Maybe someone could help.
We are creating AWS EKS Cluster on our project using Terraform.
I’m working on security groups. I created two security groups, and one is created by eks itself.
The problem is that this security group is against the company's security policy. I need to change the inbound and outbound rules for this security group. All this needs to be done using Terraform (or maybe there is another workaround), but everything needs to be done automatically.
I was able to get this security group's ID as an output, but no luck when I tried to use this ID to create a rule, and currently I have no idea how I can delete the existing rules.
Sorry, if there is something stupid I have asked, I’m new on this, hope you can give some advice.
I'm doing the same, and my workaround is:
To import the existing SG and then modify it. It's not nice, because your configuration drifts, but maybe somebody has some idea how to use/update the original state file. So:
Deploy the eks (I'm not pasting the code here, but I'm using the default aws module)
prepare another module with a security rule as I wish:
```hcl
# Extra egress rule attached to the security group that EKS created for the cluster
resource "aws_security_group_rule" "egress" {
  type                     = "egress"
  protocol                 = "-1" # all protocols
  from_port                = 0
  to_port                  = 0
  source_security_group_id = data.aws_eks_cluster.delta-cluster.vpc_config[0].cluster_security_group_id
  security_group_id        = data.aws_eks_cluster.delta-cluster.vpc_config[0].cluster_security_group_id
}
```
do a terraform import into another module (notice YOU HAVE TO CHANGE THE APPROPRIATE SG -but just that, the rest is AWS' magic):
```shell
terraform import aws_security_group_rule.egress sg-004582110c1572053_egress_all_0_65535_0.0.0.0/0
terraform apply
```
I'm quite new to Terraform, and struggling with something.
I'm playing around with Redshift for a personal project, and I want to update the inbound security rules for the default security group which is applied to Redshift when it's created.
If I were doing it in the AWS Console, I'd be adding a new inbound rule with Type being All Traffic and Source being Anywhere-IPv4, which adds 0.0.0.0/0.
Below in main.tf I've tried to create a new security group and apply that to Redshift, but I get a VPC-by-Default customers cannot use cluster security groups error.
What is it I'm doing wrong?
```hcl
resource "aws_redshift_cluster" "redshift" {
  cluster_identifier      = "redshift-cluster-pipeline"
  skip_final_snapshot     = true
  master_username         = "awsuser"
  master_password         = var.db_password
  node_type               = "dc2.large"
  cluster_type            = "single-node"
  publicly_accessible     = true
  iam_roles               = [aws_iam_role.redshift_role.arn]
  cluster_security_groups = [aws_redshift_security_group.redshift-sg.name]
}

resource "aws_redshift_security_group" "redshift-sg" {
  name = "redshift-sg"
  ingress {
    cidr = "0.0.0.0/0"
  }
}
```
The documentation for the Terraform resource aws_redshift_security_group states:
"Creates a new Amazon Redshift security group. You use security groups to control access to non-VPC clusters."
The error message you are receiving is clearly stating that you are using the wrong type of security group, and you need to use a VPC security group instead. Once you create the appropriate VPC security group, you would set it in the aws_redshift_cluster resource via the vpc_security_group_ids property.
I had a question about creating a service on AWS ECS using Terraform, and would appreciate any and all feedback, especially since I'm an AWS newbie.
I have several services in the same cluster (each service is a machine learning model). The traffic isn't that high, so I would like the same load balancer to route requests to the different services (based on a request header which specifies the model to use).
I was trying to create the services using Terraform (https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_service) but I'm having a hard time understanding the load_balancer configuration. There is no option to choose the ARN or ID of a specific load balancer, which makes me think that a separate Load Balancer is created for each service - and that sounds expensive :)
Has anyone had any experience with this, who can tell me what is wrong with my reasoning?
Thanks a lot for reading!
Fred, in the link to the documentation you've posted is the answer, let me walk you through it.
Here is how two ECS services can use one Application Load Balancer, graphically:
The below scenario describes the configuration for one of the services, it is analogous for a second one, the only thing you wouldn't need to repeat is the Load Balancer declaration.
You can define the following:
```hcl
# First let's define the Application LB
resource "aws_lb" "unique" {
  name               = "unique-lb"
  internal           = false
  load_balancer_type = "application"
  # ... the rest of the config goes here
}

# Now let's create the target group for service one
resource "aws_lb_target_group" "serviceonetg" {
  name     = "tg-for-service-one"
  port     = 8080 # example value
  protocol = "HTTP"
  # ... the rest of the config goes here (vpc_id, target_type, health_check)
}

# Now create the link between the LB and the Target Group:
# the listener forwards to service one's target group by default
resource "aws_lb_listener" "alb_serviceone_listener" {
  load_balancer_arn = aws_lb.unique.arn # Here is the LB ARN
  port              = 80
  protocol          = "HTTP"
  default_action {
    target_group_arn = aws_lb_target_group.serviceonetg.arn # Here is the TG ARN
    type             = "forward"
  }
}

# A listener rule forwards traffic to service one when the HTTP path is /serviceone
# (conditions belong on a listener rule, not on the listener itself)
resource "aws_lb_listener_rule" "serviceone" {
  listener_arn = aws_lb_listener.alb_serviceone_listener.arn
  priority     = 10
  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.serviceonetg.arn
  }
  condition {
    path_pattern {
      values = ["/serviceone"]
    }
  }
}

# As a last step, you need to link your service with the target group.
resource "aws_ecs_service" "service_one" {
  # ... prior configuration goes here
  load_balancer {
    target_group_arn = aws_lb_target_group.serviceonetg.arn # Here you will link the service with the TG
    container_name   = "myservice1"
    container_port   = 8080
  }
  # ... the rest of the config goes here
}
```
As a side note, I would template the repeating part for the services using data structures, in a way that lets you use count or for_each to describe the Target Group, Listeners and Services only once and let the templating engine do the rest. Basically, follow the DRY principle.
I hope this can help you.
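As an added example (not from the answer above), here is the same pattern keyed on a request header, which is what the question asked for: a map of models drives one target group and one listener rule per service with for_each, and the shared listener returns a fixed 404 when no known X-Model header is present rather than forwarding to an arbitrary default service. Assumed names: var.models, var.vpc_id and aws_lb.shared; the ECS service's load_balancer block is the one shown in the answer, just indexed with each.key.

```hcl
variable "models" {
  type    = map(number) # model name => container port (constructed sample values)
  default = { "fraud-v1" = 8080, "churn-v2" = 8081 }
}

# One target group per model; target_type "ip" matches awsvpc/Fargate tasks
resource "aws_lb_target_group" "model" {
  for_each    = var.models
  name        = "tg-${each.key}"
  port        = each.value
  protocol    = "HTTP"
  vpc_id      = var.vpc_id
  target_type = "ip"
}

# Single listener on the shared ALB (assumed resource aws_lb.shared). Requests
# with a missing or unknown X-Model header get a fixed 404 instead of being
# forwarded to some default service.
resource "aws_lb_listener" "http" {
  load_balancer_arn = aws_lb.shared.arn
  port              = 80
  protocol          = "HTTP"
  default_action {
    type = "fixed-response"
    fixed_response {
      content_type = "text/plain"
      message_body = "unknown model"
      status_code  = "404"
    }
  }
}

# One rule per model, matched on the X-Model request header. Listener rule
# priorities must be unique, so derive them from the sorted key list.
resource "aws_lb_listener_rule" "by_model" {
  for_each     = var.models
  listener_arn = aws_lb_listener.http.arn
  priority     = 100 + index(keys(var.models), each.key)
  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.model[each.key].arn
  }
  condition {
    http_header {
      http_header_name = "X-Model"
      values           = [each.key]
    }
  }
}
```

Because priorities come from the sorted key list, adding a model can renumber and therefore replace existing rules; put explicit priorities in the map if that churn matters. The aws_ecs_service for each model should depend_on the listener rule, since ECS refuses to register with a target group that is not yet attached to a load balancer.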
I'm new to Terraform. When I run terraform apply, I get this error:
```text
Error: Error creating Security Group: InvalidGroup.Duplicate: The security group 'xxxxxxx' already exists for VPC 'vpc-xxxxxx'
status code: 400
```
The script for this part looks like this:
```hcl
resource "aws_security_group" "xxxxx_security_group" {
  name   = "xxxxx-security-group-xxxx"
  vpc_id = xxxxxxxxxxxxx
  egress {
    from_port   = x
    protocol    = x
    to_port     = x
    cidr_blocks = ["x.x.x.x/x"]
  }
}
```
Can someone give me some hints? Spent like almost an hour now, still no clue....
It looks like you created the security group in the console already (or with the CLI), so trying to create the security group again in terraform is causing an error because the name already exists.
To fix this, go into the AWS console and look for the security group with the name you're trying to make. Find its ID value, which will look like sg-xxxxxxxxxxxx.
Then in your terminal, import that resource into your terraform state by running:
```shell
terraform import aws_security_group.xxxxx_security_group sg-xxxxxxxxxxx
```
After this, you can run terraform plan or terraform apply and everything should work, because terraform's state knows about the existing resource.
I recently created some new resources with terraform .70 and right after running the apply I run terraform plan again and it says this needs to happen but I haven't made any changes to my main.tf file:
```text
security_groups.#: "0" => "1" (forces new resource)
security_groups.2319596366: "" => "sg-8a7679ec" (forces new resource)
```
I ran terraform apply again (on a test instance) just to see what it would do and it terminates my original AWS ec2 instance server and creates a new one (good thing I didn't do this in production)...
Is this a bug or am I doing something wrong?
The behaviour of the security_groups attribute (intended for use with non-vpc, classic EC2 security groups) was changed in version 0.6.15, it no longer works properly when used with VPC security groups. You likely need to use the vpc_security_group_ids attribute instead.
Google groups discussion: https://groups.google.com/forum/#!msg/terraform-tool/8UeGuk1PM14/GyE21Dx8EgAJ
Github issue: https://github.com/hashicorp/terraform/issues/6416
Looks like .70 fixed a bug with security groups and now I have to specify security groups with vpc_security_group_ids. I replaced security_groups with vpc_security_group_ids and it is not showing any changes are needed now.
Trying to learn to use Terraform (v 0.3.7) with Amazon Web Services.
When I create a VPC using Terraform via the following:
```hcl
resource "aws_vpc" "test-vpc" {
  cidr_block           = "${var.vpc_cidr}"
  enable_dns_hostnames = true
  tags {
    Name = "test-vpc"
  }
}
```
The VPC will have a main routing table and a "default" security group automatically created (I assume by AWS, rather than Terraform); these can be identified by the attributes on the created VPC: main_route_table_id and default_security_group_id.
While following this tutorial it talks about creating your own default security group and routing table - it makes no mention of the default ones that will get created (even if you create your own routing table, the "main" one created by default will just remain sitting there, associated with no subnets or anything).
Shouldn't we be using the default resources that are created with a VPC? Especially the routing table: will there be any effects from not using the "main" routing table?
And if I should be using the default resources, how do I do that with Terraform?
I couldn't see anything in the Terraform documentation about these default resources, and if I try to override them (for example, by telling Terraform to create a security group with the name default), I get errors.
AWS creates these default routing tables and security groups. If you don't use them (I know we don't), they are fine to delete.
Terraform throws errors if you ask it to create the default security group, probably because the group is already there, or maybe this security group name is reserved.
You can create one new resource "aws_security_group" ( https://terraform.io/docs/providers/aws/r/security_group.html ) and have a dependency listed on the resource with
```hcl
depends_on = ["aws_instance.instance-name-from-resource"]
```
for the instance; thus the security group will be created first, and then you assign the security groups to the instance with "security_groups".
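As an added example (not from the answer above, and written in Terraform 0.12+ syntax), this is how to have Terraform adopt the two default resources the question asks about instead of leaving them unmanaged next to your own. It assumes the aws_vpc.test-vpc resource from the question; the tag values are constructed.

```hcl
# Adopt the VPC's automatically created default security group. AWS will not
# let you delete it, but with no ingress/egress blocks here Terraform removes
# every rule on adoption, so anything accidentally launched into it gets no
# network access and the plan shows any rule added later out of band.
resource "aws_default_security_group" "default" {
  vpc_id = aws_vpc.test-vpc.id

  tags = {
    Name = "test-vpc-default-locked" # constructed value
  }
}

# Adopt the "main" route table created with the VPC. route is processed in
# attribute-as-blocks mode: omitting it would ignore existing routes, while
# an empty list removes every managed route, leaving only the implicit local
# VPC route (no internet gateway route for subnets that fall back to main).
resource "aws_default_route_table" "main" {
  default_route_table_id = aws_vpc.test-vpc.default_route_table_id
  route                  = []

  tags = {
    Name = "test-vpc-main-locked" # constructed value
  }
}
```

Subnets you create then get associated explicitly with your own aws_route_table resources; any subnet that is not gets the locked-down main table, which is the safer default.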