Feedback on getting started with this Tutorial

[robinbowes]

Firstly, I want to say this is a really great resource. However, I had a few issues getting started so I'm feeding them back to you.

Problem: Doesn't work with ruby 2.5.0, but doesn't fail (it installs 0.3.0 of kitchen-terraform which is way old)
Solution: Use ruby < 2.5.0, eg. 2.4.3. I used rbenv to use 2.4.3 locally

Problem: The kitchen.yml example is not valid. It fails with:

>>>>>> Message: Kitchen::Driver::Terraform configuration: variables {:value=>["must be a hash which includes only symbol keys and string values"]}

Solution: Wrap the erb lines in quotes, eg.:

  variables:
    access_key: "<%= ENV['AWS_ACCESS_KEY_ID'] %>"
    secret_key: "<%= ENV['AWS_SECRET_ACCESS_KEY'] %>"

Alternatively, remove both access_key and secret_key entirely. If they are not specified, the aws provider reads them from ~/.aws.credentials directly.

Problem: terraform init is executed against the wrong dir:

$$$$$$ Running command `terraform init -input=false -lock=true -lock-timeout=0s  -upgrade -force-copy -backend=true  -get=true -get-plugins=true  -verify-plugins=true /Users/robin/code/awspec-kitchen-terraform-2

Solution: Wrong parameter in .kitchen.yml. Change directory to root_module_directory:

driver:
  name: terraform
  root_module_directory: tf

Remove terraform.tfstate.d and .terraform, and re-try

Problem: Error: Required variable not set: region
Solution: Set region on the command line

TF_VAR_region=us-west-1 bundle exec kitchen verify

Alternatively, remove region variable and use AWS_DEFAULT_REGION environment variable on the command line:

AWS_DEFAULT_REGION=us-west-1 bundle exec kitchen verify

Problem: I need to switch to a specific IAM profile when running AWS commands.
Solution: Specify this on the command line:

AWS_DEFAULT_REGION=us-west-1 AWS_PROFILE=engineering bundle exec kitchen verify

The tests now function, and I can start working through the exercises.

I've updated my fork of this repo with my changes: https://github.com/yo61/awspec-kitchen-terraform

Hope this is useful to you!

Thanks again for the tutorial.

[robinbowes]

Update: the mechanism to switch role doesn't work. The only way I've got it to work so far is to add an explicit assume_role block to the aws provider.

[robinbowes]

This issue seems to be relevant: hashicorp/terraform-provider-aws#1184

[robinbowes]

Problem: vpc resource name used in subnet resource definition does not match name of vpc resource
Solution: Use correct resource name:

resource "aws_subnet" "subnet" {
  vpc_id     = "${aws_vpc.my-vpc.id}"
  cidr_block = "10.0.1.0/24"

  tags {
    Name = "my-subnet"
  }
}

[longrackslabs]

Thanks @robinbowes ! Per your suggestions:

• removed AWS vars (key, secret key, regoion) from kitchen, tf, etc. in favor of getting from environment
• fixed resource tags & names
• updated deck to match

I am not seeing the 'root_module_directory' issue, then again I am pinned to an older version of terraform required by awspec 0.10.2. I tried to upgrade to 0.11.x a while back and awspec complained.. i'll dig a bit deeper on this one.

g

[robinbowes]

I found the root_module_directory parameter here: http://www.rubydoc.info/github/newcontext-oss/kitchen-terraform/Kitchen/Terraform/ConfigAttribute/RootModuleDirectory

I wonder if it changed since an older version of kitchen-terraform?

[longrackslabs]

I updated to current awspec, and it is still pinned to terraform 0.10.2:

------Exception-------
Class: Kitchen::UserError
Message: Terraform version 0.11.3 is not supported; upgrade to Terraform version ~> 0.10.2

Please see .kitchen/logs/kitchen.log for more details
Also try running kitchen diagnose --all for configuration

/shrug

[robinbowes]

What ruby version?

[longrackslabs]

I use 2.3.1:

ruby 2.3.1p112 (2016-04-26 revision 54768) [x86_64-darwin15]

I am not precious on this version if there is a newer/better version of ruby you would prefer/ recommend. 2.4.3?

[robinbowes]

I just noticed that ruby 2.5.0 resulted in kitchen-terraform 0.3.0 (ie. very old). I wondered if the version you are using resulted in a similar kitchen-terraform silent pinning?

[longrackslabs]

I am not using / familiar with kitchen-terraform. I am installing these individually:

• brew install ruby
• brew install ruby-dev
• brew install terraform
• gem install bundler --pre
• gem install test-kitchen
• gem install awsecrets
• gem install awspec

I am not a ruby expert so take this with a hefty grain of salt. I added a few notes in README on version particulars.

[robinbowes]

Ohhh, I see.

kitchen-terraform is specified in your Gemfile. You probably just need to upgrade that?

Try: bundle update ?

[longrackslabs]

did a bundle update and all hell broke loose :-) I have some work to put things back right.

[robinbowes]

Oops :)

[longrackslabs]

ok all is well now bundle exec kitchen destroy cleared up my environment.

I made your root_module_directory: tf change and the converge side is working. i need to fix up the test documentation to match and we should be good to go.

[longrackslabs]

I should figure out something other than ec2 to use as an example. AWS holds the terminated instances around for up to an hour, and that confuses awspec to see multiple terminated instances with the same name.

or refactor to include this workaround: k1LoW/awspec#155

[longrackslabs]

ok, i have updated to use the exists but terminated work around and the suggestions above, and updated the code, tests, and deck, and ran through from front to back. I think it is good to go.

I am going to take shot at a similiar exercise using the latest inspec 2.0 which is supposed to support aws resources now rather than the awspec add on. I am also going to drop kitchen in favor of straight tf and inspec via rake.

all good!