#terraform (2024-03)
Discussions related to Terraform or Terraform Modules
Archive: https://archive.sweetops.com/terraform/
2024-03-01
Trying to get a bit more awareness in the Terraform community that state files need to be well secured. If anyone is interested, I’m happy to share some research I published going from state file edit access to code execution in a pipeline.
Is this with native terraform or does the research also mention opentofu?
I read recently opentofu encrypts the state so secrets can be used there somewhat safer than terraform
Here’s the opentofu RFC on client-side state encryption, https://github.com/opentofu/opentofu/issues/874
One of the tofu maintainers reached out so I assume it works similarly.
Question. In atmos.yaml we are using “auto_generate_backend_file: true” and seeing in S3 atmos creating a folder for component then a sub-folder for stack, which it them places the terraform.tf into. When we run the same layout of components/stacks/config against GCP GCS we are seeing only a state file be created, no folders, example core-usc1-auto.tfstate which it is renaming the terraform.tf to which is the name of the stage. Has anyone seen this behaviour or can advise? Thanks
did you correctly configure GCP backend in Atmos manifests? something like this:
terraform:
# Backend
backend_type: gcs
backend:
gcs:
bucket: "xxxxxxx-bucket-tfstate"
prefix: "terraform/tfstate"
(also, just a heads up, atmos is best for these questions)
Anyone with some insight into the Cloudposse AWS modules or routing in S2S VPN Connections in general I posted a question here https://sweetops.slack.com/archives/CDYGZCLDQ/p1709301177485109
Anyone with a good example of how to structure ECS resources in Terraform.
Looking to soon build an AWS ECS Fargate Cluster, numerous services (some utilizing CloudMap) and numerous tasks.
How do I organise the task definitions in the code and make use of templating as much as possible?
My idea was to use the following resource types, but I’m in doubt of the structure and what makes the most sense
data template_file reference .tpl file in another folder
aws_ecs_task_definition -> container_definitions = data.template_file.shop.rendered
aws_ecs_service -> task_definition = aws_ecs_task_definition.shop.arn
aws_appautoscaling_target
aws_appautoscaling_policy
For the external facing containers I guess I’d also need a lot of ALB resources, I was hoping a module could help me here…
Was initially looking towards this module: https://github.com/terraform-aws-modules/terraform-aws-ecs/blob/master/examples/fargate/main.tf
Any other recommendations or perhaps a repo I can peek at or a blogpost or something similar?
These root level components might help
https://github.com/cloudposse/terraform-aws-components/tree/main/modules/ecs
https://github.com/cloudposse/terraform-aws-components/tree/main/modules/ecs-service
If you use atmos, you can reuse the code per region-account using yaml inputs
2024-03-02
2024-03-03
Hello everyone,
I’ve encountered an issue with my Terraform configuration for managing an Amazon RDS database. Here’s the situation:
I initially created an RDS instance from a snapshot using Terraform. Now, I need to update the instance size (e.g., change from db.t2.micro to db.t3.medium). However, when I rerun my Terraform script, it destroys the existing RDS instance and creates a new DB.
Is there a way to avoid this behavior? Ideally, I’d like to modify the existing RDS instance without causing unnecessary downtime or data loss.
Any suggestions or best practices would be greatly appreciated!
You can use the nested block lifecycle
, first of all do a terraform plan look for the changes making Terraform think that the RDS resource needs to be replaced and ignore them using the lifecycle nested block
lifecycle {
ignore_changes = [
# Ignore changes to tags, e.g. because a management agent
# updates these based on some ruleset managed elsewhere.
tags,
]
}
Adding deletion_protection = true is always a good practice to prevent the resource destruction
Thanks @HAMZA AZIZ
2024-03-04
Question. Using Atmos, have a single stack, that has a few network components that deployed fine, added a new GCE component, in same stack file, using same imports uses same GCS backend file for terraform.state, and we have atmos.yaml setup for auto state creation and management, seeing weird behaviour where it keeps wanting to destroy all the other components created. This is a standalone component that is no hard dependencies in config of terraform, we do ref the VPC network name and subnet for the GCE by name but not using module.X.selflink etc from the other component. Any ideas as I have spent hours on this. Thanks
can you clarify this :
VPC network name and subnet for the GCE by name
as in data lookup after passing name or ID?
No just hardcoded in stack vars: like “vpc-01” and “subnet-01”
ok
and you say you created like a network component, deployed to the stack and then you added a new component and somehow when planning wants to delete the other components?
Yes. Deployed a few components VPC, Subnet, NAT GW, Router, all fine. Then add to same stack.yaml file a GCE Bastion and wants to destroy all the other components.
Confirmed in describe component it is using the right backend file and workspace name.
that makes no sense unless you used the same name
same name for?
you can’t have the same name for a component in yaml
# (because google_compute_subnetwork.subnetwork is not in configuration)
Diff different names
just says its not in configuration why it wants to destroy it
components:
terraform:
example:
vars:
enabled: true
example:
vars:
enabled: false
that will set example.enabled = false
So I am not using context or component.tf in the component, so not used this enabled: true, could that be an issue?
no that is just an example
are you using terraform state data.source?
no
can you show some of your stack.yaml?
