#announcements (2018-07)
This channel is for workspace-wide communication and announcements. All members are in this channel.
Archive: https://archive.sweetops.com
2018-07-01
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Second training repo. No step by step instruction yet. If you have ideas, or suggestions please submit issues. https://github.com/firmstep-public/trainingdaytwo
trainingdaytwo - Day Two: Creating Terraform modules
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
The example module in demo_one is a working module for a web server in an ASG, which I figured was a common desire for the first thing to template for a company.
2018-07-02
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
@rohit.verma I was able to reproduce that s3 path issue you were experiencing when mounting the s3 bucket: https://github.com/cloudposse/geodesic/pull/167 - once we have it CR’ed and tested will have a new release with this fix in it. Will keep you posted.
what: Add the absolute path to the s3fs script for mounting s3 bucket via goofys. why: Fix a bug where pathing issue causes any mount -a invocation to throw an error: /bin/sh: s3fs: not found
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@mcrowe (and possibly @tamsky) also ran into it
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
just wondering why the mount command is not honoring the PATH
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
Hi Erik, we had a quick chat on Friday regarding ECS! I would love to know how you do it. The end-goal for me is to be able to use 3rd party deployment software which most likely pushes a docker image based on a GIT-SHA, meanwhile Terraform should be able to run and take the last active task definition (this part is simple). Harder part is when I want Terraform to be able to modify the environment variables while keeping the image of the last task definition.
The idea I now have is by taking the image variable length to decide if it's bootstrapping or keep_image:

```hcl
# Initial bootstrapping with ecr/repo:tag
module "ecs_app" {
  image = "ecr/repo:tag"
}

# after that, a change to keep_image
module "ecs_app" {
  image = "" # (default)
}
```

when image == "", I create datasources to get the current image definition, use that as input for the updated task definition resource.
Not sure if that would all work, and happy to hear your input on that.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
roughly it breaks down like this:
1) deploy ecs service task with container definition. default the container to our default-backend (~ a 404 page).
2) use codebuild/pipeline to CI/CD all image deployments.
3) define one public ALB per cluster
4) use ingress rules (targets) to route traffic based on host/paths to backend services
the inspiration for the architecture comes from our experience with kubernetes and trying to make it feel more like it.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
what I describe above is captured in this module:
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
terraform-aws-ecs-web-app - Terraform module that implements a web app on ECS and supporting AWS resources.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
the CI/CD is here: https://github.com/cloudposse/terraform-aws-ecs-codepipeline (which swaps out the image & tag)
terraform-aws-ecs-codepipeline - Terraform Module for CI/CD with AWS Code Pipeline and Code Build for ECS https://cloudposse.com/
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
we programmatically generate the container definition JSON in this module: https://github.com/cloudposse/terraform-aws-ecs-container-definition
terraform-aws-ecs-container-definition - A Terraform module to generate well-formed JSON documents (container definitions) that are passed to the aws_ecs_task_definition Terraform resource
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
and our ALB modules are in: https://github.com/cloudposse/terraform-aws-alb https://github.com/cloudposse/terraform-aws-alb-ingress
terraform-aws-alb - Terraform module to provision a standard ALB for HTTP/HTTP traffic
terraform-aws-alb-ingress - Terraform module to provision an HTTP style ingress rule based on hostname and path for an ALB using target groups
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
oh, and our “default-backend”
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
default-backend - Default Backend for ECS that serves a pretty 404 page
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
Does Codebuild allow cross account ECR repos by now ?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
we have 1:1 codebuild/codepipeline/ecr/web app
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
so a different build image for your staging, as for prod?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
aha, for now, we have not orchestrated that.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
in our case, we would promote an image to the prod repo
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
but we have not done that yet
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
(we’re pretty early in our ECS journey as most of what we use is k8s)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
let me correct that
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
we currently would rebuild it
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
but the way I would want to solve it eventually is to promote the image between ECR repos
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
still reading through it..
