#terraform (2024-12)
Discussions related to Terraform or Terraform Modules
Archive: https://archive.sweetops.com/terraform/
2024-12-01
Not sure which channel to post this. If this isn’t correct spot, just let me know and I’ll move it.
When disabling a transit gateway by setting enabled: false in hub.yaml and spoke.yaml - if the tgw already exists, we’re seeing the following error:
│ Error: stack name pattern '{tenant}-{environment}-{stage}' includes '{environment}', but environment is not provided
│
│ with module.vpc["plat--dev-vpc"].data.utils_component_config.config[0],
│ on .terraform/modules/vpc/modules/remote-state/main.tf line 1, in data "utils_component_config" "config":
│ 1: data "utils_component_config" "config" {
If we trace this back to components/terraform/tgw/[hub/spoke]/.terraform/modules/vpc/modules/remote-state/main.tf
Then to [context-always.tf](http://context-always.tf)
module "always" {
source = "cloudposse/label/null"
version = "0.25.0" # requires Terraform >= 0.13.0
enabled = true
namespace = var.namespace
tenant = var.tenant
environment = var.environment
stage = var.stage
name = var.name
delimiter = var.delimiter
attributes = var.attributes
tags = var.tags
additional_tag_map = var.additional_tag_map
label_order = var.label_order
regex_replace_chars = var.regex_replace_chars
id_length_limit = var.id_length_limit
label_key_case = var.label_key_case
label_value_case = var.label_value_case
descriptor_formats = var.descriptor_formats
labels_as_tags = var.labels_as_tags
context = var.context
}
var.environment is not defined. However this is nested deep into CP terraform. Have you all seen this issue in the past?
I believe this is a bug with the component and with the remote-state call in particular: https://github.com/cloudposse-terraform-components/aws-tgw-spoke/blob/main/src/remote-state.tf#L12-L19
This module is missing enabled handling. When not enabled, we don’t care about the remote reference, so we can bypass it like this:
https://github.com/cloudposse-terraform-components/aws-eks-cluster/blob/main/src/remote-state.tf#L19
2024-12-02
2024-12-03
2024-12-04
v1.10.1 1.10.1 (December 4, 2024) BUG FIXES:
cli: Complex variables values set via environment variables were parsed incorrectly during apply (#36121) config: templatefile would panic if given and entirely unknown map of variables (<a href=”https://github.com/hashicorp/terraform/issues/36118” data-hovercard-type=”pull_request”…
Hey all! Looking for some suggestions on upgrading Terraform modules, more specifically the CloudPosse AWS RDS Cluster module. I’m currently using 1.12.0, which is good and all.
I’d like to upgrade to 1.14.0 which has a bug fix in an output that I’d like to utilize. BUT a PR merged for 1.13.0 is causing the DB instance to recreate due to the way the attribute is defined (even if the end result value isn’t changing). See that PR here. What’s the best way to go on about this without recreating the DB? (we all know that recreating a database is a PITA). hopefully wouldn’t have to maintain a fork either
See the related conversation here https://sweetops.slack.com/archives/CUJPCP1K6/p1733335296282389?thread_ts=1731100868.609129&cid=CUJPCP1K6
cc @Andriy Knysh (Cloud Posse) since he was the approver on #236 + likely has opinions here.
Personally, I’m not sure there is an easy way to make that new set of keepers not trigger a rebuild of that random_pet resource and therefore cause a rebuild of the cluster…
Now is that a breaking change… Probably?
@Jeremy G (Cloud Posse)
@Yangci Ou This is a complicated issue and will take significant time to resolve, if it can be resolved at all. My best guess is a solution will involve some kind of hack.
All of which is to say, please be patient, and stick with v1.12.0 for now.
cross reference to other thread https://sweetops.slack.com/archives/CUJPCP1K6/p1733518995283919?thread_ts=1731100868.609129&cid=CUJPCP1K6
This message was deleted.
2024-12-05
If you are using the default terraform installation in GitHub actions then this update will affect you. Basically, terraform is being removed from the ubuntu-latest image…
A better approach to using the default version is using the hashicorp/setup-terraform action and pinning to a specific version:
@Erik Osterman (Cloud Posse) @Igor Rodionov any action item here?
