Pretty new to Terraform. I am in the process of migrating an existing 3 VPC infrastructure into terraform. Items like aws_iam_role are reused in some VPCs, so i created them in aglobal module and import it in the root module and child modules that require it.
I have the instance imported with
terraform import module.instances.aws_instance.devjump01 i-XXXXXXXXXXX
Then i import the aws_iam_role with
terraform import module.global.aws_iam_role.devfoo devfoo
There is also an output value that contains:
Blockquote
output “iam_role_devfoo” {
value = aws_iam_role.devfoo.name
}
if i run terraform plan -target=module.global.aws_iam_role.devfoo
It shows no changes
if i run terraform plan -target=module.instances.aws_instance.devjump01
it shows module.instances.module.global.aws_iam_role.devfoo will be created
I thought that by adding iam_instance_profile = module.global.iam_role_devfoo, in instances.tf, against the appropriate instance it would both adhere to the dependency, which it does, but also not create it b/c it exists at that path.
It doesn’t seem to be an issue with using -target on terraform plan as it shows up in a global plan as well.
I’m happy to provide more details as i’m working my way though understanding everything, which has been pretty simple until this. I assume i’m doing something wrong.
Thanks in advance
1 Like
IAM roles are defined at the subscrition level, not at the VPC level.
My suggestion is to have a separate configuration for the global resources like IAM users, roles and group
And then use terraform_remote_state in the VPC configuration https://www.terraform.io/docs/providers/terraform/d/remote_state.html
You can do this using modules as well but in my opinion you end up spending too much time on the module interfaces and too little on the resources.
Thanks for the input. That is actually how i have it laid out,
- vpc
- dev
- instances.tf
- network.tf
- etc
- global
from instances.tf I’m trying to get the relationship inferred so its treated as a dependency, which seems to work well, but when i run a plan it wants to create them twice.
I had deleted a post from last night b/c my initial issue had been fixed in an upgrade from .12.8 to .12.17…and then I got distracted.
with the aws_iam_instance having a variable that ties them together as such:
iam_instance_profile = module.global.iam_role_devfoo
I have more research to do this morning, but i wanted to reply b/c i had gotten a bit further, but didn’t update my question.
I had created all of the resources with the terraforming gem and then reorganized them into vpc (3 in total) resources and global resources.
I also intend to use the remote state, but right now I’m just working locally.
Ultimately this may be a new question. Given that they want to be created twice, i may have a circular dependency, or similar issue.
Thanks again, i was going to delete the question, but since it was liked by someone, i didn’t want to pursue that. I’ll update when i figure out what i’ve done.
EDIT: I did have a circular dependency. This is now working nearly as expected and i’m sure the nearly is more work i have to do. Considering this closed for now.
Just wanted to say thanks again, i did end up moving to using remote_state and unlinked what was both a data module and execution target, when using as a data module, i use terraform_remote_state. Really would like to get the other way to work, but your thought was exactly what i needed.
2 Likes