#terraform-tool

Trying to break out to multi-environments and the ability to embed vars in vars is a must.

whats the syntax for creating a larger ebs root device for an instance.. seems everything i try doesn't work

like my stock ami is 20gig.. and i want to create one with 100gig

ok figured out my issue.. branch i was using didn't have something in it

guess not

* Error launching source instance: InvalidBlockDeviceMapping: logicalType cannot be modified on root device

hey, has anybody set up CI for packer+terraform? just thinking about how to break this up

right now I have a job that builds an rpm, which triggers a packer job that builds an AMI

I could make the packer job just an "infra" job, the builds the AMI and runs terraform with a variable set to the new AMI, and does "terraform apply"

then have some custom script magick to spin up new instances and spin down old ones

rhelmer: that sounds pretty close to what atlas does ;)

phinze: lulz yes I was thinking that

phinze: one thing that's a little tricky is we'd like to automate the "terraform apply" and the followup scripting

phinze: when code is pushed to master, but when tags are pushed we want to take the latest AMI ID and apply that on prod

ah interesting

phinze: having to review a terraform plan in the Atlas UI wouldn't be a big deal

if you have a use case, we'd love to hear it so we can consider tweaking atlas to support it if it doesn't already

phinze: cool, yeah I think we have a pretty solid idea now, I am prototyping it right now

so far we just make changes manually, but I can't be trusted to type the same commands over and over

(the support@ email address is probably best to start the conversation since we all have access to it then)

phinze: sounds good

phinze: see my question earlier about scopes ordering :)

phinze: ditto to my question about variable interpolation :-D

any bets on if terraform 0.5 supports vault as a secure storage backend? ;)

heh. Wouldn’t be surprised.

;)

This is annoying :( http://pastie.org/pastes/10118981/text

I noticed the state file is versioned in addition to serialized. Can I rely on non-breaking changes in the state files output for a given version, or is that version something different? I know the serial is incremented with each change

Quick question..... For requests and questions, where is the right place for it?

ranmanh: depends, requests should probably be filed as github issues, questions can be asked here and/or on the google group

I am using split() to pass a list to a module, but specifying an empty list by passing an empty string isn't working. Splitting an empty ["${split(",", "")}"] seems to result in [""], instead of [].

solarce: ranmanh: we also are happy to field questions as issues too

Spark: i say sort 'em!

cvvs: terraform does "state migration" on a per-resource basis to facilitate non-breaking changes to the state between versions

iamchrisf: ahh you want interp in names... i can see why you'd want it... might be a little hard to implement given current evaluation order

svend: interesting i seem to recall a conversation about split() where we concluded the behavior should be the opposite - let me look it up

phinze: yea, but otherwise we are left hard-coding and creating a lot of duplicate code :(

oh yeah we should definitely make it work - it's just a question of how much effort and when we can put it in. feels like something we probably have an existing issue for - let me see

phinze: thx

phinze: Thanks for checking

svend: ahh yes, because you're already in brackets. split(",", "") yields "", but "" ends up as a member of the list

svend: ah here's what i was looking for https://github.com/hashicorp/terraform/pull/149...

tl;dr - we need a compact()

phinze: this is close: https://github.com/hashicorp/terraform/issues/353

iamchrisf: ahh here we go https://github.com/hashicorp/terraform/issues/718

not quite "wontfix" but "wontfixsoon - use module namespacing in the meantime"

phinze: ugh yea.. that means I’m going to have to have stg uat prod qa etc env dirs and 20-30 sub-dirs for each piece of my stack. It’s going to be super messy :(

i see 1 module per env... but why 20-30 sub dirs?

Each environment has 20-30 separate pieces.

in each can't you just invoke module "thing_type" { source "../thing_type" }

ec. webapp1(module) webworker(module) webapi(module) webapidb(module) etc..

and if the collection of 20-30 is the same per env each env is just module "collection" { source "../collection", env = "prod" }

each piece would be its own module and hence it’s own subdir. I don’t want to plan and apply the entire stack. Just a piece at a time. Want to mitigate the risk.

ah gotchya

so ... 20-30 statefiles per env?

correct.

I was looking ar writing a wrapper script that would change the remote location based on the environment var.

use the same templated stack, but unfortunately until that interpolation works I’m going to have a full stack for each environment.

for my money, `terraform plan` already mitigates the risk, so i'd just stitch everything together.

but that doesn't invalidate your plan as a use case

"until that interpolation works I’m going to have a full stack for each environment" <-- why is this the case? seems like with everything isolated you wouldn't have name collisions

plan have some major annoyances for me. especially this

everytime I make security group changes I sweat bullets

fair point - seems reportable as an issue

also worth noting that we're pulling up security_group_rule into a top-level resource for that reason - managing the whole collection of rules in one shot makes some scenarios impossible (like adding single rules across module boundaries, or dynamically)

Yea we really need to be able to add single ingress egress rules to existing security groups. I’m having to open ports to the entire damn VPC CIDR .. (no no no no) until that comes around.

Here’s an example on full stack per env: http://pastie.org/pastes/10119125/text

Here’s how I wanted to set it up: http://pastie.org/pastes/10119129/text

iamchrisf: so your wrapper would append the proper `-state=${ENV}.tfstate` arg to the terraform run?

phinze: it would acctually do a remote config with a new path use1/ENV-web-app

seems like you could still do that - just invoke the same modules and have separate ENV.tfvars and ENV.tfstate

ah sure

in other words what changes between tf/use1/stg/web-app/main.tf and tf/use1/qa/web-app/main.tf that can't be captured in a parameter

But I need to layer things. Example: first thing I am working on is security groups. I need to pass the output to other stacks. I can’t use a variable in the output so I’m stuck right off the bat http://pastie.org/pastes/10118981/text

but why does the TF name of the resource need to be interpolated? it's all namespaced - just call it use "use1_service_sg"

then it's namespaced by module when you reference it - call the output just "id" and reference it by "${module.use1_service_sg_foo.id}"

phinze: but the resource in aws needs to be “use1_stg_service”

unless I’m missing something

sure interpolate in the Name tag, but not the TF resource

the TF resource name has no bearing on the remote resource's name

hrm… good point :0

if it's all in a module and you don't reference it from outside, heck, call it "sg"

gotcha. as long as I’m loading the proper remote state I’m all good.

yep

damn. this might be doable. thx phinze

:D

should I open an issue for that security group output discrepancy?