hashicorp / learn-terraform-data-sources-vpc

https://learn.hashicorp.com/tutorials/terraform/data-sources?in=terraform/configuration-language
Mozilla Public License 2.0

Suggestion for an important note #1

Closed meshi-va closed 3 months ago

meshi-va commented 2 years ago

Hi!

After following this guide, I encountered some issues that could be prevented by placing a note or a warning.

There should be a note to make sure to run terraform destroy with the same flags that were used for terraform apply, e.g. terraform destroy -var aws_region=us-west-1


The backstory that prompted me to flag this:

I managed to get a small charge on AWS due to the NAT gateways that are defined in the config. The problem is the shortcomings of the aws provider itself, when it comes to changing regions. As it turns out, it’s a known issue - but I didn’t know this at the time.

Since the tutorial instructs to run terraform apply -var aws_region=us-west-1 on the VPC workspace while the config file states us-east-1, the resources are naturally deployed in us-west-1. But what I didn’t know (as I’m still learning) is that I should actually destroy the resources with the -var aws_region=us-west-1 flag as well. (Yes, looking back, I see that it’s written in the tutorial, but I try not to copy-paste everything.) For some reason I assumed that terraform destroy would be based on the state file and wouldn't need any more options to destroy every resource. But it isn’t, and once run, it notifies me that all resources will be destroyed and clears the state file, as it should.

Days later I checked my AWS billing and saw that I had quite a few hours of NAT gateway usage, which prompted me to investigate, and lo and behold, I had the NAT gateways still running, despite thinking they had been destroyed days ago. So I checked CloudTrail, and there was no API call ever made for the removal of them. It got me thinking what could’ve gone wrong, so I ran a few tests with debugging on, and came to the conclusion that is stated in the issue I referenced previously. I can see how others could make the mistake of just running terraform destroy without the flag and racking up some unforeseen charges. Hence I am asking you to add a note to the tutorial where the reader is instructed to “Apply this configuration, setting the value of aws_region to us-west-1.” to make sure terraform destroy is run the same way.

The other thing that could be done is to simply get rid of the NAT gateways and private subnets in the configuration and put the app instances into the public subnets. Then there would be no charge at all (considering the user is still within the free-tier limits), even if the tutorial isn't being followed word for word.

I’d like to stress that I don’t blame anyone, but myself for the mistake. I just think that these changes could save some trouble for others who aren't familiar with the AWS provider :)
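The failure mode described above (destroy run against a different region than apply, so the provider never issues the delete calls) can be caught before running terraform destroy. The following pre-destroy guard is an added example, not part of the tutorial repository or the Terraform project; it assumes the local state file is Terraform's JSON state format and that resources such as aws_vpc and aws_subnet carry an `arn` attribute whose fourth colon-separated field is the region (NAT gateways themselves have no ARN attribute, so the check relies on the VPC and subnet ARNs in the same state). The sample state embedded below is constructed for the example.

```shell
#!/bin/sh
# Pre-destroy region guard (added example, not code from the tutorial repo).
# Assumption: Terraform JSON state with resources[].instances[].attributes.arn
# on ARN-bearing resources. AWS ARNs look like
#   arn:aws:ec2:REGION:ACCOUNT:type/id
# so the region is field 4 when split on ':'.

# Constructed sample state, mimicking the tutorial VPC applied with
# -var aws_region=us-west-1 (IDs and account are made up).
SAMPLE_STATE='{"version":4,"resources":[
 {"type":"aws_vpc","instances":[{"attributes":{"arn":"arn:aws:ec2:us-west-1:123456789012:vpc/vpc-0abc","id":"vpc-0abc"}}]},
 {"type":"aws_subnet","instances":[{"attributes":{"arn":"arn:aws:ec2:us-west-1:123456789012:subnet/subnet-0123","id":"subnet-0123"}}]},
 {"type":"aws_nat_gateway","instances":[{"attributes":{"id":"nat-0def","subnet_id":"subnet-0123"}}]}
]}'

# state_regions STATE_JSON
# Prints the distinct, non-empty regions found in ARNs in the state.
# Global services (e.g. IAM) have an empty region field and are skipped.
state_regions() {
  printf '%s' "$1" \
    | grep -o 'arn:aws:[a-z0-9-]*:[a-z0-9-][a-z0-9-]*:' \
    | cut -d: -f4 \
    | sort -u
}

# check_destroy_region STATE_JSON INTENDED_REGION
# Returns 0 if every ARN region in the state matches the region destroy
# will run against, 1 on a mismatch, 2 if the state has no ARNs to check.
check_destroy_region() {
  regions=$(state_regions "$1")
  if [ -z "$regions" ]; then
    echo "no ARNs in state; cannot verify region" >&2
    return 2
  fi
  for r in $regions; do
    if [ "$r" != "$2" ]; then
      echo "state holds resources in $r but destroy would run against $2" >&2
      return 1
    fi
  done
  return 0
}

# Demonstration on the constructed state. For a real workspace, substitute
# "$(cat terraform.tfstate)" and the region you are about to pass with -var.
check_destroy_region "$SAMPLE_STATE" us-west-1 && echo "ok: safe to destroy with -var aws_region=us-west-1"
check_destroy_region "$SAMPLE_STATE" us-east-1 || echo "refusing: region mismatch, fix the -var before terraform destroy"
```

Run the guard from the workspace directory and only proceed to terraform destroy when it returns 0. The simpler way to avoid the mismatch in the first place is to not pass the region on the command line at all: put `aws_region = "us-west-1"` in a `terraform.tfvars` file, or export `TF_VAR_aws_region=us-west-1` in the shell, so apply and destroy read the same value without anyone having to remember the flag.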

robin-norwood commented 3 months ago

Added a note to mention this!