From c6c20266788e355bd3d33c848ec2a595d5b8f70b Mon Sep 17 00:00:00 2001 From: "docs-sourcer[bot]" <99042413+docs-sourcer[bot]@users.noreply.github.com> Date: Sat, 4 Feb 2023 10:08:43 +0000 Subject: [PATCH 1/2] Updated with the latest changes from the knowledge base discussions. --- docs/discussions/knowledge-base/635.mdx | 27 +++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 docs/discussions/knowledge-base/635.mdx diff --git a/docs/discussions/knowledge-base/635.mdx b/docs/discussions/knowledge-base/635.mdx new file mode 100644 index 0000000000..4b022eb012 --- /dev/null +++ b/docs/discussions/knowledge-base/635.mdx @@ -0,0 +1,27 @@ +--- +hide_table_of_contents: true +hide_title: true +custom_edit_url: null +--- + +import CenterLayout from "/src/components/CenterLayout" +import GitHub from "/src/components/GitHub" + + + + + + +Knowledge Base +

Upgrade eks-core-services in CircleCI

+\n

Tracked in ticket #109797

\n\n","bodyHTML":"

Hello all,

\n

i ran into a problem during the EKS cluster upgrade: we recently deployed ECS deploy runner and have not yet experienced with it. When I upgraded the eks-core-service module, the CircleCI pipeline failed with these errors:

\n
[ecs-deploy-runner][2023-01-16T16:42:43+0000] ╷\n[ecs-deploy-runner][2023-01-16T16:42:43+0000] │ Error: Kubernetes cluster unreachable: the server has asked for the client to provide credentials\n[ecs-deploy-runner][2023-01-16T16:42:43+0000] │ \n[ecs-deploy-runner][2023-01-16T16:42:43+0000] │   with module.alb_ingress_controller[\"enable\"].helm_release.aws_alb_ingress_controller,\n[ecs-deploy-runner][2023-01-16T16:42:43+0000] │   on .terraform/modules/alb_ingress_controller/modules/eks-alb-ingress-controller/main.tf line 48, in resource \"helm_release\" \"aws_alb_ingress_controller\":\n[ecs-deploy-runner][2023-01-16T16:42:43+0000] │   48: resource \"helm_release\" \"aws_alb_ingress_controller\" {\n[ecs-deploy-runner][2023-01-16T16:42:43+0000] │ \n[ecs-deploy-runner][2023-01-16T16:42:43+0000] ╵\n[ecs-deploy-runner][2023-01-16T16:42:43+0000] ╷\n[ecs-deploy-runner][2023-01-16T16:42:43+0000] │ Error: Kubernetes cluster unreachable: the server has asked for the client to provide credentials\n[ecs-deploy-runner][2023-01-16T16:42:43+0000] │ \n[ecs-deploy-runner][2023-01-16T16:42:43+0000] │   with module.aws_for_fluent_bit[\"enable\"].helm_release.aws_for_fluent_bit,\n[ecs-deploy-runner][2023-01-16T16:42:43+0000] │   on .terraform/modules/aws_for_fluent_bit/modules/eks-container-logs/main.tf line 48, in resource \"helm_release\" \"aws_for_fluent_bit\":\n[ecs-deploy-runner][2023-01-16T16:42:43+0000] │   48: resource \"helm_release\" \"aws_for_fluent_bit\" {\n[ecs-deploy-runner][2023-01-16T16:42:43+0000] │ \n[ecs-deploy-runner][2023-01-16T16:42:43+0000] ╵\n[ecs-deploy-runner][2023-01-16T16:42:43+0000] ╷\n[ecs-deploy-runner][2023-01-16T16:42:43+0000] │ Error: Kubernetes cluster unreachable: the server has asked for the client to provide credentials\n[ecs-deploy-runner][2023-01-16T16:42:43+0000] │ \n[ecs-deploy-runner][2023-01-16T16:42:43+0000] │   with module.k8s_external_dns[\"enable\"].helm_release.k8s_external_dns,\n[ecs-deploy-runner][2023-01-16T16:42:43+0000] │   on .terraform/modules/k8s_external_dns/modules/eks-k8s-external-dns/main.tf line 54, in resource \"helm_release\" \"k8s_external_dns\":\n[ecs-deploy-runner][2023-01-16T16:42:43+0000] │   54: resource \"helm_release\" \"k8s_external_dns\" {\n[ecs-deploy-runner][2023-01-16T16:42:43+0000] │ \n[ecs-deploy-runner][2023-01-16T16:42:43+0000] ╵\n
\n

My understanding is that ecs-deploy-runner ECS task does not perform Kubernetes authentication and does not have Kubernetes configuration. Does anybody know how to workaround this?

