#terraform (2024-07)

terraform Discussions related to Terraform or Terraform Modules

Archive: https://archive.sweetops.com/terraform/

2024-07-01

2024-07-02

Soren Jensen

I have created an EC2 instance in terraform with a userdata template. In the template I install and set up WireGuard, and define a few users. But adding/removing users from the user data doesn’t redeploy the instance?! Terraform apply shows 1 change to make and the server is shut down, AWS shows the updated userdata, but when the server is back up I don’t see any change in users. I have tried to add a step in the user data to delete the config file. Still no change. Is there a way I can force terraform to completely destroy the EC2 instance on every apply?

loren

If the user_data_replace_on_change is set then updates to this field will trigger a destroy and recreate.
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#user_data

loren

user data used to be a replacing change, now it is only optionally so. by default changes will only stop/start the instance

loren

there are also ways to get user data to run on every startup, but i think that’s more of a cloud-init or ec2-config thing, and not specifically an aws or terraform thing

Soren Jensen

I didn’t know about the user_data_replace_on_change Going to give that a go..

loren

here’s how to setup per-boot scripts with cloud-init, if you want to go that route… https://cloudinit.readthedocs.io/en/latest/reference/modules.html#scripts-per-boot

Soren Jensen

Thanks a million :slightly_smiling_face: user_data_replace_on_change did the trick!

2024-07-03

Release notes from terraform
01:33:27 PM

v1.9.1 1.9.1 (Unreleased) UPGRADE NOTES:

Library used by Terraform (hashicorp/go-getter) for installing/updating modules was upgraded from v1.7.5 to v1.7.6. This addresses CVE-2024-6257. This change may have a negative effect on performance of terraform init or terraform get in case of larger git repositories. Please do file an issue if you find the performance difference noticeable.

Release notes from terraform
02:03:30 PM

v1.9.1 1.9.1 (July 3, 2024) UPGRADE NOTES:

Library used by Terraform (hashicorp/go-getter) for installing/updating modules was upgraded from v1.7.5 to v1.7.6. This addresses CVE-2024-6257. This change may have a negative effect on performance of terraform init or terraform get in case of larger git repositories. Please do file an issue if you find the performance difference noticeable.

2024-07-04

Allan Swanepoel

anyone here used TerraMaid before? https://github.com/RoseSecurity/Terramaid

RoseSecurity/Terramaid

A utility for generating Mermaid diagrams from Terraform configurations

Erik Osterman (Cloud Posse)

I think @Michael has

Erik Osterman (Cloud Posse)

Note, Terramaid is a very young project under active development.

Michael

@Allan Swanepoel I created the tool as a learning project, but I’m actively working on it each day, so stay tuned for it to get more mature!

Allan Swanepoel

thats awesome @Michael

jpalomaki

:wave: I am wondering if it’d make sense to add support for configuring lambda permissions (i.e. who can invoke the function) directly in the aws-lambda-function module? This is the resource we could add, with a variable (presumably a list) for configuring at least the principal and source_arn attributes for each permission entry. It kinda feels natural to be able to declare the permissions in the lambda config, but I am not sure if we could run into some circular dependency issues this way. In my use case, it’s an S3-triggered function, so the bucket source ARN would be known in advance and this pattern would work. What do you think?

Erik Osterman (Cloud Posse)

This is an internal debate we struggle with on a regular basis. Where is the line drawn? Typically, modules are used inside of other modules, and things like IAM policies are better expressed as HCL. That said, would you be open to proposing an issue with the hypothetical interface?

Erik Osterman (Cloud Posse)

We can discuss that and if it looks good, and you’re willing to implement it, then go for it.

jpalomaki

Yep. In our case, we deploy using terragrunt, so being able to deploy straight off of the terraform registry module (not having to create a wrapper module just to add one resource for the permissions) would actually help. I also kind of like how the author of the lambda config then gets to decide who can invoke it (similar to how they can define the lambda IAM role permissions). Also, this would be optional (for_eached with a default of []), so one could still declare the permissions elsewhere if a more complex setup is needed. I can whip up a simple PR with a proposal to discuss this further. Thanks for the quick response

Erik Osterman (Cloud Posse)

Can you run make init && make readme

jpalomaki

I’ve updated the PR with readme updates. I had missed this step on my previous PR, too, so the diff now includes docs for the inline IAM policy feature as well.

