Hi!
After following this guide, I encountered some issues that could be prevented by placing a note or a warning.
There should be a note to make sure to run `terraform destroy` with the same flags that were used for `terraform apply`, e.g. `terraform destroy -var aws_region=us-west-1`.
The backstory that prompted me to flag this:
I managed to get a small charge on AWS due to the NAT gateways that are defined in the config.
The problem is the shortcomings of the aws provider itself, when it comes to changing regions. As it turns out, it’s a known issue - but I didn’t know this at the time.
Since the tutorial instructs to run `terraform apply -var aws_region=us-west-1` on the VPC workspace while the config file states `us-east-1`, the resources are naturally deployed in `us-west-1`. But what I didn't know (as I'm still learning) is that I should actually destroy the resources with the `-var aws_region=us-west-1` flag as well. (Yes, looking back, I see that it's written in the tutorial, but I don't copy-paste everything.)
For some reason I assumed the `terraform destroy` will be based on the state file. But it isn't, and once run, it notifies me that all resources will be destroyed and clears the state file, as it should.
Days later I checked my AWS billing and saw that I had quite a few hours of NAT gateway usage, which prompted me to investigate, and lo and behold, I had the NAT gateways still running, despite me thinking they had been destroyed days ago. So I checked CloudTrail, and there was no API call ever made for the removal of them. It got me thinking what could've gone wrong, so I ran a few tests with debug mode and came to the conclusion that is stated in the issue I referenced previously.
I can see how others could come to the mistake of just running `terraform destroy` without the flag and racking up some unforeseen charges.
Hence I'm asking you to add a note to the tutorial where the reader is instructed to "Apply this configuration, setting the value of `aws_region` to `us-west-1`." to make sure the `terraform destroy` is run the same way.
The other thing that could be done is to simply get rid of the NAT gateways and private subnets in the configuration and put the app instances into the public subnets. So there would be no charge at all, even if the tutorial is being followed word by word.
I'd like to stress that I don't blame anyone but myself for the mistake. I just think that these changes could save some trouble for others.
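One way to make the mismatch described above impossible to hit by accident: a small wrapper that records every `-var`/`-var-file` argument passed to `terraform apply` and replays them on `terraform destroy`, refusing to destroy when no record exists. This is an added example, not part of the tutorial or of Terraform itself; the helper names (`tf_apply`, `tf_destroy`), the `.tf-apply-vars` record file and the `TF_BIN`/`TF_VARS_FILE` overrides are my own assumptions.

```shell
#!/bin/sh
# Hypothetical wrappers (not from the tutorial): persist the -var / -var-file
# flags used at apply time and replay them at destroy time, so the destroy
# plan targets the same aws_region (and other variables) as the apply did.
set -u

VARS_FILE="${TF_VARS_FILE:-.tf-apply-vars}"   # record of flags used by apply
TF_BIN="${TF_BIN:-terraform}"                 # overridable for testing

# tf_apply [terraform apply flags...]
# Runs apply; on success, stores each -var X, -var=X, -var-file X and
# -var-file=X argument, one token per line, in $VARS_FILE.
tf_apply() {
  "$TF_BIN" apply "$@" || return $?
  : > "$VARS_FILE"
  expect_value=0
  for arg in "$@"; do
    if [ "$expect_value" -eq 1 ]; then        # value of a preceding -var/-var-file
      printf '%s\n' "$arg" >> "$VARS_FILE"
      expect_value=0
      continue
    fi
    case "$arg" in
      -var|-var-file)     printf '%s\n' "$arg" >> "$VARS_FILE"; expect_value=1 ;;
      -var=*|-var-file=*) printf '%s\n' "$arg" >> "$VARS_FILE" ;;
    esac
  done
}

# tf_destroy [extra terraform destroy flags...]
# Refuses to run without a record, otherwise appends the recorded flags to
# whatever the caller passes (e.g. -auto-approve) and runs destroy.
tf_destroy() {
  if [ ! -f "$VARS_FILE" ]; then
    echo "tf_destroy: no $VARS_FILE found; run tf_apply first so destroy uses the same variables" >&2
    return 1
  fi
  # Redirect (not a pipe) so the loop runs in this shell and `set --` sticks.
  while IFS= read -r token; do
    set -- "$@" "$token"
  done < "$VARS_FILE"
  "$TF_BIN" destroy "$@"
}
```

Putting the region in a `terraform.tfvars` or `*.auto.tfvars` file that Terraform loads automatically avoids the problem entirely, since both apply and destroy then read the same value without any flag.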