is this still maintained?

[isbkch]

The idea is awesome but what I think what we have now is far from the promise.

I've been struggling since yesterday, solving all kind of issues and I'm wondering whether it's still maintained

I'm on latest TF v1.1.4

[petewilcock]

Yes @isbkch it's still maintained and when I have time there will be more improvements - but what issues are you facing and needing to solve? This is valuable feedback.

[isbkch]

@petewilcock the first question is to know if it supports the latest Terraform v1.1.4 ? Upgrading to 1.x broke all our TF modules where I work, and with this repo I'm getting errors around entities that already exist for example..
I'll give it another go today and share the exact errors

[petewilcock]

@petewilcock the first question is to know if it supports the latest Terraform v1.1.4 ?

I've just run a plan against an existing deployment of this with v.1.1.4 and saw no issues - but let me know if you have specifics and I'll investigate.

[isbkch]

This is an error that keeps coming back

Error: Creating CloudWatch Log Group failed: ResourceAlreadyExistsException: The specified log group already exists:  The CloudWatch Log Group '/aws/lambda/us-east-1.mytest_redirect_index_html' already exists.
│
│   with module.mytest_website.module.cloudfront.aws_cloudwatch_log_group.object_redirect_ue1_local,
│   on .terraform/modules/mytest_website/modules/cloudfront/main.tf line 14, in resource "aws_cloudwatch_log_group" "object_redirect_ue1_local":
│   14: resource "aws_cloudwatch_log_group" "object_redirect_ue1_local" {

I tried importing the resource, also tried deleting it before the execution

[petewilcock]

Hmmm, this might be a race condition. The log group gets created automatically, but the module attempts to create it ahead of time to be able to set retention period on the logs. This might just required a depends_on added to ensure the order of creation is deterministic. I'll add it as an improvement.

[isbkch]

Thank you!
Btw, I've used the config under examples and changed variables. Then I run

terraform init
terraform plan -out "stable" 
terraform apply "stable"

This gives me the following error

 Error: Invalid for_each argument
│
│   on ecs.tf line 92, in resource "aws_efs_mount_target" "wordpress_efs":
│   92:   for_each        = toset(module.mytest_vpc.subnet_ids)
│     ├────────────────
│     │ module.mytest_vpc.subnet_ids is set of string with 6 elements
│
│ The "for_each" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how
│ many instances will be created. To work around this, use the -target argument to first apply only the resources that the
│ for_each depends on.

Notice how I replaced the line for_each = toset(var.subnet_ids) by for_each = toset(module.mytest_vpc.subnet_ids) because I create the VPC dynamically

And

 Error: Invalid for_each argument
│
│   on .terraform/modules/mytest_website/ecs.tf line 92, in resource "aws_efs_mount_target" "wordpress_efs":
│   92:   for_each        = toset(var.subnet_ids)
│     ├────────────────
│     │ var.subnet_ids is a list of dynamic, known only after apply
│
│ The "for_each" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how
│ many instances will be created. To work around this, use the -target argument to first apply only the resources that the
│ for_each depends on.

Should I do something else?

Maybe you can share your configs?

[isbkch]

I wanted to start from scratch so I run terraform destroy only to get this error:

│ Error: error deleting Lambda Function (mytest__redirect_index_html): InvalidParameterValueException: Lambda was unable to delete arn:aws:lambda:us-east-1:XXXXXX:function:mytest__redirect_index_html:1 because it is a replicated function. Please see our documentation for Deleting Lambda@Edge Functions and Replicas.
│ {
│   RespMetadata: {
│     StatusCode: 400,
│     RequestID: "c6ec3e0d-2db8-49fd-9ac1-e5e380ca9b05"
│   },
│   Message_: "Lambda was unable to delete arn:aws:lambda:us-east-1:XXXX:function:mytest__redirect_index_html:1 because it is a replicated function. Please see our documentation for Deleting Lambda@Edge Functions and Replicas."
│ }

[petewilcock]

The VPC example has been broken by terraform but it's not a core part of the module. It's there as an example but it's now outdated. You can switch this out for another module that specifically creates VPCs, or provide subnet IDs of a VPC that already exists.