Erik Osterman (Cloud Posse)

@Jeremy White (Cloud Posse) or @Ben Smith (Cloud Posse) can you do the final sign off?

Jeremy White (Cloud Posse)

Looks like terratest is failing with complaints about the new s3 bucket resource.

Junk

Hello :party_parrot: I’ve recently become interested in Atmos and am doing a PoC on a small project within my company with Atmos. While using it, I am satisfied with most of the features and it is well documented so I had no problem learning it, however, I have a question about using Template Functions in the data sharing between stacks. Instead of using the terraform native module of cloudposse, I created the necessary root modules myself, so I don’t use the RemoteState method. If the output is a list of strings rather than a simple string, when referenced from another stack, it will be converted to a string and referenced as [item1 item2 item3] or something like that. How do I get it to reference like a list normally?

Gabriela Campana (Cloud Posse)

@Andriy Knysh (Cloud Posse)

Andriy Knysh (Cloud Posse)

Hi, I’m testing out atmos v1.81 template functions release: How do I get array element for this one?

- '{{ (atmos.Component "aws-vpc" .stack).outputs.private_subnets }}'

Andriy Knysh (Cloud Posse)

in short, when you use Go templates, you are manipulating text files (the fact that the files are YAML is not relevant to the templating engine)

Andriy Knysh (Cloud Posse)

and Go templates work with strings only

Andriy Knysh (Cloud Posse)

so in your files, you have to “shape” the result strings into the correct data types. For example, for lists, you can use the toJson function (since JSON is a subset of YAML), or the range function (see the thread)

Junk

I was lacking a reference, so thank you for explaining it so well. I’ll try to test it out.

2024-07-05

Marius Manea

Hi everyone, Is there a provider function available for the equivalent of this module, by any chance? https://github.com/cloudposse/terraform-null-label I think a provider function might be easier/cleaner to use, than a module.

theherk

We use an internal module context for this, and I actually think it is quite nice. Because we can generate naming standards internally. Like we can use ctx.prefix_global or just get region with ctx.region. Then we can set prefixes to contain or build namespaces automatically based on context. Best of all we can use that across providers. So one can use the same context for both an aws provider and a postgres provider.

Marius Manea

Interesting! do you have any examples for that, please?

theherk

I don’t directly, because it is internal, but it is something like this:

# Context module: derives the naming conventions (prefixes, namespaces, region, ...)
# from a handful of inputs so every other module can consume them consistently
module "ctx" {
  source  = "gitlab.internal/foo/context/aws"
  version = ">= 1"

  active    = var.active
  env       = var.env
  erect     = var.erect
  namespace = var.namespace
}

# Downstream module reads its environment from the context outputs rather than raw vars
module "core" {
  source  = "gitlab.internal/foo/core/aws"
  version = "~> 2.4"

  azs = var.azs
  env = module.ctx.env
}

# Resource names are assembled from the prefix the context module computed
locals {
  api_name = "${module.ctx.prefix}-api-int"
}

Marius Manea

thanks for the details, that helps

Erik Osterman (Cloud Posse)

Yes, Cloud Posse has a provider

Erik Osterman (Cloud Posse)

cloudposse/terraform-provider-context

Terraform provider for managing a context in Terraform.

Erik Osterman (Cloud Posse)

This example is with atmos

Marius Manea

that is amazing, exactly what I was looking for, thanks a lot!

2024-07-08

Brett L

Is Atlantis the best free / foss TACOS?

loren

depends a little on whether you need a taco to provide a runner, or if you want to use runners for gitlab-ci or github-actions… for the former, probably yes. for the latter, you have cli tools like digger/terramate/atmos that integrate with the build system and the repo hosts

Brett L

seems like atlantis it is for now then. thanks!

