# terraform
m
Hi, I’m using https://github.com/cloudposse/terraform-aws-ecs-web-app/tree/0.65.2 and I face a strange problem. I’m doing it the way that is presented in “without_authentication”
```hcl
  alb_security_group                              = module.alb.security_group_id
  alb_target_group_alarms_enabled                 = true
  alb_target_group_alarms_3xx_threshold           = 25
  alb_target_group_alarms_4xx_threshold           = 25
  alb_target_group_alarms_5xx_threshold           = 25
  alb_target_group_alarms_response_time_threshold = 0.5
  alb_target_group_alarms_period                  = 300
  alb_target_group_alarms_evaluation_periods      = 1

  alb_arn_suffix = module.alb.alb_arn_suffix

  alb_ingress_healthcheck_path = "/"

  # Without authentication, both HTTP and HTTPS endpoints are supported
  alb_ingress_unauthenticated_listener_arns       = module.alb.listener_arns
  alb_ingress_unauthenticated_listener_arns_count = 2

  # All paths are unauthenticated
  alb_ingress_unauthenticated_paths             = ["/*"]
  alb_ingress_listener_unauthenticated_priority = 100
```
error I got
```text
Error: Invalid count argument
│ 
│   on .terraform/modules/gateway.alb_ingress/main.tf line 50, in resource "aws_lb_listener_rule" "unauthenticated_paths":
│   50:   count = module.this.enabled && length(var.unauthenticated_paths) > 0 && length(var.unauthenticated_hosts) == 0 ? length(var.unauthenticated_listener_arns) : 0
│ 
│ The "count" value depends on resource attributes that cannot be determined until apply, so Terraform
│ cannot predict how many instances will be created. To work around this, use the -target argument to first
│ apply only the resources that the count depends on.
```
By any chance, do you know what I’m doing wrong here?
r
It’s most likely because of this
alb_ingress_unauthenticated_listener_arns
if you do a targeted apply of
-target module.alb
first, it should work
m
that helped a bit since after that I got this error:
```text
│ Error: error creating application Load Balancer: InvalidSubnet: VPC vpc-024b08d14c04aa553 has no internet gateway
│       status code: 400, request id: a5e9dd93-d1a3-49bf-a8d3-0748dcb1afe7
│ 
│   with module.alb.aws_lb.default[0],
│   on .terraform/modules/alb/main.tf line 64, in resource "aws_lb" "default":
│   64: resource "aws_lb" "default" {
```
with this vpc/subnets code
```hcl
module "vpc" {
  source  = "cloudposse/vpc/aws"
  version = "0.28.1"

  name = "microservices"

  cidr_block                       = "20.0.0.0/16"
  assign_generated_ipv6_cidr_block = true

  context = module.this.context
}

## Subnets

module "subnets" {
  source  = "cloudposse/dynamic-subnets/aws"
  version = "0.39.7"

  name = "microservices"

  availability_zones = var.availability_zones
  vpc_id             = module.vpc.vpc_id
  igw_id             = module.vpc.igw_id
  cidr_block         = module.vpc.vpc_cidr_block

  nat_gateway_enabled      = true
  nat_instance_enabled     = false
  aws_route_create_timeout = "5m"
  aws_route_delete_timeout = "10m"

  context = module.this.context
}
```
by my understanding, nat_gateway_enabled: true in that case means internet gateway, right?
r
try setting
enable_internet_gateway = true
in the vpc module
m
same thing
added both
internet_gateway_enabled
and
enable_internet_gateway
but I see that the internet gateway was not created
same goes for the nat gateway
r
is the alb module using the same vpc from the vpc module ?
m
yes
r
can you try a completely fresh terraform module, only provision the vpc, and show the plan?
m
yeah, gimme a few min since i need to manually clear all resources
since tdestroy doesn’t work with -target
r
it might help to create a new directory
and then create a new main.tf file within that directory
that main.tf should only consume the vpc module
then check the plan and see if it makes sense (it should show the igw is going to be created)
m
so the case here might be that I’m using several files?
r
i have no idea what it could be, but if you follow the steps above, you take out a lot of variables
if you can verify the plan above shows the igw then we know the issue is not related to the vpc module.
m
yea, there’s an igw
but with the plan for the module.alb target there’s none
same goes for subnets
r
ok so in the new module, now copy over the alb and have it use the vpc module
in the new module, also provision the subnets. do it one at a time.
m
so one at a time passed
r
perfect!
then the issue isn’t with the upstream modules, the issue must be with your other root module directory
m
yeah, maybe also because I’ve got 2 modules there for different microservices?
and on the other hand, the thing I also wanted to ask is how to enable an ALB just for a single service rather than for all of them
since communication between them is done through a queue
r
one of the terraform principles is to keep modules (directories) as small as possible. are you putting more than one service in the same terraform directory?
m
nope, each service got its own directory
then only two modules were in the gateway service, where the alb module existed
r
and on the other hand the thing I also wanted to ask is how to enable ALB just for a single service rather than for all of them
it depends on how you have it set up. are you using 1 ALB and multiple services via different listener arns? or 1 ALB per service?
m
1 ALB for the gateway; the other microservices don’t have a listener arn because they use rabbitmq for communication between each other
r
enabling an ALB for a service 🤔 i think you want to create alb listeners for only your api services and no listener arns for your non-api services?
m
yeah
r
what are you using to create the listener arns on the alb?
raw resource or module? if module, which one?
m
hmm i don’t have a listener
the only thing I’ve added for a gateway service was
```hcl
  # Without authentication, both HTTP and HTTPS endpoints are supported
  alb_ingress_unauthenticated_listener_arns       = module.alb.listener_arns
  alb_ingress_unauthenticated_listener_arns_count = 1

  # All paths are unauthenticated
  alb_ingress_unauthenticated_paths             = ["/*"]
  alb_ingress_listener_unauthenticated_priority = 100
```
on a module which uses
cloudposse/ecs-web-app/aws
r
oh ok, so the ecs-web-app cp module uses the ecs-service-task cp module
if you want to disable the listener arn, you’d have to use the ecs-service-task cp module directly, as the ecs-web-app (with web in the name) implies that the service is an http service
that will make the service task and will not set the ingress on the alb (like you want)
m
ok, so that one should be used on services that I don’t want to use an ALB for, right?
r
exactly
m
but auto scaling for that one would have to be handled on my own, right?
r
the ecs service task handles auto scaling i believe
oh wait, no, i don’t see autoscaling in the ecs service task
yes, i suppose you’ll have to handle it yourself
you can see how this module and other modules are used directly in the ecs web app module https://github.com/cloudposse/terraform-aws-ecs-web-app/blob/ce7c53a7eb0c75592b67098a043ebe71eab7ab3c/main.tf#L220-L222