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
I see this working when having an imagename like repo:latest, but not for repo:unique_id, or am I missing something
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@sarkis where is an example of our build spec?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
we do set a tag
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
so for example, it’s possible to only deploy tagged releases
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
then it would be repo:tag
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
Contribute to docker-php-poc development by creating an account on GitHub.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
We should add this example to the web app repo docs
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
- ill get to this by EOD … added to my tasks for the day
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
(we never pin to latest)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
printf '[{"name":"%s","imageUri":"%s"}]' $CONTAINER_NAME $REPO_URI:$IMAGE_TAG > imagedefinitions.json
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@maarten I thought you were doing something similar to this
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
so it all comes down to how IMAGE_TAG is computed
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
yes, but after the building, how is terraform aware of the new IMAGE_TAG, I’m not seeing that.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
oh, the lifecycle of the image:tag is not the job of terraform
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
this is our concession
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
terraform is strictly responsible for deploying the infrastructure that powers the service
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
monitoring
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
autoscaling
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
iam permissions, etc
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
so i think we ignore changes, right @sarkis?
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
I agree there, but for me ENV VARS are a sort of grey area
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
SSM
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
+chamber
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
Yeah at Blinkist we’re using SSM
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
(it doesn’t resolve how to “rollback” envs, but we’ve also conceded that we won’t solve for that)
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
But another customer doesn’t want SSM or doesn’t want a wrapper inside his Docker for that..
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
So I thought, maybe I can find a way to deal with that using container def. datasources
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
i agree that I don’t like the wrapper inside the container as the entrypoint, but it’s become the necessary evil to reduce complexity with terraform.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
wrapper = chamber
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
would be nice to have ENV VARS defined for the ecs service instead, problem solved
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
something else, which is beautiful, happens if you use SSM though…
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
call out to @jamie for introducing us to this pattern
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
terraform-aws-ssm-parameter-store - Terraform module to populate AWS Systems Manager (SSM) Parameter Store with values from Terraform. Works great with Chamber.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
you can provision those SSM parameters from outputs of your other modules
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
users, passwords, hosts, etc
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
yeah I’ve seen that, super cool and will use it
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
what’s the customer’s counter argument?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
…we’ve even started using chamber with kubernetes in place of configmaps and secrets. it makes it much, much easier to manage ACLS+IAM using IAM roles
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
Another thing in the chain they don’t know.. I was probably not convincing enough.. first customer after my current employer ..
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
haha, yea, understood - in the end, if you overwhelm them with all the pros, I think the cons are very minimal.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
the ECS envs are also not encrypted
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
ok, outside environment variables you still have CPU and MEMORY definitions
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
that is an actual terraform argument I think
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
maybe not for Fargate
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
that is an actual terraform argument I think
can you elaborate
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
inside the task definition you define the cpu and memory for a task
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
Of course you can set these vars during deployment
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
but is this something any developer should do in some conditions, or rather have memory/cpu centrally orchestrated
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
aha, yes, but i don’t think this solution precludes that
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
we set some defaults
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
but the buildspec.yaml can also override them
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
printf '[{"name":"%s","imageUri":"%s"}]' $CONTAINER_NAME $REPO_URI:$IMAGE_TAG > imagedefinitions.json
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
just add memory to that
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
no?
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
you’re right. I’m thinking from a perspective where the CI is circleci and not managed by terraform..
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
aha
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
yes, i can see that some stuff gets more complicated that way
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
But still, circleci can invoke codebuild
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
i guess
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
or a lambda which does nothing but deployment, and terraform manages the parameters for the lambda.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
yea, lambda is the ultimate escape hatch. can probably accomplish it that way.
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
That also saves me distributing access keys which can stop services.
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
Do you have a tool for remote command execution, fixing a failed migration etc?
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
Thanks anyway, I didn’t find the answer to my solution, but it made it clear that when I control the deployment of ecs I can still control the container definition, be it codebuild or not.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
yep! no problem. i think we went down a similar path until we resolved that it wasn't feasible at this point in time with terraform.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
hrmm… the only migrations we've done so far happen in k8s and then we're able to exec into the container to perform manual remediations.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@jamie might have some tips
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
ok because the new guy replacing me is working on my old tool which does this:
- Takes current running task, properties, security groups
- Creates keypair
- Starts EC2 ECS Instance with keypair
- Starts task [same iam etc]
- SSH into EC2 instance, creates a socket forward for /var/run/docker.sock (this is so cool)
- docker exec into task
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
that sounds pretty cool
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
on-demand ssh
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
i know this is a pattern promoted by Teleport SSH (gravitational)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
but haven’t seen it in practice yet with ECS
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
https://github.com/blinkist/skipper it’s dormant now, also because my golang skills are .. but I’m sure he’ll be able to make something nice of it
skipper - Maintenance tool for moving docker containers on ECS.
