I am using Terraform to create an EKS cluster. The traffic is routed through an AWS Application Load Balancer (ALB) ingress controller.
I can get the host name through the following output:
kubernetes_ingress.app.status.0.load_balancer.0.ingress.0.hostname
However, the problem is that the Ingress and ALB automatically create one security group, which I need in order to create an AWS API Gateway and VPC Link. How do I get that security group's ID?
I think the link below might help you, but in case it's unavailable, you can sort of hack an LB object via the name.
You first get your LB hostname (as you already have, except split on the hyphen), then make an 'aws_lb' data type using that name, which should then populate 'aws_lb' as if you had deployed an LB, or at least enough to be able to query that type of object to get the bits you need.
locals {
  # The hostname looks like "<lb-name>-<suffix>.<region>.elb.amazonaws.com":
  # take the first DNS label and split it on "-".
  lb_name_parts = split("-", split(".", kubernetes_ingress.alb_nginx_primary_ingress.status[0].load_balancer[0].ingress[0].hostname)[0])
}

# Look the ALB up by name, i.e. everything before the trailing suffix.
data "aws_lb" "alb_primary_ingress" {
  name = join("-", slice(local.lb_name_parts, 0, length(local.lb_name_parts) - 1))
}
(my variable name for the hostname is slightly different from yours, but you should get the idea)
The clever person who figured it out:
https://github.com/hashicorp/terraform-provider-kubernetes/issues/942
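Once the ALB is looked up by name, its security groups and subnets are attributes of the aws_lb data source and can feed an HTTP API VPC Link directly. This is an added example, not code from the answer above; kubernetes_ingress.app is the resource from the question, and all other names are placeholders.

```hcl
# Added example: resolve the controller-created ALB and reuse its
# security groups for an API Gateway (HTTP API) VPC Link.
# kubernetes_ingress.app comes from the question; other names are placeholders.
locals {
  # Hostname looks like "<lb-name>-<suffix>.<region>.elb.amazonaws.com".
  alb_dns_label  = split(".", kubernetes_ingress.app.status[0].load_balancer[0].ingress[0].hostname)[0]
  alb_name_parts = split("-", local.alb_dns_label)
  # Drop the trailing suffix AWS appends; the rest is the load balancer name.
  alb_name       = join("-", slice(local.alb_name_parts, 0, length(local.alb_name_parts) - 1))
}

data "aws_lb" "ingress" {
  name = local.alb_name
}

# The security group(s) the ingress controller attached to the ALB.
output "ingress_alb_security_group_ids" {
  value = data.aws_lb.ingress.security_groups
}

# HTTP API VPC Link placed in the ALB's subnets. Reusing the ALB's security
# group lets the link's ENIs reach the listener; for tighter scoping give the
# link its own group and allow only that group inbound on the ALB's group.
resource "aws_apigatewayv2_vpc_link" "ingress" {
  name               = "eks-ingress-alb-link"
  subnet_ids         = data.aws_lb.ingress.subnets
  security_group_ids = data.aws_lb.ingress.security_groups
}
```

The data source is only read once the Ingress hostname is known, so on a fresh deployment expect the lookup to be deferred to apply rather than resolved at plan time.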
I have two Terraform structures, and there is VPC peering between them. The requester VPC should reach some of the applications in the accepter. I created the VPC peering in the requester's Terraform, gave the accepter's route tables to the requester's variables.tf as variables, and it is created and functioning properly. When I ran terraform plan in the accepter Terraform, it was simply trying to delete the routes that I added via the requester Terraform. To prevent this, I added the same routes to the accepter route tables in the accepter Terraform, and it shows no change and everything is fine.
Here is my problem:
I'm trying to do the same process for security groups. As I said, some apps should reach from the requester to the accepter. Since the requester is demanding the VPC peering, I decided to define the security group rules in the requester Terraform for the accepter security groups. I added them, and after that I ran terraform plan for the accepter structure. It's trying to delete the stranger rules that were applied via the VPC-peered structure; this is expected, okay. So I added the same rules to the accepter Terraform to avoid changes, and I ran it. But rather than avoiding the changes as it does for the route tables,
it's giving the error below.
Error: InvalidPermission.Duplicate: the specified rule "peer: sg-xx, TCP, from port: xx, to port: xx, ALLOW" already exists status code: 400,
I want to keep these rules defined on both sides because it makes things clearer. Since I have different security groups for different resource types in my structures, these security groups sort of represent the resource. I want to be able to define these rules on both sides to understand which resource is needed for which VPC-peered component. How can I ignore the error above and make my system work this way?
Any help will be highly appreciated.
Thank you very much.
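The duplicate error appears when two states both try to create the same rule. One way to keep the intent visible on both sides while letting exactly one state own each rule, written as an added example rather than code from the question: the accepter declares its security group with no inline ingress/egress blocks (so Terraform there does not manage rules at all), and the requester attaches its rules with standalone aws_security_group_rule resources. All names, ports and variables are placeholders.

```hcl
# Added example: each cross-VPC rule lives in exactly one Terraform state.

# --- accepter state -------------------------------------------------------
# No inline ingress/egress here on purpose: with the blocks omitted the
# resource manages only the group, so rules created from the requester
# state are neither planned for deletion nor duplicated.
resource "aws_security_group" "app_db" {
  name        = "app-db"
  description = "Database tier; cross-VPC rules are owned by the requester state"
  vpc_id      = var.accepter_vpc_id
}

output "app_db_sg_id" {
  value = aws_security_group.app_db.id
}

# --- requester state ------------------------------------------------------
# Accepter group id handed over as a variable (or via terraform_remote_state).
variable "accepter_app_db_sg_id" {
  type = string
}

resource "aws_security_group" "app_client" {
  name   = "app-client"
  vpc_id = var.requester_vpc_id
}

# Allow only the requester's client group into the accepter's DB group on
# 5432. The description records the peer relationship, so the "which
# resource needs which" intent is readable without a second definition.
resource "aws_security_group_rule" "db_from_requester" {
  type                     = "ingress"
  security_group_id        = var.accepter_app_db_sg_id
  source_security_group_id = aws_security_group.app_client.id
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  description              = "requester app-client -> accepter app-db (VPC peering)"
}
```

Referencing a peer-VPC security group as the source works for peerings within one region; for cross-region peerings the rule has to use the peer's CIDR instead.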
I am trying to create a rule in the existing default route table in OCI using Terraform.
Basically I am trying to add a rule for the internet gateway so I can access it using SSH. Not sure why, but I am not able to access it over TCP until I add the rule to the default table; a new table is not working for me.
But in the OCI provider the only option available is to create a new route table with the rule, instead of adding a rule to the existing/default route table.
I was only able to find the option below for route tables in the OCI provider; the rest belong to DRG.
https://registry.terraform.io/providers/hashicorp/oci/latest/docs/resources/core_route_table
I am currently using the Terraform code below:
resource "oci_core_internet_gateway" "test_internet_gateway" {
  #Required
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.test_vcn.id
}

# Creates a brand-new route table; nothing here attaches it to a subnet.
resource "oci_core_route_table" "test_route_table" {
  #Required
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.test_vcn.id
  #display_name = "Default Route Table for xyz"

  route_rules {
    #Required
    network_entity_id = oci_core_internet_gateway.test_internet_gateway.id
    #cidr_block = "0.0.0.0/0"
    destination = "0.0.0.0/0"
  }
}
Any workaround or solution will help!
Extending the answer of #bmuthuv:
The page below has some clues about how we can manage default VCN resources:
https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformbestpractices_topic-vcndefaults.htm
I have replaced the resource oci_core_route_table with oci_core_default_route_table. The strange thing is that the resource "oci_core_default_route_table" is not present directly in the registry provider documentation; you need to search for "Managing Default VCN Resources" on the OCI registry page, as below:
https://registry.terraform.io/providers/oracle/oci/latest/docs
resource "oci_core_default_route_table" "this" {
  #SOURCE PAGE : https://www.tfwriter.com/oci/r/oci_core_default_route_table.html
  # Adopt the VCN's existing default route table, found via the subnet that uses it.
  manage_default_resource_id = oci_core_subnet.test_subnet.route_table_id

  route_rules {
    #Required
    network_entity_id = oci_core_internet_gateway.test_internet_gateway.id
    destination       = "0.0.0.0/0"
  }
}
The displayed Terraform code creates a route table and adds a route rule for 0.0.0.0/0. The missing piece is to map this route table to the subnet that is housing your VM.
Here are a couple of thoughts:
You create the entire VCN and compute VM, thereby managing your infrastructure completely. This also enables you to create a subnet alongside the VCN and map the route table to it.
Use Terraform resource discovery to generate TF code for the existing infrastructure. Once the configuration files are generated, modify them to map the route table to the subnet.
Lastly, please check this page to learn how to modify default resources. This could be your quick win.
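The first thought above, carried through as an added example (not code from the answer or the question): a non-default route table that sends 0.0.0.0/0 to the internet gateway, mapped to the subnet that hosts the VM, with SSH admitted only from an admin CIDR. It assumes a variable var.admin_ssh_cidr and the oci_core_vcn.test_vcn and var.compartment_ocid names from the question; other names are placeholders.

```hcl
# Added example: route table + security list + the subnet mapping that
# makes them take effect. var.admin_ssh_cidr is an assumed variable.
resource "oci_core_internet_gateway" "igw" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.test_vcn.id
}

resource "oci_core_route_table" "public" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.test_vcn.id
  display_name   = "public-rt"

  route_rules {
    network_entity_id = oci_core_internet_gateway.igw.id
    destination       = "0.0.0.0/0"
    destination_type  = "CIDR_BLOCK"
  }
}

# Stateful security list: inbound SSH only from the admin range, all egress.
resource "oci_core_security_list" "public" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.test_vcn.id

  ingress_security_rules {
    protocol = "6" # TCP
    source   = var.admin_ssh_cidr
    tcp_options {
      min = 22
      max = 22
    }
  }

  egress_security_rules {
    protocol    = "all"
    destination = "0.0.0.0/0"
  }
}

# The subnet is what consumes the route table and security list; a route
# table that no subnet references has no effect on the VM.
resource "oci_core_subnet" "public" {
  compartment_id    = var.compartment_ocid
  vcn_id            = oci_core_vcn.test_vcn.id
  cidr_block        = "10.0.1.0/24"
  route_table_id    = oci_core_route_table.public.id
  security_list_ids = [oci_core_security_list.public.id]
}
```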
UPDATE for OCI Provider
To answer your question, the version of the OCI provider you are using (4.102.1) may not have the necessary functionality to create route rules in a default route table in OCI. This could be due to a bug or limitation in the Terraform provider for OCI.
You can check the Terraform provider's documentation and GitHub issues to see if there are any known issues or workarounds for this problem. It's also possible that a newer version of the Terraform provider may have fixed this issue, so you may want to consider upgrading to the latest version if possible.
Alternatively, you may be able to add route rules in a default route table in OCI using other tools or methods, such as the OCI CLI or the OCI console.
I want to whitelist the IP addresses of an App Service Plan on a managed SQL Server.
The problem is that the resource azurerm_app_service_plan exposes its IP addresses as a comma-separated value, in the attribute possible_outbound_ip_addresses.
I need to create one azurerm_sql_firewall_rule for each of these IPs.
If I try the following approach, Terraform gives an exception:
locals {
  # One map entry per outbound IP; the attribute is a comma-separated string.
  staging_app_service_ip = {
    for v in split(",", azurerm_function_app.prs.possible_outbound_ip_addresses) : v => v
  }
}

# Fails at plan time: the map keys come from an attribute that is only
# known after the function app has been applied.
resource "azurerm_sql_firewall_rule" "example" {
  for_each            = local.staging_app_service_ip
  name                = "my_rules_${each.value}"
  resource_group_name = data.azurerm_resource_group.example.name
  server_name         = var.MY_SERVER_NAME
  start_ip_address    = each.value
  end_ip_address      = each.value
}
I then get the error:
The "for_each" value depends on resource attributes that cannot be
determined until apply, so Terraform cannot predict how many instances
will be created. To work around this, use the -target argument to
first apply only the resources that the for_each depends on.
I'm not sure how to work around this.
For the time being, I have added the IP addresses as a variable and am manually setting the value of the variable.
What would be the correct approach to create these firewall rules?
I'm trying to deal with the same issue. My way around it is to perform a multi-step setup.
In the first step I run a Terraform configuration that creates the database, app service, API Management and some other resources. Next I deploy the app. Lastly I run Terraform again, but this time the second configuration creates the SQL firewall rules and the API Management API from the deployed app's swagger definition.
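The second-stage configuration of that multi-step approach, as an added example rather than the answerer's own code: because the function app already exists, a data source reads its outbound addresses during plan, so the number of for_each instances is known. Resource and variable names are placeholders.

```hcl
# Added example: second-stage config, run after the app has been deployed.
# Variable and resource names are placeholders.
data "azurerm_function_app" "prs" {
  name                = var.function_app_name
  resource_group_name = var.resource_group_name
}

locals {
  # possible_outbound_ip_addresses is a comma-separated string; toset()
  # de-duplicates it and gives for_each a stable key per address.
  app_outbound_ips = toset(split(",", data.azurerm_function_app.prs.possible_outbound_ip_addresses))
}

# One /32 rule per address; dots are not safe in rule names, so swap them
# for hyphens.
resource "azurerm_sql_firewall_rule" "app" {
  for_each            = local.app_outbound_ips
  name                = "app-${replace(each.value, ".", "-")}"
  resource_group_name = var.resource_group_name
  server_name         = var.sql_server_name
  start_ip_address    = each.value
  end_ip_address      = each.value
}
```

These are shared platform egress addresses, so other tenants on the same scale unit can source traffic from them; treat the rules as coarse and prefer VNet integration with a private endpoint when the plan supports it.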
I want to provision my infrastructure with Terraform and to have some shared infrastructure. For example, to have one shared application gateway and multiple application-specific web apps sitting behind it.
Is it possible to provision this with separate Terraform projects?
a Terraform project that would be for the shared infrastructure - to create an empty/default app gateway.
other projects that would create a web app and some extra configuration for that shared app gw - backend_address_pool, probe, backend_http_settings, etc.
I could not find how you can do it in the documentation. There is this application_gateway example, where everything is provided in one go, and then this network_interface_application_gateway_backend_address_pool_association, where you can make an association between the app gw and a network interface, but not a web app.
EDIT
To expand a bit on what I want to achieve: the application gateway will be one application gateway for the whole non-prod environment (hence "shared"), and it is there to save cost. Behind it I want to configure multiple applications for multiple environments, for example "Accounts.DEV", "Accounts.UAT", "Calculator.Dev", etc. Hope this makes my intentions a bit clearer.
For now I am trying to create an empty application gateway in the shared project (with a default pool, front-end config and rules), and then, after each application deployment, to run some extra az cli logic (documentation).
It is possible to provision the application gateway and web apps separately.
By default, this application_gateway example creates an empty backend pool without any targets, with one default HTTP setting, one listener on port 80, and a basic rule for this backend pool. When you want to associate your backend web apps behind this application gateway, you need to target the default_site_hostname of your web app to the backend pool and modify some specific configurations to match your backend web apps.
For example,
In the azurerm_app_service project, you can add the value of default_site_hostname for an app service at the provision time or use the data source to access an existing app service.
output "default_site_hostname" {
  value = azurerm_app_service.test.default_site_hostname
}
In the azurerm_application_gateway project, you can add the value of default_site_hostname to the fqdns, then associate the backend pool with them.
# since these variables are re-used - a locals block makes this more maintainable
locals {
  backend_address_pool_name      = "${azurerm_virtual_network.test.name}-beap"
  frontend_port_name             = "${azurerm_virtual_network.test.name}-feport"
  frontend_ip_configuration_name = "${azurerm_virtual_network.test.name}-feip"
  http_setting_name              = "${azurerm_virtual_network.test.name}-be-htst"
  listener_name                  = "${azurerm_virtual_network.test.name}-httplstn"
  request_routing_rule_name      = "${azurerm_virtual_network.test.name}-rqrt"
  redirect_configuration_name    = "${azurerm_virtual_network.test.name}-rdrcfg"
  # Hostnames of the web apps to place behind the gateway: one created in
  # this configuration and one read from an existing app via the data source.
  fqdns = [azurerm_app_service.test.default_site_hostname, data.azurerm_app_service.example.default_site_hostname]
}

...

  backend_address_pool {
    name  = local.backend_address_pool_name
    fqdns = local.fqdns
  }
Currently this is not possible with Terraform due to the fact that the Azure API does not allow creating an App Gateway step by step. If this is an issue for you and you would like it to change, please vote for this and this feature request.
Source: https://github.com/terraform-providers/terraform-provider-azurerm/issues/727
I have one resource group that I set up with the portal and another that I tried to configure the same way using Terraform.
Each group contains
Application Gateway with Web App Firewall
Virtual networks and subnets
VMs and associated storage
Public IPs, NSGs, NIC etc
Is there a way for me to compare the two sets of configurations?
For you, I assume you want to create the same resources with the same configurations in another group through Terraform. On my side, there are not many things you need to care about; just create the Terraform script according to the configuration of the resources:
each resource region
the public IP and the NIC allocation method
NSG rules
vnet and the subnet address prefix
application gateway properties and the rules
The above points are what I think you need to care about, and the properties of the resources in Terraform also need to follow them. I think there is no other way to compare two sets of configurations. If you really want, you can compare the template of each group when you create them. The group template is shown below:
No, I don't think there is a reasonable straightforward way of doing this. You can create a PowerShell script that would get the resources in each resource group and then try to compare their properties, but it's hard to give any estimate of how accurate that would be. There is a Compare-Object cmdlet in PowerShell which might help you with that.
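The script sketched in that answer, as an added example rather than the answerer's own code: it snapshots both groups with Get-AzResource and diffs them with Compare-Object, first by resource type, then by location and ARM properties for the types that exist in both. The resource group names are placeholders, and it assumes the Az module with an existing Connect-AzAccount session.

```powershell
# Added example: diff two resource groups by type, then by properties.
# Group names below are placeholders.
param(
    [string]$PortalGroup    = 'rg-portal',
    [string]$TerraformGroup = 'rg-terraform'
)

function Get-GroupSnapshot {
    param([string]$GroupName)
    # -ExpandProperties returns the full ARM properties bag of each resource.
    Get-AzResource -ResourceGroupName $GroupName -ExpandProperties |
        ForEach-Object {
            [pscustomobject]@{
                Type       = $_.ResourceType
                Name       = $_.Name
                Location   = $_.Location
                # Serialise so Compare-Object can treat the bag as one value.
                Properties = ($_.Properties | ConvertTo-Json -Depth 20 -Compress)
            }
        }
}

$portal    = Get-GroupSnapshot -GroupName $PortalGroup
$terraform = Get-GroupSnapshot -GroupName $TerraformGroup

# 1. Resource types that exist in only one of the two groups.
"== Type differences (<= only in $PortalGroup, => only in $TerraformGroup)"
Compare-Object -ReferenceObject $portal -DifferenceObject $terraform -Property Type |
    Sort-Object Type | Format-Table -AutoSize

# 2. For each type present in both groups, diff location and properties.
$commonTypes = $portal.Type | Sort-Object -Unique | Where-Object { $terraform.Type -contains $_ }
foreach ($type in $commonTypes) {
    $left  = $portal    | Where-Object Type -eq $type
    $right = $terraform | Where-Object Type -eq $type
    $diff  = Compare-Object -ReferenceObject $left -DifferenceObject $right `
                 -Property Location, Properties -PassThru
    if ($diff) {
        "== $type differs:"
        $diff | Format-List SideIndicator, Name, Location, Properties
    }
}
```

Embedded resource IDs (subnet, NIC and public IP references) carry the group name, so the property pass in step 2 is noisy and best read side by side; the type-level pass is the reliable part.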