Sure. Where you see XX is just added there to project sensitive of company I work for.
components:
terraform:
vpc:
metadata:
component: vpc
inherits:
- vpc/defaults
vars:
enabled: true
label_key_case: lower
project_id: auto-v1u
region: us-central1
shared_vpc_host: false
subnets:
- subnet_name: subnet-01
subnet_ip: 10.150.2.0/24
subnet_region: us-central1
subnet_private_access: true
subnet_flow_logs: true
subnet_flow_logs_interval: INTERVAL_5_SEC
subnet_flow_logs_sampling: 0.5
subnet_flow_logs_metadata: INCLUDE_ALL_METADATA
secondary_ranges:
XX-glb-vpc-auto:
- ip_cidr_range: "10.158.128.0/17"
range_name: "us-central1-gke-01-pods"
- ip_cidr_range: "10.160.208.0/20"
range_name: "us-central1-gke-01-services"
cloud_nat:
subnetworks:
- name: XX-glb-vpc-auto
gke:
vars:
ip_range_pods: "us-central1-gke-01-pods"
ip_range_services: "us-central1-gke-01-services"
master_ipv4_cidr_block: "10.100.0.0/28"
gke_name: "us-central1-gke-01"
network: "XX-gbl-auto"
project_id: "auto-v1u"
subnetwork: "XX-glb-vpc-auto"
region: "us-central1"
machine_type: "e2-medium"
disk_size_gb: "100"
location: "us-central1"
min_count: "1"
max_count: "100"
local_ssd_count: "0"
The VPC and Cloud NAT deploy perfect. The GKE or GCE components don’t
do you see a {component-name}/terraform.tfstate folder in your state backend?
every component will have it’s own state file in a folder called the sane name as the component ( usually)
So this is interesting in AWS, that is the setup each component has a folder, then another folder for stack. In our GCS here its each stack has a tf state file at moment, so three components here in one state file.
Be really interested as to the why each component needs own state file?
That is how atmos works, it uses workspaces heavily
Thanks. This sounds like the issue then. Is there any links or docs that goes into this in more detail?
That way you can have multiple components in one stack, and they all have their own state file that does not interfere with other components and makes the blast radius smaller
big state files are not a cool thing. they make plans and apply slow and if you think from the point of separation of concerns a bit dangerous too
@Christopher McGill please use atmos
2024-03-06
v1.8.0-beta1 1.8.0-beta1 (March 6, 2024) UPGRADE NOTES: If you are upgrading from Terraform v1.7 or earlier, please refer to the Terraform v1.8 Upgrade Guide.
backend/s3: The use_legacy_workflow argument has been removed to encourage consistency with the AWS SDKs. The backend will now search for credentials in the same order as the default provider chain in the AWS SDKs and AWS CLI.
NEW FEATURES:…
Can someone explain how module.this.enabled is used across your modules? When i try to replicate in my code, terraform says “there is no module named “this””. I see it used a lot throughout your code and it looks really neat, but i’m missing something. https://github.com/cloudposse/terraform-aws-api-gateway/blob/main/main.tf
see eg https://github.com/cloudposse/terraform-aws-components/blob/3727f96af1ed4a81c00445290e23360af3ee0cfe/modules/vpc/context.tf#L23 A generic “mixin” in a self-contained context.tf
coming from cloudposse/terraform-null-label/exports
(we vendor that file explicitly in all of our own components)
(forgive the messed up, left-channel audio)
As explained above, module.this is defined in a drop-in file named [context.tf](http://context.tf) that is vendored in from null-label.
By convention, when module.this.enabled is false, the module should create no resources, and all outputs should be null or empty. This configuration is propagated to Cloud Posse Terraform modules (all of which include [context.tf](http://context.tf)) by the assignment
context = module.this.context
If you want to make a variant of the label (see the video above), you instantiate null-label, passing context = module.this.context, but then also passing in overrides or additions, and then use the context, tags, IDs, etc from that module instantiation going forward.
I hate asking this but are there any user modules besides s3-user or iam-system-user? iam-system-user I ran into a few issues with where it landed the account created, and it’s directly attaching policies. I’m still pretty new to TF, but I think I could make something that matches our compliance requirements with a little work, but I figured I’d ask before I go writing this. Definitely do not want to use the user, but vendor can’t provide trust relationship requirements for a role otherwise. New to the community otherwise, so hi everyone.
I think you need to expand on what you’re trying to do. Sounds like system-user would work for you, but I don’t understand the reason why it won’t from what you shared.
Apologies. I need an access key to let a Cisco product into our environment, and yea system-user ideally should work but it needs to be modified to meet my compliance standards, nothing crazy except that it’s attaching permissions directly to the user/key in where compliance requires whatever access reqs to be part of a role.
I tried using system-user yesterday as well, and it would create a system-user as I wanted, but it was creating it in the account SAML goes through and not in my assumed role account. I believe our module of system-user is modified so I’m unsure if that’s part of the issue, I didn’t have time to go back and try it again yet.
@Ryan – Okay, if I’m understanding correctly, I think what you may need to do is use iam-system-user to create your user resource, use terraform-aws-iam-role to create your role, give the role the right permissions for what Cisco needs to do, and give the system-user the permissions to assume the role. You can do that in a root module that combines those two child modules. Does that make sense and sound like what you need to do?
it was creating it in the account SAML goes through and not in my assumed role account.
The account the resources are created in are dependent on what is in providers.tf, no exact what role you have assumed locally. I would check the logic in your root module and see if that will help.
Awesome response thank you. I’ll dig into this a little bit later today.
You were right no providers. Thank you for setting me down the right path. Definitely a lightbulb moment when I compared provider vs no provider tf, after reading providers.tf code. I’m still getting the hang of atmos and terraform but really enjoying it.
2024-03-07
2024-03-08
Is there a file formatting I can use for “tftpl” template files? Does Jinja2 work? (I’m using Intellij IDE)
@matt @Jeremy White (Cloud Posse)
Not that I know of on VSCode at least.
Interestingly, I just saw this in the latest jetbrains terraform plugin: https://github.com/JetBrains/intellij-plugins/commit/9c3336ff5ead368e3fb120263479340e701a0f32#diff-05a30b5d16dee0a3b96a[…]5a95f6047f23ec697bd356eR40
I do’t think there’s support for it in a lot of the editors, but jetbrains is giving this area some love
2024-03-11
2024-03-13
Been smashing my head against a wall on this one for a while. We have a set of kubernetes ingresses defined via kubernetes_ingress_v1 resources, using a kubernetes_ingress_class resource, spec’d with the the ingress.k8s.aws/alb controller. I need to update the SSL Policy for the ALB, but I can’t find documentation on how to define it. The only place that seems to be relevant is as an annotation in the ingress definition, but that means I have to define it for every ingress that uses that ingress class - which seems inefficient and prone to problems. What happens if two ingresses define different values here?