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
Anyway, I’ll keep you updated on it, for now it’s focus is on regular EC2, with already SSH access.
For conditions without VPN we can maybe also add a network load balancer to allow outside access to internal ssh
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
yea, what I think could be neat is to have something like this:
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
bastion - Secure Bastion implemented as Docker Container running Alpine Linux with Google Authenticator & DUO MFA support
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
that is deployed on demand into the cluster for triaging
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
e.g. fixing failed migrations
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
Well it would be nice to be able to completely log it to an S3 bucket, with the private key EC2 generation for the ec2 instance for the specific user (for which it needs MFA ) the extra MFA is probably overkill.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
but is ec2 instance access necessary?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
what i like about using containers is that it’s still isolated
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
I like that too, but when things break someone wants to have access I suppose..
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
One question, how quick is codebuild now w/r booting up?
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
It’s pretty quick now, but as you can see from the code for the “test app” we are using - it’s really basic.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@sarkis can maybe answer this
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
The idea I have now is this
- Have CircleCI test & build , a lot of startups here are using Circleci
- After build and push to ECR, push textfile to S3 in dev/uat/prod environment with image:tag
- Codebuild just pushes to ECS
- CircleCI loops&polls codebuild result, finishes
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Yep, that sounds like a good solution to a common use case
![Max Moon avatar](https://secure.gravatar.com/avatar/c5140df884cb23031870bc683b2e8315.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@Erik Osterman (Cloud Posse) https://github.com/cloudposse/geodesic/pull/168
What it is: Previously this used an old spec that caused newer installations of this chart to fail. storageSpec has since been updated to just storage See: coreos/prometheus-operator#860 (commen…
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
One question regarding terraform-aws-ecs-web-app Have you ever had issues with the ecs_service being created before the listener_rule was added to the target_group ? I don’t see this dependency being forced in terraform-aws-ecs-web-app and I had this quite a lot and caused me to trick around.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@sarkis
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
@maarten we do have that issue - since it's a one time problem (cold boot) - we are just running terraform apply twice for the time being. I'd like to at some point dig into the provider and see if there is something to be done there, before trying to hack this with depends_on statements
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Clarify what you mean by twice
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I think what you mean is two phases
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Not twice as retrying after failure :)
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
well it fails then
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
depends on definition of fail.
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
But the hack to mitigate it is .. kind of ugly..
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
How did you get it working?
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
terraform-aws-airship-ecs-service - Terraform module which creates an ECS Service, IAM roles, Scaling, ALB listener rules.. Fargate & AWSVPC compatible
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
so the listener rules of the alb handling are outputted
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
inputted after into the ecs service module
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
then a null resource .. doing nothing
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
and aws_ecs_service with a depends_on
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
clever
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
but maybe the null_resource could be removed, create a local, and add the local to the count = inside the ecs_service I think now
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
might be a computed count issue
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
well, we don’t have to count it, just evaluate it in someway
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
hm
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
so @maarten looking over your ecs_service/ in more depth - it looks like you need 2 tf runs as well right?
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
nope
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
where ?
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
i guess i’m not seeing where lb_attached gets changed
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
oh nvm i see how you make it wait with null_resource
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
lb_attached is just input for if it is a worker or a web service
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
The ugliest hack you will find here : https://github.com/blinkist/terraform-aws-airship-ecs-service/blob/master/modules/ecs_task_definition/main.tf search for my_random. Module has as input key-value pairs which afterwards are turned into Name: Value: pairs for the environment variables of the task definition.. I found out that when “true” runs through a null_resource it will be casted to a 1 ..
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
I have no idea how I could fix this otherwise, input very much welcome
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
yea typecast hell is real in TF
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
we did something similar for converting TF -> json
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
i mean not similar but a similar typecast issue
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
let me find it - it might make you feel better about your hack
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
I think the ecs_service can be done without null_resource, add another empty item to the list, grab that item from the list, call it empty_string , and use that empty_string somewhere in ecs_service
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
terraform-aws-ecs-container-definition - A Terraform module to generate well-formed JSON documents (container definitions) that are passed to the aws_ecs_task_definition Terraform resource
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
lol
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
i call that “cost of doing business with terraform”
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
price we have to pay
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
sadly - i was reading through HCL2 didn’t see anything specifically about the typecasting
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
there was a vague mention that types work better or something
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
Do you know if your modules will break yes/no ?
