Diving DevOps

Terraform State: Why I had to break up with my monolith (and how you can do it too!)

Jan Tymiński — Tue, 01 Jul 2025 17:03:06 GMT

Let’s talk about something every DevOps engineer eventually faces - the moment you realize your Terraform state file has become a monster.
You know, that creeping feeling when terraform plan takes longer than your coffee to brew, and running terraform apply feels like launching a rocket - except you’re not sure where it’ll land.

I’ve been there. Early on, I loved the simplicity of a single state file.
One place to rule them all! But as my infrastructure grew, so did the headaches.
Here’s why I (and probably you, too) needed to split up that Terraform state - whether you’re still running everything in one file, or you’ve already split things up and are wondering if you need to go further.

The monolith: Why one state file feels good… Until it doesn’t

At first, having everything in one state file feels like freedom.
All your resources, all your environments, one command to manage them all.
But then:

Performance Tanks: Suddenly, terraform plan is slow.
So slow, you start checking your WiFi.
But it’s not your connection - it’s the state file, bloated with hundreds (or thousands) of resources.
The “Oh Crap” Moment: Ever accidentally deleted a production resource while working on dev?
With one state file, the blast radius of a mistake is the whole infrastructure.
Definitely not fun.
Team Gridlock: Terraform locks the state file during changes.
So if Victoria is updating a subnet and Leon is tweaking a security group, someone’s waiting.
And waiting.
And waiting…
And… You get the point ;)
Secrets Everywhere: That one state file?
It’s got all your secrets.
Anyone who can read it can see everything.
Not ideal when you want to keep prod secrets, well, secret.
Environments Collide: Mixing dev, staging, and prod in one state is a recipe for disaster.
One wrong move, and your “test” change hits prod.

So, what do you do?
You start splitting.

Already split? Here’s why you might need to split again

Maybe you’ve already broken things up - a state file for networking, another for compute, maybe one per environment.
But the pain isn’t gone:

Still Too Big: Even after splitting, some state files keep growing.
That “networking” state now covers VPCs, subnets, gateways, peering, and more.
Time to split again - maybe VPC in one, subnets in another.
Team Ownership: As teams grow, so do ownership boundaries.
The DB team doesn’t want to wait for the network team to finish their changes.
Or maybe you have split teams and responsibilities?
Give them their own state, let them move fast.
Parallel Deployments: CI/CD pipelines are happiest when they can run in parallel.
Multiple state files mean multiple pipelines, all running at once, no waiting.
Refactoring Time: Infrastructure evolves.
Maybe you want to turn that old-school monolith into shiny new modules.
Moving resources into their own state files makes this possible (and safe).
Compliance & Auditing: Sometimes, it’s not about what you want - it’s what the auditors want.
Need to separate PCI or GDPR workloads?
Split the state.
Complex Dependencies: When you’re referencing resources across modules, things get messy.
Splitting state helps keep dependencies clear and manageable.

My rule of thumb

Start simple.
But as soon as you feel the pain - slow plans, team friction, scary blast radius - split.
And don’t be afraid to split again as your infra grows.
It’s not a sign of bad design - it’s a sign that you’re scaling.
In Poland we say: “Kto to Panu tak spierdolił?”
Don’t think like that…
Something that may seem as poorly designed, worked in past and delivered a value - it just doesn’t necessarily do anymore and it’s time for a refactor.

If you’re using Terragrunt (like I sometimes do), it makes this even easier.
Each module, each environment, its own state.
Clean, fast, and safe.

TL;DR

Splitting Terraform state files isn’t just a best practice - it’s a survival tactic as your infrastructure grows.
It keeps your team moving, your secrets safe, and your weekends free from “terraform panic” moments.

Been there, done that, got the (split) state files to prove it.

You convinced me! So how do I split a Terraform state?