\n
\n\n

Tracked in ticket #109797

\n","answer":{"body":"Without knowing the full details of your configuration, I'll try my best to explain...\r\n\r\nFor the `ecs-deploy-runner` to be able to interact with the EKS cluster, the IAM Role the runner uses, must be mapped in the `aws-auth` ConfigMap. Had the cluster been created with the IAM Role `ecs-deploy-runner` is using, this would be unnecessary, as EKS implicitly grants admin RBAC for the IAM role that the cluster was created with. I'm assuming the cluster was created with a different role? \r\n\r\nTo fix the issue, the ECS Deploy Runner IAM Role has to be added to `aws-auth` ConfigMap. If you're using the [`eks-aws-auth-merger`](https://github.com/gruntwork-io/terraform-aws-eks/tree/master/modules/eks-aws-auth-merger), you can use the [`eks-k8s-role-mapping`](https://github.com/gruntwork-io/terraform-aws-eks/tree/master/modules/eks-k8s-role-mapping) to create an entry in the `aws-auth` ConfigMap, e.g.\r\n\r\n```\r\nmodule \"ecs_deploy_runner_eks_k8s_role_mapping\" {\r\n source = \"git::git@github.com:gruntwork-io/terraform-aws-eks.git//modules/eks-k8s-role-mapping?ref=v0.x.x\"\r\n\r\n name = \"ecs-deploy-runner\"\r\n namespace = \"whatever-namespace-you-use-for-auth-merger\"\r\n\r\n eks_worker_iam_role_arns = []\r\n eks_fargate_profile_executor_iam_role_arns = []\r\n\r\n iam_role_to_rbac_group_mappings = {\r\n # I'm assuming you want admin level permissions in the cluster, because you'll be deploying\r\n # RBAC resources, hence the system:masters\r\n \"your-ecs-deploy-runner-iam-role\" = [\"system:masters\"]\r\n }\r\n\r\n config_map_labels = {\r\n eks-cluster = module.eks_cluster.eks_cluster_name\r\n }\r\n}\r\n```\r\nMake sure you're not overwriting the entire `aws-auth` ConfigMap 😅 and check the plan results carefully before applying. Note that you'll have to deploy the module with an IAM Role that has sufficient permissions in the EKS cluster. After the `aws-auth` ConfigMap has been updated, applying with the `ecs-deploy-runner` should work.\r\n\r\nHope this helps!\r\n","bodyHTML":"

Without knowing the full details of your configuration, I'll try my best to explain...

\n

For the ecs-deploy-runner to be able to interact with the EKS cluster, the IAM Role the runner uses, must be mapped in the aws-auth ConfigMap. Had the cluster been created with the IAM Role ecs-deploy-runner is using, this would be unnecessary, as EKS implicitly grants admin RBAC for the IAM role that the cluster was created with. I'm assuming the cluster was created with a different role?

\n

To fix the issue, the ECS Deploy Runner IAM Role has to be added to aws-auth ConfigMap. If you're using the eks-aws-auth-merger, you can use the eks-k8s-role-mapping to create an entry in the aws-auth ConfigMap, e.g.

\n
module \"ecs_deploy_runner_eks_k8s_role_mapping\" {\n  source = \"git::git@github.com:gruntwork-io/terraform-aws-eks.git//modules/eks-k8s-role-mapping?ref=v0.x.x\"\n\n  name      = \"ecs-deploy-runner\"\n  namespace = \"whatever-namespace-you-use-for-auth-merger\"\n\n  eks_worker_iam_role_arns                   = []\n  eks_fargate_profile_executor_iam_role_arns = []\n\n  iam_role_to_rbac_group_mappings = {\n    # I'm assuming you want admin level permissions in the cluster, because you'll be deploying\n    # RBAC resources, hence the system:masters\n    \"your-ecs-deploy-runner-iam-role\"    = [\"system:masters\"]\n  }\n\n  config_map_labels = {\n    eks-cluster = module.eks_cluster.eks_cluster_name\n  }\n}\n
\n

Make sure you're not overwriting the entire aws-auth ConfigMap 😅 and check the plan results carefully before applying. Note that you'll have to deploy the module with an IAM Role that has sufficient permissions in the EKS cluster. After the aws-auth ConfigMap has been updated, applying with the ecs-deploy-runner should work.

\n

Hope this helps!