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
that’s also very vague right now - i think they are waiting for the community to do the dirty work
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
Wonder what is smart then, just create a new one calling it module-hc2 and go from there
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
i was thinking a new branch to start out
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
for example in the ecs_service part i now have 4 x ecs_service with conditionals.. with hcl2 this can be compacted to just one
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
but that might be too optimistic
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
ah yea i hear you though - it’s going to assume you can use the new tf version everywhere too
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
can prob fix this with tags though… go to a new major release for HCL2 (in your modules)
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
and then a note in the readme
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
sounds like they are going to support both languages initially, no?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
so that provides an upgrade path
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
so modules can lay claim to the legacy provider until upgraded
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
hmm how would that work? oh just depends on what provider version you lock?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
but i’m definitely nervously biting my nails right now hoping that it won’t be too painful
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
we have something like 70 modules
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
yea and i’m certain we do some interesting workarounds / hacks that are going to be fixed/deprecated in the future
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
Night ttyl
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
goodnight!
2018-07-03
![cbravo avatar](https://secure.gravatar.com/avatar/49ecccdb93822bf76f733a2a7f0bd12a.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
Good morning… new to the channel and not sure where I should / if I should be asking questions here… A while back I saw you guys do a presentation along side Codefresh…I remember being very impressed with the deployment pipeline you guys had set up and I am trying to get something of my own set up. I am curious how you guys connect git tags and pull them through to your dockerhub registry
![cbravo avatar](https://secure.gravatar.com/avatar/49ecccdb93822bf76f733a2a7f0bd12a.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
I just found this page …. seems like I am on the right track https://docs.cloudposse.com/release-engineering/cicd-process/semantic-versioning/
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@cbravo I can share more details a little later today
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Currently afk
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Yes that’s a good place to start
![cbravo avatar](https://secure.gravatar.com/avatar/49ecccdb93822bf76f733a2a7f0bd12a.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
@Erik Osterman (Cloud Posse) Thank you very much…. I am also scoping out this repo (https://github.com/cloudposse-demo/demo-catalogue) and the build harness repo
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
we’ve also iterated a lot since that demo
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
would love to get you to try out the new stuff
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
all of our new stuff uses helmfile
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
are you familiar with that?
![cbravo avatar](https://secure.gravatar.com/avatar/49ecccdb93822bf76f733a2a7f0bd12a.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
I am not
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
it simplifies a lot of stuff around working with helm
![cbravo avatar](https://secure.gravatar.com/avatar/49ecccdb93822bf76f733a2a7f0bd12a.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
we are just getting our feet wet with helm but the particular project I am currently focused on is just a deployment image (it has aws cli in it and some other tools we use…) and I am trying to come up with a way to keep the git tag inline with the tags in docker hub without having to do a bunch of automated steps
![cbravo avatar](https://secure.gravatar.com/avatar/49ecccdb93822bf76f733a2a7f0bd12a.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
codefresh gives you the git hub short revision but no access to the git tags
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
aha, ok - that is a simpler use-case
![cbravo avatar](https://secure.gravatar.com/avatar/49ecccdb93822bf76f733a2a7f0bd12a.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
we are slowly ramping up our knowledge of helm and kubernetes but we aren’t there yet
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
terraform-root-modules - Collection of Terraform root module invocations for provisioning reference architectures
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
here’s a more simple codefresh pipeline
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
this builds a docker image and tags it with the semantic version generated in a previous step
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
it’s also an example of pushing the image to multiple registries
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
Any Datadog users here ?
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
i think we all have a bit of experience (cloudposse org)
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
I’ve not seen a good timeboard module yet, and with locals the population of multiple graphs can be fixed .. at least it looks like it
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
i personally have less than others here with datadog - my use case was limited to monitoring kafka
![cbravo avatar](https://secure.gravatar.com/avatar/49ecccdb93822bf76f733a2a7f0bd12a.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
@Erik Osterman (Cloud Posse) so is the build harness something that the public should be using? like should I consider using your build harness? or is it something that could change without warning
![cbravo avatar](https://secure.gravatar.com/avatar/49ecccdb93822bf76f733a2a7f0bd12a.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
or really something I should just consider taking pieces of and rolling my own solution based off it
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
we recommend to all of our customers to use the build-harness
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
it’s well maintained and we tag all releases. so if it suits your needs, by all means, leverage it.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
especially with codefresh, the build-harness makes a lot of sense since every step runs in a container
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@cbravo let me know if it would be helpful to take a look at what you have
![cbravo avatar](https://secure.gravatar.com/avatar/49ecccdb93822bf76f733a2a7f0bd12a.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
and if we are not currently customers?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
only share what’s not subject to an NDA
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
you can DM me
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
I am 200 messages behind this chat. Sorry I’ve been afk guys.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
you snooze you lose
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Totally!