Prerequisites

Ensure your S3 bucket for holding states has versioning enabled.
You don’t want to find out you have no backup in case of messing the state up.
Have a state locking mechanism to avoid external changes in the middle of process.
If you use Atlantis, you’re probably on the safe side.
If you orchestrate Terraform with different CI/CD solution, please ensure it will lock the states.
Be aware that Terraform state may contain sensitive information.
You will download this state locally.
Be very careful so you don’t commit local state file to the repository!
Ensure you remove all the local state files after you finish.

Steps to move resources between Terraform states

Before you begin, a short clarification note - I use current state to refer to the state you already have before split and that will most likely still exist, just with less resources; and I use new state to refer to the state you create and move resources to it.
In case something is not clear, leave me a comment and I will improve the writings.

Create a new state directory in your configuration, with terraform.tf pointing to the new state location in your S3 bucket for states.
Be sure you don’t change state path in current state!
[OPTIONAL] If you use Atlantis, add the new directory to the atlantis.yml file.
Open a PR that will lock both states and ensure nobody will interact with these states during migration.
1. if you use Atlantis, it will create locks. Just make it clear in the PR, that nobody should take the lock down (e.g. add DO NOT TAKE LOCK to the PR title if you don’t have any mechanism that would guarantee nobody takes the lock).
2. If you don’t use Atlantis, ensure how your CI/CD solution can lock the state you work on.
3. If you don’t use any CI/CD for Terraform execution, then clearly communicate with all your Terraform contributors, that you are splitting this particular state and they cannot work with it unless you finish the split.
Move Terraform resources, modules and outputs to the new state, as needed.
Create a terraform_remote_state data source pointing to the new state - the same path you used in new terraform.tf
In the current state refer to the outputs of this new terraform_remote_state, for the resources that you moved
Pull both states locally with terraform state pull > state.backup, respectively in current and new state directories.
Remember: Terraform states may contain highly sensitive information - work with caution!
In both directories make copies of pulled states with cp state.backup modified.state

Now you can move your resources between states with:

 For regular resources:
 terraform state mv -state /path/to/current/state/modified.state -state-out /path/to/new/state/networking/modified.state aws_vpc.my_vpc aws_vpc.my_vpc

 For modules:
 terraform state mv -state /path/to/current/state/modified.state -state-out /path/to/new/state/networking/modified.state module.my_module module.my_module

Moving modules is actually awesome here, as you can move entire module, without moving it’s internal resources one by one - this simplifies a lot!

Push both states, in both directories, with terraform state push modified.state
Plan the new state - you should see no changes to resources if everything went well - but you will see new outputs to be created.
If not, get back to 9. and move what you missed.
Apply the new state so it has the outputs - they are referred in the current state.
Plan the current state - you should see no changes if everything went well so far.
If not, get back to 9. and move what you missed.
Apply the current state.
At this point everything is good, so merge your PR.
Now the process is completed.
Moving resources produced some modified.state.*.backup in both directories - you can now remove them, as well as modified.state and state.backup files.
Search your repositories for other states references to the current state.
On GitHub you can search through your entire Organization.
1. If any state refers to the moved resources, add terraform_remote_state data source pointing to the new state, as in 5.
2. Point relevant resources to that new terraform_remote_state data source
3. Plan that state - you should see no changes.
  If not - verify previous steps, if you haven’t missed or mistaken anything.
4. Apply that state.
5. Repeat for every additional state that referred the state that was split.
The process is over, you have cleaned up the state 💪

If you want to dive deeper, or need help with your own Terraform breakup story, hit me up - always happy to talk about infra (or scuba stories 🤿).

You can also hire me as a consultant if you feel you need support - just drop me a message!

Account Name and Account Alias in AWS are not the same thing!

Jan Tymiński — Mon, 10 Mar 2025 16:09:52 GMT

Did you know that?

I was surprised when I found out…

I was about to implement an Organization wide solution with AWS Control Tower Account Factory for Terraform (AFT) that, in my case, is using Account Name for further resources creation.
As I don’t read Account Aliases often with Terraform, I googled and the first result I got was this article from StackOverflow.
I became a bit worried about how it could affect my solution, but I decided to proceed.
And - unfortunately - I confirmed this is true.