The issue with the deletion of the lambda is because it's a global function. This is a known Terraform issue: hashicorp/terraform-provider-aws#1721 - potential workarounds for this may exist, I'll consider this also.

[isbkch]

More circular dependencies

Error: failed creating IAM Role (mytest_WordpressTaskRole): EntityAlreadyExists: Role with name mytest_WordpressTaskRole already exists.
│ 	status code: 409, request id: 28127b0a-b3cf-4338-a538-98179441da7a
│
│   with aws_iam_role.wordpress_task,
│   on ecs.tf line 56, in resource "aws_iam_role" "wordpress_task":
│   56: resource "aws_iam_role" "wordpress_task" {
│
╵
╷
│ Error: Creating CloudWatch Log Group failed: ResourceAlreadyExistsException: The specified log group already exists:  The CloudWatch Log Group '/aws/ecs/mytest-serverless-wordpress-container' already exists.
│
│   with aws_cloudwatch_log_group.wordpress_container,
│   on ecs.tf line 99, in resource "aws_cloudwatch_log_group" "wordpress_container":
│   99: resource "aws_cloudwatch_log_group" "wordpress_container" {
│
╷
│ Error: failed creating IAM Role (mytest_CodeBuildServiceRole): EntityAlreadyExists: Role with name mytest_CodeBuildServiceRole already exists.
│ 	status code: 409, request id: 1a1e45bb-821d-4ccc-833e-8fac1696177d
│
│   with module.codebuild.aws_iam_role.codebuild_service_role,
│   on modules/codebuild/main.tf line 48, in resource "aws_iam_role" "codebuild_service_role":
│   48: resource "aws_iam_role" "codebuild_service_role" {
│
╵
╷
│ Error: Creating CloudWatch Log Group failed: ResourceAlreadyExistsException: The specified log group already exists:  The CloudWatch Log Group '/aws/codebuild/mytest-serverless-wordpress-docker-build' already exists.
│
│   with module.codebuild.aws_cloudwatch_log_group.wordpress_docker_build,
│   on modules/codebuild/main.tf line 80, in resource "aws_cloudwatch_log_group" "wordpress_docker_build":
│   80: resource "aws_cloudwatch_log_group" "wordpress_docker_build" {
│
╵
╷
│ Error: failed creating ECR Repository (mytest-serverless-wordpress): RepositoryAlreadyExistsException: The repository with name 'mytest-serverless-wordpress' already exists in the registry with id 'XXXXXX'
│
│   with module.mytest_website.aws_ecr_repository.serverless_wordpress,
│   on .terraform/modules/mytest_website/ecr.tf line 3, in resource "aws_ecr_repository" "serverless_wordpress":
│    3: resource "aws_ecr_repository" "serverless_wordpress" {
│
╵
╷
│ Error: error creating IAM policy mytest_WordpressBucketAccess: EntityAlreadyExists: A policy called mytest_WordpressBucketAccess already exists. Duplicate names are not allowed.
│ 	status code: 409, request id: 95cc220e-4730-432e-bbc5-84e17ffcddeb
│
│   with module.mytest_website.aws_iam_policy.wordpress_bucket_access,
│   on .terraform/modules/mytest_website/ecs.tf line 45, in resource "aws_iam_policy" "wordpress_bucket_access":
│   45: resource "aws_iam_policy" "wordpress_bucket_access" {
│
╵
╷
│ Error: error creating Security Group (mytest_efs_sg): InvalidGroup.Duplicate: The security group 'mytest_efs_sg' already exists for VPC 'vpc-07bceb28a9e486118'
│ 	status code: 400, request id: 96df5ca2-b33c-46e0-88b3-d40cfd543dc0
│
│   with module.mytest_website.aws_security_group.efs_security_group,
│   on .terraform/modules/mytest_website/ecs.tf line 75, in resource "aws_security_group" "efs_security_group":
│   75: resource "aws_security_group" "efs_security_group" {
│
╵
╷
│ Error: error creating Security Group (mytest_wordpress_sg): InvalidGroup.Duplicate: The security group 'mytest_wordpress_sg' already exists for VPC 'vpc-07bceb28a9e486118'