Does anyone know how to set the SSL Policy for an ALB ingress class?
I assume you’re using ingress class provided by aws-loadbalancer-controller . If so, here is the schema definition for it. It does have sslPolicy attribute.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.11.1
creationTimestamp: 2024-03-13T15:02:07Z
generation: 1
name: ingressclassparams.elbv2.k8s.aws
resourceVersion: "198995"
uid: 0fd1a62b-d774-423a-89fe-fbc87fe0cda2
spec:
group: elbv2.k8s.aws
names:
plural: ingressclassparams
singular: ingressclassparams
kind: IngressClassParams
listKind: IngressClassParamsList
scope: Cluster
versions:
- name: v1beta1
served: true
storage: true
schema:
openAPIV3Schema:
description: IngressClassParams is the Schema for the IngressClassParams API
type: object
properties:
apiVersion:
description: "APIVersion defines the versioned schema of this representation of
an object. Servers should convert recognized schemas to the
latest internal value, and may reject unrecognized values. More
info:
<https://git.k8s.io/community/contributors/devel/sig-architectur>\
e/api-conventions.md#resources"
type: string
kind:
description: "Kind is a string value representing the REST resource this object
represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info:
<https://git.k8s.io/community/contributors/devel/sig-architectur>\
e/api-conventions.md#types-kinds"
type: string
metadata:
type: object
spec:
description: IngressClassParamsSpec defines the desired state of
IngressClassParams
type: object
properties:
group:
description: Group defines the IngressGroup for all Ingresses that belong to
IngressClass with this IngressClassParams.
type: object
required:
- name
properties:
name:
description: Name is the name of IngressGroup.
type: string
inboundCIDRs:
description: InboundCIDRs specifies the CIDRs that are allowed to access the
Ingresses that belong to IngressClass with this
IngressClassParams.
type: array
items:
type: string
ipAddressType:
description: IPAddressType defines the ip address type for all Ingresses that
belong to IngressClass with this IngressClassParams.
type: string
enum:
- ipv4
- dualstack
loadBalancerAttributes:
description: LoadBalancerAttributes define the custom attributes to
LoadBalancers for all Ingress that that belong to
IngressClass with this IngressClassParams.
type: array
items:
description: Attributes defines custom attributes on resources.
type: object
required:
- key
- value
properties:
key:
description: The key of the attribute.
type: string
value:
description: The value of the attribute.
type: string
namespaceSelector:
description: NamespaceSelector restrict the namespaces of Ingresses that are
allowed to specify the IngressClass with this
IngressClassParams. * if absent or present but empty, it
selects all namespaces.
type: object
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The
requirements are ANDed.
type: array
items:
description: A label selector requirement is a selector that contains values, a
key, and an operator that relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid
operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or
NotIn, the values array must be non-empty. If the
operator is Exists or DoesNotExist, the values
array must be empty. This array is replaced during
a strategic merge patch.
type: array
items:
type: string
matchLabels:
description: matchLabels is a map of {key,value} pairs. A single {key,value} in
the matchLabels map is equivalent to an element of
matchExpressions, whose key field is "key", the operator
is "In", and the values array contains only "value". The
requirements are ANDed.
type: object
additionalProperties:
type: string
x-kubernetes-map-type: atomic
scheme:
description: Scheme defines the scheme for all Ingresses that belong to
IngressClass with this IngressClassParams.
type: string
enum:
- internal
- internet-facing
sslPolicy:
description: SSLPolicy specifies the SSL Policy for all Ingresses that belong to
IngressClass with this IngressClassParams.
type: string
subnets:
description: Subnets defines the subnets for all Ingresses that belong to
IngressClass with this IngressClassParams.
type: object
properties:
ids:
description: IDs specify the resource IDs of subnets. Exactly one of this or
`tags` must be specified.
type: array
minItems: 1
items:
description: SubnetID specifies a subnet ID.
type: string
pattern: subnet-[0-9a-f]+
tags:
description: Tags specifies subnets in the load balancer's VPC where each tag
specified in the map key contains one of the values in
the corresponding value list. Exactly one of this or
`ids` must be specified.
type: object
additionalProperties:
type: array
items:
type: string
tags:
description: Tags defines list of Tags on AWS resources provisioned for
Ingresses that belong to IngressClass with this
IngressClassParams.
type: array
items:
description: Tag defines a AWS Tag on resources.
type: object
required:
- key
- value
properties:
key:
description: The key of the tag.
type: string
value:
description: The value of the tag.
type: string
subresources: {}
additionalPrinterColumns:
- name: GROUP-NAME
type: string
description: The Ingress Group name
jsonPath: .spec.group.name
- name: SCHEME
type: string
description: The AWS Load Balancer scheme
jsonPath: .spec.scheme
- name: IP-ADDRESS-TYPE
type: string
description: The AWS Load Balancer ipAddressType
jsonPath: .spec.ipAddressType
- name: AGE
type: date
jsonPath: .metadata.creationTimestamp
conversion:
strategy: None
Ok, so I can define this at the load balancer controller? It looks like we implemented that via a helm release. Now to figure out how to override values in that chart…
Thanks!
No problem. If you’re using CloudPosse’s eks/alb-controller , you can add sslPolicy to this section.