"}}} /> + + + + + From e55bb0f056f36dcc80626ea4eb140450de08e5f6 Mon Sep 17 00:00:00 2001 From: "docs-sourcer[bot]" <99042413+docs-sourcer[bot]@users.noreply.github.com> Date: Tue, 7 Feb 2023 14:38:08 +0000 Subject: [PATCH 2/2] Updated with the latest changes from the knowledge base discussions. --- docs/discussions/knowledge-base/137.mdx | 4 ++-- docs/discussions/knowledge-base/661.mdx | 27 +++++++++++++++++++++++++ 2 files changed, 29 insertions(+), 2 deletions(-) create mode 100644 docs/discussions/knowledge-base/661.mdx diff --git a/docs/discussions/knowledge-base/137.mdx b/docs/discussions/knowledge-base/137.mdx index 2e5c0d1752..fc7c271a35 100644 --- a/docs/discussions/knowledge-base/137.mdx +++ b/docs/discussions/knowledge-base/137.mdx @@ -14,7 +14,7 @@ import GitHub from "/src/components/GitHub" Knowledge Base

Passing variables between Terragrunt and Terraform

- resource \"aws_ebs_volume\" \"this\" {\r\n> availability_zone = \"ap-southeast-2a\"\r\n> size = 20\r\n> }\r\n> \r\n> resource \"aws_volume_attachment\" \"this\" {\r\n> device_name = \"/dev/sdh\"\r\n> volume_id = aws_ebs_volume.this.id\r\n> instance_id = \r\n> }\r\n> \r\n\r\nterragrunt.hcl\r\n\r\n> locals {\r\n> environment_vars = read_terragrunt_config(find_in_parent_folders(\"env.hcl\"))\r\n> env = local.environment_vars.locals.environment\r\n> \r\n> project_vars = read_terragrunt_config(find_in_parent_folders(\"project.hcl\"))\r\n> project = local.project_vars.locals.project_name\r\n> application = local.project_vars.locals.application_name\r\n> \r\n> }\r\n> \r\n> include {\r\n> path = find_in_parent_folders()\r\n> }\r\n> \r\n> terraform {\r\n> source = \"git::git@github.com:terraform-aws-modules/terraform-aws-ec2-instance.git?ref=v3.3.0\"\r\n> }\r\n> ``\r\n> dependency \"sg\" {\r\n> config_path = \"../sg-ec2\"\r\n> \r\n> mock_outputs = {\r\n> security_group_id = \"sg-xxxxxxxxxxxx\"\r\n> }\r\n> }\r\n> \r\n> inputs = {\r\n> \r\n> \r\n> name = \"ui01-${local.project}-${local.application}-${local.env}\"\r\n> description = \"UI 01 ${local.project} ${local.application} Instance for ${local.env}\"\r\n> \r\n> \r\n> ami = \"ami-0bd2230cfb28832f7\" # Amazon Linux kernel 5.10\r\n> instance_type = \"c5.large\"\r\n> key_name = \"key-test\" # This key is manually created\r\n> monitoring = true\r\n> iam_instance_profile = \"AmazonSSMRoleForInstancesQuickSetup\"\r\n> \r\n> \r\n> vpc_id = \"vpc-xxxxxxx\" \r\n> subnet_id = \"subnet-xxxxxxxx\" \r\n> \r\n> \r\n> vpc_security_group_ids = [\"${dependency.sg.outputs.security_group_id}\"]\r\n> \r\n> }\r\n\r\n\r\n\r\nIs it possible to use the output of the instance and pass this parameter/object to the ebs.tf file so that the ebs volume gets attached to the instance on the fly?\r\n\r\nAnother question is, is it possible for the *.tf files to use the variables defined in the .hcl files?\r\n\r\ne.g.\r\nIf you call in terragrunt \r\n\r\n> locals {\r\n> environment_vars = read_terragrunt_config(find_in_parent_folders(\"env.hcl\"))\r\n> env = local.environment_vars.locals.environment\r\n> }\r\n> \r\n> env.hcl is:\r\n> locals {\r\n> environment = \"dev\"\r\n> }\r\n> \r\n\r\nyou can use the variable env as ${local.env} for your inputs\r\nCan you call this variable in the .tf file in some way?\r\n","bodyHTML":"

I am trying to create an EC2 instance with an EBS volume attached to the said instance.
\nI have the code to create the EC2 instance using terragrunt, and it works fine.

\n

However, to create the EBS volume and attach it to the instance I need to use some terraform code.

\n

e.g.

\n

Layout tree is:

\n

dev
\n-ec2
\n--terragrunt.hcl
\n--ebs.tf

\n

In the ebs.tf file we can have

\n
\n

resource \"aws_ebs_volume\" \"this\" {
\navailability_zone = \"ap-southeast-2a\"
\nsize = 20
\n}

\n

resource \"aws_volume_attachment\" \"this\" {
\ndevice_name = \"/dev/sdh\"
\nvolume_id = aws_ebs_volume.this.id
\ninstance_id = <instance.parameter.from.terragrunt>
\n}

\n
\n

terragrunt.hcl

\n
\n

locals {
\nenvironment_vars = read_terragrunt_config(find_in_parent_folders(\"env.hcl\"))
\nenv = local.environment_vars.locals.environment

