I am struggling to find a way to include all load balancers with certain tag value's (e.g. Shield protection = ON) in an aws account.
Currently i have a map of arn's in a variable and running a for loop. This method work's but not in an efficient way; since every time I have to add the ARN of a new Load balancer manually.
resource "aws_shield_protection" "this" {
for_each = var.listofarn
name = "shield protection".each.key
resource_arn = each.key
}
variable listofarn {
type = map(string)
default = {
appx_alb="arn::xxxxx"
appy_alb="arn:yyyyy"
}
}
Is there a way to use data resource "aws_lb".
thanks.
Using data source wouldn't help much. aws_lb data source can only return one alb. You can't use it to get information about all your ALBs. You would have to run the aws_lb data source in a for_loop with tags or some ALB id.
But you could overcome your issue through development of an external data source. Since its a fully custom data source, it can return information about all your ALBs in the form you want.
Related
I'm trying to extend a module that wraps AWS Secrets Manager. Currently it doesn't support replication and I'm trying to add it. I'm using terraform 0.14.
Here's the variable I've added:
variable "replica_regions" {
type = list(string)
description = "A List of Regions"
default = []
}
And here's what I've added inside the "aws_secretsmanager_secret" resource:
dynamic "replica" {
for_each = var.replica_regions
content {
region = replica.value
}
}
This appears to work in that when I add regions it starts to replicate the secret to those regions. And when I remove regions from the list it stops replicating them there. The only issue is when I try to go from 1 region to zero regions, it doesn't seem to do anything and the secret is still be replicated. This happens when I remove replica_regions from the invocation and when I explicitly set it to [].
Any thoughts on why this is?
It is a bug of terraform-provider-aws. If the bug is fixed, it is expected that secret replication will be deleted when variable is in [] state.
This issue should be resolved.
when reading open-source terraform module chgangaraju/terraform-aws-cloudfront-s3-website, I found they use count in Data source. But I didn't find any document about count.
what does it mean in this place?
data "aws_acm_certificate" "acm_cert" {
count = var.use_default_domain ? 0 : 1
domain = coalesce(var.acm_certificate_domain, "*.${var.hosted_zone}")
provider = aws.aws_cloudfront
//CloudFront uses certificates from US-EAST-1 region only
statuses = [
"ISSUED",
]
}
It means same as for resource. The pattern uses that you have is an Conditional Expression:
count = var.use_default_domain ? 0 : 1
The expression with count are often used for optional resources or data sources. Specifically, in your case, if you set use_default_domain to false, the CloudFront distro created in this TF script will be created with your own, custom domain and SSL certificate. For this to happen, the data source acm_cert will fetch information about SSL certificate from ACM for your acm_certificate_domain.
In contrast, when use_default_domain is true, you are going to use default domain and SSL certificate from CloudFront. For that you don't need to have any SSL certificate in ACM. Subsequently, TF will not fetch it.
Technically, if use_default_domain is true, then count is 0 and the data "aws_acm_certificate" "acm_cert" is not executed. But, if count is 1 (when use_default_domain is false), the data source will run and try to fetch information about your custom SSL certificate.
A data source is a query, which is used for getting data from the outside world and making it available to your Terraform configuration
terraform example code
provider "aws" {
region = "us-west-2"
}
data "aws_ami" "example" {
count = 2 // look at this line!
most_recent = true
owners = ["self"]
}
output "amis" {
value = "${data.aws_ami.example.*.id}"
}
when you specify the count in the data source block, it's similar to SQL limit. This can be thought of as equivalent to the following SQL query:
select * from data_source
where owners in ('self')
order by most_recent desc
limit 2; /** <= look at this line! **/
Response
The data source returns two records and sends them to the output.
You will see the following results in your terminal.
amis = [
"ami-0345c0186ced78ce6",
"ami-0345c0186ced78ce6",
]
Terraform Documentation: Multiple Resource Instances
Data resources support count and for_each meta-arguments as defined for managed resources, with the same syntax and behavior.
As with managed resources, when count or for_each is present it is important to distinguish the resource itself from the multiple resource instances it creates. Each instance will separately read from its data source with its own variant of the constraint arguments, producing an indexed result.
Related Question
How can I output a data source that uses count?
I have used Terragrunt to orchestrate the creation of a non-default AWS VPC.
I've got S3/DynamoDB state mgmt, and the VPC code is a module. I have the 'VPC environment' terraform.tfvars code checked into a second repo as per the terragrunt README.md.