Or here if your using their eks/alb-controller-ingress-class…
https://github.com/cloudposse/terraform-aws-components/blob/37d8a5bfa04054231a04bf[…]66a575978352c8/modules/eks/alb-controller-ingress-class/main.tf
ok cool, we are using a kubenetes_manifest resource for the ingress class params. I’m trying this:
resource "kubernetes_manifest" "stack_ingress_public_class_params" {
provider = kubernetes.cluster
manifest = {
apiVersion = "elbv2.k8s.aws/v1beta1"
kind = "IngressClassParams"
metadata = {
name = "stack-ingress-public"
}
spec = {
group = {
name = "stack-ingress-public"
}
sslPolicy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}
}
}
hmm…. I must have the structure wrong.
Error: Manifest configuration incompatible with resource schema
You may need to check your controller’s (and its CRDs) version. I provided you the CRD schema for the latest (v2.7) aws-loadbalancer-controller . I am not sure when sslPolicy was added.
How did you pull that schema?
kubectl --context <your-kube-context> get ingressclassparams.elbv2.k8s.aws -o yaml
Correction… This is the command.
kubectl --context <your-kube-context> get crd ingressclassparams.elbv2.k8s.aws -o yaml
2024-03-14
Hello, we encounter an issue with the CloudPosse AWS backup vault module. During the destruction of a backup vault, the process trying to remove the backup vault before the recovery points, and due to this sequence, the deployment failed.
• Do we need to update the module to be able to remove the recovery points before the backup vault ?
• Or Could we add a lifecycle in the cloudposse module ?
@Ben Smith (Cloud Posse)
Same issue with the 1.0.0 version
Hi @bessey Is this something you can fix and open PR? Otherwise this should be addressed eventually (can’t give you an eta).
Hi @Gabriela Campana (Cloud Posse) we have decided to replace the module by terraform resources in our next release. We wasted too much time on this subject. Thanks all for your infos and help.
2024-03-15
Hi Guys, is someone of you met this issue too ? https://github.com/cloudposse/terraform-aws-backup/issues/60
IMHO, deleting backups should be hard to do, so I am not bothered by this behavior. What happens if you run terraform destroy with the module enabled?
The issue is still remaining. After upgraded to 1.0.0, issue is the same : Error: deleting Backup Vault (MY_BACKUP_VAULT_NAME): InvalidRequestException: Backup vault cannot be deleted because it contains recovery points.
I noticed that even with a depends_on, the module don’t take into account this option !
Did you tried to run a terraform destroy with at least 1 recovery point inside the backup vault ? I don’t think so, because it’s a requisite to remove a backup vault, it’s mandatory to delete all recovery points before to delete a backup vault
There is similar behavior around deleting S3 buckets: because of the permanent loss of data, extra precautions are in place.
I believe the best approach is to provide a force_destroy option which would override this protection, but I will ask @Ben Smith (Cloud Posse) to look into it, since he is the most familiar with the topic. CC @Erik Osterman (Cloud Posse)
Hi, regarding S3, the issue was due to the versioning, the sequence tried to delete the S3 before the versioning, we have fix the issue with a sleep_time resource to avoid to remove the S3 before to suspend the versioning and it’s working fine, but not with the cloudposse aws backup module
Trying to remove recovery poins from a null_resource and add a depends_on on this null_resource from the module, same issue, even if the recovery points are removed from the AWS console before the backup vault, in Cloudtrail we can see that the backup vault is removed before the recovery points, and it’s failed as well :
For info, the depends_on works fine when we enabled the module, but not when we deactivate it.
One question : in your documentation from https://docs.cloudposse.com/modules/library/aws/backup/ it’s mentioned the below code regarding the retention period : rules = [ { name = “${module.this.name}-daily” schedule = var.schedule start_window = var.start_window completion_window = var.completion_window lifecycle = { cold_storage_after = var.cold_storage_after delete_after = var.delete_after } } ]
But from https://github.com/cloudposse/terraform-aws-backup/blob/1.0.0/docs/migration-0.13.x-0.14.x+.md it’s mentioned the below one :
rules = [
{
schedule = var.schedule
start_window = var.start_window
completion_window = var.completion_window
cold_storage_after = var.cold_storage_after
delete_after = var.delete_after
}
]
With the second code, I noticed that the retention period is “Always” and not my specific value from the AWS console :
Do we need to set the lifecycle block to take into account the retention period for the source AWS backup and recovery points ?
I confirm that the lifecycle block is expected to take into account the delete_after option
Thanks @bessey for pointing this out. Sounds like a bug in our module. I’ll get to this soon so that we can configure the retention period
thanks
2024-03-16
2024-03-17
“HashiCorp has been working with a financial adviser in recent months and has held exploratory talks with other industry players, the report said.”
I’m eager to know who the ‘industry players’ are!
Perhaps they will get beat out by Puppet.
2024-03-18
Any terragrunt users here?
Sadly yes
Haha do you prefer something over terragrunt?
Just Terraform would be nice, but with so many environments and regions it seems Terragrunt does the job we need. I am sure there are other tools like CP’s , but we were already in deep with Terragrunt.
1
Anybody using terraform to manage kubernetes? I’m curious if you’ve found any advantage to terraform as vs any other technology to manage kubernetes objets. …or any other opinions you have about terraform, or other kubernetes Iac solutions.
Yes, we do at Cloud Posse.
Here you can see what we do. https://github.com/cloudposse/terraform-aws-components/tree/main/modules/eks
You’ll notice we also deploy ArgoCD…. with Terraform
Since we practice GitOps with Terraform, we get most of the same benefits as we do with ArgoCD. We rely on Terraform predominantly for kubernetes backing services. Things like ALBs, Ingress, Operators/Controllers, etc. Things that rely on other things to exist, which we provision with Terraform. E.g. IAM roles, DNS zones, etc.
Use ArgoCD for your applications.
We’ve considered, but not adopted things like Amazon Controllers for Kubernetes. Happy to answer anything else related to this.
2024-03-19
When I am using cloudposse IAM module , by default it creates namespace,stage & name as prefix to IAM role which do not want..how do I avoid?