Account Name vs. Account Alias

I want to briefly describe how Account Name and Account Alias differ from each other.

As they are different things, they don’t have to be equal and it may require proper handling depending on the situation.

Account Name

The Account Name in AWS is a name that is used by AWS Organizations and it is organized within the scope of AWS Organizations.

The details regarding AWS Organizations are available only to the Root Account of the AWS Organization, therefore reading it with the aws_organizations_account data source requires configuring Terraform to access that account first to read the details.
This is not straightforward, as it requires reading two accounts at once - technically possible with separate AWS providers to connect to different accounts, but this is not necessarily an optimal approach and may not be possible in some organizations due to additional constraints.
It is also possible to overcome this by storing the Account Name in AWS SSM Parameter Store for each account in the Organization, but we would be already building a solution that requires maintenance, so it may not be suitable option.

Because Account Name exists in terms of AWS Organization, it doesn’t have to be unique across the whole AWS - it only needs to be unique in your Organization.

Contradictory to the Account Alias, Account Name has to be set, it is required.

You can read more about accounts in AWS Organizations in Managing member accounts with AWS Organizations User Guide.

Account Alias

The Account Alias is a different thing.

An AWS Account doesn’t have to be a part of an AWS Organization - so the Account Name for this account may not exist.
Yet every AWS Account can have the Account Alias.

The Account Alias is used to identify a particular AWS Account.
It is optional, so it doesn’t have to be set for an account, but if it is, it has to be unique.
The Account Alias is used to uniquely identify the account and it may be used instead of Account ID to log in to the AWS Console.
The Account Alias is easy to remember and many organizations and individuals use Aliases for simplification.

The Account Alias can also be deleted

My scenario

In my scenario Account Name is different from Account Alias for at least a subset of accounts.
Therefore I could not rely on data source below without additional modifications:

data "aws_iam_account_alias" "current" {}

Luckily I could resolve this, as in my case there is a pattern, so I could manipulate the data.aws_iam_account_alias.current.account_alias value at later step to achieve my goal.

For my scenario it was creating buckets following a certain pattern for logs of one of the landing zone components and I needed to have a unification across the whole Organization.
The optimal solution would be to use aws_s3_bucket data source to read the bucket from each account, when configuring logs that should be pointed to there - but aws_s3_bucket data source doesn’t support wildcards at the moment, full bucket name is required - so this is not a solution for me, it doesn’t simplify anything.

There is an open issue for aws_s3_bucket data source to enable retrieving a list of buckets matching a particular filter, which would work in my scenario really well, but the issue is open since October 2020 and doesn’t seem to be prioritized.
And this is especially frustrating that there was a PR with this feature submitted already!

Luckily, the S3 ARN doesn’t contain any unique IDs, it is in form of arn:aws:s3:::${BUCKET_NAME} and my buckets didn’t require any random ID to be unique, so it was easy to just manipulate the Account Alias accordingly to achieve the final goal.

And I am writing all that because as it was a case for me, it may be as well a case for you!
I work in IT field long enough to see that people follow similar patterns although they have never met each other - some details may differ, but there still can be similar patterns used - and with these patterns, you might fail at some point into this issue, just as I did.

AWS EKS - Error: You must be logged in to the server (the server has asked for the client to provide credentials)

Jan Tymiński — Mon, 30 Dec 2024 12:22:39 GMT

Today I was working on a PoC to try out the new Amazon EKS Auto Mode feature announced on re:Invent 2024.
I wanted to make a very quick PoC, so I took the least effort approach to set up my cluster.

