Terraform Weekly - Issue #6

Quick question before we get into it: I am trying to decide on a domain name for this newsletter. Which do you think I should use?

  • weekly.tf

  • terraformweek.ly

Modules.tf is a service that allows you to create visual diagrams of infrastructure and convert them to Terraform code.

Does anyone find this sort of tool useful? As a programmer I feel like this is the antithesis of what I want to be using.

A wonderful overview of methods reliably building solid infrastructure with Terraform. Definitely worth reading, but in summary the lessons are:

  • Lesson 1: The Production-Grade Infrastructure Checklist

  • Lesson 2: the toolset

  • Lesson 3: large modules considered harmful

  • Lesson 4: infrastructure code without automated tests is broken

  • Lesson 5: the release process

A simple story about a use case where Terraform really shines– composing multiple cloud services. In this case configuring Datadog to monitor AWS. An 18 step manual process becomes a single Terraform module.

A quick and straightforward guide into adding OPA/conftest to an Atlantis plan run using AWS Lambda.

Notable Releases

We have been trying to fix a bunch of bugs in this provider. If you use SnowflakeDB, check it out.

Changelog, lightly edited–

NOTES:

  • provider: Region validation now automatically supports the new eu-south-1 (Europe (Milan)) region. For AWS operations to work in the new region, the region must be explicitly enabled as outlined in the AWS Documentation. When the region is not enabled, the Terraform AWS Provider will return errors during credential validation (e.g. error validating provider credentials: error calling sts:GetCallerIdentity: InvalidClientTokenId: The security token included in the request is invalid) or AWS operations will throw their own errors (e.g. data.aws_availability_zones.current: Error fetching Availability Zones: AuthFailure: AWS was not able to validate the provided access credentials). (#12970)

  • provider: Ignore tags functionality across all data sources and resources (except aws_autoscaling_group) via the provider-level ignore_tags configuration block has been enabled and this functionality is no longer considered in preview. (#13039)

FEATURES:

  • New Data Source: aws_backup_plan (#13035)

  • New Data Source: aws_backup_selection (#13035)

  • New Data Source: aws_backup_vault (#13035)

  • New Data Source: aws_ec2_transit_gateway_peering_attachment (#11162)

  • New Resource: aws_ec2_transit_gateway_peering_attachment (#11162)

  • New Resource: aws_guardduty_organization_admin_account (#13034)

  • New Resource: aws_guardduty_organization_configuration (#13034)

ENHANCEMENTS:

  • data-source/aws_cloudtrail_service_account: Support eu-south-1 region (#13061)

  • data-source/aws_ebs_volume: Add outpost_arn attribute (#12439)

  • data-source/aws_elastic_beanstalk_hosted_zone: Support eu-south-1 region (#13061)

  • data-source/aws_elb_hosted_zone_id: Add us-gov-east-1 and us-gov-west-1 region values (#12976)

  • data-source/aws_elb_hosted_zone_id: Support eu-south-1 region (#13061)

  • data-source/aws_elb_service_account: Support eu-south-1 region (#13061)

  • data-source/aws_instance: Add outpost_arn attribute (#12330)

  • data-source/aws_network_interface: Add outpost_arn attribute (#12440)

  • data-source/aws_s3_bucket: Support eu-south-1 region for hosted_zone_id attribute (#13061)

  • data-source/aws_subnet: Add outposts_arn attribute (#12097)

  • provider: Support automatic region validation for eu-south-1 (#12970)

  • provider: Implement ignore tags functionality across all data sources and resources (except aws_autoscaling_group) (#13039)

  • resource/aws_api_gateway_stage: Ignore NotFoundException error on destroy (#12826)

  • resource/aws_db_snapshot: Support import (#12978)

  • resource/aws_default_route_table: Add plan-time validation to cidr_block and ipv6_cidr_block arguments (#12858)

  • resource/aws_default_route_table: Support import (#13030)

  • resource/aws_dms_endpoint: Add kafka_settings configuration block and kafka to engine_name argument validation (#12835)

  • resource/aws_ebs_volume: Add outpost_arn argument (#12439)

  • resource/aws_elasticsearch_domain: Support customizable update timeout (#12916)