Don’t set them
I believe all are nullable
For example, if you have your own naming convention, just use name and set it to your requirements
Let me try..But I remember if namespace not set ..tf apply fails with namespace need to set.
If that happens, let me know which module.
add this
label_order = ["name"]
and only include the attributes you want
that will limit the name to a concatenated list of whatever is in label_order, while still adding the other attributes to tags
Hi all, I’m trying to create some custom IAM policies through terraform. I don’t see a dedicated iam-policy component, but it looks like it might be doable through the iam-role component? I don’t quite understand how to use the policy_documents variable though. Can anyone shed some light on this? https://github.com/cloudposse/terraform-aws-components/blob/main/modules/iam-role/README.md#input_policy_documents
@Dan Miller (Cloud Posse) can maybe shed some light on this one
In our reference architecture we don’t use a IAM policy component. What we have is a little bit different. In the simple use case when we need some policy for a particular component, we just include that policy with the given component directly.
However in the more complex use case where we need an advanced policy or role, we use our AWS Team and Team Roles design. This is part of our reference architecture, but in short Team Roles are IAM roles that are deployed to any number of accounts and grant permission there.
What you see with the iam-role component is an exception. We had a customer that had a specific requirement that went against our recommendation. If we need a role, it should be more consistent with our design to use the aws-team-roles component instead
What is the use case for an IAM policy + role that you’re considering? perhaps I can give a better idea of what we’d recommend
I have an ECS service that I would like to grant access to an S3 bucket
so I see where I can add policies to the task_role and have done that a successfully with a policy that I click-ops’d
but I would like to be able to define IAM policies in terraform so I can assign them to the roles for ECS/EC2/etc
@Dan Miller (Cloud Posse)
In that case I would create the policy with the ecs-service component. You can use iam_policy_statements and define the policy in YAML with the component catalog
@Dan Miller (Cloud Posse) thanks for this! Can I see some examples on how this is used? I tried inserting a JSON policy with this but wasn’t able to get it working properly
How about something like this? Since it’s in the YAML file you have to either convert it to YAML or inline the JSON
vars:
iam_policy_statements:
ListMyBucket:
effect: "Allow"
actions:
- "s3:ListBucket"
resources:
- "arn:aws:s3:::test"
conditions:
WriteMyBucket:
effect: "Allow"
actions:
- "s3:PutObject"
- "s3:GetObject"
- "s3:DeleteObject"
resources:
- "arn:aws:s3:::test/*"
conditions:
2024-03-20
Does anyone have a link to a list of new features available on OpenTofu since it’s fork?
More concisely maintained than their release notes.
also try opentofu
I’m new to terraform and wanted to get some feedback on what is the best way of dealing with passwords in terraform files. Hypothetical case… We geneated an api key from another 3 party service. We want to add the api key to our aws secrete manger so that our services are able to use it. How would I go about getting the secrete into aws secrete manager with out committing the secrete in plain text in my terraform file? Thanks in advance
@Dan Miller (Cloud Posse)
I would create kms encrypted secrets to add them on tf files
I prefer to use AWS SSM parameter store for secrets personally, but SOPS and AWS Secret Manager are both great as well
well depends on the secret
v1.8.0-rc1 1.8.0-rc1 (March 20 2024) If you are upgrading from Terraform v1.7 or earlier, please refer to the Terraform v1.8 Upgrade Guide. NEW FEATURES:
Providers can now offer functions which can be used from within the Terraform configuration language. The syntax for calling a provider-contributed function is provider::function_name(). (<a…
2024-03-21
Has anyone heard when Terraform stacks will go GA?
They haven’t set a date yet. I would expect that Oct would be the earliest it could possibly be.
Wow, I was hoping it would be sooner but that’s wild
2024-03-22
When using modules in Terraform where would I add the lifecycle ignore_changes meta-argument?
For resources it’s pretty simple - https://developer.hashicorp.com/terraform/language/meta-arguments/lifecycle#ignore_changes
A bit of searching around led me to this Terraform issue https://github.com/hashicorp/terraform/issues/27360 Seems like it cannot be done.. :disappointed:
I’m using https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn and one of the created buckets has since had its bucket policy changed because of a migration of contents into it.. While this policy is temporary it’s not something Terraform should remove/reverse…
Already tried https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn?tab=readme-ov-file#input_override_origin_bucket_policy set to false, but it doesn’t change anything.. And I want the module to be in charge of creating the bucket..
Any workarounds, tips, comments?
I guess another approach is to try https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn?tab=readme-ov-file#input_additional_bucket_policy
as you pointed out, it’s not supported natively in modules. We could handle lifecycle rules as an input and then create different resources conditionally by the enabled lifecycle setting.
However, that’s is very extreme, as you can see with this module: https://github.com/cloudposse/terraform-aws-ecs-alb-service-task/blob/main/main.tf
As for your use case with terraform-aws-cloudfront-s3-cdn, would you be able to update your input bucket policy to match what you’ve changed?
Or if you want to use override_origin_bucket_policy but you already deploy the bucket policy initially with Terraform, then you could set override_origin_bucket_policy to true and then remove the old policy from Terraform state
terraform state rm module.your_module_name.aws_s3_bucket_policy.default
terraform plan
does anyone know how I can delete the auto generated domain created by aws when deploying a cognito resource. I’m trying to add a custom domain to the cognito resource and my terraform plan fails because it needs to removed the auto generated domain first before making the change. I’m not 100% sure how to manage or refrence the domain that is auto generated by aws when deploying the cognito resource.
resource "aws_cognito_user_pool_domain" "ee_domain" {
domain = "${var.login_url}"
user_pool_id = aws_cognito_user_pool.ee_user_pool.id
}
terraform apply
aws_cognito_user_pool.ee_user_pool: Destroying... [id=us-east-dafda]
╷
│ Error: deleting Cognito user pool (us-east-1dafdasfa): InvalidParameterException: User pool cannot be deleted. It has a domain configured that should be deleted first.