When I wanted to start deploying the app proposed by AWS in their article about this feature, I was hit by the following error when running any kubectl command:

E1230 11:20:11.743615    4991 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: the server has asked for the client to provide credentials"
E1230 11:20:12.438833    4991 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: the server has asked for the client to provide credentials"
E1230 11:20:13.117818    4991 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: the server has asked for the client to provide credentials"
E1230 11:20:13.804336    4991 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: the server has asked for the client to provide credentials"
E1230 11:20:14.477604    4991 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: the server has asked for the client to provide credentials"
error: You must be logged in to the server (the server has asked for the client to provide credentials)

The error message is not really meaningful and helpful, it can be caused by various factors, what I found out when I was googling for a solution, I found this SO question, but the accepted answer was not really covering my case (and it links to AWS re:Post article which is hidden by a premium support paywall).

As my setup was supposed to be really quick, I took the example from Terraform eks_cluster resource docs.

I was diving deeper into the problem and then I finally found out what was going on - my user was missing permissions to the cluster!

So I added the following configuration:

data "aws_iam_user" "jan_tyminski" {
  user_name = "diving.devops"
}

resource "aws_eks_access_entry" "jan_tyminski" {
  cluster_name  = aws_eks_cluster.my_cluster.name
  principal_arn = data.aws_iam_user.jan_tyminski.arn
  type          = "STANDARD"
}

resource "aws_eks_access_policy_association" "jan_tyminski_AmazonEKSAdminPolicy" {
  cluster_name  = aws_eks_cluster.my_cluster.name
  policy_arn    = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminPolicy"
  principal_arn = aws_eks_access_entry.jan_tyminski.principal_arn

  access_scope {
    type = "cluster"
  }
}

resource "aws_eks_access_policy_association" "jan_tyminski_AmazonEKSClusterAdminPolicy" {
  cluster_name  = aws_eks_cluster.my_cluster.name
  policy_arn    = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
  principal_arn = aws_eks_access_entry.jan_tyminski.principal_arn

  access_scope {
    type = "cluster"
  }
}

diving.devops is not a real user, this is just my Instagram profile and my YouTube channel.
And this resolved my issue, I could finally start using kubectl, yay!

I have also answered the SO question with my own solution, based on this answer - I showed the Terraform way and added the AmazonEKSAdminPolicy and AmazonEKSClusterAdminPolicy there to be used with note regarding working on PoC in this scenario - so that readers are aware of this issue.

Of course this is just one of the possible scenarios for this error, that was my scenario - it may or may not work for you depending on the underlying issue you have - if that is not your case, I am linking again to the SO question - check it for more solutions.

Is it possible to use a custom certificate issued by a private certificate authority with custom origin behind CloudFront?

Jan Tymiński — Wed, 02 Oct 2024 20:00:42 GMT

One day an engineer in my team came up with this question.

There was no quick answer available, so I started digging and here's what I found.

CloudFront's docs on CNAMEs and HTTPS requirements say:

CloudFront supports all types of certificates issued by a trusted certificate authority.

CloudFront to Custom Origin setup can only work with trusted third-party CAs:

For origins other than Elastic Load Balancing load balancers, you must use a certificate that is signed by a trusted third-party certificate authority (CA), for example, Comodo, DigiCert, or Symantec.

And in more details CloudFront docs explain that they support the same CAs that Mozilla supports:

When CloudFront uses HTTPS to communicate with your origin, CloudFront verifies that the certificate was issued by a trusted certificate authority. CloudFront supports the same certificate authorities that Mozilla does. For the current list, see Mozilla Included CA Certificate List. You can’t use a self-signed certificate for HTTPS communication between CloudFront and your origin.

AWS also emphasizes in the docs that:

Important
If the origin server returns an expired certificate, an invalid certificate, or a self-signed certificate, or if the origin server returns the certificate chain in the wrong order, CloudFront drops the TCP connection, returns HTTP status code 502 (Bad Gateway) to the viewer, and sets the X-Cache header to Error from cloudfront. Also, if the full chain of certificates, including the intermediate certificate, is not present, CloudFront drops the TCP connection.

Summarising the above - No, it is not possible to set up CloudFront with Custom Origin using a certificate issued by a private Certificate Authority or Self Signed Certificate.

But why do I need to know that?

