For all your terraform needs
https://terraformarchitect.com/
Automation cannot be an afterthought (TM)

Resource Shutdown via terraform
https://terraformarchitect.com/quick-recipes-terraform/resource-shutdown-via-terraform/
Tue, 22 Aug 2023 13:31:40 +0000

Terraform is often used to destroy environments – which keeps the state file consistent, when the next create event needs to occur.

However, sometimes, instead of destroying resources, all you want to do is shut them down or disable them. This can also be done using the remote-exec provisioner in Terraform.

Shutting down an EC2 instance on AWS

resource "aws_instance" "app" {
  # ...

  # Destroy-time provisioner: runs on the instance when Terraform destroys it
  provisioner "remote-exec" {
    when   = destroy
    inline = ["systemctl stop service"]
  }
}

Terraform for IAM resource creation
https://terraformarchitect.com/gcp/terraform-for-iam-resource-creation/
Mon, 21 Aug 2023 14:06:43 +0000

Overview

Is Terraform a suitable tool for creating and managing cloud IAM resources? The short answer is no, especially if you are going to be dealing with a large number of such creation requests.

Time taken to apply terraform for IAM

Terraform has to check whether the IAM resource already exists, across all buckets that store state. This could take hours. Can you afford to wait for hours for a simple identity creation or a role assignment?

State drift – Console based roles and assignments

Certain IAM actions performed via the console will cause state drift. The next run of your IAM script will not pick these up – and essentially wipe them out.

Of course, if you have IAM creation etc. locked out for console users, you will not face this particular issue.

Summary

For smaller scoped IAM requests – say you have a dozen or so requests to deal with – terraform for IAM may be a workable solution.

 

 

Error: retrieving `contact` for KeyVault: keyvault.BaseClient#GetCertificateContacts: Failure sending request: StatusCode=0 -- Original Error: context deadline exceeded
https://terraformarchitect.com/known-issues-terraform/error-retrieving-contact-for-keyvault-keyvault-baseclientgetcertificatecontacts-failure-sending-request-statuscode0-original-error-context-deadline-exceeded/
Mon, 13 Feb 2023 04:32:15 +0000

When creating a key vault in Azure using Terraform, you may encounter this error:
Error: retrieving `contact` for KeyVault: keyvault.BaseClient#GetCertificateContacts

data "azurerm_client_config" "current" {}

# azurerm_resource_group.rg_des is assumed to be defined elsewhere in the configuration
resource "azurerm_key_vault" "my_key_vault" {
  name                        = "sample-keyvault-av"
  location                    = azurerm_resource_group.rg_des.location
  resource_group_name         = azurerm_resource_group.rg_des.name
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  sku_name                    = "standard"
  #sku_name                    = "premium"
  enabled_for_disk_encryption = true
  #soft_delete_enabled         = true
  purge_protection_enabled    = true
}

The issue has been fixed in version 3.3.0 of the Azure provider.

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=3.3.0"
    }
  }
}




Need an experienced Cloud Networking or a Cloud Data Protection Expert?  Anuj has successfully delivered over a dozen deployments on each of the public clouds (AWS/GCP/Azure) including several DevSecOps engagements. Set up a time with Anuj Varma.

Retrieving Resource IDs in Terraform – The Terraform Data Block
https://terraformarchitect.com/terraform-basics/the-terraform-data-block/
Mon, 13 Feb 2023 04:23:30 +0000

Also read – Terraform external data querying

The Terraform Data Block – Retrieving a Project Id for a GCP project

data "google_project" "project" {
}

output "project_number" {
  value = data.google_project.project.number
}

Terraform Destroy and the Data Block

When executing the terraform destroy command on our Terraform configuration, Terraform does not perform a destroy action on the resource read by the data block. It is a read-only block.

The data block is also called when executing the terraform plan command, so your external resource must be present before you execute the terraform plan and terraform apply commands.

Searching for Projects using the terraform data block

One can apply a filter to search for specific projects, e.g. projects about to be deleted:

data "google_projects" "my-organization-projs" {
  filter = "parent.id:23232323 lifecycleState:DELETE_REQUESTED"
}

data "google_project" "deletion-candidate" {
  project_id = data.google_projects.my-organization-projs.projects[0].project_id
}

Summary

Instead of hard-coding the IDs of resources, the Terraform data block allows dynamic retrieval of resource IDs. It also allows searching and filtering based on a filter inside the data block.





tfvars versus variables.tf
https://terraformarchitect.com/terraform-basics/tfvars-versus-variables-tf/
Tue, 31 Jan 2023 02:24:13 +0000

Prompting a user for Input in Terraform

To me, the primary use case is that I want to prompt a user to provide the value for the input variable. In that case, I HAVE to use variables.tf. I simply define the variable and leave its value blank (of course, within the resource, this variable has to be a REQUIRED value).

 

VS Code does not pick up the latest terraform version
https://terraformarchitect.com/known-issues-terraform/vs-code-does-not-pick-up-the-latest-terraform-version/
Wed, 09 Nov 2022 13:26:30 +0000

From a PowerShell prompt, get the current executable path for terraform using:

Get-Command terraform

If this is pointing to the older terraform version, simply delete the older terraform.exe file.

Reinstall the newer version. Now, run Get-Command again to see the executable path.

VS Code should also pick up whichever terraform executable is returned by Get-Command terraform.

 

 

 

VS Code Scripts Error: Cannot be loaded because running scripts is disabled on this system
https://terraformarchitect.com/known-issues-terraform/vs-code-scripts-error-cannot-be-loaded-because-running-scripts-is-disabled-on-this-system/
Thu, 03 Nov 2022 14:59:31 +0000

VS Code Terminal displays this error
Cannot be loaded because running scripts is disabled on this system 
If you want to continue using PowerShell as the terminal, you will need to tweak settings.json (press Ctrl+Shift+P and search for settings). Add the following JSON to this file. The -ExecutionPolicy Bypass argument applies only to PowerShell sessions started from this terminal profile.
{
    "terminal.integrated.profiles.windows": {
        "PowerShell": {
            "source": "PowerShell",
            "icon": "terminal-powershell",
            "args": ["-ExecutionPolicy", "Bypass"]
        }
    },
    "terminal.integrated.defaultProfile.windows": "PowerShell"
}
If you can make do with the Windows cmd prompt, change the VS Code terminal from PowerShell to cmd (cmd already has the privileges for running scripts).
  1. Terminal -> New Terminal –> “Default Shell” –> Windows

That’s it.

 

Error – ‘registry.terraform.io/hashicorp/local: there is no package for registry.terraform.io/hashicorp/local cached in .terraform/providers’
https://terraformarchitect.com/gcp/terraform-apply-fails/
Wed, 19 Oct 2022 13:11:20 +0000

Terraform init or terraform init -upgrade or terraform apply fails with this error message:

The installed provider plugins are not consistent with the packages selected in the dependency lock file:
│ – registry.terraform.io/hashicorp/azurerm: the cached package for registry.terraform.io/hashicorp/azurerm x.y.x. (in .terraform\providers) does not match any of the checksums recorded in the dependency lock file
│ – registry.terraform.io/hashicorp/random: there is no package for registry.terraform.io/hashicorp/random 3.4.3 cached in .terraform\providers

Resolution

Step 1 – Look for the dependency lock file (.terraform.lock.hcl) in your current module. Delete it.

Step 2 – Re-run terraform init -upgrade
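
Deleting the lock file discards the provider versions and checksums it pinned, so the regenerated file is worth comparing against the previously committed copy before it is checked in. The following is an added example, not part of the original post: a small Python script that diffs two lock files, using constructed sample contents (the versions and hashes are placeholders).

```python
import re

# Constructed sample lock files: versions and hashes are placeholders.
OLD_LOCK = '''
provider "registry.terraform.io/hashicorp/azurerm" {
  version = "3.2.0"
  hashes  = ["h1:constructed-azurerm-old=", "zh:constructed-azurerm-old"]
}
provider "registry.terraform.io/hashicorp/random" {
  version = "3.4.3"
  hashes  = ["h1:constructed-random-a="]
}
'''
NEW_LOCK = '''
provider "registry.terraform.io/hashicorp/azurerm" {
  version = "3.3.0"
  hashes  = ["h1:constructed-azurerm-new="]
}
provider "registry.terraform.io/hashicorp/local" {
  version = "2.2.3"
  hashes  = ["h1:constructed-local="]
}
provider "registry.terraform.io/hashicorp/random" {
  version = "3.4.3"
  hashes  = ["h1:constructed-random-b="]
}
'''

# One provider block: address in quotes, body up to the closing brace at line start.
PROVIDER_RE = re.compile(r'provider\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)

def parse_lock(text):  # -> {provider address: (version, set of h1:/zh: hashes)}
    out = {}
    for name, body in PROVIDER_RE.findall(text):
        ver = re.search(r'^\s*version\s*=\s*"([^"]+)"', body, re.M)
        hashes = set(re.findall(r'"((?:h1|zh):[^"]+)"', body))
        out[name] = (ver.group(1) if ver else None, hashes)
    return out

def diff_locks(old_text, new_text):  # -> [(provider, finding)] to review
    old, new = parse_lock(old_text), parse_lock(new_text)
    findings = []
    for name in sorted(old.keys() | new.keys()):
        if name not in old:
            findings.append((name, "added"))
        elif name not in new:
            findings.append((name, "removed"))
        elif old[name][0] != new[name][0]:
            findings.append((name, f"version {old[name][0]} -> {new[name][0]}"))
        elif not old[name][1] & new[name][1]:
            # Same version but no shared checksum: the package differs from the pin.
            findings.append((name, "same version, no hash in common"))
    return findings

if __name__ == "__main__":
    print(*diff_locks(OLD_LOCK, NEW_LOCK), sep="\n")
```

To use it on a real module, read the old text from version control and the new text from the regenerated .terraform.lock.hcl, then pass both to diff_locks.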

Using -out with terraform plan – terraform plan -out
https://terraformarchitect.com/terraform-basics/using-out-with-terraform-plan-terraform-plan-out/
Sun, 18 Sep 2022 12:12:17 +0000

This is a short post – always use the -out option with terraform plan. This saves the current plan, and terraform apply will execute it exactly as saved once you pass in the saved plan.

 





Data Block External Data – Querying External Resources in Terraform
https://terraformarchitect.com/terraform-basics/data-block-external-data/
Wed, 14 Sep 2022 16:38:32 +0000

Retrieving External data

Use either the data block or the terraform_remote_state block to retrieve external data.

However, there are scenarios where the data block does not exist in the provider or terraform_remote_state cannot be used, such as when we need to call an external API, or need to use a local tool and process its output.

# GetLocation.ps1
# Read the JSON payload from stdin
$jsonpayload = [Console]::In.ReadLine()

# Convert the JSON string to an object
$json = ConvertFrom-Json $jsonpayload
$environment = $json.environment

if ($environment -eq "Production") {
    $location = "westeurope"
} else {
    $location = "westus"
}

# Write output to stdout
Write-Output "{ ""location"" : ""$location""}"

Retrieving External data

data "external" "getlocation" {
  program = ["Powershell.exe", "./GetLocation.ps1"]
  query = {
    environment = var.environment_name
  }
}

Summary

External data sources are extremely useful in terraform – the data ‘external’ is defined for just this use case.




