nozaq / terraform-aws-secure-vpc

A terraform module to create a VPC with secure default configurations.

Can't create a VPC. #7

Open jarrettj opened 5 years ago

jarrettj commented 5 years ago

Hi,

Good day.

Not sure if I should create resources before this?

This is my code:

module "secure-vpc" {
  source  = "nozaq/secure-vpc/aws"
  version = "0.0.1"
  aws_account_id = var.aws_account_id
  cidr_block = "10.0.0.0/24"
  flow_logs_group_name = "flow_logs"
  flow_logs_iam_role_name = "FlowRole"
  flow_logs_retention_in_days = "7"
  tags = {
    Name = "Test"
  }
}

Error:

Warning: "log_group_name": [DEPRECATED] use 'log_destination' argument instead

  on .terraform/modules/vpc.secure-vpc/nozaq-terraform-aws-secure-vpc-3da2c28/flow_log.tf line 93, in resource "aws_flow_log" "all":
  93: resource "aws_flow_log" "all" {

Error: Missing resource instance key

  on .terraform/modules/vpc.secure-vpc/nozaq-terraform-aws-secure-vpc-3da2c28/nat.tf line 20, in resource "aws_network_acl" "nat":
  20:   subnet_ids = ["${aws_subnet.nat.id}"]

Because aws_subnet.nat has "count" set, its attributes must be accessed on
specific instances.

For example, to correlate with indices of a referring resource, use:
    aws_subnet.nat[count.index]

Error: Missing resource instance key

  on .terraform/modules/vpc.secure-vpc/nozaq-terraform-aws-secure-vpc-3da2c28/private.tf line 10, in resource "aws_route_table" "private":
  10:     nat_gateway_id = "${aws_nat_gateway.gw.id}"

Because aws_nat_gateway.gw has "count" set, its attributes must be accessed on
specific instances.

For example, to correlate with indices of a referring resource, use:
    aws_nat_gateway.gw[count.index]

Thanks for the help thus far.

Regards.

nozaq commented 5 years ago

Hi @jarrettj, thanks for reporting the issue. It seems the error happened because 0.0.1 was designed for Terraform 0.11 or lower.

I've pushed a new version (0.1.1) which upgraded the codebase to Terraform 0.12+. Could you try again?
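The two "Missing resource instance key" errors in the report are the Terraform 0.12 behaviour nozaq describes: once a resource has `count`, another resource can no longer refer to it as if it were a single instance. The following is an added illustration, not code from the terraform-aws-secure-vpc module; the resource names mirror those in the error messages, but the VPC, the `nat_subnet_cidr_blocks` values and the route-table association are constructed for the example.

```hcl
# Added example (not the module's code): a counted subnet and the two
# 0.12-valid ways to reference its attributes from another resource.
# All CIDR values below are constructed sample data.
variable "nat_subnet_cidr_blocks" {
  type    = list(string)
  default = ["10.0.0.0/26", "10.0.0.64/26"]
}

resource "aws_vpc" "this" {
  cidr_block = "10.0.0.0/24"
}

# One subnet per CIDR block: aws_subnet.nat is now a list of instances.
resource "aws_subnet" "nat" {
  count      = length(var.nat_subnet_cidr_blocks)
  vpc_id     = aws_vpc.this.id
  cidr_block = var.nat_subnet_cidr_blocks[count.index]
}

# Terraform 0.11 tolerated `subnet_ids = ["${aws_subnet.nat.id}"]` here;
# 0.12 rejects it with "Missing resource instance key".
# Option 1: full splat, collecting the id of every instance.
resource "aws_network_acl" "nat" {
  vpc_id     = aws_vpc.this.id
  subnet_ids = aws_subnet.nat[*].id
}

resource "aws_route_table" "nat" {
  vpc_id = aws_vpc.this.id
}

# Option 2: index a specific instance, correlating with the referring
# resource's own count.index (the form the error message suggests).
resource "aws_route_table_association" "nat" {
  count          = length(aws_subnet.nat)
  subnet_id      = aws_subnet.nat[count.index].id
  route_table_id = aws_route_table.nat.id
}
```

The splat form is the right choice when the referring resource genuinely wants all instances (one NACL for every NAT subnet); the indexed form is for resources that must exist once per instance.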

jarrettj commented 5 years ago

Cool, I tried the updated version, new error:

Error: "name" must match [\w+=,.@-]

  on .terraform/modules/vpc.secure-vpc/nozaq-terraform-aws-secure-vpc-485afb2/flow_log.tf line 50, in resource "aws_iam_role" "flow_logs_publisher":
  50: resource "aws_iam_role" "flow_logs_publisher" {

nozaq commented 5 years ago

Hi @jarrettj,

The error indicates the IAM role name contains invalid characters (something doesn't match [\w+=,.@-]). It is defined here using the flow_logs_iam_role_name variable passed to the secure-vpc module.

Could you check the value you set to flow_logs_iam_role_name?

jarrettj commented 5 years ago

Thanks, I read the description wrong, thought it required an arn. Added a name and it has progressed to the following:

Error: Creating CloudWatch Log Group failed: AccessDeniedException: The specified KMS key does not exist or is not allowed to be used with LogGroup 'arn:aws:logs:eu-west-1:579906027743:log-group:vpc_deepracer_flow_logs'
    status code: 400, request id: 7ce485af-b4e5-48fb-8090-09f4cfff80d9 'vpc_deepracer_flow_logs'

  on .terraform/modules/vpc.secure-vpc/nozaq-terraform-aws-secure-vpc-485afb2/flow_log.tf line 43, in resource "aws_cloudwatch_log_group" "flow_logs":
  43: resource "aws_cloudwatch_log_group" "flow_logs" {

Error: Error creating route: MissingParameter: The request must contain exactly one of gatewayId, natGatewayId, networkInterfaceId, vpcPeeringConnectionId, egressOnlyInternetGatewayId, transitGatewayId or instanceId
    status code: 400, request id: 3338b2cb-083d-4cbd-80cd-bfb3ba8ba759

  on .terraform/modules/vpc.secure-vpc/nozaq-terraform-aws-secure-vpc-485afb2/private.tf line 5, in resource "aws_route_table" "private":
   5: resource "aws_route_table" "private" {

nozaq commented 5 years ago

@jarrettj I'm not sure why the first error occurred, though; it might be the case that the KMS key creation was still in progress when the log group was being created. Could you try again and see if the same error still happens?

The second one says you need to specify the nat_subnet_cidr_blocks variable; otherwise your instances in private subnets cannot connect outside this VPC.
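Pulling the thread's fixes together, here is an added example of the module call as it would look after the three corrections discussed (module version 0.1.1, a plain IAM role name rather than an ARN, and nat_subnet_cidr_blocks set). This is not code from the module's README; it assumes only the variable names that appear in this thread, the CIDR values for nat_subnet_cidr_blocks are constructed, and any further variables the module may require (for example, for the private subnets) are not shown because the thread does not name them.

```hcl
# Added example (not the module's own documentation): the original module
# call from the report with the fixes discussed in the thread applied.
module "secure-vpc" {
  source  = "nozaq/secure-vpc/aws"
  version = "0.1.1" # the Terraform 0.12+ release, not 0.0.1

  aws_account_id = var.aws_account_id
  cidr_block     = "10.0.0.0/24"

  # Fix for 'Error: "name" must match [\w+=,.@-]':
  # a role *name*, not a role ARN (ARNs contain ':' and '/').
  flow_logs_iam_role_name     = "FlowLogsPublisher"
  flow_logs_group_name        = "flow_logs"
  flow_logs_retention_in_days = 7

  # Fix for 'Error creating route: MissingParameter ... natGatewayId':
  # without NAT subnets there is no NAT gateway for the private route
  # table to point at. Constructed sample values inside the VPC CIDR.
  nat_subnet_cidr_blocks = ["10.0.0.0/26", "10.0.0.64/26"]

  tags = {
    Name = "Test"
  }
}
```

If the KMS AccessDeniedException on the flow-log log group recurs on a clean apply, the dependency between the key and the log group is worth checking inside the module, since a log group created before its key policy is effective fails with exactly that message.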