Because large enterprise companies may have internal CAs for internal purposes and they can be trusted on the company devices and you might be instructed to use a certificate issued by such CA by someone that is not aware of the above.

This short article can help you easily provide required documentation for others in case you are asked if that's possible or requested to implement own certificate in such scenario.

InvalidParameterValue: DBName must begin with a letter and contain only alphanumeric characters

Jan Tymiński — Thu, 23 May 2024 13:00:28 GMT

❗

TL;DR: Don't use hyphen (-) for DBName.

And if you want to understand the reasons behind that, keep reading further.

You are creating an RDS instance with Terraform.

You have coded the instance, executed terraform plan and all looks great!

That's great!
Now you can apply the changes!

So you run terraform apply, Terraform starts calling AWS API and suddenly you get an error:

InvalidParameterValue: DBName must begin with a letter and contain only alphanumeric characters

But why?
You wonder!

And I also wonder!

I have seen this a couple of times already...
But I always forget why this happens...
Mostly I solve this issue once at the beginning of setting up naming convention in the organization and then I forget about this issue...

Now recently I have also forgotten about that, but I was asked by my teammate to help them with the issue.

After a couple of minutes I have finally got it!

We were deploying Postgres!

The problem here is more complex than just AWS or Terraform constraints.
Terraform is supposed to manage AWS resources and AWS provides many different services, some of them are well known open source technologies that can have their own limitations.

Postgres doesn't allow to use hyphens (-) in the database name!
Only underscores (_)!

By the Postgres docs:

SQL identifiers and key words must begin with a letter (a-z, but also letters with diacritical marks and non-Latin letters) or an underscore (_). Subsequent characters in an identifier or key word can be letters, underscores, digits (0-9), or dollar signs ($). Note that dollar signs are not allowed in identifiers according to the letter of the SQL standard, so their use might render applications less portable.

But you didn't set up Postgres?

Apparently MySQL doesn't seem to support hyphens too:

Permitted characters in unquoted identifiers:

ASCII: [0-9,a-z,A-Z$_] (basic Latin letters, digits 0-9, dollar, underscore)

Extended: U+0080 .. U+FFFF

And MS SQL Server too:

The first character must be one of the following:

A letter as defined by the Unicode Standard 3.2. The Unicode definition of letters includes Latin characters from a through z, from A through Z, and also letter characters from other languages.

The underscore (_), at sign (@), or number sign (#).

I'm neither databases nor SQL expert, but looks like hyphen is not allowed as database name in the most popular SQL engines.

I cannot confirm that for sure, as I cannot find any sort of official SQL Language reference manual in the Internet, but it seems like it is a limitation of SQL for identifiers and database name is an identifier.
Vendors of SQL engines can follow the SQL standard more or less strictly, so there may be engines that could work with hyphens (-) in database name, but this would be an exception to what I have seen in past and during research for this post.

If, by any chance, you know more on that matter, feel free to share your thoughts in a comment!
I'm always happy to hear from you and learn from you!

Global Accelerator behind Cloudfront

Jan Tymiński — Wed, 07 Feb 2024 09:06:20 GMT

Intro

I made a PoC that used Global Accelerator behind Cloudfront.

I haven't found any article regarding such solution being possible, AWS docs also didn't clearly state such scenario is possible.
AWS Console didn't help - I couldn't select Global Accelerator as the origin from the dropdown menu and entering it's domain didn't suggest anything, so I felt that adding custom origin is not possible - but it is!

I needed to find a way to serve 2 separate environments in different VPCs for the customer that wanted to bring up a brand new infrastructure based on EKS, but being able to use both old and new environment on the testing phase - to ensure that EKS environment works identically as the old application setup.
Application Load Balancer couldn't serve this purpose for different VPCs.

Cloudfront doesn't let you configure different origins with the same weight in a single Cloudfront Distribution - you can only configure a failover origin - that didn't support my case.

Global Accelerator can route the traffic to various endpoints like Application Load Balancers, Network Load Balancers or EC2 instances directly.