  • resource/aws_glue_connection: Support MONGODB for connection_type argument (#13011)

  • resource/aws_key_pair: Support tag-on-create (#12962)

  • resource/aws_instance: Add outpost_arn attribute (#12330)

  • resource/aws_mq_broker: Support import (#11841)

  • resource/aws_network_interface: Add outpost_arn attribute (#12440)

  • resource/aws_placement_group: Support tag-on-create (#12963)

  • resource/aws_route_table: Add plan-time validation to cidr_block and ipv6_cidr_block arguments (#12858)

  • resource/aws_route53_health_check: Support plan-time validation for reference_name argument (#12873)

  • resource/aws_s3_bucket: Support eu-south-1 region for hosted_zone_id attribute (#13061)

  • resource/aws_spot_fleet_request: Add launch_template_config configuration block (Support EC2 Launch Templates) (#12732)

  • resource/aws_spot_fleet_request: Support import (#12767)

  • resource/aws_storagegateway_gateway: Add gateway_vpc_endpoint argument (#9966)

  • resource/aws_storagegateway_smb_file_share: Add path attribute (#12623)

  • resource/aws_subnet: Add outposts_arn argument (#12097)

  • resource/aws_wafregional_xss_match_set: Add plan-time validation for xss_match_tuple configuration block arguments (#13024)

BUG FIXES:

  • data-source/aws_api_gateway_rest_api: Prevent error with VPC Endpoint configured APIs (#12825)

  • resource/aws_appautoscaling_scheduled_action: Prevent error on refresh with multiple resources using the same scheduled action name (#12699)

  • resource/aws_batch_job_queue: Prevent panic when ComputeEnvironmentOrder is updated outside Terraform (#12632)

  • resource/aws_default_route_table: Proper tag on resource creation (#12858)

  • resource/aws_efs_file_system: Prevent panic with empty lifecycle_policy configuration block (#12640)

  • resource/aws_fsx_windows_file_system: Prevent panic when update includes self_managed_active_directory settings (#12630)

  • resource/aws_glue_catalog_table: Prevent various panics with empty configuration blocks (#12611)

  • resource/aws_kinesis_firehose_delivery_stream: Prevent panic with empty processing_configuration configuration block (#12613)

  • resource/aws_kms_external_key: Prevent MalformedPolicyDocumentException errors on creation by retrying for up to 2 minutes to wait for IAM change propagation (#12863)

  • resource/aws_kms_key: Prevent MalformedPolicyDocumentException errors on creation by retrying for up to 2 minutes to wait for IAM change propagation (#12863)

  • resource/aws_lb_listener: Prevent panics on creation and refresh when API throttled (#12617)

  • resource/aws_route53_zone: Prevent panic with APIs missing ChangeInfo during creation (best effort fix for LocalStack) (#12634)

  • resource/aws_storagegateway_gateway: Perform multiple connectivity checks after activation to wait if the underlying server (e.g. EC2 Instance) is automatically rebooted (#12772)

  • resource/aws_storagegateway_gateway: Retry 504 status code on activation (#12773)

  • resource/aws_wafregional_xss_match_set: Prevent crash with xss_match_tuple configuration block since version 2.59.0 (#13024)

A bug fix for resource_pagerduty_service and new data source pagerduty_priority.

As we talked about previously, the plugin SDK is getting a major update soon. This tool, which previously helping you migrate to the SDK can now help you migrate to v2.

Changelog–

  • Introduce v2upgrade command, which migrates the provider from v1 to v2 of the SDK (#40)

  • deps: Switch to upstream golang.org/x/mod (#39)

Changelog–

FEATURES:

  • Allow disabling binary testing via TF_DISABLE_BINARY_TESTING environment variable. (#441)

BUG FIXES:

  • More accurate results for schema.ResourceData.HasChange when dealing with a Set inside another Set. (#362)

DEPRECATED:

  • helper/encryption: In line with sensitive state best practices, the helper/encryption package is deprecated. (#437)

Changelog–

ENHANCEMENTS:

  • Better error messaging when indexing into TypeSet for test checks, while the binary driver is enabled (currently not supported) (#417)

  • Prevent ConflictsWith from self referencing and prevent referencing multi item Lists or Sets (#416] [#423] [#426)