I created a second module which will eventually create hosts in this VPC but for now just aims to output its ID. I have created a separate 'hosts environment' / terraform.tfvars for the instantiation of this module.
I run terragrunt apply in the VPC environment directory - VPC created
I run terragrunt apply a second time in the hosts environment directory - output directive doesn't work (no error, but incorrect, see below).
This is a precursor to one day running a terragrunt apply-all in the parent directory of the VPC/hosts environment directories; my reading of the docs suggest using a terraform_remote_state data source to expose the VPC ID, so I specified access like this in the data.tf file of the hosts module:
data "terraform_remote_state" "vpc" {
backend = "s3"
config {
bucket = "myBucket"
key = "keyToMy/vpcEnvironment.tfstate"
region = "stateRegion"
}
}
Then, in the hosts module outputs.tf, I specified an output to check assignment:
output "mon_vpc" {
value = "${data.terraform_remote_state.vpc.id}"
}
When I run (2) above, it exits with:
Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
Outputs:
mon_vpc = 2018-06-02 23:14:42.958848954 +0000 UTC
Questions:
I'm going wrong setting up the code so that the hosts environment is configured to correctly acquire the VPC ID from the already-existing VPC (terraform state file) - any advice on what to change here would be appreciated.
It does look like I've managed to acquire the date of when the VPC was created rather than its ID, which given the code is perplexing - anyone know why?
I'm not using community modules - all hand rolled.
EDIT: In response to Brandon Miller, here is a bit more. In my VPC module, I have an outputs.tf containing among other outputs:
output "aws_vpc.mv.id-op" {
value = "${aws_vpc.mv.id}"
}
and the vpc.tf contains
resource "aws_vpc" "mv" {
cidr_block = "${var.vpcCidr}"
enable_dns_support = true
enable_dns_hostnames = true
tags = {
Name = "mv-vpc-${var.aws_region}"
}
}
As this cfg results in a vpc being created, and as most of the parameters are <computed>, I assumed state would contain sufficient data for other modules to refer to by consulting state (I assumed at first that terraform used the AWS API for this under the bonnet, rather than consulting a different state key).
EDIT 2: Read all of #brendan-miller's answer and following comments first.
Use of periods causes a problem as it confuses terraform (see Brendan's answer for the specification format below):
Error: output 'mon_vpc': unknown resource 'data.aws_vpc.mv-ds' referenced in variable data.aws_vpc.mv-ds.vpc.id
You named your output aws_vpc.mv.id-op but when you retrieve it you are retrieving just id. You could try
data.terraform_remote_state.vpc.aws_vpc.mv.id
but im not sure if Terraform will complain about the additional .. However the format should always be
data.terraform_remote_state.<name of the remote state module>.<name of the output>
You mentioned wanting to be able to get this info with the AWS API. That is also possible by using the aws_vpc data source. Their example uses id, but you can also use any tag you used on your vpc.
Like this:
data "aws_vpc" "default" {
filter {
name = "tag:Name"
values = ["example-vpc-name"]
}
}
Then you can use this for the id
${data.aws_vpc.default.id}
In addition this retrieves all tags set, for example:
${data.aws_vpc.default.tags.Name}
And the cidr block
${data.aws_vpc.default.cidr_block}
As well as some other info. This can be very useful for storing and retrieving things about your VPC.
The Terraform Data Sources documentation tells me what a data source is, but I do not quite understand it. Can somebody give me a use case of data source? What is the difference between it and configuring something using variables?
Data sources can be used for a number of reasons; but their goal is to do something and then give you data.
Let's take the example from their documentation:
# Find the latest available AMI that is tagged with Component = web
data "aws_ami" "web" {
filter {
name = "state"
values = ["available"]
}
filter {
name = "tag:Component"
values = ["web"]
}
most_recent = true
}
This uses the aws_ami data source - this is different than a resource! It will instead just give you information, and not create anything. This example in particular will call out to the describe-images AWS API call, pass in a few --filter options as specified, and return an object that you can get information from - take a look at these attributes!
name
owner_id
description
image_id
... The list goes on. This is really useful if I were, let's say - always wanting to pull the latest AMI matching some tags, and keep a launch configuration up to date with it. I could use this data provider rather than always have to update a variable or hard-code the ID.
Data source can be used for other reasons as well; one of my favorites is the template provider.
Good luck!
Data sources provide information about entities that are not managed by the current Terraform configuration.
This may include:
Configuration data from Consul
Information about the state of manually-configured infrastructure components
In other words, data sources are read-only views into the state of pre-existing components external to our configuration.