I had all the things configured, so I only needed to add Global Accelerator between Cloudfront Distribution and ALBs and configure ACM Certificate for my testing domain used in this scenario.

How to set this all up

We need the following resources:

Global Accelerator (pricing)
ACM Certificate for Global Accelerator
Cloudfront (pricing)
ACM Certificate for Cloudfront
Route53 records to route the traffic to Cloudfront
Route53 records to route the traffic to Global Accelerator
Ingresses for target environments (Application Load Balancers of both environments in my scenario)

My traffic flow for this case looks like in the following diagram:

I purposely didn't use AWS icons for the resources as I want you to focus on just the solution without being distracted by the icons - not everyone is fluent with them.
I might add another diagram using the icons in the future.

We need to do the following:

Set up Global Accelerator - Standard accelerator will work here
Configure the ACM Certificates for the Global Accelerator - they need to be in the same region as the Global Accelerator
Set up Cloudfront distribution (if you don't have one) and point it to Global Accelerator
Configure the ACM Certificates for this Cloudfront distribution (they need to be in us-east-1 as Cloudfront distributions are located there)
Add our endpoints to the Global Accelerator and configure weights for them - mine were the same, I wanted even amount of traffic to reach both environments - your scenario can differ and you can change the weights over time, depending on how confident you are with the new infrastructure.
Point our domain with Route53 (or any other DNS actually, but let's keep all in AWS) to Cloudfront (if you don't have one)
Test if everything works as expected

The guide assumes you have some AWS experience already and not everything is clearly stated here.

Did you know such scenario is possible?
Do you have any other interesting cases for Global Accelerator?
I will be happy for your comments!

AWS Security Groups are tricky!

Jan Tymiński — Tue, 02 Jan 2024 12:30:03 GMT

Recently I was configuring a security group for a service that uses TCP and UDP ports for ingress connectivity.

Security Groups are an Amazon Web Services feature for Amazon VPC (virtual private cloud) to set up a stateful firewall.

I used Terraform (Terragrunt actually, but that's a detail) to configure the security group's ingress rules.

I wanted to be a smart guy, so I have set the protocol to -1 which means "all protocols", so I didn't need to specify separate rules for TCP and UDP for the same port.

Here comes my surprise, according to the AWS documentation:

Use -1 to specify all protocols. If you specify -1 or a protocol other than tcp, udp, or icmp, traffic on all ports is allowed, regardless of any ports you specify.

I was not aware of that and you might not be aware too!

Honestly, I would expect the AWS API to return an error, or at least a warning, when trying to set a configuration that is impossible to set - it either didn't happen or was silenced in the Terraform provider for AWS (I didn't verify, I suspect the AWS API doesn't give any feedback about that).

It was caught by my workmate who eventually made separate entries for TCP and UDP to get the configuration right - shortcuts, although tempting, are not always good solutions.

Terraform - MalformedPolicyDocument: The policy failed legacy parsing

Jan Tymiński — Sun, 10 Dec 2023 19:48:37 GMT

I was affected by a bug in the AWS provider for Terraform recently.

I've got the following error when applying Terraform changes:

Error: creating IAM Policy (MyPolicyName): MalformedPolicyDocument: The policy failed legacy parsing

According to the AWS docs the policy for sts:AssumeRole should look like the following:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::account-id:role/Test*"
  }
}

It works that way in AWS Console and with AWS CLI (I have personally tried that in AWS Console and people on the Internet reported that it works in AWS CLI).

But not with Terraform!

The bug in the provider requires an array to be used for the Statement, like this:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::account-id:role/Test*"
  }]
}

Regardless of a single statement being used in the policy.

When I was trying to google the error without the Terraform keyword, the results were showing that I may be missing the Version statement, which I copied from AWS docs, or that it could be missing !Sub directive in my CloudFormation Stack, which I didn't have at all.

I hope you find that useful and if you are affected too, feel free to upvote the issue!

Terraform archived template provider and what now?

