aws-ia / terraform-aws-mwaa
Terraform module for Amazon MWAA (Apache Airflow)
Home Page: https://registry.terraform.io/modules/aws-ia/mwaa/
License: Apache License 2.0
What's the easiest way to configure the log retention policy on MWAA cloudwatch logs? This module allows users to toggle the logs and configure the level but it doesn't seem to allow us to configure the log retention period, nor does the module output the log group arn.
When we run the MWAA artefact we get the error message below:
│ Error: Missing required argument
│
│ with aws_mwaa_environment.mwaa,
│ on main.tf line 23, in resource "aws_mwaa_environment" "mwaa":
│ 23: source_bucket_arn = local.source_bucket_arn
│
│ The argument "source_bucket_arn" is required, but no definition was found.
I have a PR which resolves this dependency. #36
Add an example to trigger a simple Python job (samples under examples).
I noticed that the AWS provider version is pinned to 4.20, is there a reason for that?
For context I'm wondering because this conflicts with the version requirement of https://github.com/terraform-aws-modules/terraform-aws-rds/blob/master/modules/db_parameter_group/versions.tf
https://github.com/aws-ia/terraform-aws-mwaa/blob/main/versions.tf
I'm seeing a behavior in aws_mwaa_environment that I was not seeing previously. With hashicorp/aws v4.64.0, every time I deploy, it destroys and recreates the aws_mwaa_environment with this message shown in the terraform apply:
~ network_configuration {
~ security_group_ids = [
- "sg-xxxxxxxxx",
] -> (known after apply)
~ subnet_ids = [ # forces replacement
- "subnet-xxxxxxxxx",
- "subnet-yyyyyyyyy",
] -> (known after apply)
}
}
Even though the subnet_ids are exactly the same every single time, it indicates that they have changed and therefore that is forcing replacement.
Originally these 2 subnet_ids were coming from an aws_subnet data block, with a filter that resulted in those 2 exact same subnet_ids every time. Just as a test, I simply hardcoded the 2 subnet_ids in the aws_mwaa_environment resource block:
subnet_ids = ["subnet-xxxxxxxxx", "subnet-yyyyyyyyy"]
But even hardcoded, I get the same behavior.
I see that the lifecycle settings ignore changes to both the requirements and plugins objects
lifecycle {
ignore_changes = [
plugins_s3_object_version,
requirements_s3_object_version
]
}
Is there some kind of bad/unintended behavior if these changes are not ignored? Or is this an intentional decision to encourage these updates via the console only?
Architecture diagram of the most pertinent services and concepts
Please use PowerPoint and use the official AWS icons: https://aws.amazon.com/architecture/icons/
Place both a .ppt and a .png in images/
See #23. There is a need for MWAA to have access to certain secrets so it can connect to various API's. Granting MWAA access to all secrets would be a security concern, as it should only have access to the secrets it needs, so we should grant it access to secrets under a specified prefix.
Update README for standard template
Can you add an output for the VPC endpoint if it was created during environment provisioning?
I want to request a feature to enable setting KMS key for MWAA. It is required to use the same key for both S3 and MWAA instance and there will be some additional IAM policies involved in the creation process.
Using a CMK with MWAA
Permissions involved when setting a CMK
Currently, the terraform resource for MWAA has the capability to create cloudwatch logs using the logging_configuration block. Our organization would like to be able to output logs to an existing cloudwatch log group by specifying an arn. This would allow us to get access to all of the features available when creating a log group using the aws_cloudwatch_log_group resource (such as log retention).
Let me know if this is the wrong location for such a feature request - I'd be happy to open it in the appropriate location
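One way to get retention control over the MWAA log groups, as an added example (not the module's code, and not a feature the module provides): pre-create the groups with aws_cloudwatch_log_group so that retention_in_days applies to them, and output their ARNs. It assumes that MWAA names its log groups airflow-<environment name>-<log type> with the five log types listed in the block, and that MWAA writes to a pre-existing group of that name instead of failing; var.environment_name and var.log_retention_days are assumed inputs. Verify the naming convention and the adoption behaviour in your own account before relying on this.

```hcl
# Added example, not part of the aws-ia/mwaa module.
# Assumed inputs and assumed MWAA naming convention: see the lead-in above.

variable "environment_name" {
  description = "Name passed to aws_mwaa_environment (assumed input)"
  type        = string
}

variable "log_retention_days" {
  description = "Retention for every MWAA log group; CloudWatch only accepts specific values (1, 3, 5, 7, 14, 30, ...)"
  type        = number
  default     = 90

  validation {
    condition     = var.log_retention_days > 0
    error_message = "Set a positive retention period so logs do not accumulate without bound."
  }
}

locals {
  # The five log types MWAA can emit, one CloudWatch log group each.
  mwaa_log_types = ["DAGProcessing", "Scheduler", "Task", "WebServer", "Worker"]
}

resource "aws_cloudwatch_log_group" "mwaa" {
  for_each = toset(local.mwaa_log_types)

  # Assumed MWAA naming convention: airflow-<environment name>-<log type>.
  name              = "airflow-${var.environment_name}-${each.key}"
  retention_in_days = var.log_retention_days

  tags = {
    Service = "MWAA"
  }
}

# Exposes the ARNs the issue asks for, so alerting or subscription filters
# can reference them without hard-coding the group names.
output "mwaa_log_group_arns" {
  value = { for k, g in aws_cloudwatch_log_group.mwaa : k => g.arn }
}
```

Create these groups before the environment (for example with a depends_on on the aws_mwaa_environment resource or module block) so that MWAA finds them already present. If the environment is created first, MWAA creates the groups itself and a later apply of this code fails because the groups already exist, until they are imported into state.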
When setting var.source_bucket_name, it turns out that it's only setting the bucket name prefix (see here) and not the actual name of the bucket. I'm not sure why the behavior is different given the variable's name and description. The other name variables, var.name and var.iam_role_name, are respected and passed through as the names for those resources, so I'm not sure why it's inconsistent for the S3 bucket. Is this something that y'all would be open to? I am more than happy to contribute this change.
I understand that this proposal will be a breaking change, so we could have another variable var.source_bucket_name_prefix that preserves the original behavior.
When bringing an external IAM role with the config below
create_iam_role = false
execution_role_arn = data.aws_iam_role.mwaa.arn
iam_role_additional_policies = []
TF throws the error below
│ Error: Invalid object key
│
│ on .terraform/modules/mwaa/locals.tf line 14, in locals:
│ 14: iam_role_additional_policies = { for k, v in toset(concat([var.iam_role_additional_policies])) : k => v if var.execution_role_arn != null }
│
Upon verification, terraform-aws-eks uses a similar pattern, but with different variable types: iam_role_additional_policies in var should be map(string) rather than list(string). Also, the if conditional should not be checking the external role, it should be checking create_iam_role. The concat should enclose var.iam_role_additional_policies with []. See the detail in the screenshot below.
> { for k, v in toset(concat([[]])) : k => v if "asdf" != null }
╷
│ Error: Invalid object key
│
│ on <console-input> line 1:
│ (source code not available)
│
│ The key expression produced an invalid result: string required.
╵
> { for k, v in toset(concat([[]])) : k => v if null != null }
{}
> { for k, v in toset(concat([])) : k => v if "asdf" != null }
{}
If needed, we can discuss the details using AWS internal channels.
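As an added example (not the module's own locals.tf), here is the shape of the variable and locals that avoids the "Invalid object key" error: with iam_role_additional_policies typed as map(string) the for-expression keys are already strings, so no toset()/concat() wrapping is needed, and gating on var.create_iam_role rather than on var.execution_role_arn attaches extra policies only to a role the module actually owns. The environment_name variable and the aws_iam_role resource are assumptions added to make the block complete.

```hcl
# Added example, not the module's code.

variable "environment_name" {
  type = string
}

variable "create_iam_role" {
  description = "Create the execution role here; false means an external role is supplied"
  type        = bool
  default     = true
}

variable "execution_role_arn" {
  description = "Existing execution role ARN, used only when create_iam_role = false"
  type        = string
  default     = null
}

variable "iam_role_additional_policies" {
  description = "Extra policies to attach to the created role: stable name => policy ARN"
  type        = map(string)
  default     = {}
}

locals {
  # A map already has string keys, so the for-expression cannot hit
  # "string required". Gate on create_iam_role: an externally supplied role
  # is managed by whoever owns it, not by this module.
  iam_role_additional_policies = var.create_iam_role ? var.iam_role_additional_policies : {}

  # Single place that resolves which role the environment should use.
  execution_role_arn = var.create_iam_role ? aws_iam_role.mwaa[0].arn : var.execution_role_arn
}

data "aws_iam_policy_document" "assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["airflow.amazonaws.com", "airflow-env.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "mwaa" {
  count              = var.create_iam_role ? 1 : 0
  name               = "${var.environment_name}-execution"
  assume_role_policy = data.aws_iam_policy_document.assume.json
}

resource "aws_iam_role_policy_attachment" "additional" {
  # Empty map when create_iam_role = false, so no attachment is planned and
  # nothing references a role instance that does not exist.
  for_each   = local.iam_role_additional_policies
  role       = aws_iam_role.mwaa[0].name
  policy_arn = each.value
}
```

With this shape the configuration from the issue (create_iam_role = false, an external execution_role_arn, and an empty iam_role_additional_policies = {}) plans cleanly: the local resolves to an empty map and the attachment resource has no instances.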
The mwaa_environment resource now supports startup_script_s3_path and startup_script_s3_object_version.
This would be a nice addition to the provider :)
(note: this issue was created with the intention of making a PR for it myself, I will edit this comment if I cannot do so for some reason)
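An added example (not the module's code) that serves both the source-bucket naming proposal above and the startup script attributes: the bucket takes either an exact name or a prefix, gets the versioning and public-access block MWAA expects, and the startup script is uploaded by Terraform so its object version is known and can be pinned on the environment. The variables for the environment name, execution role ARN, subnets and security groups are assumed inputs, and startup.sh is assumed to sit next to the configuration.

```hcl
# Added example, not the module's code. Assumed inputs: see the lead-in above.

variable "name" {
  type = string
}

variable "source_bucket_name" {
  description = "Exact bucket name (proposed behaviour); leave null to fall back to the prefix"
  type        = string
  default     = null
}

variable "source_bucket_name_prefix" {
  description = "Bucket name prefix (the module's original behaviour)"
  type        = string
  default     = "mwaa-"
}

variable "execution_role_arn" { type = string }
variable "subnet_ids" { type = list(string) }
variable "security_group_ids" { type = list(string) }

resource "aws_s3_bucket" "mwaa" {
  # bucket and bucket_prefix are mutually exclusive, so exactly one is set.
  bucket        = var.source_bucket_name
  bucket_prefix = var.source_bucket_name == null ? var.source_bucket_name_prefix : null

  lifecycle {
    precondition {
      condition     = var.source_bucket_name != null || var.source_bucket_name_prefix != null
      error_message = "Set source_bucket_name or source_bucket_name_prefix."
    }
  }
}

# MWAA requires versioning on the source bucket and refuses a publicly accessible one.
resource "aws_s3_bucket_versioning" "mwaa" {
  bucket = aws_s3_bucket.mwaa.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_public_access_block" "mwaa" {
  bucket                  = aws_s3_bucket.mwaa.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Terraform uploads the startup script, so a changed script yields a new object
# version and therefore a planned environment update rather than silent drift.
resource "aws_s3_object" "startup" {
  bucket = aws_s3_bucket.mwaa.id
  key    = "startup.sh"
  source = "${path.module}/startup.sh"
  etag   = filemd5("${path.module}/startup.sh")

  depends_on = [aws_s3_bucket_versioning.mwaa]
}

resource "aws_mwaa_environment" "this" {
  name               = var.name
  execution_role_arn = var.execution_role_arn
  source_bucket_arn  = aws_s3_bucket.mwaa.arn
  dag_s3_path        = "dags/"

  # Pin the exact script version the environment was validated with.
  startup_script_s3_path           = aws_s3_object.startup.key
  startup_script_s3_object_version = aws_s3_object.startup.version_id

  network_configuration {
    security_group_ids = var.security_group_ids
    subnet_ids         = var.subnet_ids
  }
}
```

Pinning the object version is the opposite choice from the ignore_changes block discussed earlier for plugins and requirements: here a changed script is meant to show up in the plan, so that what runs at worker startup is always the version recorded in state.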
In the variables.tf, when configuring tags like the following
variable "tags" {
description = "Default tags"
default = {"env": "test", "service": "MWAA Apache AirFlow"}
type = map(string)
}
These will get applied to the VPC resources configured, but not the MWAA resources.
MWAA has "eks:*" access, but it does not need EKS access by default. It does not need S3 delete permissions by default either. Finally, I don't think it needs batch permissions.
#23 fixes this.
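An added example (not the module's code) that covers both the secrets-prefix request above and the unneeded eks, batch and S3 delete permissions called out here: a scoped policy that grants read access only to secrets under a configurable prefix and read/list access to the DAG bucket, with an explicit deny on the services the issues say MWAA does not need. It is meant as an additional policy beside the execution role's core permissions (metrics, logs, SQS), not as a replacement for them. var.secrets_prefix, var.source_bucket_arn and var.environment_name are assumed inputs.

```hcl
# Added example, not the module's code. Assumed inputs: see the lead-in above.

variable "environment_name" { type = string }
variable "source_bucket_arn" { type = string }

variable "secrets_prefix" {
  description = "Only secrets whose name starts with this prefix are readable by MWAA"
  type        = string
  default     = "airflow/"
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

data "aws_iam_policy_document" "mwaa_scoped" {
  # Read-only access to secrets under the prefix: no ListSecrets and no writes.
  # Secrets Manager appends a random suffix to secret ARNs, so the trailing
  # wildcard is required even for an exact secret name.
  statement {
    sid     = "SecretsUnderPrefix"
    actions = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]
    resources = [
      "arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:${var.secrets_prefix}*",
    ]
  }

  # DAG bucket: read and list only, no s3:DeleteObject.
  statement {
    sid       = "DagBucketReadOnly"
    actions   = ["s3:GetObject*", "s3:GetBucket*", "s3:ListBucket"]
    resources = [var.source_bucket_arn, "${var.source_bucket_arn}/*"]
  }

  # Explicit deny for the permissions the issues call out as unneeded, so a
  # broader policy attached later cannot quietly re-introduce them.
  statement {
    sid       = "DenyUnneededServices"
    effect    = "Deny"
    actions   = ["eks:*", "batch:*", "s3:DeleteObject*"]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "mwaa_scoped" {
  name   = "${var.environment_name}-mwaa-scoped"
  policy = data.aws_iam_policy_document.mwaa_scoped.json
}

output "mwaa_scoped_policy_arn" {
  value = aws_iam_policy.mwaa_scoped.arn
}
```

The policy ARN is what you would pass to the module's iam_role_additional_policies input; note that the expected shape of that input (list versus map) is itself under discussion on this page, so check the module version you are using. If a workflow later does need to delete objects or reach another service, add a separate statement scoped to that resource rather than widening the wildcard.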