@managedkaos @Gabriela Campana (Cloud Posse) @Erik Osterman (Cloud Posse) I think no. We already install Terraform explicitly with the action
Thanks for the info. My “you” statement in the original post was more of a PSA than a call out to the Cloud Posse team
But i do appreciate the follow up!
12024-12-06
2024-12-09
Hi there! Anybody had an error like this one? When I add a new context value (‘environment’ in my particular case) to an existing stack and try to deploy, I get: … template: … executing … at <.environment>: map has no entry for key “environment
Is this an atmos question?
This is a relatively small change that shouldn’t break existing functionality. Is this PR okay? (Also, is this the right place to ask about it?) https://github.com/cloudposse/terraform-aws-dynamic-subnets/pull/217
@Jeremy G (Cloud Posse)
@John Seekins For future reference, requests like this should go in #pr-reviews, as this channel is for more general Terraform questions, but we can keep this particular thread here.
This is an unusual use case, as evidenced by no one asking for it before now, even though IPv6 support was added over 2 years ago. As such, I’m hesitant to add these variables, as they can cause confusion. We already had a “master switch” in ipv6_enabled, and now we are adding suppression switches to limit it. @Michael is correct that the Cloud Posse standard is for feature flags to end with _enabled, but whether we use enabled or disabled, it is still confusing to me that you have the private and public features that have no effect unless the master feature is enabled.
I know the proposal I’m about to make is more obscure and a bit trickier to implement, but in some ways I prefer that for such a rare use case.
How about we do not add any new variables, but instead leverage the ipv6_cidrs object, adding optional private_enabled and public_enabled booleans defaulting to true? We can do the same for ipv4_cidrs and maintain feature parity between IPv4 and IPv6.
It’s true that we are still adding 2 (or 4) boolean suppression flags, but by keeping them somewhat buried, I think we make it easier for people to ignore them and not worry about them or expect too much from them.
I see what you’re asking, and that does make sense. My only pushback would be that if people ignore these new variables, the current behavior doesn’t change.
Why is that pushback?
Well…I’m just saying that we could leave these variables as-is and no one would notice the change unless they read the updated docs.
I’m not understanding your concern. My concern is that the module is already complex, and people using the module for the first time seeing:
• ipv6_enabled
• private_ipv6_enabled
• public_ipv6_enabled will be confused about the interaction among them, and wonder why there are no corresponding IPv4 flags.
Ah. Fair. I was thinking mostly about existing users.
Okay. I’ll see if I can add some settings inside the cidr objects.
Thanks for the feedback!
2024-12-10
2024-12-11
v1.11.0-alpha20241211 1.11.0-alpha20241211 (December 11, 2024) ENHANCEMENTS:
init: Provider installation will utilise credentials configured in a .netrc file for the download and shasum URLs returned by provider registries. (https://github.com/hashicorp/terraform/pull/35843)
EXPERIMENTS: Experiments are only enabled in alpha releases of Terraform CLI. The following features are not yet available in stable releases.
terraform…
v1.10.2 1.10.2 (December 11, 2024) BUG FIXES:
cli: variables in an auto-loaded tfvars file which were overridden during plan incorrectly show as changed during apply [<a class=”issue-link js-issue-link” data-error-text=”Failed to load title” data-id=”2727752663” data-permission-text=”Title is private” data-url=”https://github.com/hashicorp/terraform/issues/36180” data-hovercard-type=”pull_request” data-hovercard-url=”/hashicorp/terraform/pull/36180/hovercard”…
Has anyone used Nginx as an API proxy with some mechanism to update the config to ingest OpenApi Docs? I saw this https://gist.github.com/nginx-gists/37ce65292a06219ff8d35d293c05e0b5#file-oas2nginx-sh I the related article https://www.f5.com/company/blog/nginx/deploying-nginx-plus-as-an-api-gateway-part-1 and is all very manual ( and yes, no nginx plus or NGXSaas) ( I will be deploying with Terraform)
Terraform is for deploying infrastructure, not configuring nginx. All this is doable using Ansible . You do anything that’s automatable with Ansible. Or Saltstack or Puppet……. etc
2024-12-12
2024-12-13
What are ppl using to get existing infrastructure into terraform? My team has inherited a couple of click-ops accounts and looking for the least painful way to get this work done. I’m aware of the import command and terraformer, but haven’t used the latter yet. There’s no standardized tagging right now, but I was planning on using terraformer’s import by tag feature after tagging the resources that I want to include, move the generated files to a module and use import blocks to import/reconcile the state
in the trenches
only gotta do it once. grin and bear it
Yeah, just a bunch of busy work honestly
takes longer to try and find some magic tool than to just get it done
I bet and it’s not gonna adhere to our standards… tagging, organization, etc
exactly
Curious about this also.