\n

project_vars = read_terragrunt_config(find_in_parent_folders(\"project.hcl\"))
\nproject = local.project_vars.locals.project_name
\napplication = local.project_vars.locals.application_name

\n

}

\n

include {
\npath = find_in_parent_folders()
\n}

\n

terraform {
\nsource = \"git::git@github.com:terraform-aws-modules/terraform-aws-ec2-instance.git?ref=v3.3.0\"
\n}
\n``
\ndependency \"sg\" {
\nconfig_path = \"../sg-ec2\"

\n

mock_outputs = {
\nsecurity_group_id = \"sg-xxxxxxxxxxxx\"
\n}
\n}

\n

inputs = {

\n

name = \"ui01-${local.project}-${local.application}-${local.env}\"
\ndescription = \"UI 01 ${local.project} ${local.application} Instance for ${local.env}\"

\n

ami = \"ami-0bd2230cfb28832f7\" # Amazon Linux kernel 5.10
\ninstance_type = \"c5.large\"
\nkey_name = \"key-test\" # This key is manually created
\nmonitoring = true
\niam_instance_profile = \"AmazonSSMRoleForInstancesQuickSetup\"

\n

vpc_id = \"vpc-xxxxxxx\"
\nsubnet_id = \"subnet-xxxxxxxx\"

\n

vpc_security_group_ids = [\"${dependency.sg.outputs.security_group_id}\"]

\n

}

\n
\n

Is it possible to use the output of the instance and pass this parameter/object to the ebs.tf file so that the ebs volume gets attached to the instance on the fly?

\n

Another question is, is it possible for the *.tf files to use the variables defined in the .hcl files?

\n

e.g.
\nIf you call in terragrunt

\n
\n

locals {
\nenvironment_vars = read_terragrunt_config(find_in_parent_folders(\"env.hcl\"))
\nenv = local.environment_vars.locals.environment
\n}

\n

env.hcl is:
\nlocals {
\nenvironment = \"dev\"
\n}

\n
\n

you can use the variable env as ${local.env} for your inputs
\nCan you call this variable in the .tf file in some way?

","answer":{"body":"OK so I have this almost working fully, well in fact it does work, I can grab the instance id and attach an ebs volume to this instance, but at the same time the ebs directory tries to create a new ec2 instance. This is not what I want as I have a ec2 directory looking after the entire ec2 instance creation.\r\n\r\n\r\n├── ebs\r\n│ ├── ebs.tf\r\n│ └── terragrunt.hcl\r\n└── ec2-instance\r\n └── terragrunt.hcl\r\n\r\n\r\nebs.tf\r\n```\r\nvariable \"instance_id\" {\r\n type = string\r\n}\r\n\r\nresource \"aws_ebs_volume\" \"this\" {\r\n availability_zone = \"ap-southeast-2a\"\r\n size = 20\r\n}\r\n\r\nresource \"aws_volume_attachment\" \"this\" {\r\n device_name = \"/dev/sdh\"\r\n volume_id = aws_ebs_volume.this.id\r\n instance_id = \"${var.instance_id}\"\r\n}\r\n```\r\n\r\n\r\nterragrunt.hcl\r\n\r\n```\r\nlocals { }\r\n\r\ninclude {\r\n path = find_in_parent_folders()\r\n}\r\n\r\nterraform {\r\n source = \"git::git@github.com:terraform-aws-modules/terraform-aws-ec2-instance.git?ref=v3.3.0\"\r\n}\r\n\r\ndependency \"ec2-linux-ui\" {\r\n config_path = \"../ec2-linux-ui\"\r\n mock_outputs = {\r\n instance_id = \"12345\"\r\n }\r\n}\r\n\r\ninputs = {\r\n instance_id = dependency.ec2-linux-ui.outputs.id\r\n}\r\n```\r\n\r\n\r\n\r\nterragrunt.hcl for the ec2 instance\r\n\r\n```\r\nlocals {\r\n environment_vars = read_terragrunt_config(find_in_parent_folders(\"env.hcl\"))\r\n env = local.environment_vars.locals.environment\r\n project_vars = read_terragrunt_config(find_in_parent_folders(\"project.hcl\"))\r\n project = local.project_vars.locals.project_name\r\n application = local.project_vars.locals.application_name\r\n}\r\n\r\ninclude {\r\n path = find_in_parent_folders()\r\n}\r\n\r\nterraform {\r\n source = \"git::git@github.com:terraform-aws-modules/terraform-aws-ec2-instance.git?ref=v3.3.0\"\r\n}\r\n\r\n# Need the output of the correct Security Group ID to attach to the RDS instance\r\ndependency \"sg\" {\r\n config_path = \"../sg-ec2\"\r\n\r\n mock_outputs = {\r\n security_group_id = \"sg-xxxxxxxxxx\"\r\n }\r\n}\r\n\r\ninputs = {\r\n\r\n # Naming\r\n name = \"ui01-${local.project}-${local.application}-${local.env}\"\r\n description = \"UI 01 ${local.project} ${local.application} Instance for ${local.env}\"\r\n\r\n # EC2 Config\r\n ami = \"ami-0bd2230cfb28832f7\" # Amazon Linux kernel 5.10\r\n instance_type = \"c5.large\"\r\n key_name = \"xxxxxxx\" \r\n monitoring = true\r\n\r\n\r\n # Networking\r\n vpc_id = \"xxxxxxx\" \r\n subnet_id = \"xxxxxxxx\"\r\n\r\n # Security Group\r\n vpc_security_group_ids = [\"${dependency.sg.outputs.security_group_id}\"]\r\n\r\n}\r\n```\r\n\r\nNot sure why the ebs/terragrunt.hcl file wants to create a new instance when I can successfully get the instance id returned from the ec2-linux-ui dependency? If I can fix that, we are done.","bodyHTML":"

