Channel: Terraform - HashiCorp Discuss

-target warning seems inappropriate

@Doug-North wrote:

concerning the following warning:

Warning: Applied changes may be incomplete

The plan was created with the -target option in effect, so some changes
requested in the configuration may have been ignored and the output values may
not be fully updated. Run the following command to verify that no other
changes are pending:
    terraform plan

Note that the -target option is not suitable for routine use, and is provided
only for exceptional situations such as recovering from errors or mistakes, or
when Terraform specifically suggests to use it as part of an error message.

If you are applying changes to a production environment and want to assure no changes other than the ones relevant to a certain module (say an ecs service you are interested in) occur, target is completely appropriate to use.

For us, modules may not be perfect; an example could be not ignoring changes made dynamically by AWS (desired count for asg’s).

Of course it would be preferable to terraform plan and have the entire environment reflected by your terraform files, but if you are using the -target flag, it is quite likely you are aware of what you are doing and the result of doing it.

Not to mention the time saved by targeting what you are interested in, shaving minutes off the alternative.

My two cents,
Cheers,
Doug

Posts: 1

Participants: 1

Read full topic


Templatefile() function doesn't work with AWS IAM

@drmudgett wrote:

I have an IAM terraform module that needs to take a list of ARNs as an input and use templatefile() to modify an IAM template. I’m getting an error because terraform lists add a trailing comma which IAM doesn’t like. Is this a limitation of the templatefile() function? If not, how can I use this function with an IAM template?

The error that I am getting is:

Error: "policy" contains an invalid JSON: invalid character ']' looking for beginning of value

  on main.tf line 84, in resource "aws_iam_role_policy" "iam_dynamoDB_policy_rw_list":
  84: resource "aws_iam_role_policy" "iam_dynamoDB_policy_rw_list" {

Here’s the user input:

arn_list = ["arn:aws:dynamodb:*:1234567890:table/taco","arn:aws:dynamodb:*:1234567890:table/taco1","arn:aws:dynamodb:*:1234567890:table/taco2"]

Here’s the relevant portion of the terraform script:

locals {
  arn_fmt         = formatlist("\"%s\",", var.arn_list)
  arn_map         = { arn_list = local.arn_fmt }
}

resource "aws_iam_role_policy" "iam_dynamoDB_policy_rw_list" {
  count  = var.accesstype == "rw_list" ? length(local.role_names) : 0
  name   = "${var.accesstype}-dynamo-${local.policy_name}-${var.aws_region}-${local.aws_account_id}"
  policy = templatefile("${path.module}/files/iam_policy/taco.json.tpl", local.arn_map)
  role   = element(local.role_names, count.index)
}

Here’s the IAM template that I’m trying to modify:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "dynamodb:BatchWriteItem",
                "dynamodb:PutItem",
                "dynamodb:DescribeTable",
                "dynamodb:DeleteItem",
                "dynamodb:UpdateItem"
            ],
            "Resource": [
                %{ for arn in arn_list ~}
                ${arn}
                %{ endfor ~}
            ]
        }
    ]
}

Posts: 1

Participants: 1

Read full topic
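
An added example, not part of the original post or of any HashiCorp code: one way to avoid hand-built commas is to pass the raw list to templatefile() and let jsonencode() render the JSON array, either inside the template or for the whole policy. The variable `role_name`, the policy names and the validation rule are assumptions made for illustration.

```hcl
# Added example, not from the original post.
#
# files/iam_policy/taco.json.tpl: only the "Resource" entry changes.
# jsonencode() emits the complete JSON array, so quoting and comma
# placement are valid for one ARN or many:
#
#             "Resource": ${jsonencode(arn_list)}
#
# main.tf: pass the raw list, with no formatlist() pre-processing.

variable "arn_list" {
  type = list(string)

  # Assumption: requires Terraform 0.13 or later (custom validation).
  # Rejects anything that is not a DynamoDB table ARN, so a stray "*"
  # cannot silently widen the policy.
  validation {
    condition = length([
      for a in var.arn_list : a
      if !can(regex("^arn:aws:dynamodb:[^:]*:[0-9]+:table/.+$", a))
    ]) == 0
    error_message = "Every entry in arn_list must be a DynamoDB table ARN."
  }
}

variable "role_name" { # hypothetical: the role the policy attaches to
  type = string
}

resource "aws_iam_role_policy" "from_template" {
  name = "dynamo-rw-list" # constructed name
  role = var.role_name
  policy = templatefile("${path.module}/files/iam_policy/taco.json.tpl", {
    arn_list = var.arn_list
  })
}

# Alternative without a template file: describe the policy as an HCL
# object and serialise it once, so no JSON is written by hand at all.
resource "aws_iam_role_policy" "inline" {
  name = "dynamo-rw-list-inline" # constructed name
  role = var.role_name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid    = "VisualEditor0"
      Effect = "Allow"
      Action = [
        "dynamodb:BatchWriteItem",
        "dynamodb:PutItem",
        "dynamodb:DescribeTable",
        "dynamodb:DeleteItem",
        "dynamodb:UpdateItem",
      ]
      Resource = var.arn_list
    }]
  })
}
```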

Conditionals with for_each

@cgmo wrote:

Not sure I have the right approach here, but I am trying to craft a conditional statement to a for_each statement to create a set of resources

For example, setting up an ALB I have two variables

create_alb = true
create_https_listener = true

Along with a variable named rule_set defining a map of rule resources

If both of these vars are true, apply a set of aws_lb_listener_rule resources defined in the var.rule_set map to the https_listener.

If create_https_listener = false, apply the same set of rules to a http_listener

If create_alb = false, don’t create any of these resources

I can do a conditional for something like

count = var.create_alb == true ? length(var.rule_set) : 0

But I’m struggling using my map on the multiple inline blocks for the rules (eg action{} & condition {} for forward rules)

Ideally I would not use count, but use for_each to define the number of rules to create

Something like

for_each =

I see examples of using something like

for_each = {
  for key, value in var.rule_set :
  key => lower(value)
  if var.create_alb == true
}

Is there a way to just use the for_each with an if statement? As my map has different data types in it, I can’t use a simple function to do something innocuous

for_each = {var.rule_set: if var.create_alb == true}

I feel like there is something simple I’m just not grasping

Posts: 1

Participants: 1

Read full topic

ASG WeightedCapacity support

Cannot update mutually exclusive arguments

@maarek wrote:

I am working with the azurerm provider and trying to update a Kubernetes resource azurerm_kubernetes_cluster. Two arguments on the resource, the node count and Kubernetes version, can only be updated independently. Is there a way for terraform to accept both of these arguments and update them one after another for the same resource?

{
  "code": "OperationNotAllowed",
  "message": "Updating Kubernetes version and agent node scaling are mutually exclusive operations. Please visit https://aka.ms/aks-pending-upgrade for more details."
}

Posts: 1

Participants: 1

Read full topic

Using each to build expressions referring to non-for_each resources/data

@rvandegrift wrote:

I’ve come up with a hack to use each to refer to resources/data even when the target resources are not built with for_each. But it has an annoying extra step. Is there a better solution?

Here’s my ideal use-case:

locals {
  root_folders = [
    "internal",
    "secure",
  ]
}

resource "google_folder" "root" {
  for_each     = toset(local.root_folders)
  display_name = each.value
  parent       = data.google_organization.my-org.name
}

resource "google_folder_iam_policy" "root" {
  for_each    = google_folder.root
  folder      = each.value.name
  policy_data = local.root_policies[each.key]
  policy_data = data.google_iam_policy[each.key].policy_data # <- problem
}

data "google_iam_policy" "folder_internal" {

}

data "google_iam_policy" "folder_secure" {

}

I can’t get the line marked “problem” to work. Maybe there is some feature I missed?

My hack is to add another local map:

locals {
  root_policies = {
    internal = data.google_iam_policy.folder_internal.policy_data
    secure   = data.google_iam_policy.folder_secure.policy_data
  }
}

And then update “problem” to:

policy_data = local.root_policies[each.key]

But this is not a great solution, since later engineers will need to know to update this intermediate map - which itself doesn’t accomplish anything.

Thanks for any bright ideas!

Posts: 1

Participants: 1

Read full topic

GitHub Actions to deploy Terraform

@samtiku wrote:

I am trying to set up GitHub Actions to execute a terraform template.

My confusion is: how do I provide a *.tfvars file which has AWS credentials? (I can’t check in these files.)

What’s the best practice to share the variable values expected by terraform commands like plan or apply where they need aws_access_key and aws_secret_key?

Here is my GitHub project - [GitHub Project](https://github.com/samtiku/terraform-ec2)

Can anybody help here?

Posts: 3

Participants: 2

Read full topic

Leverage terraform for cross platform provisioning

@gowrishec wrote:

Hi Team,

I have installed Terraform CLI on an AWS instance. As part of a cross-platform provisioning need, I have to test a few templates on Azure as well.

To do this, Terraform is prompting me to install Azure CLI. When I try to install Azure CLI on the AWS server where Terraform CLI is installed, I see the error below:

Error: python-libs conflicts with python-virtualenv-1.10.1-4.el7.noarch
Error: Package: python-devel-2.7.5-58.el7.x86_64 (ultra-centos-7.4-base)
Requires: python(x86-64) = 2.7.5-58.el7
Installed: python-2.7.5-68.el7.x86_64 (installed)
python(x86-64) = 2.7.5-68.el7
Available: python-2.7.5-58.el7.x86_64 (ultra-centos-7.4-base)
python(x86-64) = 2.7.5-58.el7

How can I address this? Can we install Azure CLI on an AWS server to make Terraform work?
OS - CentOS Linux release 7.4.1708 (Core)
Please help.

Posts: 2

Participants: 2

Read full topic


Random_shuffle help

@mr-bob wrote:

Trying to pretty much replicate the TF example for random_shuffle to randomly return a value from a list. The use case is the same, where I want to have a different GCP zone returned for a compute instance.

Error from TF Plan:

Error: Unsupported attribute
on main.tf line 23, in resource "google_compute_instance" "vm_instance":
23:   zone          = "${random_shuffle.gcp-zones.result}"
|----------------
| random_shuffle.gcp-zones is tuple with 3 elements

This value does not have any attributes.

Seems like it is not processing the result_count option in the random_shuffle resource:

        resource "random_shuffle" "gcp-zones" {
          input         = ["northamerica-northeast1-a", "northamerica-northeast1-b", "northamerica-northeast1-c"]
          result_count  = 1
        }

Thanks!

Posts: 2

Participants: 2

Read full topic

Helm provider: Trying to put mimic values in a set command

@WebSpider wrote:

Hi!

I’m trying to mimic the following values file, which works on plain helm, but for some reason using the Helm provider it doesn’t:

nextcloud:
  configs:
    s3.config.php: |- <some literal php string here>
    smtp.config.php: |- <some more php here>

What would be the corresponding way to make this work in ‘set’ blocks?

Thanks!

Posts: 1

Participants: 1

Read full topic

Error: Invalid template interpolation value: Cannot include the given value in a string template: string required

@RuyCury wrote:

Hello everyone.

I am writing a script for creating a kubernetes cluster in oracle cloud.
When I run terraform plan, it returns no errors. But when I run terraform apply, it returns me the error:

Error: Invalid template interpolation value: Cannot include the given value in a string template: string required.

I enabled trace and log file generation to try to identify where the problem is, in trace it returns:

2019/11/21 20:31:15 [TRACE] EvalMaybeTainted: null_resource.k8sworker-ad1 [0] encountered an error during creation, so it is now marked as tainted
2019/11/21 20:31:15 [ERROR] : eval: * terraform.EvalApplyPost, err: 1 error occurred:

    Invalid template interpolation value: Cannot include the given value in a template: string required string.

2019/11/21 20:31:15 [TRACE] EvalMaybeTainted: null_resource.k8sworker-ad1 [1] encountered an error during creation, so it is now marked as tainted
2019/11/21 20:31:15 [ERROR] : eval: * terraform.EvalSequence, err: Invalid template interpolation value: Cannot include the given value in a string template: string required.

I believe the problem is in this part of the code:

resource "null_resource" "k8sworker-ad1" {
  count      = var.k8sWorkerAd1Count
  depends_on = [module.instances-k8sworker-ad1]

  triggers = {
    worker_id       = module.instances-k8sworker-ad1.ids[0][count.index]
    build_source_id = null_resource.build_source.id
  }

  provisioner "local-exec" {
    command = "echo 'alias ${var.label_prefix}workerad1-${count.index}=\"ssh -i ${path.root}/generated/instances_id_rsa opc@${element(module.instances-k8sworker-ad1.public_ips, count.index)}\"' >> source.sh"
  }
}

Terraform Version:

Terraform v0.12.16
+ provider.null v2.1.2
+ provider.oci v3.52.0
+ provider.random v2.2.1
+ provider.template v2.1.2
+ provider.tls v2.1.1

Debug Output:

Please help me solve this problem.

Posts: 1

Participants: 1

Read full topic

For_each to make multiple types of a resource

@grimm26 wrote:

I want to use a variable to control making multiple resources of a different type. For instance, multiple AWS EC2’s or RDS instances. Here’s my test:

locals {
  instances = {
    "t2.large"  = 3
    "t2.medium" = 2
  }
}

output "out" {
  value = [for type, count in local.instances : { for num in range(count) : "${type}_${num}" => type }]
}

This yields:

out = [
  {
    "t2.large_0" = "t2.large"
    "t2.large_1" = "t2.large"
    "t2.large_2" = "t2.large"
  },
  {
    "t2.medium_0" = "t2.medium"
    "t2.medium_1" = "t2.medium"
  },
]

I want to be able to use something like this feeding a for_each for an aws_instance resource but I’m not sure how to have that be a single map/hash for it to work.

Posts: 1

Participants: 1

Read full topic

Azure Public IP output

Provisioner "remote-exec"

@janul wrote:

Hi,
I’m having trouble with the “remote-exec” provisioner. I followed the documentation, but for some reason “host” in the “connection block” is not resolved. After the very first apply I’m getting:

null_resource.testinstance (remote-exec): Connecting to remote host via SSH...
null_resource.testinstance (remote-exec):   Host:
null_resource.testinstance (remote-exec):   User: ubuntu
null_resource.testinstance (remote-exec):   Password: false
null_resource.testinstance (remote-exec):   Private key: true
null_resource.testinstance (remote-exec):   Certificate: false
null_resource.testinstance (remote-exec):   SSH Agent: true
null_resource.testinstance (remote-exec):   Checking Host Key: false

The part of my terraform config looks like:

resource "aws_eip" "ip-test-env" {
  instance = aws_instance.testinstance.id
  vpc      = true
  tags = {
    Name        = "test eip"
    Creator     = var.deployer
    Environment = var.environment
  }
}
resource "aws_instance" "testinstance" {
  ami                    = data.aws_ami.instance_store_ami.id
  instance_type          = "t2.micro"
  vpc_security_group_ids = [aws_security_group.SSH.id, aws_security_group.PING.id]
  tags = {
    Name        = "testinstance"
    Creator     = var.deployer
    Environment = var.environment
  }
  subnet_id = aws_subnet.SUBNET1.id
  key_name  = aws_key_pair.ssh-access-key.id
}
resource "null_resource" "testinstance" {
  depends_on = [aws_eip.ip-test-env, aws_instance.testinstance]
  connection {
    type        = "ssh"
    host        = aws_instance.testinstance.public_ip
    private_key = file(var.private_key)
    user        = var.ansible_user
  }
  provisioner "remote-exec" {
    inline     = ["sudo apt-get -qq install python -y"]
    on_failure = continue
  }
}

Any ideas?

Thanks, Janusz

Posts: 11

Participants: 4

Read full topic


S3 Buckets Policies for multiple buckets using for-each

@Jim420 wrote:

I have to attach a bucket policy to 10+ buckets. Creating 10+ buckets is not a problem, but attaching a policy so that the buckets can only be accessed if someone is accessing from VPC endpoints is a challenge (for me). I am pretty sure that experts like @apparentlymart can do some magic by combining aws_s3_bucket_policy with for_each or for.

Appreciate your help. Thanks!

Creating buckets (not a problem):

variable "s3_bucket_name" {
  type    = "list"
  default = ["Test_1","Test_2","Test_3"]
}

resource "aws_s3_bucket" "b" {
  count         = "${length(var.s3_bucket_name)}"
  bucket        = "${var.s3_bucket_name[count.index]}"
  acl           = "private"
  force_destroy = "true"
}

But how do I attach the policy dynamically. It will be dumb if I have to type the bucket policy 10+ times. Here is what I am showing for two buckets

# Policy for the first bucket. aws_s3_bucket.b uses count, so it must be indexed.
resource "aws_s3_bucket_policy" "p1" {
  bucket = "${aws_s3_bucket.b[0].id}"

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Id": "MYBUCKETPOLICY",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::Test_1",
      "Condition": {
         "IpAddress": {"aws:SourceIp": "8.8.8.8/32"}
      }
    }
  ]
}
POLICY
}

# Policy for the second bucket; identical apart from the index and the ARN.
resource "aws_s3_bucket_policy" "p2" {
  bucket = "${aws_s3_bucket.b[1].id}"

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Id": "MYBUCKETPOLICY",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::Test_2",
      "Condition": {
         "IpAddress": {"aws:SourceIp": "8.8.8.8/32"}
      }
    }
  ]
}
POLICY
}

Posts: 1

Participants: 1

Read full topic
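
An added example, not part of the original post: one bucket policy per bucket generated with for_each, with the policy built by jsonencode() so each bucket's ARN is filled in automatically. The `aws:SourceVpce` condition follows the stated goal of access only through a VPC endpoint (the posted policies use `aws:SourceIp`); the variable `vpc_endpoint_id`, the resource name `vpce_only` and the default bucket names are assumptions.

```hcl
# Added example, not from the original post.
variable "s3_bucket_name" {
  type    = list(string)
  default = ["example-bucket-1", "example-bucket-2"] # constructed names
}

variable "vpc_endpoint_id" { # hypothetical: id of the S3 VPC endpoint
  type = string
}

# Keyed by bucket name rather than by list index, so removing one name
# from the list does not shift the addresses of the remaining buckets.
resource "aws_s3_bucket" "b" {
  for_each      = toset(var.s3_bucket_name)
  bucket        = each.value
  force_destroy = true
}

# Chaining for_each from the bucket resource yields exactly one policy
# per bucket; each.value is the corresponding aws_s3_bucket object.
resource "aws_s3_bucket_policy" "vpce_only" {
  for_each = aws_s3_bucket.b
  bucket   = each.value.id

  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "MYBUCKETPOLICY"
    Statement = [{
      Sid       = "DenyUnlessFromVpce"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      # Both ARNs are needed: the bucket itself (ListBucket and other
      # bucket-level calls) and the objects inside it.
      Resource = [
        each.value.arn,
        "${each.value.arn}/*",
      ]
      Condition = {
        StringNotEquals = {
          "aws:SourceVpce" = var.vpc_endpoint_id
        }
      }
    }]
  })
}

# Caveat: an explicit Deny on s3:* applies to every principal, including
# the identity that runs Terraform and console users. Later plans and
# applies must also reach S3 through the endpoint, or the Deny needs a
# narrower Action list or an exception for the administrative role.
```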

Azure Bastion deployment does not work - Error: Invalid resource type azurerm_bastion_host

@amitanand-ms wrote:

Terraform documentation says we could use it to deploy Bastion

But I am getting an error:

terraform apply
var.prefix
Enter a value: testbast

var.resource_group_name
Enter a value: bt

var.resource_location
Enter a value: eastus

Error: Invalid resource type

on vmwithbastion.tf line 92, in resource "azurerm_bastion_host" "vmbastion":
92: resource "azurerm_bastion_host" "vmbastion" {

It does not appear the request even goes to the Azure side; it fails while running in Terraform itself.

Updated to latest terraform build but no luck.

Posts: 1

Participants: 1

Read full topic

InvalidIPAddress

@aricwilisch wrote:

Just recently added a line to my aws_instance to make it grab the same private IP every time it spins up.

I tainted the instance, then I’m trying to do a targeted plan/apply for the aws_eip_association so it will rebuild the instance and apply the EIP. However whenever I try to apply I get InvalidIPAddress.InUse:

Shouldn’t it destroy the instance before trying to rebuild? Anyone know how to get around this other than doing the instance and eip association separately?

Appreciate the help.

Posts: 2

Participants: 2

Read full topic

Null_resource is always replaced even if triggers don't change

@Tolgor wrote:

Hi,

I’m trying to upload an archive when it changes.

In the configuration below:
The “null_resource.server_build” generates a build.
The “data.archive_file.server_bundle” makes an archive of the build output directory.
The “null_resource.server_bundle_upload” uploads the archive.

My problem is that the “null_resource.server_bundle_upload” is always triggered.

Does anyone have an idea of what’s wrong?

resource null_resource server_build {
  triggers = {
    timestamp = timestamp()
  }

  provisioner local-exec {
    working_dir = "server"
    command     = "node build-server"
  }
}

data archive_file server_bundle {
  depends_on = [
    local_file.server_env,
    null_resource.server_build
  ]

  type        = "zip"
  source_dir  = "${path.module}/../server/build"
  output_path = "${path.module}/${local.serverBundleFileName}"
}

resource null_resource server_bundle_upload {
  triggers = {
    server_bundle_hash = data.archive_file.server_bundle.output_base64sha256
  }

  connection {
    (...)
  }

  provisioner file {
    source      = data.archive_file.server_bundle.output_path
    destination = "/tmp/${local.serverBundleFileName}"
  }

  provisioner remote-exec {
    (...)
  }
}

Posts: 3

Participants: 2

Read full topic

The true and false result expressions must have consistent types. The given expressions are object and tuple, respectively

@FernandoMiguel wrote:

locals {
  customer_env = [
    for key, customer_env in var.customer_env : {
      key          = key
      customer_env = customer_env
    }
  ]
  domain_names = [
    for key, domain_names in var.domain_names : {
      key          = key
      domain_names = domain_names
    }
  ]

  customer_env_x_domain_names = [
    for pair in setproduct(local.customer_env, local.domain_names) : {
      customer_env = local.customer_env[pair[0].key].customer_env
      domain_names = local.domain_names[pair[1].key].domain_names
    }
  ]
}


resource "aws_route53_record" "record" {
  for_each = var.env == "prod" ? {
    for i in local.customer_env_x_domain_names : "${i.customer_env}.${i.domain_names}" => i
  } : []

  zone_id = data.aws_route53_zone.zone[each.value.domain_names].zone_id
  name    = "${each.value.customer_env}-${var.ec2-region-short}.${var.env}.${each.value.domain_names}"
  type    = "A"

  alias {
    name                   = aws_lb.lb[0].dns_name
    zone_id                = aws_lb.lb[0].zone_id
    evaluate_target_health = true
  }
}

Error: Inconsistent conditional result types

  on route53.tf line 123, in resource "aws_route53_record" "record":
 123:   for_each = var.env == "prod" ? {
 124:     for i in local.customer_env_x_domain_names : "${i.customer_env}.${i.domain_names}" => i
 125:   } : []
    |----------------
    | local.customer_env_x_domain_names is tuple with 2 elements
    | var.env is "foo"

The true and false result expressions must have consistent types. The given
expressions are object and tuple, respectively.

Posts: 2

Participants: 2

Read full topic
