Questions tagged with Terraform

Hello everyone! I'm using Terraform to create a simple Application Load Balancer (ALB), but I keep encountering an error when running terraform apply. The error message seems to concatenate the ARN of the ELB Listener with the ARN of the AWS ACM Certificate, which I find strange. I've searched my entire project for any incorrect variable usage but couldn't find any issues. I'm hoping someone can help guide me through this problem.

Here's the error message I'm getting:

```
Error: reading ELB (Elastic Load Balancing) Listener Certificate (arn:aws:elasticloadbalancing:us-east-1:{id}:listener/app/my-lb/###############/###############_arn:aws:acm:us-east-1:############:certificate/####################################): ListenerNotFound: One or more listeners not found
```

And here's a simplified version of my Terraform code:

```
terraform {
  required_providers {
    archive = {
      source = "hashicorp/archive"
    }
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
  required_version = ">= 1.4.2"
}

resource "aws_lb" "main" {
  name               = "my-lb"
  load_balancer_type = "application"
  subnets            = [some var]
  security_groups    = [some var]
}

resource "aws_lb_target_group" "main" {
  name        = "tg-main"
  vpc_id      = [vpcid]
  port        = 80
  target_type = "ip"
  protocol    = "HTTP"

  health_check {
    healthy_threshold = 3
    interval          = 100
    timeout           = 30
  }
  #depends_on = [var.sh.main_alb]
}

resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.main.arn
  port              = "443"
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-2016-08"
  certificate_arn   = data.terraform_remote_state.global.outputs.certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.tg-main.arn
  }
}
```

I'd really appreciate any guidance or suggestions to help me understand and resolve this issue. Thank you!
1
answers
0
votes
10
views
0128
asked 3 days ago
Can Cloud Intelligence Dashboards be implemented with Terraform? Are there any templates that customers can use to deploy the dashboards using Terraform instead of CloudFormation?
1
answers
0
votes
13
views
AWS
Arwa
asked 3 days ago
I need to create a lambda function without putting any source, so that the Terraform script will just create a lambda. This will be in the infra repo, you could say, where I am just provisioning the services. Then in another repo, which will be used by developers, we will have the application code which needs to be deployed in that lambda. So when I am creating the lambda using Terraform in the infra repo, source_path seems mandatory... please suggest how I can achieve this.
1
answers
0
votes
25
views
asked 4 days ago
I am working on IaC EKS using terraform. https://www.ahead.com/resources/automate-iam-role-mapping-on-amazon-eks

I receive below error.

```
Error: creating IAM Role (eks_admin): MalformedPolicyDocument: Invalid principal in policy: "AWS":"arn:aws:iam::xxxxxxxxxxx:user/eks-test-usr" status code: 400
```

```
resource "aws_iam_role" "eks_admin" {
  name = "eks_admin"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal: { "AWS" : "${var.assume_role}" }
      },
    ]
  })

  inline_policy {
    name = "eks_admin_policy"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Action   = ["eks:DescribeCluster"]
          Effect   = "Allow"
          Resource = "*"
        },
      ]
    })
  }
}
```

I pass the variable as assum_role=["eks-test-dev","eks-test-admin"]
1
answers
0
votes
34
views
asked 5 days ago
Hi! I have this project on Terraform where I need to create an assume role and assign it a permission/policy that can spin up and spin down OpenSearch. I tried to do it first in the AWS console manually so I could understand the concept, and I selected OpenSearch Service with full access, but I still can't create the OpenSearch domain; it just loads endlessly. When I assigned AdminAccess to the IAM user, it created the domain instantly. I would like to ask what other services I need to allow in order to successfully create the OpenSearch domain without Admin access?
1
answers
0
votes
22
views
asked 9 days ago
Hi,

We registered a domain using AWS and now we are trying to configure ACM and Route53 in order to use it. The certificate is stuck in "Pending Validation" status even if the validation CNAMEs are present in the Route53 hosted zone.

The hosted zone (and other resources) has been created later (not at the moment of the domain registration) with Terraform using the working code from a previous project. It has been created with different name servers than what I see in the console at the domain details page. Do name servers have to be the same?

In order to test the DNS, we added a CNAME record to route test.<domain-name>.com to google.com but it doesn't work. This test works instead with another domain (<domain-name>.live) that is also registered in AWS and managed via Route53. We also tried to run an nslookup on <domain-name>.com and test.<domain-name>.com but it looks like this domain doesn't exist.

I already had the same issue with the previous domain because it hasn't been confirmed and then suspended, so my supposition is that there's something wrong with the domain registration process, also because this time the domain has been activated without email confirmation. Is it normal? How can we check if everything is okay with the domain registration, that the domain is active and validate the certificate? Thank you.