OK so I have this almost working fully, well in fact it does work, I can grab the instance id and attach an ebs volume to this instance, but at the same time the ebs directory tries to create a new ec2 instance. This is not what I want as I have a ec2 directory looking after the entire ec2 instance creation.

\n

├── ebs
\n│ ├── ebs.tf
\n│ └── terragrunt.hcl
\n└── ec2-instance
\n└── terragrunt.hcl

\n

ebs.tf

\n
variable \"instance_id\" {\n  type = string\n}\n\nresource \"aws_ebs_volume\" \"this\" {\n  availability_zone = \"ap-southeast-2a\"\n  size              = 20\n}\n\nresource \"aws_volume_attachment\" \"this\" {\n  device_name = \"/dev/sdh\"\n  volume_id   = aws_ebs_volume.this.id\n  instance_id = \"${var.instance_id}\"\n}\n
\n

terragrunt.hcl

\n
locals { }\n\ninclude {\n  path = find_in_parent_folders()\n}\n\nterraform {\n  source = \"git::git@github.com:terraform-aws-modules/terraform-aws-ec2-instance.git?ref=v3.3.0\"\n}\n\ndependency \"ec2-linux-ui\" {\n  config_path = \"../ec2-linux-ui\"\n  mock_outputs = {\n    instance_id = \"12345\"\n  }\n}\n\ninputs = {\n      instance_id = dependency.ec2-linux-ui.outputs.id\n}\n
\n

terragrunt.hcl for the ec2 instance

\n
locals {\n  environment_vars = read_terragrunt_config(find_in_parent_folders(\"env.hcl\"))\n  env              = local.environment_vars.locals.environment\n  project_vars = read_terragrunt_config(find_in_parent_folders(\"project.hcl\"))\n  project      = local.project_vars.locals.project_name\n  application  = local.project_vars.locals.application_name\n}\n\ninclude {\n  path = find_in_parent_folders()\n}\n\nterraform {\n  source = \"git::git@github.com:terraform-aws-modules/terraform-aws-ec2-instance.git?ref=v3.3.0\"\n}\n\n# Need the output of the correct Security Group ID to attach to the RDS instance\ndependency \"sg\" {\n  config_path = \"../sg-ec2\"\n\n  mock_outputs = {\n    security_group_id = \"sg-xxxxxxxxxx\"\n  }\n}\n\ninputs = {\n\n  # Naming\n  name        = \"ui01-${local.project}-${local.application}-${local.env}\"\n  description = \"UI 01 ${local.project} ${local.application} Instance for ${local.env}\"\n\n  # EC2 Config\n  ami                  = \"ami-0bd2230cfb28832f7\" # Amazon Linux kernel 5.10\n  instance_type        = \"c5.large\"\n  key_name             = \"xxxxxxx\" \n  monitoring           = true\n\n\n  # Networking\n  vpc_id    = \"xxxxxxx\"   \n  subnet_id = \"xxxxxxxx\"\n\n  # Security Group\n  vpc_security_group_ids = [\"${dependency.sg.outputs.security_group_id}\"]\n\n}\n
\n

Not sure why the ebs/terragrunt.hcl file wants to create a new instance when I can successfully get the instance id returned from the ec2-linux-ui dependency? If I can fix that, we are done.

