Terraform Error : Invalid dot index found - terraform

I am using terraform version 0.11.8
and tried this POC https://github.com/salizzar/terraform-aws-docker
When I do terraform init it throws the following error.
I am a novice with Terraform. I Googled a lot and tried referring to the Terraform module registry to get rid of this error, but in vain.
Can someone please run this POC and point out what needs to be changed?
https://github.com/salizzar/terraform-aws-docker/blob/master/main.tf
**ERROR :**
[root#localhost test]# terraform init
There are some problems with the configuration, described below.
The Terraform configuration must be valid before initialization so that
Terraform can determine which modules and providers need to be installed.
Error: Error loading /home/tottally/main.tf: Invalid dot index found: 'var.aws_security_group.sg_count'. Values in maps and lists can be referenced using square bracket indexing, like: 'var.mymap["key"]' or 'var.mylist[1]'. in:
${var.aws_security_group.sg_count}

I think Terraform is not happy with this line:
count = "${var.aws_security_group.sg_count}"
Instead of using this double dot notation, try using square bracket indexing, as Terraform itself suggests in the error message:
count = "${var.aws_security_group["sg_count"]}"
By the way, this repo is really old, you can find better and up-to-date examples in the public Terraform registry.

Related

Why all attributes in the access_config becomes require while the documentation said they are optional?

I am new to Terraform and its CDK. I am confused about the following:
When I try to run the tf.json generated through cdktf synth using cdktf deploy, terraform plan or terraform apply, the console keeps telling me that all attributes inside the access_config are required and emits errors, but I checked the documentation, and it says that these fields can be optional.
So, I want to know: is it a bug, or is the documentation wrong?
If you are checking the correct version of the Terraform documentation and still see in tf plan/apply these attributes as required, then you should add these attributes in your config. It might happen that the documentation is not up to date.
After discussing with my colleagues, I managed to solve the problem. For the access_config, you have to fill in the attributes while leaving them blank if you don't want to give any value to them:
"access_config":[{
"nat_ip":"google_compute_address.some_name.address",
"public_ptr_domain_name":"",
"network_tier":""
}]
The use of access_config is required in Terraform CDK in comparison to Terraform HCL. In Terraform, where we use HCL to write the configurations, access_config can be left empty, but for Terraform CDK it needs to be populated with parameters, which can be left empty.

Terraform - Doesn't show which resource is producing error

For some reason Terraform doesn't show which resource is producing error. It just outputs the errors. Is there a way I can make sure terraform shows which resource is producing the error?
I'm using Terraform v0.12.21.
Terraform plan doesn't produce any errors. The error is during the apply command.
All the resources are in different tf files and I have to go through one by one to figure out which wasn't run and producing error.
In the below error, lb_listener has completed. So I'm not sure which was next that could be producing the error.
module.Tester_vpc.aws_lb_target_group.nlb_tg_port_80[0]: Creating...
module.Tester_vpc.aws_lb_target_group.nlb_tg_port_80[0]: Creation complete after 1s [id=arn:aws:elasticloadbalancing:ap-south-1:123456:targetgroup/nlbPort80/123456]
module.Tester_vpc.aws_lb_listener.listener[0]: Creating...
module.Tester_vpc.aws_lb_listener.listener[0]: Creation complete after 1s [id=arn:aws:elasticloadbalancing:ap-south-1:123456:listener/net/myNLB/123456/8d51be081230319c]
Error: no matching SecurityGroup found
Error: Your query returned no results. Please change your search criteria and try again.
In this case, I'm fairly sure it's not a resource failing that is causing the error.
Error: Your query returned no results. Please change your search criteria and try again.
This is the error message that a data source gives when it fails. Do you have an aws_security_group data source that's failing?
As to your actual question, how to troubleshoot these sorts of errors. I always reach for TF_LOG (see https://www.terraform.io/docs/internals/debugging.html).
You can set TF_LOG as an environment variable with the value DEBUG (or TRACE) to see detailed debugging information. Often this will include the output of what fails.
Here's an example:
$ TF_LOG=DEBUG terraform apply

Terraform error Invalid count argument after upgrade from TF 0.11 to 0.12

After upgrading from 0.11 to 0.12, something that worked before started failing due to dependencies:
Error: Invalid count argument
on ../modules/app-web/fargate.tf line 289, in resource "aws_security_group_rule" "proxy2target_group_1":
289: count = var.allow_security_group_id == "" ? 0 : 1
The "count" value depends on resource attributes that cannot be determined
until apply, so Terraform cannot predict how many instances will be created.
To work around this, use the -target argument to first apply only the
resources that the count depends on.
which indeed depends on another resource: allow_security_group_id = module.repl-ssm-tunnel-proxy.this_security_group_id
But is it really the only solution to find all such resources and run TF multiple times with -target? Why did it work before? Can I get it working without multiple TF runs?
Update: I have tried the suggested solution, running terraform apply -target=aws_codepipeline.codepipeline_prod -target=aws_codepipeline.codepipeline_stage_from_github -target=aws_codepipeline.codepipeline_stage_from_ecr -target=module.repl-ssm-tunnel-proxy -target=module.direct-connect.aws_route_tables.private which did not fail but also has not applied anything. Perhaps because all these are inside modules (i.e. production.tf -> modules/myapp -> modules/helper-XY) and since I did not target the top-level module (myapp) nothing was applied?
And of course if I try to add the top-level module, it fails again because of the original count problem: terraform apply ... -target=module.direct-connect.aws_route_tables.private -target module.direct_connect Catch 22? :-(
Upgrading from 0.12 to 0.13 removed a number of these warnings and the remaining one was easy to fix by changing the code.
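A common way to avoid this error without -target, shown as an added example that is not from the thread: decide whether the rule exists with a separate boolean that the caller sets as a literal, so count is known at plan time, and use the security group ID only as an attribute value. The variables allow_security_group_enabled and target_security_group_id and the port 443 are assumptions made for illustration.

```hcl
# modules/app-web (sketch): names other than allow_security_group_id and
# proxy2target_group_1 are hypothetical.

variable "allow_security_group_enabled" {
  type    = bool
  default = false
}

variable "allow_security_group_id" {
  type    = string
  default = ""
}

variable "target_security_group_id" {
  type = string
}

resource "aws_security_group_rule" "proxy2target_group_1" {
  # A literal true/false from the caller is known during plan, unlike the
  # ID of a security group that has not been created yet.
  count = var.allow_security_group_enabled ? 1 : 0

  type              = "ingress"
  protocol          = "tcp"
  from_port         = 443 # assumed port
  to_port           = 443
  security_group_id = var.target_security_group_id

  # An unknown value is fine here: it is an attribute, not an instance count.
  source_security_group_id = var.allow_security_group_id
}

# Caller (sketch):
#
# module "app_web" {
#   source                       = "../modules/app-web"
#   allow_security_group_enabled = true
#   allow_security_group_id      = module.repl-ssm-tunnel-proxy.this_security_group_id
#   target_security_group_id     = "sg-PLACEHOLDER"
# }
```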

Azure policy Terraform import '' expected type 'string', got unconvertible type '[]interface {}'

Created Azure policy to Enforce labels on pods in Kubernetes cluster as below.
Policy Name: Enforce labels on pods in Kubernetes cluster
I am trying to import policy using below command
terraform import azurerm_policy_set_definition.test /subscriptions/<SubscriptionId>/providers/Microsoft.Authorization/policySetDefinitions/<Id>
Whenever I am trying to import resource using terraform, getting below error.
Error: setting `policy_definition_reference`: policy_definition_reference.0.parameters.labelsList: '' expected type 'string', got unconvertible type '[]interface {}'
Any help much appreciated.
It's similar to the issue in GitHub. I also think it looks like the parameters need to be fixed. You can see the policy_definition_reference.0.parameters is a mapping of the parameter values for the referenced policy rule and each member needs a string value. But in the Policy Set Definition in Azure, the parameters property is an object in the JSON format like this:
Maybe it cannot convert from an object into a string in Terraform.
And I think you also need to change the format you input in the Azure portal, it should be the same as the namespace, without quotes and separated with the character ;.
If you hover over the ⓘ for List of labels it gives you a hint about how to submit values to the field. You need to have labels separated with a ;. I suspect terraform is incorrectly interpreting the values as JSON.
EDIT: I misspoke, this bug was fixed sooner than I thought. It was fixed in azurerm 2.29.0
This could be because of this bug in the azurerm provider. A fix is in the works but they mention it will likely not be released until the next major release of the azurerm provider (3.0).
I ran into this issue and had to change existing initiative definitions to have parameters at the initiative level, rather than per policy inside of policy_definition_reference and have the policy parameters reference the parameters of the initiative.
Not sure if this is the best way to get around this, as modifying initiative parameters requires that the initiative has no policy assignments.

Terraform replace function doesn't work in conditional

I have code which checks if the key in the loop contains the word Ops and, if yes, assigns the value to provider, either aws.peer or aws.default.
provider = "${replace(each.key, "Ops", "") != each.key ? "aws.peer" : "aws.default"}"
After I run it, it returns:
Error: Invalid provider reference
On ../../modules/Stack/Peering/main.tf line 13: Provider argument requires a provider name followed by an optional alias, like "aws.foo".
Not sure why.
Provider selection is not allowed to be dynamic in Terraform. If you share more of your script, we might be able to give you a workaround that is specific to the solution you are building.
Provider selections cannot be dynamic like this. Although it didn’t produce an error in Terraform 0.11, it also didn’t work: Terraform 0.11 just ignored it and treated it as a literal string, just as the terraform 0.12upgrade tool showed. Terraform 0.12 has an explicit validation check for it to give you better feedback that it’s not supported.
The connections between resources and their providers happen too early for Terraform to be able to evaluate expressions in that context, because the provider must be known in order to understand the other contents of the block.
Resource w/ possible work around:
https://discuss.hashicorp.com/t/defining-provider-aliases-with-string-interpolation-not-working-in-terraform-0-12/1569/4
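One way to get the same effect with static provider references, as an added example that is not from the thread: split the map by key and give each half its own resource block. The aws_route resource and the variable peering_routes are hypothetical stand-ins for whatever the Peering module manages, and resource-level for_each assumes Terraform 0.12.6 or later.

```hcl
# Added example: all variable and resource names below are hypothetical.
# Proxy configurations so the caller can pass both aliases to the module.
provider "aws" {
  alias = "default"
}

provider "aws" {
  alias = "peer"
}

variable "peering_routes" {
  type = map(object({
    route_table_id            = string
    destination_cidr_block    = string
    vpc_peering_connection_id = string
  }))
}

locals {
  # Same test as in the question: a key contains "Ops" when removing
  # "Ops" changes it. The condition filters the data, not the provider.
  ops_routes   = { for k, v in var.peering_routes : k => v if replace(k, "Ops", "") != k }
  other_routes = { for k, v in var.peering_routes : k => v if replace(k, "Ops", "") == k }
}

resource "aws_route" "via_peer" {
  for_each = local.ops_routes
  provider = aws.peer # static reference: no quotes, no expression

  route_table_id            = each.value.route_table_id
  destination_cidr_block    = each.value.destination_cidr_block
  vpc_peering_connection_id = each.value.vpc_peering_connection_id
}

resource "aws_route" "via_default" {
  for_each = local.other_routes
  provider = aws.default

  route_table_id            = each.value.route_table_id
  destination_cidr_block    = each.value.destination_cidr_block
  vpc_peering_connection_id = each.value.vpc_peering_connection_id
}
```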