│
│
╵
Exited with code exit status 1
2024-03-23
2024-03-25
Hi All… I am bootstratting a fresh AWS environment with the intention to do as much via Terraform as possible. I am aware of higher-level tooling such as Terragrunt and Atmos but I am attempting to gain a good understanding about how everything is held together so holding off on these for now.
I have created a fresh aws root account and enabled IAM Identity Centre via the aws console… this automatically enabled AWS Organisations so my Org structure is Root (OU) - > Management (Account).
I have manually created an iam user called terraform_bootstrap via the Console and I believe having the management account and iam user is enough to do everything else in Terraform.
It is my intention that the first Terraform project run using the terraform_bootstrap user credentials to create the subsequent OUs (e.g. Core) and accounts (e.g. Identity) and then I guess each one of these accounts would have its own terraform project.
I am aiming for a single S3 bucket to store Terraform state… I’ve seen debate about whether this is the case but Cloud Posse seem ok with it… and from what I can tell I can always create a policy to restrict access to specific state files to different sub-sets of users.
Where does this S3 bucket for state files live (i.e. under which account is it created) ?
I have seen a suggestion in the #aws channel that Cloud Posse just create the S3 bucket under the root account. Based on the Org structure above I am not sure wha that means (perhaps the naming conventions are outdated)… Is it good practice to create the S3 bucket under the Management Account and have all the subsequent Terraform projects for sub-accounts store their state there? Is there a security downside to storing in the Management Account?
@Jeremy White (Cloud Posse)
Was there a better channel for me to ask this in ?
@Ben Smith (Cloud Posse)
I think you asked on the right channel
We call it the root account (your Management account) under an OU we call Core (your Root)
Our structure thus looks like
Core/
- Root
- Security
- Auto
Platform/
- Dev
- Staging
- Prod
yours can look similar with different names, depends on needs and how you want to name things.
we recommend the terraform state bucket live in your management account core-root or root-management for you.
Is it good practice to create the S3 bucket under the Management Account and have all the subsequent Terraform projects for sub-accounts store their state there? Is there a security downside to storing in the Management Account?
So theres pros and cons to having the state bucket live in one account vs many.
Essentially the reason we recommend 1 state bucket, is usually the reason you chose terraform is so that your components of terraform and know about eachother and reference state. it becomes A LOT less complex to maintain.
The times we would recommend hierarchical state buckets is when you have extremely tight security requirements and usually a big team that requires segmented access.
https://github.com/cloudposse/terraform-aws-components/tree/main/modules/tfstate-backend is how we recommend (and ourselves do) deploy tfstate backend, it integrates with our aws-teams) and aws-team-roles for user based access
Thank you @Ben Smith (Cloud Posse). I think the confusion is that AWS created my ‘root’ and ‘management account’ when I let it automatically enable ‘aws organisations’ when I activated IAM.
So, if I understand correctly, the account for which you create the S3 folder is not the aws created management account (shown in the screenshot) but you create a separate OU and account outside of the actual aws management account ?
Or, did I misunderstand, and what AWS created for me is the same as what you have but under different names and the ‘aws mangement account’ is the mangement account in which you create the S3 bucket. People seem to say not to store stuff in the ass management account hence my confusion.
what AWS created for me is the same as what you have but under different names
this
usually what we do is get a root accout with no AWS Org setup (so a single account). We then deploy tfstatebackend (component linked above) this will generate a s3 bucket and dynamodb lock table in your management account.
Then we deploy the accounts component [link] which will create and manage your org for you (beware aws has a 10 account limit but you can increase with a quota increase)
so essentially this then sets up your various accounts as your different needs. we usually have
core/
- root - this is the management account, it only has accounts and tfstatebackend deployed to it
- identity - aws-teams and aws-team-roles which define how your users login
- auto - automation and overhead tooling
- network - transit gateways, dns how things connect
platform/
- dev/staging/sandbox/prod - where your apps live
what you’ve got is correct just named differently than our typical setup - though theres nothing wrong with that, just need to keep a mental note of how we will generally refer to it
Brilliant, thank you… Given the sensitivity around use of the management account (link) I was not sure I should be storing state there and given the difference in names i’ve ended up with it added to the confusion but what you have laid out makes perfect sense - thank you.
Hello, another ECS terraform question
I’m trying to create a new ECS cluster, and it’s mostly working, but it’s getting stuck when trying to create the S3 buckets for the ALB access logs
│ Error: creating S3 Bucket (ORGNAME-plat-use1-sandbox-CLUSTERNAME-private-alb-access-logs) ACL: operation error S3: PutBucketAcl, https response error StatusCode: 400, RequestID: TPTA013GT569ETAX, HostID: N6C6f+Limdwsdty86tsEnIKUGmQ212aT4okjJnN10GcQaG/NlfUOkHCplpsu3caLOHeCo=, api error AccessControlListNotSupported: The bucket does not allow ACLs
│
│ with module.alb["private"].module.access_logs.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_acl.default[0],
│ on .terraform/modules/alb.access_logs.s3_bucket.aws_s3_bucket/main.tf line 148, in resource "aws_s3_bucket_acl" "default":
│ 148: resource "aws_s3_bucket_acl" "default" {
│
╵
╷
│ Error: creating S3 Bucket (ORGNAME-plat-use1-sandbox-CLUSTERNAME-public-alb-access-logs) ACL: operation error S3: PutBucketAcl, https response error StatusCode: 400, RequestID: TPTDW2SVGHQWBJ9P, HostID: C5vrCU0oWsnSNy/hlDREWtFYp+/zMKd2VXatYruvJ/opNd3FrMtXRtJklQ/drOyr28=, api error AccessControlListNotSupported: The bucket does not allow ACLs
│
│ with module.alb["public"].module.access_logs.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_acl.default[0],
│ on .terraform/modules/alb.access_logs.s3_bucket.aws_s3_bucket/main.tf line 148, in resource "aws_s3_bucket_acl" "default":
│ 148: resource "aws_s3_bucket_acl" "default" {
│
╵
exit status 1
if I the terraform deploy again, it’s able to finish creating the remaining resources and works properly
the ALB creates correctly, and the ACLs get set on the corresponding S3 buckets
so we have a workaround, but it would be great to figure out why it’s failing to set ACLs the first time around
Looks like you are using the refarch ecs components?