"}}} /> + resource \"aws_ebs_volume\" \"this\" {\r\n> availability_zone = \"ap-southeast-2a\"\r\n> size = 20\r\n> }\r\n> \r\n> resource \"aws_volume_attachment\" \"this\" {\r\n> device_name = \"/dev/sdh\"\r\n> volume_id = aws_ebs_volume.this.id\r\n> instance_id = \r\n> }\r\n> \r\n\r\nterragrunt.hcl\r\n\r\n> locals {\r\n> environment_vars = read_terragrunt_config(find_in_parent_folders(\"env.hcl\"))\r\n> env = local.environment_vars.locals.environment\r\n> \r\n> project_vars = read_terragrunt_config(find_in_parent_folders(\"project.hcl\"))\r\n> project = local.project_vars.locals.project_name\r\n> application = local.project_vars.locals.application_name\r\n> \r\n> }\r\n> \r\n> include {\r\n> path = find_in_parent_folders()\r\n> }\r\n> \r\n> terraform {\r\n> source = \"git::git@github.com:terraform-aws-modules/terraform-aws-ec2-instance.git?ref=v3.3.0\"\r\n> }\r\n> ``\r\n> dependency \"sg\" {\r\n> config_path = \"../sg-ec2\"\r\n> \r\n> mock_outputs = {\r\n> security_group_id = \"sg-xxxxxxxxxxxx\"\r\n> }\r\n> }\r\n> \r\n> inputs = {\r\n> \r\n> \r\n> name = \"ui01-${local.project}-${local.application}-${local.env}\"\r\n> description = \"UI 01 ${local.project} ${local.application} Instance for ${local.env}\"\r\n> \r\n> \r\n> ami = \"ami-0bd2230cfb28832f7\" # Amazon Linux kernel 5.10\r\n> instance_type = \"c5.large\"\r\n> key_name = \"key-test\" # This key is manually created\r\n> monitoring = true\r\n> iam_instance_profile = \"AmazonSSMRoleForInstancesQuickSetup\"\r\n> \r\n> \r\n> vpc_id = \"vpc-xxxxxxx\" \r\n> subnet_id = \"subnet-xxxxxxxx\" \r\n> \r\n> \r\n> vpc_security_group_ids = [\"${dependency.sg.outputs.security_group_id}\"]\r\n> \r\n> }\r\n\r\n\r\n\r\nIs it possible to use the output of the instance and pass this parameter/object to the ebs.tf file so that the ebs volume gets attached to the instance on the fly?\r\n\r\nAnother question is, is it possible for the *.tf files to use the variables defined in the .hcl files?\r\n\r\ne.g.\r\nIf you call in terragrunt \r\n\r\n> locals {\r\n> environment_vars = read_terragrunt_config(find_in_parent_folders(\"env.hcl\"))\r\n> env = local.environment_vars.locals.environment\r\n> }\r\n> \r\n> env.hcl is:\r\n> locals {\r\n> environment = \"dev\"\r\n> }\r\n> \r\n\r\nyou can use the variable env as ${local.env} for your inputs\r\nCan you call this variable in the .tf file in some way?\r\n","bodyHTML":"

I am trying to create an EC2 instance with an EBS volume attached to the said instance.
\nI have the code to create the EC2 instance using terragrunt, and it works fine.

\n

However, to create the EBS volume and attach it to the instance I need to use some terraform code.

\n

e.g.

\n

Layout tree is:

\n

dev
\n-ec2
\n--terragrunt.hcl
\n--ebs.tf

\n

In the ebs.tf file we can have

\n
\n

resource \"aws_ebs_volume\" \"this\" {
\navailability_zone = \"ap-southeast-2a\"
\nsize = 20
\n}

\n

resource \"aws_volume_attachment\" \"this\" {
\ndevice_name = \"/dev/sdh\"
\nvolume_id = aws_ebs_volume.this.id
\ninstance_id = <instance.parameter.from.terragrunt>
\n}

\n
\n

terragrunt.hcl

\n
\n

locals {
\nenvironment_vars = read_terragrunt_config(find_in_parent_folders(\"env.hcl\"))
\nenv = local.environment_vars.locals.environment

\n

project_vars = read_terragrunt_config(find_in_parent_folders(\"project.hcl\"))
\nproject = local.project_vars.locals.project_name
\napplication = local.project_vars.locals.application_name

\n

}

\n

include {
\npath = find_in_parent_folders()
\n}

\n

terraform {
\nsource = \"git::git@github.com:terraform-aws-modules/terraform-aws-ec2-instance.git?ref=v3.3.0\"
\n}
\n``
\ndependency \"sg\" {
\nconfig_path = \"../sg-ec2\"

\n

mock_outputs = {
\nsecurity_group_id = \"sg-xxxxxxxxxxxx\"
\n}
\n}

\n

inputs = {

\n

name = \"ui01-${local.project}-${local.application}-${local.env}\"
\ndescription = \"UI 01 ${local.project} ${local.application} Instance for ${local.env}\"

\n

ami = \"ami-0bd2230cfb28832f7\" # Amazon Linux kernel 5.10
\ninstance_type = \"c5.large\"
\nkey_name = \"key-test\" # This key is manually created
\nmonitoring = true
\niam_instance_profile = \"AmazonSSMRoleForInstancesQuickSetup\"

\n

vpc_id = \"vpc-xxxxxxx\"
\nsubnet_id = \"subnet-xxxxxxxx\"

\n

vpc_security_group_ids = [\"${dependency.sg.outputs.security_group_id}\"]

\n

}

\n
\n

Is it possible to use the output of the instance and pass this parameter/object to the ebs.tf file so that the ebs volume gets attached to the instance on the fly?