EDIT: When I run nslookup.io with the root of the *.live domain that is working I can see the name servers: ![Enter image description here](/media/postImages/original/IMDsIiw5n-Q9qksmRu1ENKpA) But when I try with the new one, the name servers don't show up: ![Enter image description here](/media/postImages/original/IMBUPXy1UJRSCctHzwa67sqA)
1
answers
0
votes
32
views
asked 12 days ago
AFT Version: 1.9.1
terraform version: 0.15.5
terraform providers: AWS

Description:- We have deployed control tower and AFT for terraform in a separate AFT account using Terraform, aft version 1.9.1. After deploying aft new account request is working fine, it is running pipeline for creating the account whenever we add new account request terraform code in our AFT account request repository. But account customisation is not working and even we can't see the state machine for account-provisioning-customization as well as no pipeline for any of the account created for account customisation. When we try to run the aft-invoke-customization step function then we are getting below error.

Note: The logs mentions about account creation but the account is already existing and we are making customisation through account-customization.

```
{
  "Cause": "An error occurred while executing the state 'run_create_pipeline?' (entered at the event id #33). Invalid path '$.Input.account_provisioning.run_create_pipeline': The choice state's condition path references an invalid value.",
  "Error": "States.Runtime",
  "ExecutionArn": "arn:aws:states:us-east-2:<aft-account-id>:execution:aft-account-provisioning-framework:e5c48973-f6fa-4def-beaf-55ca11e33ba2",
  "Input": "{\"account_info\":{\"account\":{\"id\":\"<shared-account-id>\",\"email\":\"shared_acct@email\",\"name\":\"shared-account\", \"joined_method\":\"CREATED\",\"joined_date\":\"2023-03-09 07:51:44.747000+00:00\",\"status\":\"ACTIVE\",\"parent_id\":\"ou-38lh-9att8jja\",\"parent_type\":\"ORGANIZATIONAL_UNIT\", \"type\":\"account\",\"vendor\":\"aws\"}},\"control_tower_event\":{},\"account_request\":{\"custom_fields\":\"{\\\"group\\\":\\\"prod\\\"}\",\"change_management_parameters\": {\"change_reason\":\"Create new ControlPlane account shared-account\",\"change_requested_by\":\"shared_acct@email.com\"},\"id\":\"shared_acct@email.com\",\"control_tower_parameters\": {\"AccountEmail\":\"sharedservices-account@email\",\"SSOUserFirstName\":\"-sharedservices-account\",\"SSOUserLastName\":\"sharedservices-account\" ,\"ManagedOrganizationalUnit\":\"controlplane-ou\",\"AccountName\":\"shared-account\",\"SSOUserEmail\":\"shared_acct@email.com@email\"},\"account_tags\": {\"Environment\":\"prod\",\"Owner\":\"sharedservices-account sharedservices-account\",\"Project\":\"xyz\",\"Vended\":\"true\",\"created_by\":\" sharedservices-account@email\"},\"account_customizations_name\":\"shared-customizations\"},\"account_provisioning\":{\"run_create_pipeline\":\"true\"}, \"customization_request_id\":\"c0bb8f9a-9f82-4c30-a62c-96119a391b53\"}",
  "InputDetails": { "Included": true },
  "Name": "e5c48973-f6fa-4def-beaf-55ca11e33ba2",
  "StartDate": 1679307003825,
  "StateMachineArn": "arn:aws:states:us-east-2:<aft-account-id>:stateMachine:aft-account-provisioning-framework",
  "Status": "FAILED",
  "StopDate": 1679307036829
}
```

To Reproduce:- Steps to reproduce the behavior:

1. Add terraform code in account-customization repository under account_customization_name valued folder
2. Run the Step function with below input

```
{
  "include": [
    {
      "type": "accounts",
      "target_value": [ "<target account id>" ]
    }
  ]
}
```
2
answers
0
votes
42
views
asked 12 days ago
I have a Terraform setup on a private local server with no internet access. I have an organization AWS account, and I want to provision resources on that AWS account and its child account using that Terraform server. What should I do? Can AWS Direct Connect help with that?
1
answers
0
votes
24
views
asked 16 days ago
While creating an FMS WAFv2 policy using Terraform I receive the following error:

```
Firehose name prefix is not valid: arn:aws:firehose:us-east-1:xxxx:deliverystream/test-stream-name
```

However firehose seems a valid arn, so what gives?
1
answers
0
votes
6
views
AWS
Lucas
asked 16 days ago
![Enter image description here](/media/postImages/original/IM3YCTu7QcRAukmHRYDyTwjA) Hello, Per the attached, when I ran the terraform plan for AZ EU-West-1, I get that error. Kindly assist. Oluwasegun Ojeyinka
4
answers
0
votes
32
views
asked 19 days ago
![Need to create a step function with above state machine workflows using terraform.](/media/postImages/original/IMhmv0FwZATYminAZ72P2R_A) using terraform.
1
answers
-1
votes
30
views
asked 23 days ago
Is it possible to remove any kind of autostart feature on CodePipeline? I have 2 actions in the source stage, one from CodeCommit and one from S3, and both automatically generate 2 different CloudWatch rules that trigger my pipeline. I also need to remove the autostart at resource creation. I'm currently using Terraform to build the pipeline, but in the documentation I didn't find anything related. Thanks for the help!
4
answers
0
votes
19
views
asked a month ago