make sure there’s no acl = private or something of tyhat sort in your code.
https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/
all newly created buckets in the Region will by default have S3 Block Public Access enabled and access control lists (ACLs) disabled
yeah we’re using the refarch ecs component
we haven’t changed anything about the ACL settings from the reference architecture
it looks like the default behavior of the terraform is to try to set the ACL
actually looks like this was fixed in a terraform component version update. we were on 1.388.0 and updating to 1.419.0 worked
@Jeremy White (Cloud Posse) @Dan Miller (Cloud Posse)
actually looks like this was fixed in a terraform component version update. we were on 1.388.0 and updating to 1.419.0 worked
great! I believe this was a fix in the terraform-aws-alb module that’s included in that component
also as a general tip since you’re using our reference architecture, you should get a quicker response for reference architecture specific questions with the refarch channel (around 100 members). Whereas the #terraform channel is intended for anything related to Terraform as a topic (around 8000 members)
2024-03-26
Hey Folks, anyone using aws eks cluster module v4.0.0.? I can’t seem to get terraform to pick up my access_entry_map… terraform plan never notices it or any changes I make to it. Pretty simple setup:
module "eks_cluster" {
source = "cloudposse/eks-cluster/aws"
version = "4.0.0"
// <https://github.com/cloudposse/terraform-aws-eks-cluster>
name = var.name
namespace = var.namespace
region = var.region
stage = var.stage
cluster_encryption_config_enabled = true
cluster_encryption_config_kms_key_enable_key_rotation = true
oidc_provider_enabled = true
access_config = var.access_config
access_entry_map = var.access_entry_map
addons = var.addons
addons_depends_on = [module.eks_node_group_main, module.eks_node_group_secondary]
endpoint_private_access = var.endpoint_private_access
endpoint_public_access = var.endpoint_public_access
enabled_cluster_log_types = var.enabled_cluster_log_types
kubernetes_version = var.kubenetes_version
public_access_cidrs = var.public_access_cidrs
subnet_ids = module.subnets.public_subnet_ids
tags = var.tags
}
sandbox.tfvar:
..
..
..
access_entry_map = {
(data.aws_iam_session_context.current.issuer_arn) = {
access_policy_associations = {
ClusterAdmin = {}
}
}
}
..
..
my var.access_config:
variable "access_config" {
description = "Access configuration for the EKS cluster."
type = object({
authentication_mode = string
bootstrap_cluster_creator_admin_permissions = bool
})
default = {
authentication_mode = "API"
bootstrap_cluster_creator_admin_permissions = false
}
}
so weird, I’ll keep at it and see what i’m missing, felt like posting in here as I may be missing something obvious
hang tight, I think its my jenkins pipeline. I’ll let you all know what i find out, its gotta be on my end now that i saw some weirdness when I ran my build pipeline
ok it was my pipeline, and I see that I can’t use the data source in my tfvar too.. rookie mistakes here.. nothing to see carry on
has anyone who is using ECS clusters successfully deployed a second cluster without messing up the ACM certificates and existing clusters?
• we now have three (3) certificates in ACM and two (2) of them contain duplicates for <environment>.<stage>.<tenant>.<domain>.<tld>
• however now our envs can no longer deploy to the platform cluster
very strange, def think we’re missing something, and could not find any documentation about it
@Dan Miller (Cloud Posse) @Ben Smith (Cloud Posse)
Is this referring to the ecs component with our reference architecture? If so, then the ACM cert should be created with the acm component, not with the ecs component. You might have a specific component called ecs/platform/acm (likely defined in your stack catalog, maybe in stacks/catalog/ecs/clusters/default.yaml) that creates the certs. You will need a unique domain for each ~cluster~ service you want to deploy. You can do this with a different name or set of attributes
I can create a quick example if that sounds right
I think that sounds right, could you post a quick example, I would like to compare what I have vs what may be ideal/BP
I put together an example but it quickly got out of hand. So I put it into this google doc. Let me know if this makes sense to you: https://docs.google.com/document/d/1I6QM_f10T-xG3z1Hyef6t6oXNQqIzANecnTttdGtHzo/edit?usp=sharing
Also I recently updated our setup steps for ECS as part of our reference arch. docs. These may be helpful to skim https://docs.cloudposse.com/reference-architecture/setup/ecs/
Also please let me know if this solves your issue or if you have any other questions about it, because then I can upstream it to our website for future reference for others as well
Thanks @Dan Miller (Cloud Posse) reviewing them now
2024-03-27
Back from a very long winter break 
, hi everyone. Is AWS Control Tower Account Factory for Terraform (AFT) the preferred way for bootstrapping our AWS accounts now, or is there something better ?
current engagement is using Spacelift as an “account factory”. feels a lot cleaner and more transparent than AFT
Hi Loren, I can’t use ext dependencies with this one. Is AFT too cumbersome for something like : cross acct roles , oidc roles, state bucket / ddb ? What transparency is it lacking ?
Yeah understood. AFT just feels like a black box to me. An overly complicated, typical AWS solution architecture. I wouldn’t want to sign up to troubleshoot failures.