\n

Another question is, is it possible for the *.tf files to use the variables defined in the .hcl files?

\n

e.g.
\nIf you call in terragrunt

\n
\n

locals {
\nenvironment_vars = read_terragrunt_config(find_in_parent_folders(\"env.hcl\"))
\nenv = local.environment_vars.locals.environment
\n}

\n

env.hcl is:
\nlocals {
\nenvironment = \"dev\"
\n}

\n
\n

you can use the variable env as ${local.env} for your inputs
\nCan you call this variable in the .tf file in some way?

","answer":{"body":"OK so I have this almost working fully, well in fact it does work, I can grab the instance id and attach an ebs volume to this instance, but at the same time the ebs directory tries to create a new ec2 instance. This is not what I want as I have a ec2 directory looking after the entire ec2 instance creation.\r\n\r\n\r\n├── ebs\r\n│ ├── ebs.tf\r\n│ └── terragrunt.hcl\r\n└── ec2-instance\r\n └── terragrunt.hcl\r\n\r\n\r\nebs.tf\r\n```\r\nvariable \"instance_id\" {\r\n type = string\r\n}\r\n\r\nresource \"aws_ebs_volume\" \"this\" {\r\n availability_zone = \"ap-southeast-2a\"\r\n size = 20\r\n}\r\n\r\nresource \"aws_volume_attachment\" \"this\" {\r\n device_name = \"/dev/sdh\"\r\n volume_id = aws_ebs_volume.this.id\r\n instance_id = \"${var.instance_id}\"\r\n}\r\n```\r\n\r\n\r\nterragrunt.hcl\r\n\r\n```\r\nlocals { }\r\n\r\ninclude {\r\n path = find_in_parent_folders()\r\n}\r\n\r\nterraform {\r\n source = \"git::git@github.com:terraform-aws-modules/terraform-aws-ec2-instance.git?ref=v3.3.0\"\r\n}\r\n\r\ndependency \"ec2-linux-ui\" {\r\n config_path = \"../ec2-linux-ui\"\r\n mock_outputs = {\r\n instance_id = \"12345\"\r\n }\r\n}\r\n\r\ninputs = {\r\n instance_id = dependency.ec2-linux-ui.outputs.id\r\n}\r\n```\r\n\r\n\r\n\r\nterragrunt.hcl for the ec2 instance\r\n\r\n```\r\nlocals {\r\n environment_vars = read_terragrunt_config(find_in_parent_folders(\"env.hcl\"))\r\n env = local.environment_vars.locals.environment\r\n project_vars = read_terragrunt_config(find_in_parent_folders(\"project.hcl\"))\r\n project = local.project_vars.locals.project_name\r\n application = local.project_vars.locals.application_name\r\n}\r\n\r\ninclude {\r\n path = find_in_parent_folders()\r\n}\r\n\r\nterraform {\r\n source = \"git::git@github.com:terraform-aws-modules/terraform-aws-ec2-instance.git?ref=v3.3.0\"\r\n}\r\n\r\n# Need the output of the correct Security Group ID to attach to the RDS instance\r\ndependency \"sg\" {\r\n config_path = \"../sg-ec2\"\r\n\r\n mock_outputs = {\r\n security_group_id = \"sg-xxxxxxxxxx\"\r\n }\r\n}\r\n\r\ninputs = {\r\n\r\n # Naming\r\n name = \"ui01-${local.project}-${local.application}-${local.env}\"\r\n description = \"UI 01 ${local.project} ${local.application} Instance for ${local.env}\"\r\n\r\n # EC2 Config\r\n ami = \"ami-0bd2230cfb28832f7\" # Amazon Linux kernel 5.10\r\n instance_type = \"c5.large\"\r\n key_name = \"xxxxxxx\" \r\n monitoring = true\r\n\r\n\r\n # Networking\r\n vpc_id = \"xxxxxxx\" \r\n subnet_id = \"xxxxxxxx\"\r\n\r\n # Security Group\r\n vpc_security_group_ids = [\"${dependency.sg.outputs.security_group_id}\"]\r\n\r\n}\r\n```\r\n\r\nNot sure why the ebs/terragrunt.hcl file wants to create a new instance when I can successfully get the instance id returned from the ec2-linux-ui dependency? If I can fix that, we are done.","bodyHTML":"

OK so I have this almost working fully, well in fact it does work, I can grab the instance id and attach an ebs volume to this instance, but at the same time the ebs directory tries to create a new ec2 instance. This is not what I want as I have a ec2 directory looking after the entire ec2 instance creation.