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
If anyone wants to take a look at the basic structure of a datadog timeboard module, feel free to comment.
https://github.com/maartenvanderhoef/terraform-datadog-timeboard/blob/master/examples/main.tf
https://www.terraform.io/docs/providers/datadog/r/timeboard.html
Problem of the datadog_timeboard was that it’s set up like the cloudfront resource.. many blocks after another inside one resource.. but now with locals it can be modularized a bit. I wanted to be able to create graphs separately from creating the actual timeboard by creating 2 modules and this seems to be working.
Provides a Datadog timeboard resource. This can be used to create and manage timeboards.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@dave.yu @Daren maybe something interesting for you guys
![dave.yu avatar](https://secure.gravatar.com/avatar/d53c92d6da51c7e2f52617d42eb2a82f.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0025-72.png)
cool will take a look
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
anyone know how to get the version of a terraform module programmatically? e.g. ${module.version}
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
use-case: I want to download artifacts from github release corresponding to the version of the terraform module
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
(e.g. a lambda zip file)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
this appears to work:
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
```hcl
variable "git_ref" {
  default = "tag"
}

# Run `git tag --points-at HEAD` inside the module directory and emit the tag name as JSON
data "external" "example" {
  count   = "${var.git_ref == "tag" ? 1 : 0}"
  program = ["git", "-C", "${path.module}", "tag", "--points-at", "HEAD", "--format={\"ref\": \"%(refname:lstrip=2)\"}"]

  query = {}
}

output "ref" {
  value = "${join("", data.external.example.*.result.ref)}"
}
```
![tamsky avatar](https://avatars.slack-edge.com/2019-10-31/817094217669_6e765cea39b456597957_72.jpg)
minor nit: even with a data.external.example input or output, we can’t use either to instantiate the module: Terraform does not support interpolations in the source parameter of a module
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
outputs:
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
ref = test-0.1.1
2018-07-04
![mcrowe avatar](https://secure.gravatar.com/avatar/376a37607d4a5672ed16bf47f6df7369.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
Hey @Erik Osterman (Cloud Posse) – been looking at aws-cloudfront-s3-cdn. Do you guys have a strategy for a javascript bundled webapp deployed to dev/test/prod via codepipeline?
![mcrowe avatar](https://secure.gravatar.com/avatar/376a37607d4a5672ed16bf47f6df7369.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
I’m wondering: 1) Github -> hook -> CodePipeline (builds app via webpack) and pushes to dev 2) Q/A approves, time to move to test/uat 3) (?????) push dev artifacts to uat 4) Customer approves live 5) (?????) pushes uat artifacts to prod
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
we usually use tags for gate control
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
so branches = dev
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
merge to master = pre-production
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
tags like release- go to prod
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
we have implemented this with codefresh
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
not yet with codepipeline
![mcrowe avatar](https://secure.gravatar.com/avatar/376a37607d4a5672ed16bf47f6df7369.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
Maybe I’m over-thinking it. Maybe each one is a codepipeline task off a branch
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
There’s a seriously small cap on the number of pipelines you can make. But because you can pass a lot of data to them you can do a lot. So I suggest making your pipeline as generic per task as you can and making it work for you.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
So what you describe is a pretty common pattern. A few of our customers do exactly that. We haven’t packaged that up as a terraform module. Most of them use Codefresh for CI/CD, and then use
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
terraform-aws-cloudfront-cdn - Terraform Module that implements a CloudFront Distribution (CDN) for a custom origin.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
terraform-aws-s3-website - Terraform Module for Creating S3 backed Websites and Route53 DNS
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Here’s a reference implementation https://github.com/cloudposse/terraform-root-modules/tree/master/aws/docs
2018-07-05
![tom avatar](https://secure.gravatar.com/avatar/8bd5294b1e485a539e8500e7fa1348e2.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0012-72.png)
hey folks, quick question on the prometheus-cloudwatch exporter. When i try to follow the kubernetes instructions (https://github.com/cloudposse/prometheus-to-cloudwatch) the prometheus-to-cloudwatch pod fails to deploy, saying the image is unavailable. I’m running helm install . from within the charts subdirectory so I’m not sure what to do next.