If I have a module for the resources I want in the new account, then it’s easy enough to have a directory per account with a simple terraform config that uses that module. And a template to simplify new account creation. Each new account, copy the template, update tfvars, deploy with ci/cd
Right, but which state bucket and role to use ?
i don’t think AFT solves that either
What do you think of using stackset with a bit of CF using the default cross-account roles within the org ?
i use terragrunt for that part. and a lambda in the management account to create an “automation” role in every new account. account creation then is just a single command:
aws organizations create-account --email "$email" --account-name "$name" --iam-user-access-to-billing ALLOW --role-name "$account_access_role"
but yeah, a stackset works to create the “automation” role also
I meant using the role “aws organizations” is creating, then create the specific ( least privilege roles ) with the stack set and the rest.
the stackset doesn’t need to “use” another role, i don’t think. if you’re comfortable using the role aws organizations creates, and having your automation run from the organization account to assume that role, then your terraform config can create all extra roles no problem
I’ll dive in, thanks !
The important thing to know about AFT is that it was a co-development effort between AWS and HashiCorp. It originated with the AWS Professional Service team and was taken over as an actual product delivered by the Service Catalogue/Control Tower team. The reason Control Tower now has APIs is because of this project/product.
Generally speaking, if folks are going to use TF for Landing Zones, this is the suggested method from both AWS and HashiCorp.
Now, all that said, we have had some customers that have had to do some larger customizations to integrate with existing automation, generally through their pipelines. I’m actually trying to get one of them to talk about this at HashiConf this year.
2024-03-28
Hey Folks, anyone using terraform private package registry of some kind for the purpose of module versioning vs using git tag ref? I wonder are there any pros and cons of switching to leverage private registry at some point.
Can someone help me,
Im trying to pass a secret which is stored in akeyless,
data "akeyless_secret" "secret" {
path = "/GCP/Secrets/cf-triggers/tf-cf-triggers"
}
provider "google" {
project = "cf-triggers"
credentials = data.akeyless_secret.secret
}
resource "google_pubsub_topic" "example" {
name = "akeyless_topic"
message_retention_duration = "86600s"
}
❯ terraform apply
data.akeyless_secret.secret: Reading...
data.akeyless_secret.secret: Read complete after 1s [id=/GCP/Secrets/cf-triggers/tf-cf-triggers]
Planning failed. Terraform encountered an error while generating this plan.
╷
│ Error: Incorrect attribute value type
│
│ on main.tf line 38, in provider "google":
│ 38: credentials = data.akeyless_secret.secret
│ ├────────────────
│ │ data.akeyless_secret.secret is object with 4 attributes
│
│ Inappropriate value for attribute "credentials": string required.
is there a way to resolve this ?
Been working with TF a few months, had a few questions/discussion to get into based on a SO post . Been getting a lot of errors 403 and 409, using terraform on gcp (even on a fresh project), where I have to manually enable an API upon apply and manually delete a resource upon destroy, not always related to a service that maybe dependant or instantiated on a child resource, like SQL and then a db. I read that there is a Terraform resource definition called “google_project_service” that allows auto-enable api service. This is documented at google_project_service. Apparently resource “google_project_service” “project”, only one service argument can be taken so would have to loop over a list of services, but will this resolve the issue, I am yet to try to loop, or the other suggestions. Any have this issue and resolve it?
resource "google_project_service" "project" {
project = "your-project-id"
service = "iam.googleapis.com"
timeouts {
create = "30m"
update = "40m"
}
disable_dependent_services = true
disable_on_destroy = true
}
Below is what I used now but I have to manually enable some apis and destroy some and not just ones with dependants. When I added the disable on destroy I get less destroy errors. Getting these errors isn’t an issue unless provisioned resources are not terminate, which most times isnt the case, but has been the case a few times leaving chargable cloud resources.
resource "google_project_service" "iam" {
service = "iam.googleapis.com"
# disable_on_destroy = true
}
did you authenticate ?
have a separate module for to enable the apis, and apply them first
for example, if you are working with cloudfunctions gen2, there are some pre api need to be enabled for example, cloudbuild, artifactregistry, eventarc etc..
Yes with a service account json key. which is in credentials field in variable.tf, then used file(var.credentials). It wouldnt provision without authentication, but you could be right that maybe there is other permissions needed. How ever not all resources are affected by these errors.
have org level project and make it as pre-requisite step to enable apis for each project
i would say isolate that api enabling separately
as that would be a onetime process
Yes this is what was recommended in the SO post, splitting the TF.
correct
I will try it but unfortunately wont have time in project right now to deep dive, so will try a work around which is what most oss fixes seem to be
I know some people don’t recommend auto api enabling but from an automation standpoint of TF, seems counter intuitive.
have something like this
org/{projects}/{project_id}.yaml
project:
- 'your-project-id'
apis:
- 'cloudfunctions'
- 'bigquery'
-
.
.
In our company we have something like this
we raise a pr to public_cloud team and then it wil enable api for that project, then we can focus on tf code
Yes and having disable on destroy and disable dependant services important
I toggled the “run.googleapis.com/cpu-throttling” = true option to terminate time based charging to bring down costs rather using request based option. It switches between “CPU is always allocated” to “CPU is only allocated during request processing”, as I intended, I got it to work here and there but most of the time the service becomes idle, then when a request is made by app to run some code, it stays idle with no return on anything, any idea why? I have to keep CPU always allocated to get consistent work loads. (edited).
I toggled the “run.googleapis.com/cpu-throttling” = true option to terminate (always on) time based charging to bring down costs rather using request based option. It switches between “CPU is always allocated” to “CPU is only allocated during request processing”, as I intended, I got it to work here and there but most of the time the service becomes idle, then when a request by my app, the app just keeps hangs. I have to keep CPU always allocated to get consistent work loads. I think this has something to do with cold start and 15 min timeout after requests, but it seems that max is 60 mins. Basically it seems to take advantage of less costs of “CPU is only allocated during request processing”, you can only work with a 60 min window. Is there any other way to get around this 60 mins max timeout?