\n

├── ebs
\n│ ├── ebs.tf
\n│ └── terragrunt.hcl
\n└── ec2-instance
\n└── terragrunt.hcl

\n

ebs.tf

\n
variable \"instance_id\" {\n  type = string\n}\n\nresource \"aws_ebs_volume\" \"this\" {\n  availability_zone = \"ap-southeast-2a\"\n  size              = 20\n}\n\nresource \"aws_volume_attachment\" \"this\" {\n  device_name = \"/dev/sdh\"\n  volume_id   = aws_ebs_volume.this.id\n  instance_id = \"${var.instance_id}\"\n}\n
\n

terragrunt.hcl

\n
locals { }\n\ninclude {\n  path = find_in_parent_folders()\n}\n\nterraform {\n  source = \"git::git@github.com:terraform-aws-modules/terraform-aws-ec2-instance.git?ref=v3.3.0\"\n}\n\ndependency \"ec2-linux-ui\" {\n  config_path = \"../ec2-linux-ui\"\n  mock_outputs = {\n    instance_id = \"12345\"\n  }\n}\n\ninputs = {\n      instance_id = dependency.ec2-linux-ui.outputs.id\n}\n
\n

terragrunt.hcl for the ec2 instance

\n
locals {\n  environment_vars = read_terragrunt_config(find_in_parent_folders(\"env.hcl\"))\n  env              = local.environment_vars.locals.environment\n  project_vars = read_terragrunt_config(find_in_parent_folders(\"project.hcl\"))\n  project      = local.project_vars.locals.project_name\n  application  = local.project_vars.locals.application_name\n}\n\ninclude {\n  path = find_in_parent_folders()\n}\n\nterraform {\n  source = \"git::git@github.com:terraform-aws-modules/terraform-aws-ec2-instance.git?ref=v3.3.0\"\n}\n\n# Need the output of the correct Security Group ID to attach to the RDS instance\ndependency \"sg\" {\n  config_path = \"../sg-ec2\"\n\n  mock_outputs = {\n    security_group_id = \"sg-xxxxxxxxxx\"\n  }\n}\n\ninputs = {\n\n  # Naming\n  name        = \"ui01-${local.project}-${local.application}-${local.env}\"\n  description = \"UI 01 ${local.project} ${local.application} Instance for ${local.env}\"\n\n  # EC2 Config\n  ami                  = \"ami-0bd2230cfb28832f7\" # Amazon Linux kernel 5.10\n  instance_type        = \"c5.large\"\n  key_name             = \"xxxxxxx\" \n  monitoring           = true\n\n\n  # Networking\n  vpc_id    = \"xxxxxxx\"   \n  subnet_id = \"xxxxxxxx\"\n\n  # Security Group\n  vpc_security_group_ids = [\"${dependency.sg.outputs.security_group_id}\"]\n\n}\n
\n

Not sure why the ebs/terragrunt.hcl file wants to create a new instance when I can successfully get the instance id returned from the ec2-linux-ui dependency? If I can fix that, we are done.

"}}} /> @@ -22,6 +22,6 @@ import GitHub from "/src/components/GitHub" diff --git a/docs/discussions/knowledge-base/661.mdx b/docs/discussions/knowledge-base/661.mdx new file mode 100644 index 0000000000..e6dc257be4 --- /dev/null +++ b/docs/discussions/knowledge-base/661.mdx @@ -0,0 +1,27 @@ +--- +hide_table_of_contents: true +hide_title: true +custom_edit_url: null +--- + +import CenterLayout from "/src/components/CenterLayout" +import GitHub from "/src/components/GitHub" + + + + + + +Knowledge Base +

I can't delete VPCs using cloud-nuke

+\n

Tracked in ticket #109877

\n\n","bodyHTML":"

When I try to delete a VPC using cloud-nuke I see an error

\n
InvalidParameterValue: Network interface 'eni:2ad435344fe31c' is currently in use.'\n
\n
\n\n

Tracked in ticket #109877

\n","answer":{"body":"We believe this is a problem with eventual consistency within AWS. After removing any eni resources within the VPC it takes a significant period of time before the VPC becomes eligible for deletion. As part of Gruntwork operations we typically run cloud-nuke multiple times to ensure VPCs are destroyed. We find that retrying after 30 minutes typically resolves the issue.","bodyHTML":"

We believe this is a problem with eventual consistency within AWS. After removing any eni resources within the VPC it takes a significant period of time before the VPC becomes eligible for deletion. As part of Gruntwork operations we typically run cloud-nuke multiple times to ensure VPCs are destroyed. We find that retrying after 30 minutes typically resolves the issue.

"}}} /> + + + + +