Jan Tymiński — Sun, 19 Nov 2023 20:46:30 GMT

What has happened actually?

Terraform used to have a template provider in past. It was deprecated with Terraform 0.12 and archived on the 9th of October 2020.
Although it was more than 3 years ago, some of you might still be using it!

It provided the following data sources:
template_file
template_cloudinit_config
And they were used a lot in the past.

template_file was used for prototyping files, e.g. with variables passed from the Terraform code to these files.

template_cloudinit_config was used to generate the Cloud-init configuration consumable by other resources, e.g. aws_instance as user_data / user_data_base64 or other resources that can be configured with Cloud-init.

There's quite a chance you have used it in past or will use it in the future, e.g. following some tutorials available on the Internet.

So did I, as I was unaware of the issue - and I would probably still be, but my workmate faced an issue that the binary for template provider is not available for Mac M1 and newer ARM-based Macs.
And there's a chance that you have also followed some old tutorials with the old code and are facing the same issues on your shiny new computer!
Or you are good, but your teammate has the issue!

But there's a solution for that - with newer Terraform we can use cloudinit provider that comes with cloudinit_config data type that can utilize templatefile() function inside.
I have prepared an example on how to transform from the deprecated code to the modern one, as I haven't found a clear, simple example on how to do that.

The code

This is an example of how did the code look like with the deprecated template provider:

data "template_file" "example" {
  template = file("${path.module}/templates/example.yml")

  vars = {
    EXAMPLE_VAR = var.example_var
  }
}

data "template_cloudinit_config" "config" {
  gzip          = true
  base64_encode = true

  part {
    filename     = "example.yml"
    content_type = "text/cloud-config"
    content      = data.template_file.example.rendered
  }
}

Here's how the code would look like after refactoring to the cloudinit provider.

data "cloudinit_config" "config" {
  gzip          = true
  base64_encode = true

  part {
    filename     = "example.yml"
    content_type = "text/cloud-config"
    content = templatefile("${path.module}/templates/example.yml", {
      EXAMPLE_VAR = var.example_var
    })
  }
}

I have tested the refactored code so you don't have to make it out on your own!

And yes, I also needed the refactored code for the infrastructure I manage.

RDS Auto Minor Version Upgrade does not work as you could probably expect!

Jan Tymiński — Thu, 20 Jul 2023 07:05:22 GMT

I was quite surprised when I found out!

The RDS Auto Minor Version Upgrade doesn't always automatically update the minor version!

Especially since the documentation is misleading with this, saying at the beginning:

A minor engine version is an update to a DB engine version within a major engine version. For example, a major engine version might be 9.6 with the minor engine versions 9.6.11 and 9.6.12 within it.

If you want Amazon RDS to upgrade the DB engine version of a database automatically, you can enable auto minor version upgrades for the database.

And in their blog post regarding this feature:

Auto Minor Version Upgrade is a feature that you can enable to have your database automatically upgraded when a new minor database engine version is available.

And I haven't found any single hint regarding the updates needing to meet any additional conditions to be performed...

So when does the RDS Auto Minor Version Upgrade perform the upgrade?

There are two cases:

The minor version that you currently have is completely deprecated by AWS
The minor version has the AutoUpgrade: True attribute set by AWS

The AutoUpgrade: True attribute is set by AWS under some special circumstances when the new one contains very important cumulative bug fixes and an upgrade is absolutely necessary.

How can you check which minor was tagged with AutoUpgrade: True?
By executing this command:

aws rds describe-db-engine-versions --region YOURREGION --output=table --engine YOURENGINE

You will see that most of the minor versions have the AutoUpgrade: False attribute set. Your current version should be either the newest with AutoUpgrade: True or the one you have manually chosen - depending on which is newer.

Could this be automated?
Probably yes - with Lambda function to seek the most recent minor version and calling RDS API to upgrade to that version in the next maintenance window.

Is it worth automating?
In most cases - no.
The most important bug fixes and security patches will be applied automatically.

