Cannot contain self-reference in terraform cloudflare page rule - terraform

I want to create a pagerule to ensure all the incoming http traffic will be converted to https
Here is my rule:
resource "cloudflare_page_rule" "https-only" {
  zone     = "${var.domain}"
  domain   = "${var.domain}"
  target   = "http://*${self.domain}/*"
  priority = 1
  actions = {
    always_use_https = true
  }
}
The target line is based on the example provided by terraform
However when I run the terraform file, I get this error
Error: resource 'cloudflare_page_rule.https-only' config: cannot contain self-reference self.domain
Is the example no longer valid? If so, what is the proper syntax?

Related

terraform disable validation

We are trying to provision azurerm_data_factory_linked_service_data_lake_storage_gen2 and wanted to set the url to a parameterised variable in ADF. It is possible to do this in the Azure Data Factory user interface; however, the resource provider's url component forces us to use https: to pass its validation, so we cannot put in a parameter.
url = "#Dataset().ST_URL"
Is there a way to disable the url check in terraform for this one field?
resource "azurerm_data_factory_linked_service_data_lake_storage_gen2" "example" {
  name                  = "example"
  data_factory_id       = azurerm_data_factory.example.id
  service_principal_id  = data.azurerm_client_config.current.client_id
  service_principal_key = "exampleKey"
  tenant                = "11111111-1111-1111-1111-111111111111"
  url                   = "#Dataset().ST_URL"
}
This line appears to force a requirement for https:
https://github.com/hashicorp/terraform-provider-azurerm/blob/main/internal/services/datafactory/data_factory_linked_service_data_lake_storage_gen2_resource.go#L55

Terraform - Don't create log_config on firewall rules unless enabled

I'm trying to create some firewall rules in GCP which optionally have the logging turned on or not.
resource "google_compute_firewall" "this" {
  name          = var.name
  project       = var.project
  network       = var.network
  source_ranges = var.source_ranges
  source_tags   = var.source_tags
  target_tags   = var.target_tags
  priority      = var.priority
  direction     = var.direction

  allow {
    protocol = lower(var.protocol)
    ports    = var.ports
  }

  ## If log_config is defined, this enables logging. By not defining it, we are disabling logging.
  log_config {
    metadata = var.log_metadata
  }
}
What I need to achieve, and can't figure out, is how to have the log_config block defined when I have var.firewall_logging set to true (or some other string if we can't use a boolean) and not have the log_config block at all when it's set to false. I tried using a dynamic block, as in my other question "Optional fields in resource"; however, even when set to false, it's still creating the log_config block.
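One way to get the conditional block the question describes, as an added example rather than code from the original post: a dynamic block whose for_each is an empty list when logging is off, so no log_config is rendered at all. The two variable declarations are assumptions; the resource arguments are the ones from the question.

```hcl
variable "firewall_logging" {
  description = "Set to true to emit firewall logs for this rule (useful for audit and detection)."
  type        = bool
  default     = false
}

variable "log_metadata" {
  description = "Metadata to include in firewall logs when logging is enabled."
  type        = string
  default     = "INCLUDE_ALL_METADATA"
}

resource "google_compute_firewall" "this" {
  name          = var.name
  project       = var.project
  network       = var.network
  source_ranges = var.source_ranges
  source_tags   = var.source_tags
  target_tags   = var.target_tags
  priority      = var.priority
  direction     = var.direction

  allow {
    protocol = lower(var.protocol)
    ports    = var.ports
  }

  # One-element list -> exactly one log_config block; empty list -> no block at all.
  # A common mistake is to iterate over [var.firewall_logging]: that list still has
  # one element when the value is false, so the block is still rendered.
  dynamic "log_config" {
    for_each = var.firewall_logging ? [1] : []
    content {
      metadata = var.log_metadata
    }
  }
}
```

If the variable has to stay a string, make the condition var.firewall_logging == "true" ? [1] : [] instead; terraform plan then shows log_config only when it is enabled.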

Terraform: What is the simplest way to Incrementally add servers to a deployment?

I am a newbie with terraform so don't laugh :) I want to deploy a number of instances of a server, then add their IPs to a Route53 hosted zone. I will be using Terraform v0.12.24; no chance of 0.14 at the moment.
So far, I have working the "easy", spaghetti approach:
module server: buys and creates a list of servers
module route53: adds route53 records, parameter=array of ips
main.tf
module "hostedzone" {
  source     = "./route53"
  ncs_domain = var.ncs_domain
}

module "server" {
  source       = "./server"
  name         = "${var.ncs_hostname}-${var.ncs_id}"
  hcloud_token = var.server_htk
  servers = [
    {
      type     = "cx11",
      location = "fsn1",
    },
    {
      type     = "cx11",
      location = "fsn1",
    }
  ]
}

resource "aws_route53_record" "server1-record" {
  zone_id = module.hostedzone.zone.zone_id
  name    = "${var.ncs_hostname}.${var.ncs_domain}"
  type    = "A"
  ttl     = "300"
  records = module.server.server.*.ipv4_address
}
and the relevant server resource array:
resource "hcloud_server" "apiserver" {
  count       = length(var.servers)                 # Create a server
  name        = "${var.name}-${count.index}"        # Name server
  image       = var.image                           # Basic image
  server_type = var.servers[count.index].type       # Instance type
  location    = var.servers[count.index].location
}
So if I run terraform apply, I get the server array created. Cool!
Now, I would like to be able to run this module to create and destroy specific servers on demand, like:
initially deploy the platform with one or two servers.
remove one of the initial servers in the array
add new servers
So, how could I use this incrementally, that is, without providing the whole array of servers every time? Like just adding one to the existing list, or removing another.
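The incremental add/remove the question asks for, as an added example that is not part of the original post: key the servers by a stable name with for_each instead of a list index with count, so that deleting one entry destroys only that server. The map keys and the output name are assumptions; resource for_each needs Terraform 0.12.6 or later, which v0.12.24 satisfies.

```hcl
# Servers keyed by a stable name instead of a list index. With count, removing
# element 0 shifts every later index and makes Terraform replace those servers;
# with for_each only the entry whose key changed is touched.
variable "servers" {
  type = map(object({
    type     = string
    location = string
  }))
  default = {
    "api-0" = { type = "cx11", location = "fsn1" }
    "api-1" = { type = "cx11", location = "fsn1" }
  }
}

resource "hcloud_server" "apiserver" {
  for_each    = var.servers
  name        = "${var.name}-${each.key}"
  image       = var.image
  server_type = each.value.type
  location    = each.value.location
}

# Addresses of whatever servers currently exist, for the Route53 record.
output "ipv4_addresses" {
  value = [for s in hcloud_server.apiserver : s.ipv4_address]
}
```

In main.tf the record then reads records = module.server.ipv4_addresses; to add a server, add a key to the map (for example in a -var-file), to retire one, delete its key, and terraform plan will show only that server being created or destroyed.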

Error: Error creating AWSConfig rule: Failed to create AWSConfig rule: InvalidParameterValueException

I'm trying to add an aws_config_config_rule resource with a set of input_parameters, but I keep getting
Error: Error creating AWSConfig rule: Failed to create AWSConfig rule: InvalidParameterValueException: Unknown parameters provided in the inputParameters: {"targetBucket":"mybucket"}.
# Enables access logging for the CloudTrail S3 bucket
resource "aws_config_config_rule" "cloudtrail-s3-bucket-logging-enabled" {
  name        = "cloudtrail-s3-bucket-logging-enabled"
  description = "Checks whether logging is enabled for your S3 buckets."
  source {
    owner             = "AWS"
    source_identifier = "S3_BUCKET_LOGGING_ENABLED"
  }
  scope {
    compliance_resource_id    = aws_s3_bucket.mybucket.arn
    compliance_resource_types = ["AWS::S3::Bucket"]
  }
  input_parameters = jsonencode({ "targetBucket" : aws_s3_bucket.mybucket.id })
}
I figured I could use the jsonencode function https://www.terraform.io/docs/configuration/functions/jsonencode.html. I came across a github issue: https://github.com/hashicorp/terraform/issues/14074, but it is different from what I'm experiencing. Any help would be greatly appreciated.
I was using the wrong input parameters for this rule. This works:
# Ensures that the S3 bucket used by CloudTrail is not publicly accessible
resource "aws_config_config_rule" "cloudtrail-s3-bucket-not-publicy-accessible" {
  name        = "cloudtrail-s3-bucket-not-publicy-accessible"
  description = "Checks whether the required public access block settings are configured from account level. The rule is only NON_COMPLIANT when the fields set below do not match the corresponding fields in the configuration item."
  source {
    owner             = "AWS"
    source_identifier = "S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS"
  }
  scope {
    compliance_resource_id    = aws_s3_bucket.mybucket.id
    compliance_resource_types = ["AWS::S3::Bucket"]
  }
  input_parameters = "{\"IgnorePublicAcls\":\"True\",\"BlockPublicPolicy\":\"True\",\"BlockPublicAcls\":\"True\",\"RestrictPublicBuckets\":\"True\"}"
}

Cloudflare page rules using terraform-cloudflare provider does not update page rules

I am using Terraform + Cloudflare provider.
I created a page rule the first time I ran terraform plan + terraform apply.
Running the same command a second time returns the error:
Error: Failed to create page rule: error from makeRequest: HTTP status 400: content "{"success":false,"errors":[{"code":1004,"message":"Page Rule validation failed: See messages for details."}],"messages":[{"code":1,"message":".distinctTargetUrl: Your zone already has an existing page rule with that URL. If you are modifying only page rule settings use the Edit Page Rule option instead","type":null}],"result":null}"
TLDR: How can I make Terraform update an existing page rule just by changing the definition in this file? Isn't that how this was supposed to work?
This is the terraform.tf file:
provider "cloudflare" {
  email   = "__EMAIL__"
  api_key = "__GLOBAL_API_KEY__"
}

resource "cloudflare_zone_settings_override" "default_cloudflare_config" {
  zone_id = "__ZONE_ID__"
  settings {
    always_online            = "on"
    always_use_https         = "off"
    min_tls_version          = "1.0"
    opportunistic_encryption = "on"
    tls_1_3                  = "zrt"
    automatic_https_rewrites = "on"
    ssl                      = "strict"
    # 8 days
    browser_cache_ttl = "691200"
  }
}

resource "cloudflare_page_rule" "rule_bypass_wp_admin" {
  target   = "*.__DOMAIN__/*wp-admin*"
  zone_id  = "__ZONE_ID__"
  priority = 2
  status   = "active"
  actions {
    always_use_https    = true
    always_online       = "off"
    cache_level         = "bypass"
    disable_apps        = "true"
    disable_performance = true
    disable_security    = true
  }
}
Add the following line in your Page rule definition:
lifecycle {
  ignore_changes = [priority]
}
This will instruct Terraform to ignore any changes in this field. That way when you run a terraform apply Terraform picks up the changes as an update to the existing resources as opposed to creating new resources.
In this case, Terraform tries to create a new Page rule, which conflicts with the Cloudflare limitation that you cannot have multiple page rules acting on the same resource path.
TIP: Run terraform plan -out=tfplan; this will print out the plan that will be applied, on screen and to file. You then get some insight into the changes that Terraform will make and a chance to spot some unintended changes.
I still can't update via Terraform, so I used Python to delete it before recreating.
# Delete existing page rules via the API before re-adding them with Terraform.
# For some reason, I could not update them with Terraform without deleting first.
# https://stackoverflow.com/questions/63942345/cloudflare-page-rules-using-terraform-cloudflare-provider-does-not-update-page-r
import sys

import CloudFlare  # python-cloudflare; reads credentials from the environment or ~/.cloudflare/cloudflare.cfg

cf = CloudFlare.CloudFlare()
zone_id = "__ZONE_ID__"  # same placeholder as in terraform.tf above

page_rules = cf.zones.pagerules.get(zone_id)
print(page_rules)
for pr in page_rules:
    cf.zones.pagerules.delete(zone_id, pr.get('id'))

# Verify the zone really is empty before Terraform recreates the rules
page_rules = cf.zones.pagerules.get(zone_id)
if page_rules:
    sys.exit('Failed to delete existing page rules for site')
Try removing the always_use_https argument so your actions block looks like this:
actions {
  always_online       = "off"
  cache_level         = "bypass"
  disable_apps        = "true"
  disable_performance = true
  disable_security    = true
}
Today I discovered that there is some issue with this argument; it looks like a bug.
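A page rule that pulls together the two Cloudflare threads on this page, as an added example rather than code from either question: the HTTPS-only rule from the first question with its target built from var.domain (self is only valid inside provisioner and connection blocks, which is what the "cannot contain self-reference" error means), plus the lifecycle block suggested in the first answer above. The provider v2 attribute names (zone_id, actions as a block) and the two variables are assumptions.

```hcl
variable "zone_id" {
  type        = string
  description = "Zone ID from the Cloudflare dashboard (the __ZONE_ID__ placeholder in terraform.tf)."
}

variable "domain" {
  type        = string
  description = "Apex domain the rule applies to, e.g. example.com."
}

resource "cloudflare_page_rule" "https_only" {
  zone_id = var.zone_id

  # Build the target from the input variable. `self` is only allowed in
  # provisioner and connection blocks, hence the self-reference error.
  target   = "http://*${var.domain}/*"
  priority = 1
  status   = "active"

  actions {
    always_use_https = true
  }

  # Per the first answer: ignore priority so a changed definition is planned as
  # an update to this rule instead of a create that collides with the same URL.
  lifecycle {
    ignore_changes = [priority]
  }
}
```

Before re-applying, check with terraform state list that the rule is actually tracked in state; if it exists in Cloudflare but not in state, terraform import cloudflare_page_rule.https_only ZONE_ID/RULE_ID brings it under management instead of recreating it.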