2024-07-09

2024-07-10

Bart Coddens

Hi All, I want to deploy a cloudformation stackset in parallel over multiple accounts in one region.

Bart Coddens

Currently I use:

Bart Coddens

resource "aws_cloudformation_stack_set_instance" "this" {
  # The original message only showed the operation_preferences block; the
  # required arguments of this resource (stack set name, region, target
  # account or deployment_targets) were not included in it.
  operation_preferences {
    max_concurrent_percentage = 50
    region_concurrency_type   = "PARALLEL"
  }
}

Bart Coddens

but it does not scale over 1 deployment

Bart Coddens

anyone knows how to do this ?

Release notes from terraform
11:33:35 AM

v1.9.2 1.9.2 (July 10, 2024) BUG FIXES:

core: Fix panic when self-referencing direct instances from count and for_each meta attributes. (#35432)

Fix missing validation for count and for-each meta-arguments by liamcervante · Pull Request #35432 · hashicorp/terraform

This PR fixes a crash that occurs when self-referencing direct instances from the count and for_each meta arguments. The same behaviour was also happening within the import blocks. These have been …

2024-07-11

Release notes from terraform
10:03:35 AM

v1.9.1 1.9.1 (July 3, 2024) UPGRADE NOTES:

Library used by Terraform (hashicorp/go-getter) for installing/updating modules was upgraded from v1.7.4 to v1.7.5. This addresses CVE-2024-6257. This change may have a negative effect on performance of terraform init or terraform get in case of larger git repositories. Please do file an issue if you find the performance difference noticeable.

Michael

Anyone utilizing Hashicorp Sentinel for Policy-as-Code in your pipelines? We’ve been thinking about different ways to incorporate policies into pipelines to make approval processes smoother for infra provisioning and curious if anyone had any recommendations

2024-07-12

2024-07-17

Release notes from terraform
09:43:31 AM

v1.10.0-alpha20240717 1.10.0-alpha20240717 (July 17, 2024) EXPERIMENTS: Experiments are only enabled in alpha releases of Terraform CLI. The following features are not yet available in stable releases.

ephemeral_values: This language experiment introduces a new special kind of value which Terraform allows to change between the plan phase and the apply phase, and between plan/apply rounds….

Terraform Settings - Configuration Language | Terraform | HashiCorp Developer

The terraform block allows you to configure Terraform behavior, including the Terraform version, backend, integration with HCP Terraform, and required providers.

andrew_pintxo

Hello, can anybody please point me to a simple workable solution for implementing a maintenance page for a Beanstalk application behind an ALB. Thank you

Erik Osterman (Cloud Posse)

Depends a little bit on your requirements

Erik Osterman (Cloud Posse)

One option is using route53 health checks and failing over to another service which could be your maintenance page

andrew_pintxo

Among the requirements is the possibility for devs to turn maintenance mode on and off

Erik Osterman (Cloud Posse)

It depends though at what level. e.g. if you want to work on the load balancer, it needs to be at a higher level.

2024-07-18

george.m.sedky

Heyoo, it’s me again. I just published this comparing 5 LLMs on specific Terraform code generation tasks (and of course included ourselves at the end)

We’re trying to figure out how to improve IaC workflows in general; code generation alone is not enough, as you all know writing Terraform is not the worst part.

I really appreciate your feedback, or if you’d like to share more edge-cases where an LLM screwed up so we could add to the benchmark we’re working on

https://youtu.be/9lQftToWifk?si=4WzEYjscenf_rIfq

george.m.sedky

thanks @Erik Osterman (Cloud Posse) we keep experimenting and pushing the DX to be 10x better than a code editor, I’m betting that an IDE plugin is a piece of the puzzle but so much more is needed. I’ll post more on that as things come up.

2024-07-21

Mehak

Hi Everyone, Any idea what is the api rate limit for terrasnek cancel run or discard run APIs?