│ 	status code: 400, request id: 4eae36f5-bfaf-4db0-b574-09ce0e21ab26
│
│   with module.mytest_website.aws_security_group.wordpress_security_group,
│   on .terraform/modules/mytest_website/ecs.tf line 153, in resource "aws_security_group" "wordpress_security_group":
│  153: resource "aws_security_group" "wordpress_security_group" {
│
╵
╷
│ Error: error creating Security Group (defi-test.click_aurora_mysql_sg): InvalidGroup.Duplicate: The security group 'defi-test.click_aurora_mysql_sg' already exists for VPC 'vpc-07bceb28a9e486118'
│ 	status code: 400, request id: 753e18c2-8892-419d-845f-e52cab01027f
│
│   with module.mytest_website.aws_security_group.aurora_serverless_group,
│   on .terraform/modules/mytest_website/rds.tf line 7, in resource "aws_security_group" "aurora_serverless_group":
│    7: resource "aws_security_group" "aurora_serverless_group" {
│
╵
╷
│ Error: Error creating DB Subnet Group: DBSubnetGroupAlreadyExists: The DB subnet group 'mytest_main' already exists.
│ 	status code: 400, request id: 9ea9d1ea-ad04-40d5-b50d-50f7eab47430
│
│   with module.mytest_website.aws_db_subnet_group.main_vpc,
│   on .terraform/modules/mytest_website/rds.tf line 23, in resource "aws_db_subnet_group" "main_vpc":
│   23: resource "aws_db_subnet_group" "main_vpc" {
│
╵
╷
│ Error: Creating CloudWatch Log Group failed: ResourceAlreadyExistsException: The specified log group already exists:  The CloudWatch Log Group '/aws/rds/cluster/mytest-serverless-wordpress/error' already exists.
│
│   with module.mytest_website.aws_cloudwatch_log_group.serverless_wordpress,
│   on .terraform/modules/mytest_website/rds.tf line 37, in resource "aws_cloudwatch_log_group" "serverless_wordpress":
│   37: resource "aws_cloudwatch_log_group" "serverless_wordpress" {
│
╵
╷
│ Error: Creating CloudWatch Log Group failed: ResourceAlreadyExistsException: The specified log group already exists:  The CloudWatch Log Group '/aws/lambda/us-east-1.mytest_redirect_index_html' already exists.
│
│   with module.mytest_website.module.cloudfront.aws_cloudwatch_log_group.object_redirect_ue1_local,
│   on .terraform/modules/mytest_website/modules/cloudfront/main.tf line 14, in resource "aws_cloudwatch_log_group" "object_redirect_ue1_local":
│   14: resource "aws_cloudwatch_log_group" "object_redirect_ue1_local" {
│
╵
╷
│ Error: error creating Security Group (mytest_codebuild_sg): InvalidGroup.Duplicate: The security group 'mytest_codebuild_sg' already exists for VPC 'vpc-07bceb28a9e486118'
│ 	status code: 400, request id: 251b5a22-5218-46d9-adcc-f4b75741876a
│
│   with module.mytest_website.module.codebuild.aws_security_group.codebuild_security_group,
│   on .terraform/modules/mytest_website/modules/codebuild/main.tf line 65, in resource "aws_security_group" "codebuild_security_group":
│   65: resource "aws_security_group" "codebuild_security_group" {

[petewilcock]

These aren't circular persay, if you're going through lots of destroy/create cycles in this, you may see anomalies with resources which are created as defaults - Log Groups being one of them. There should not be an issue with the SG however unless your destroy did not complete cleanly.

[isbkch]

Will you be able to update the example file in the repo with your latest working example please?

[petewilcock]

I'll update the examples on the next release, but I think your issues mostly stem from a possible race condition (which I'll try to mitigate) and the issues of subsequent destroy/creates particularly with replicated lambda functions which terraform doesn't handle well.