prometheus-to-cloudwatch - Utility for scraping Prometheus metrics from a Prometheus client endpoint and publishing them to CloudWatch
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@tom thanks for the report. I will check into this a bit later today.
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
Hello @tom - do you have some more info you can share, namely helm/tiller version while we look into reproducing the issue?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@Andriy Knysh (Cloud Posse) are you are around to take a look?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@sarkis probably just wrong image tag
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
It should correspond to the latest release in the repo
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
ah yea
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
i see an old version here: https://github.com/cloudposse/prometheus-to-cloudwatch/blob/master/chart/values.yaml#L21
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
i’ll check in after i push through the few tasks i have today - if you haven’t looked yet I can dig into it..
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@tom
![tom avatar](https://secure.gravatar.com/avatar/8bd5294b1e485a539e8500e7fa1348e2.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0012-72.png)
Ah yeah that was it. Thanks for your help
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
great!
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
For our use case, it’s so we can download a zip artifact for a lambda function from the module GitHub release page.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
what Do not set Name and Namespace why When we try to set the tags "Name" and "Namespace" the second deployment fails (the first one is ok). example * module.front-elastic-…
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@jamie any idea how we can change this to only apply Name and Namespace on first apply?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
apparently, all applies after the first one fail if these are set
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Yo
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
just a moment, I'll look
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
thx
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
well, yeah
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
```hcl
lifecycle {
  ignore_changes = ["tags"]
}
```
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
might do it
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
ah, yea, I think that’s a better fix
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
I’m not set up to test that it will fix it though
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
are you able to?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
i’ll ask that they try it out
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
if not… then its possible to do their fix… or strip “Name” and “Namespace” tags back out
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
but i think their solution is .. tidier than removing two map items from a map
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
by having a data lookup the existing tags on the elb
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
and only apply the extra tags
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
ok, my response: https://github.com/cloudposse/terraform-aws-elastic-beanstalk-environment/pull/37#pullrequestreview-134777928
what Do not set Name and Namespace on Elastic Beanstalk Environment why When we try to set the tags "Name" and "Namespace" the second deployment fails (the first one is ok)….
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
since you can reference resources directly
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
so you could do { if lookup(this.resource.tags, "Name", "NAME_NOT_EXISTS") != "NAME_NOT_EXISTS" } add full list of tags { else } add subset of tags { end }
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
^pseudocode
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Thanks for thinking of me
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
yea, that will simplify so many things in complex terraform modules
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
thanks!
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
As part of the lead up to the release of Terraform 0.12 later this summer, we are publishing a blog post each week highlighting a new feature. The post this week is on first-class …
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
i should start constructing a sed expression to replace “${var…}” to var…. and post to the cloudposse blog
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
no need i think
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
they will have a conversion method
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
oh like a HCL 1->2?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
so all the standard stuff will convert as easily as something like terraform fmt .
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
yea
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
nice
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
that's true, this should be a fmt change
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
(also, I’m not sure if fmt is the action they will use, but I read that they will provide a means of automatically upgrading code)
2018-07-06
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
https://github.com/kubernetes/kops/issues/2537 (via @Daren)
I noticed a few instances where if a pod is hung in ContainerCreating state, or some other state and won’t go into Evicted state Kops hangs forever waiting for it during a rolling-update.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@Max Moon @dave.yu heads up
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
there’s an issue with kops 1.9 where it has trouble detecting failed pod evictions
![Max Moon avatar](https://secure.gravatar.com/avatar/c5140df884cb23031870bc683b2e8315.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Good looking out, thank you!
