terraform-aws-secure-vpc
Can't create a VPC.
Hi,
Good day.
Not sure if I should create resources before this?
This is my code:
```hcl
module "secure-vpc" {
  source  = "nozaq/secure-vpc/aws"
  version = "0.0.1"

  aws_account_id              = var.aws_account_id
  cidr_block                  = "10.0.0.0/24"
  flow_logs_group_name        = "flow_logs"
  flow_logs_iam_role_name     = "FlowRole"
  flow_logs_retention_in_days = "7"

  tags = {
    Name = "Test"
  }
}
```
Error:

```text
Warning: "log_group_name": [DEPRECATED] use 'log_destination' argument instead

  on .terraform/modules/vpc.secure-vpc/nozaq-terraform-aws-secure-vpc-3da2c28/flow_log.tf line 93, in resource "aws_flow_log" "all":
  93: resource "aws_flow_log" "all" {

Error: Missing resource instance key

  on .terraform/modules/vpc.secure-vpc/nozaq-terraform-aws-secure-vpc-3da2c28/nat.tf line 20, in resource "aws_network_acl" "nat":
  20:   subnet_ids = ["${aws_subnet.nat.id}"]

Because aws_subnet.nat has "count" set, its attributes must be accessed on
specific instances.

For example, to correlate with indices of a referring resource, use:
    aws_subnet.nat[count.index]

Error: Missing resource instance key

  on .terraform/modules/vpc.secure-vpc/nozaq-terraform-aws-secure-vpc-3da2c28/private.tf line 10, in resource "aws_route_table" "private":
  10:     nat_gateway_id = "${aws_nat_gateway.gw.id}"

Because aws_nat_gateway.gw has "count" set, its attributes must be accessed on
specific instances.

For example, to correlate with indices of a referring resource, use:
    aws_nat_gateway.gw[count.index]
```
Thanks for the help thus far.
Regards.
Hi @jarrettj, thanks for reporting the issue. It seems the error happened because 0.0.1 was designed for Terraform 0.11 or lower.
I've pushed a new version (0.1.1) which upgrades the codebase to Terraform 0.12+, could you try again?
Cool, I tried the updated version, new error:
```text
Error: "name" must match [\w+=,.@-]

  on .terraform/modules/vpc.secure-vpc/nozaq-terraform-aws-secure-vpc-485afb2/flow_log.tf line 50, in resource "aws_iam_role" "flow_logs_publisher":
  50: resource "aws_iam_role" "flow_logs_publisher" {
```
Hi @jarrettj,
The error indicates the IAM role name contains invalid characters (something doesn't match `[\w+=,.@-]`). It is defined here using the `flow_logs_iam_role_name` variable passed to the secure-vpc module.
Could you check the value you set to flow_logs_iam_role_name?
Thanks, I read the description wrong, thought it required an ARN. Added a name and it has progressed to the following:

```text
Error: Creating CloudWatch Log Group failed: AccessDeniedException: The specified KMS key does not exist or is not allowed to be used with LogGroup 'arn:aws:logs:eu-west-1:579906027743:log-group:vpc_deepracer_flow_logs'
	status code: 400, request id: 7ce485af-b4e5-48fb-8090-09f4cfff80d9 'vpc_deepracer_flow_logs'

  on .terraform/modules/vpc.secure-vpc/nozaq-terraform-aws-secure-vpc-485afb2/flow_log.tf line 43, in resource "aws_cloudwatch_log_group" "flow_logs":
  43: resource "aws_cloudwatch_log_group" "flow_logs" {

Error: Error creating route: MissingParameter: The request must contain exactly one of gatewayId, natGatewayId, networkInterfaceId, vpcPeeringConnectionId, egressOnlyInternetGatewayId, transitGatewayId or instanceId
	status code: 400, request id: 3338b2cb-083d-4cbd-80cd-bfb3ba8ba759

  on .terraform/modules/vpc.secure-vpc/nozaq-terraform-aws-secure-vpc-485afb2/private.tf line 5, in resource "aws_route_table" "private":
   5: resource "aws_route_table" "private" {
```
@jarrettj I'm not sure why the first error occurred though; it might be the case that the KMS key creation was still in progress when the log group was being created. Could you try again and see if the same error still happens?
The second one says you need to specify the `nat_subnet_cidr_blocks` variable, otherwise your instances in private subnets cannot connect outside this VPC.
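Pulling the thread's conclusions together, here is a module call that avoids each of the errors above: the 0.12-compatible release, a role name (not an ARN) that matches `[\w+=,.@-]`, and `nat_subnet_cidr_blocks` set so the private route table has a NAT gateway to route through. This is an added example, not the reporter's or the module's own code; that `nat_subnet_cidr_blocks` is a list of CIDR strings carved out of `cidr_block`, and the particular `/28` value, are assumptions.

```hcl
module "secure-vpc" {
  source  = "nozaq/secure-vpc/aws"
  version = "0.1.1" # 0.0.1 targets Terraform 0.11; 0.1.1 is the 0.12+ rewrite

  aws_account_id = var.aws_account_id
  cidr_block     = "10.0.0.0/24"

  # Assumed shape: a list of subnet CIDRs inside cidr_block, one per NAT subnet.
  # Leaving this unset is what produced the "MissingParameter ... natGatewayId"
  # route error: the private route table had no NAT gateway to point at.
  nat_subnet_cidr_blocks = ["10.0.0.0/28"]

  # Plain role name, not an ARN; must match [\w+=,.@-] or aws_iam_role rejects it.
  flow_logs_iam_role_name     = "FlowRole"
  flow_logs_group_name        = "flow_logs"
  flow_logs_retention_in_days = "7"

  tags = {
    Name = "Test"
  }
}
```

If the CloudWatch log group still fails with the KMS AccessDeniedException on the first apply, re-run the apply as suggested above before assuming the configuration is wrong.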