Once you have defined a data source, you can use the data elsewhere in your Terraform configuration.
For example, let's suppose we want to create a Terraform configuration for a new AWS EC2 instance. We want to use an AMI image which were created and uploaded by a Jenkins job using the AWS CLI, and not managed by Terraform. As part of the configuration for our Jenkins job, this AMI image will always have a name with the prefix app-.
In this case, we can use the aws_ami data source to obtain information about the most recent AMI image that has the name prefix app-.
data "aws_ami" "app_ami" {
most_recent = true
filter {
name = "name"
values = ["app-*"]
}
}
Data sources export attributes, just like resources do. We can interpolate these attributes using the syntax data.TYPE.NAME.ATTR. In our example, we can interpolate the value of the AMI ID as data.aws_ami.app_ami.id, and pass it as the ami argument for our aws_instance resource.
resource "aws_instance" "app" {
ami = "${data.aws_ami.app_ami.id}"
instance_type = "t2.micro"
}
Data sources are most powerful when retrieving information about dynamic entities - those whose properties change value often. For example, the next time Terraform fetches data for our aws_ami data source, the value of the exported attributes may be different (we might have built and pushed a new AMI).
Variables are used for static values, those that rarely changes, such as your access and secret keys, or a standard list of sudoers for your servers.
Good examples up there!
The main difference between Terraform data source, resource and variable is :
Resource: Provisioning of resources/infra on our platform. Create, Update and delete!
Variable Provides predefined values as variables on our IAC. Used by resource for provisioning.
Data Source: Fetch values from our infra/provider and and provides data for our resource to provision infra/resource.
Examples are well explained above :)
Data sources are used to fetch the data from the provider end, so that It can be used as configuration in .tf files, Instead of hardcoding it. Example: Below code fetches the AWS AMI ID and uses it to launch AWS instance.
data "aws_ami" "std_ami" {
most_recent = true
owners = ["amazon"]
filter {
name = "root-device-type"
values = ["ebs"]
}
filter {
name = "virtualization-type"
values = ["hvm"]
}
}
resource "aws_instance" "myec2" {
ami = data.aws_ami.std_ami.id
instance_type = "t2.micro"
}
I have a module with in my terraform file that created some Database servers that does a few things.
First, it creates an auto scaling group to use a specific image, then it creates some EBS volumes and attaches them and then adds some lambda code so on launch the instances get registered to route 53. So in all about 80 lines of text.
Extract
module "systemt-sql-db01" {
source = "localmodules/tf-aws-asg"
name = "${var.envname}-sys-db01"
envname = "${var.envname}"
service = "dbpx"
ami_id = "${data.aws_ami.app_sqlproxy.id}"
user_data = "${data.template_cloudinit_config.config-enforcement-sqlproxy.rendered}"
#subnets = ["${module.subnets-enforcement.web_private_subnets}"]
subnets = ["${element(module.subnets-enforcement.web_private_subnets, 1)}"]
security_groups = ["${aws_security_group.unfiltered-egress-sg.id}", "${aws_security_group.sysopssg.id}", "${aws_security_group.system-sqlproxy.id}"]
key_name = "${var.keypair}"
load_balancers = ["${var.envname}-enf-dbpx-int-elb"]
iam_instance_profile = "${module.iam_profile_generic.profile_arn}"
instance_type = "${var.enforcement_instancesize_dbpx}"
min = 0
max = 0
}
And I then have two parameter files one that I call when launching to pre production and one called when launching to production. I don't want these to contain anything other than variables.
The problem is that for production I need to call the module twice, but for production I need it called three times.
People talk about a count function for modules but I don't think this is possible as yet. Can anyone suggest any other ways to do this? What I would like is to be able in my parameter file to set a list variable of all the DB ASG names, and then loop through this calling the module each time.
I hope that makes sense?
thank you
EDIT Looping in modules is in beta for Terraform 0.13 (https://discuss.hashicorp.com/t/terraform-0-13-beta-released/9555).
This is a highly requested feature in Terraform and as mentioned it is not yet supported. Later releases of Terraform v0.12 will introduce this feature (https://www.hashicorp.com/blog/hashicorp-terraform-0-12-preview-for-and-for-each).
I had a similar problem where I had to create multiple KMS keys for multiple accounts from a base KMS module. I ended up creating a second module that uses the core KMS module, this second module had many instances of the core module, but only required me to input the account details once.
This is still not ideal, but it worked well enough without over complicating things.