Terraform: Error configuring the backend “s3”: RequestError: send request failed caused by: Post https://sts.amazonaws.com/: EOF

I recently got this when doing a terragrunt init (i.e. basically a terraform init):

Initializing the backend...

Error configuring the backend "s3": RequestError: send request failed
caused by: Post https://sts.amazonaws.com/: EOF

Please update the configuration in your Terraform files to fix this error.
If you'd like to update the configuration interactively without storing
the values in your configuration, run "terraform init".

Could be related to this?

https://github.com/hashicorp/terraform/issues/10779

Running it a second time was successful.

Here’s what happened when I repeated it 10 times:

1x

Error loading state: RequestError: send request failed
caused by: Get https://<s3 bucket name>.s3-us-west-2.amazonaws.com/?prefix=env%3A%2F: net/http: TLS handshake timeout

1x

Error loading state: RequestError: send request failed
caused by: Get https://<s3 bucket name>.s3-us-west-2.amazonaws.com/?prefix=env%3A%2F: EOF

8x

Terraform has been successfully initialized!


Curiously, I then ran it 100 times with no Errors.


Terraform: Data Sources

A data source lets data be fetched or computed and then used elsewhere in Terraform's configuration.

Note: every data source is mapped to a provider based on longest-prefix matching. E.g. the aws_ami data source maps to the aws provider.

Using the example Terraform provides here:

https://www.terraform.io/docs/configuration/data-sources.html

i.e.

(the code inside the top {} is the Configuration block)

and a resource that uses this data source:

(the code inside the top {} is the Attributes block).

The AMI the resource uses is the value (i.e. the id) returned by our data source, i.e. data.aws_ami.web.id.

Our data source finds this by querying the aws provider for aws_ami (see https://www.terraform.io/docs/providers/aws/d/ami.html ) and filtering on state, the Component tag and most_recent.

Configuration block

Note that the arguments allowed in the configuration block depend on the data source, as specified in the providers docs on Terraform. See the Argument Reference for that data source. E.g. for aws_ami it would be:

Argument Reference: https://www.terraform.io/docs/providers/aws/d/ami.html#argument-reference

(i.e. filter, most_recent).

Attributes block

To use values exported by the data source you reference its attributes (listed under its Attributes Reference).

i.e. data.aws_ami.web.id

https://www.terraform.io/docs/providers/aws/d/ami.html#attributes-reference
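The pattern described above, written out as an added example (not the post's own code, and not copied from the Terraform docs): an aws_ami data source with its Configuration block, and an aws_instance whose Attributes block reads the data source's id. The tag value "web", the owners restriction and the instance type are assumptions; the syntax is Terraform 0.11-style interpolation, as in the post.

```hcl
# Configuration block: arguments from the aws_ami Argument Reference
# (filter, owners, most_recent).
data "aws_ami" "web" {
  # Only AMIs that are ready to launch.
  filter {
    name   = "state"
    values = ["available"]
  }

  # Only AMIs tagged Component=web (the tag value is an assumption).
  filter {
    name   = "tag:Component"
    values = ["web"]
  }

  # Restrict the search to AMIs owned by this account: without an owner
  # restriction the filters alone could match a look-alike public AMI
  # published by someone else.
  owners = ["self"]

  # If several AMIs still match, take the newest one.
  most_recent = true
}

# Attributes block: the resource reads the id attribute of the data source,
# so a new matching AMI changes the plan without editing this file.
resource "aws_instance" "web" {
  ami           = "${data.aws_ami.web.id}"
  instance_type = "t2.micro" # assumed
}
```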

Meta parameters

Data sources are basically a read-only subset of resources, so they support the same meta-parameters as resources. The one exception is that, being read-only, they don't support the lifecycle configuration block.

Meta-parameters: e.g. count, depends_on, provider

Lifecycle configuration block: e.g. create_before_destroy

Data Source Lifecycle

If a data instance refers to resources that haven't been created yet, its values won't be available until the apply phase and will show as computed in the plan.

If it refers to resources that already exist, it is read during the refresh phase (prior to plan), so its values are available in the plan phase.

Terragrunt Interpolation syntax

Terragrunt allows you to use Terraform interpolation syntax (i.e. ${...} ) to call Terragrunt-specific functions.

These only work within a terragrunt = { ... } block.

Also, these interpolations do not work in a .tfvars file.

Terragrunt functions:

  • get_env(NAME, DEFAULT)

get_env returns the environment variable named NAME if it exists. If it does not exist then it returns the value specified by DEFAULT. E.g. get_env("BUCKET", "my-terraform-bucket") would return $BUCKET if it exists, otherwise it returns my-terraform-bucket.

Note also that Terraform reads in environment variables starting with TF_VAR_, so one way of sharing a variable named foo between Terraform and Terragrunt would be to set its value as the environment variable TF_VAR_foo and read it using this get_env function.
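An added example of get_env inside a terragrunt = { ... } block (not the post's own code, and not Terragrunt's documentation): a terraform.tfvars in the legacy (pre-0.19) Terragrunt format the post describes, configuring the S3 remote state backend. The region, state key layout and lock table name are assumptions.

```hcl
# Only inside this block do Terragrunt interpolations such as get_env work.
terragrunt = {
  remote_state {
    backend = "s3"

    config {
      # get_env(NAME, DEFAULT): $BUCKET if it is set, else the default.
      bucket = "${get_env("BUCKET", "my-terraform-bucket")}"

      # One state file per module, named after its path below the
      # including terragrunt config (assumed layout).
      key    = "${path_relative_to_include()}/terraform.tfstate"
      region = "us-west-2" # assumed

      # State files can contain secrets (passwords, keys, private IPs):
      # encrypt them at rest and lock them during writes so two
      # concurrent applies cannot corrupt the state.
      encrypt        = true
      dynamodb_table = "terraform-locks" # assumed table name
    }
  }
}
```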

For others see: https://github.com/gruntwork-io/terragrunt

Terraform and Azure

Notes

  • Azure will let you create your own custom Dashboards
  • ARM templates (aka Azure Resource Manager templates) – predefined infrastructure using JSON
  • E.g. using Azure Cloud Shell (which includes terraform, git, etc): git clone https://github.com/scarolan/azure-terraform-beginners
  • Edit terraform.tfvars
    • resource_group
    • hostname (dashes OK, probably not underscores)
    • location: get a list using az account list-locations --output table
    • az vm list-skus -l westindia --output table | grep Standard_A0
  • terraform init: gets workspace ready, pulls in plugins and modules
  • terraform plan
  • terraform apply
  • See it being built in real-time in resource groups

Notes on the code: https://github.com/scarolan/azure-terraform-beginners

  • main.tf:
    • azurerm_resource_group: Azure must have a resource group
    • azurerm_virtual_network
    • azurerm_subnet
    • azurerm_network_security_group
    • azurerm_network_interface
    • provisioner "remote-exec" – simple remote exec. Could use Ansible, Chef


Beginner’s Guide to IAM: IAM, Roles, Policies, Policy Attachments with Terraform

IAM is short for Identity and Access Management.

  1. What’s the difference between an IAM user and role?

An IAM user has long-term credentials and directly interacts with AWS services. An IAM role does not have any credentials and does not directly access AWS services. IAM roles are assumed by entities (such as users, applications or services like EC2).

https://aws.amazon.com/iam/faqs/

2. What’s an IAM Policy?

An IAM Policy defines permissions, i.e. what access is allowed. You create a policy and then attach it to an IAM identity or AWS resource.

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html

3. What's an IAM Role Policy Attachment?

This is a Terraform resource, e.g.

https://www.terraform.io/docs/providers/aws/r/iam_role_policy_attachment.html

It attaches an IAM Policy to an IAM role and typically looks like this:

resource "aws_iam_role_policy_attachment" "test-attach" {
  role       = "${aws_iam_role.role.name}"
  policy_arn = "${aws_iam_policy.policy.arn}"
}

4. Principal

The Principal element specifies the AWS user, account or service that is allowed or denied access to a resource.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html

5. assume_role_policy is very similar to, but slightly different from, a standard IAM policy

https://www.terraform.io/docs/providers/aws/r/iam_role.html

6. Service Roles are IAM roles that can be assumed by an AWS service

e.g.

Note how there are 2 services listed: the Service key must be unique, so its value must be a list.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html

https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html

and a list of Services that work with IAM: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html
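Points 3 to 6 above, put together as an added example (not the post's own code, and not from the Terraform or AWS docs): a service role that two assumed services (EC2 and Lambda) may assume, a permissions policy scoped to one placeholder bucket, and the attachment that binds them. Terraform 0.11-style interpolation, as in the post.

```hcl
# Trust policy (assume_role_policy): unlike the permissions policy below,
# it names a Principal and no Resource. Two services are listed, so the
# identifiers value is a list (the Service key must be unique).
data "aws_iam_policy_document" "assume_role" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com", "lambda.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "role" {
  name               = "example-service-role"
  assume_role_policy = "${data.aws_iam_policy_document.assume_role.json}"
}

# Permissions policy: only what the role needs, on one bucket, rather than
# s3:* on "*". The bucket name is a placeholder.
data "aws_iam_policy_document" "read_bucket" {
  statement {
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::example-bucket"]
  }

  statement {
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::example-bucket/*"]
  }
}

resource "aws_iam_policy" "policy" {
  name   = "example-read-bucket"
  policy = "${data.aws_iam_policy_document.read_bucket.json}"
}

# Attachment: the same shape as the snippet in point 3.
resource "aws_iam_role_policy_attachment" "test-attach" {
  role       = "${aws_iam_role.role.name}"
  policy_arn = "${aws_iam_policy.policy.arn}"
}
```

Anything that can assume the role (here any EC2 instance with this instance profile, or any Lambda function configured with it) gets the bucket permissions, which is why the trust policy and the permissions policy should both be kept as narrow as the workload allows.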


Using Terraform to set up AWS Route 53 Hosted Zones

  1. What’s an AWS Route 53 Hosted Zone?

A Hosted Zone is basically a domain, i.e. a single zone file holding all of that domain's DNS records.

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/AboutHZWorkingWith.html

See also https://stackoverflow.com/questions/12664671/amazon-route-53-what-do-hosted-zones-and-queries-mean-exactly


2.

https://medium.com/@maxbeatty/using-terraform-to-manage-dns-records-b338f42b50dc
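An added example (not the post's own code, and not from the linked article) of a hosted zone managed by Terraform, with two records in it. The domain name and addresses are placeholders (example.com and the 192.0.2.0/24 documentation range); Terraform 0.11-style interpolation, as elsewhere on this page.

```hcl
# The hosted zone: one zone file for the whole domain.
resource "aws_route53_zone" "main" {
  name = "example.com" # placeholder domain
}

# Zone apex. Route 53 does not allow a CNAME at the apex, so this is an
# A record with an explicit address.
resource "aws_route53_record" "apex" {
  zone_id = "${aws_route53_zone.main.zone_id}"
  name    = "example.com"
  type    = "A"
  ttl     = "300"
  records = ["192.0.2.10"] # constructed address
}

# www as a CNAME to the apex, so changing the address above is enough.
resource "aws_route53_record" "www" {
  zone_id = "${aws_route53_zone.main.zone_id}"
  name    = "www.example.com"
  type    = "CNAME"
  ttl     = "300"
  records = ["example.com"]
}

# The zone's name servers, to be set at the domain registrar; until the
# registrar delegates to these, the records above answer nothing.
output "name_servers" {
  value = "${aws_route53_zone.main.name_servers}"
}
```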

Terraform: security_groups vs vpc_security_group_ids

Basically, just use vpc_security_group_ids.

  • security_groups – (Optional, EC2-Classic and default VPC only) A list of security group names to associate with.