This thread reminded me of this tool https://github.com/GoogleCloudPlatform/terraformer
But I haven’t personally used it before
Ok first crack at this and I was able to generate the resource code by first creating the import blocks of what I wanted to track, then used the terraform binary’s “generate-config-out” flag to specify where I wanted the resources to land in the workspace. Doing an apply brought the state up to date, then did a move block to move the resource into a newly created module. It wouldn’t let me import directly into the module. More to come, but probably in blog form
Hey @Joe Perez we import your entire Cloud and convert it into Terraform. Like Terraformer but we have implemented it from scratch as Terraformer doesn’t work well with the new plugin versions and provider versions www.opslycloud.com
2024-12-14
2024-12-17
Thumbs up please! https://github.com/grafana/terraform-provider-grafana/issues/1965
2024-12-18
v1.11.0-alpha20241218 1.11.0-alpha20241218 (December 18, 2024) ENHANCEMENTS:
init: Provider installation will utilise credentials configured in a .netrc file for the download and shasum URLs returned by provider registries. (https://github.com/hashicorp/terraform/pull/35843) New command modules -json: Displays a full list of all installed modules in a working directory, including whether each module is currently referenced by…
2024-12-23
I’ve released tfmv, a CLI to refactor Terraform resource names. It renames Terraform resources, fixes their references, and creates moved blocks. For instance, to replace hyphens (-) with underscores (_), you can run:
tfmv -r '-/_'
For more details, please check out the blog post and the repository: https://dev.to/suzukishunsuke/refactor-terraform-resource-names-by-one-command-4amh
Any chance you would also allow local state file manipulation?
I ran into an issue the other day where i needed to convert workspaces into a non workspace state so i needed to download 2 different states, dump all the resources names of each one to move it to a different address e.g. move from * (root) to module.green.*.
Your utility like it might be able to help if there’s a way to target a state file.
Very cool tool btw, good work
Maybe tfmigrator is what you want.
• CLI: https://github.com/tfmigrator/cli?tab=readme-ov-file
• Go library: https://github.com/tfmigrator/tfmigrator
I archived these repositories as I have no plan to use them in near future, but I guess they still work.
I developed tfmigrator before Terraform supported moved blocks.
tfmigrator runs commands such as terraform state mv and terraform state rm instead of creating moved blocks.
Oh very nice. But since they are archived, for the problem case that i described, isn’t it possible to accomplish the same with move blocks?
Exactly.
Does moved block support moving resources across states?
I don’t believe so :(
State manipulation from workspace to workspace doesn’t seem possible
However if i could create moved blocks on a copied state then i could move resources from root * to module.example.* easily
Is it possible to generate move blocks using your tool to generate those?
Sorry. I don’t understand the meaning. As README shows, tfmv can edit resource names and create moved blocks like this.
-resource "github_repository" "example-1" {
+resource "github_repository" "example_1" {
name = "example-1"
}
data "github_branch" "example" {
- repository = github_repository.example-1.name
+ repository = github_repository.example_1.name
branch = "example"
}
moved {
from = github_repository.example-1
to = github_repository.example_1
}
create moved blocks on a copied state What does it mean?
Sorry maybe im not explaining right.
Can you move say all the resources from the parent root address to a module.xyz address using your tool to generate the moved blocks ?
No. For now tfmv supports renaming only resource names, meaning x.y => x.z or module.x => module.y .
tfmv modifies *.tf, but if we move resouces from the parent root address to a module.xyz address, how should tfmv modify *.tf?
That would be tricky. I was thinking perhaps for that use case the tool could skip modifying existing resources ? Or maybe it’s the wrong tool for the job ? Idk. Im trying to avoid doing it by hand lol
I have already accepted that i need to manually create a module
I see. Thank you for your feedback. Indeed, sometimes we want to move resources across modules (a.b => module.c.a.d). So I’ll consider creating only moved blocks in that case.