Unless you are sure you need this or you already have a stable mechanism to reuse, you will most likely spend more time automating it than you will benefit from the most recent minor.
Remember, that there's always an alternative cost of doing something - not doing something else.

I haven't automated this as in my case the implementation costs outperform potential benefits.

Will there be more storytelling?
Maybe.
I think it doesn't fit into every blog post (like this one), but it may be continued for some in the future - stay tuned!

Sources:

https://repost.aws/questions/QUqLHWCC0mRDiRLutC6pMHbA/rds-instances-do-not-auto-upgrade-minor-versions

https://repost.aws/questions/QUT0JuX6IhSAyXaSdQK5SW3A

Migrate from CloudFormation to Terraform

Jan Tymiński — Tue, 13 Jun 2023 22:17:03 GMT

The Tale of the CloudFormation

A long time ago, in a land far, far away, there was a DevOps dojo.
The dojo trained young padawans in DevOps craftsmanship.
Many of them were ambitious and wanted to use their skills in practice as soon as possible.
They were given quests.

Quests varied in their toughness, but many of them had a common ground - the fate of the young padawans.
They were sent to accomplish missions and fight evil creatures in the lands of the AWS CloudFormation.

AWS CloudFormation is one of the toughest lands in the Clouds universe.
Many adventurers have failed to accomplish quests in these lands.
Many have lost their lives fighting the creatures called Stacks.
Many have lost their minds to the riddles of Change Sets.
New DevOpses were coming, they were moving further, but with all the burden they couldn't conquer the lands of the Cloudformation.

One day the dojo sent two of their most experienced DevOpses.
They have seen the scenes nobody wants to see.
They have seen the defeat of their mentees.
They have seen a disaster.

With a plan, they started picking up battles, tackling them with a balance between efforts and benefits.
It took months, but the strategy paid off.
The Team of Two DevOpses visited hundreds of villages of the CloudFormation lands.
Although they didn't conquer the kingdom, they have secured peace in the Clouds universe.

One day a team of three DevOps Ninjas arrived at the CloudFormation lands.
They came from the kingdom of the Terraform.
They were not pleased with what they found.

The DevOps Ninjas have tightly cooperated with the Dojo Masters.
They needed to understand all the situation and politics of the CloudFormation lands.
Months passed by...
The Dojo Masters left the CloudFormation lands, leaving them in the hands of the brave DevOps Ninjas to continue on the journey.
And months passed by...

The DevOps Ninjas were already sure that only with the powers of the Terraform Kingdom they can bring everlasting peace to these lands.
The authority of the CloudFormation Kingdom must come to an end.

And so the biggest war in the universe began!

Migrating the infrastructure

I hope you enjoyed this little introduction, now let's get to the technical part.

The process is pretty simple, I have made a simple PoC with a CloudFormation template provided by AWS.
I have chosen WordPress scalable and durable template to ensure the behaviour around the RDS database that was crucial for me.
I recommend you to try it on your own to ensure what will happen, test for a scenario you have - you might want to seek for another template to better simulate your case.

The process is pretty simple and consists of two separate processes described by AWS and I will list it with links to AWS articles so you can easily ensure the steps:

Set up DeletionPolicy: Retain to all resources you want to retain when CloudFormation Stack is removed (link)
Upload new CloudFormation Stack definition
Import these resources to your Terraform code
Delete the CloudFormation Stack (link)

And that's it!

Deleting CloudFormation Stack might fail if there are resources in it that miss the DeletionPolicy: Retain and they are connected with resources retained, e.g. there's a subnet without this attribute that is related to an RDS which is retained - AWS will try to remove this subnet and fail as it cannot be removed as long as RDS uses it - this situation is good for us, we will not accidentally remove resources that we need for other resources to work.
The CloudFormation Stack can then be forcibly removed, ignoring the fact it cannot delete some resources.

I hope you find this post useful and that you enjoyed the little story in the beginning - the fairy tale is based on a real life situation.