" : null,
            "excludeRules" : [],
            "ruleGroupType" : "ManagedRuleGroup"
          }
        ]
      }
    }
  ]
}

This error is because of the use of resource_type_list with a list of 1. the API seems to support both, but the module doesn’t.

╷
│ Error: Invalid value for input variable
│ 
│   on main.tf line 69, in module "firewall_manager":
│   69:   waf_v2_policies = local.waf_v2_policies
│ 
│ The given value is not suitable for
│ module.firewall_manager.var.waf_v2_policies declared at
│ .terraform/modules/firewall_manager/variables.tf:204,1-27: all list
│ elements must have the same type.
╵

here’s my modified code (swapping out resource_type_list for resource_type

module "firewall_manager" {
  source  = "cloudposse/firewall-manager/aws"
  version = "0.4.0"

  providers = {
    aws.admin = aws.admin
    aws       = aws
  }
  security_groups_usage_audit_policies = []

  waf_v2_policies = [
    {
      name          = "linux-policy"
      resource_type = "AWS::ElasticLoadBalancingV2::LoadBalancer"

      include_account_ids = {
        accounts = ["1234567890", "2345678901"]
      }

      policy_data = {
        default_action                        = "allow"
        override_customer_web_acl_association = false
        pre_process_rule_groups = [
          {
            "managedRuleGroupIdentifier" : {
              "vendorName" : "AWS",
              "managedRuleGroupName" : "AWSManagedRulesLinuxRuleSet",
              "version" : null
            },
            "overrideAction" : { "type" : "NONE" },
            "ruleGroupArn" : null,
            "excludeRules" : [],
            "ruleGroupType" : "ManagedRuleGroup"
          }
        ]
      }
    },
    {
      name          = "cloudfront-policy"
      resource_type = "AWS::CloudFront::Distribution"

      include_account_ids = {
        accounts = ["1234567890", "2345678901"]
      }

      policy_data = {
        default_action                        = "allow"
        override_customer_web_acl_association = false
        pre_process_rule_groups = [
          {
            "managedRuleGroupIdentifier" : {
              "vendorName" : "AWS",
              "managedRuleGroupName" : "AWSManagedRulesLinuxRuleSet",
              "version" : null
            },
            "overrideAction" : { "type" : "NONE" },
            "ruleGroupArn" : null,
            "excludeRules" : [],
            "ruleGroupType" : "ManagedRuleGroup"
          }
        ]
      }
    }
  ]
}

and here’s the second error:

╷
│ Error: creating FMS Policy: InvalidInputException: Resource ["AWS::CloudFront::Distribution"] can not be used in region: us-east-2.
│ 
│   with module.firewall_manager.aws_fms_policy.waf_v2["cloudfront-policy"],
│   on .terraform/modules/firewall_manager/waf_v2.tf line 11, in resource "aws_fms_policy" "waf_v2":
│   11: resource "aws_fms_policy" "waf_v2" {
│ 
╵

it seems like this is because the WAF resources need to be created in us-east-1 because that’s where CloudFront is managed from, but I don’t know how to do that since you can only have one waf_v2_policies config block and there doesn’t seem to be a way to set the region in that config block

I think you maybe need to instantiate the module twice

once with a provider for us-east-1 , then do your regions

cool - I will give that a try and report back

quick follow-up here - I was able to get it working using a second provider against us-east-1. thanks for your suggestion @jose.amengual!

awesome , glad to hear

did you have to instantiate twice the module or just one?

apologies for the delay - twice did the trick, with mostly the same options in my case.

yes, it’s lambda, but packaged in neat terraform module

you have atmos.yaml in the wrong place

please see https://atmos.tools/quick-start/configure-cli

and https://github.com/cloudposse/atmos/tree/master/examples/complete

@Andriy Knysh (Cloud Posse) Thank you. I created atmos.yaml on my mac /usr/local/etc/atmos/atmos.yaml removed the file from above location. I am hitting now above error.

@Radhika you can DM me your code, I’ll review it (it would be much faster to find any issues)

Thank you. Sent you DM.

github is down

https://downdetector.com/status/github/

Uffs.

Thanks

https://www.githubstatus.com/

Github is notorious for taking forever to update their status page

What are the input variable values?

vpc_id = "vpc-0c429383ahdheb"

subnets = ["subnet-0129838abdvvh", "subnet-0e2dsb7dsdv97", "subnet-073bs7dvcsjk"]

allowed_security_groups = ["sg-02aadbbbahh", "sg-0000aaa0sss"]

availability_zones = ["us-east-1a", "us-east-1b", "us-east-1c"]

instance_type = "cache.t3.medium"

cluster_size = 2

family = "redis6.x"

engine_version = "6.x"

maintenance_window = "wed:03:00-wed:04:00"

zone_id = "ZZZZZZZZZZ"

cluster_mode_enabled = false

apply_immediately = true

automatic_failover_enabled = true

at_rest_encryption_enabled = true

transit_encryption_enabled = true

cloudwatch_metric_alarms_enabled = false

@Hao Wang

@Andriy Knysh (Cloud Posse) can you look at this ?

seems both rules and rules_map are not defined

^^ in sg module

in redis module, additional_security_group_rules is also be used, can we try give it a value?

or use aws provider version 4, instead of version 5?

did you try the example https://github.com/cloudposse/terraform-aws-elasticache-redis/tree/main/examples/complete ?

(it’s automatically provisioned on AWS on each PR)

@Ashish Singh did you try the example? If you did, did it produce the same error?