![Daren avatar](https://secure.gravatar.com/avatar/55429c4768df2c080781c0a4f0bedb77.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0010-72.png)
We hit it on every node with nginx-ingress-controller
![Max Moon avatar](https://secure.gravatar.com/avatar/c5140df884cb23031870bc683b2e8315.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Dang, I upgraded worker node size yesterday and fortunately it went smoothly
2018-07-09
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@dave.yu @Max Moon heads up: https://github.com/cloudposse/geodesic/pull/172/
what Replace sets with inline values Rewrite values files with inline values (except files with comments that used to override values) why #169
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
we’re planning on merging this soon.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
it uses inline values.yaml to make it easier to maintain
![Max Moon avatar](https://secure.gravatar.com/avatar/c5140df884cb23031870bc683b2e8315.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Thanks @Erik Osterman (Cloud Posse)
2018-07-10
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Hey i have a tip for you guys when dealing with ecs
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
in many cases the service, the containers, and the metrics all want the cluster name, not the arn
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
but the resource doesn’t provide a name, just the arn
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
but you can do this:
```hcl
locals {
  # the last path segment of the cluster ARN is the cluster name
  cluster_name = "${basename(aws_ecs_cluster.default.arn)}"
}
```
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
to get the name
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
that’s a good one! like the use of basename(...) for this
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
I was doing
```hcl
locals {
  # split the ARN on "/" and take the part after "cluster/"
  cluster_name = "${element(split("/", aws_ecs_cluster.default.arn), 1)}"
}
```
Before.
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
really nice tip - thanks @jamie i was trying to figure out last week how to get the name with just the ARN (was looking at data source, but some sources don’t have name available :()
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
I thought it would be up your alley
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
I have grown to dislike “terraform_remote_state” data provider
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
hmmm - not good in practice?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
how come?
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
It requires a lot of details to collect details from a remote state
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
It has meant that when writing code that depends on other modules
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
you have to pass in “workspace”, “s3 bucket name”, “state path”, and use shit like:
```hcl
### For looking up info from the other Terraform States
variable "state_bucket" {
  description = "The bucket name where the shared Terraform state is kept"
}

variable "state_region" {
  description = "The region for the Terraform state bucket"
}

variable "env" {
  description = "The terraform workspace name."
}

locals {
  # non-default workspaces store their state under env:/<workspace>/ in the bucket
  state_path = "${var.env == "default" ? "" : "env:/${var.env}/"}"
}

### Look up remote state info
data "terraform_remote_state" "vpc" {
  backend = "s3"

  config {
    bucket = "${var.state_bucket}"
    key    = "${local.state_path}vpc/state.tfstate"
    region = "${var.state_region}"
  }
}
```
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
That locals hack to get around the non-conformance that it has with workspaces
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
hrmm… yes… fwiw, here’s what we’ve recently done
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
```hcl
data "terraform_remote_state" "backing_services" {
  backend = "s3"

  config {
    bucket = "${module.identity.namespace}-${module.identity.stage}-terraform-state"
    key    = "backing-services/terraform.tfstate"
  }
}
```
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
we have a module that keeps track of a lot of constants
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
that can be reused
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
i think just stay clear of workspaces
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
we don’t love it
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Workspaces were so good when I discovered them
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
yea because you’d think it would help DRY
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
With one command I could switch from the ecs container task that has jenkins deploying, to the nginx container, to the node container
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
all the same code, but different vars
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Yeah, but when it comes to state management and workspaces
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
there is a lot to be desired
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
If only terraform_remote_state wasn’t the only data source with a default
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
I’d be using parameter_store, or an api call.
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
/whinge
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
One last gripe….!
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
I would prefer that blocks that only have one entry in them were put all in one line when you formatted.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
haha devops therapy sessions
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
how does that make you feel?
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
```hcl
resource "aws_thing" "default" {
  tags = { managedby = "Terraform" }
}
```
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
```hcl
output "thing" { value = "the thing i mentioned" }
```
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
IMO, I don’t like that. I agree it’s concise, but in most language frameworks I’ve dealt with, they are strict about how braces are used. Typically, they enforce one of:
```
if (...) {
    ....
}
```
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
or
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
```
if (...)
{
    ...
}
```
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
but never
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
if (...) { ... }
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Where’s the Terraform yaml option!
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Okay… gripe done ;-D
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
heh, would be interesting to see what TF would look like in YAML
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
```yaml
data:
  template_file:
    example:
      template: '${hello} ${world}!'
      vars:
        hello: goodnight
        world: moon
output:
  rendered:
    value: '${data.template_file.example.rendered}'
```
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
```yaml
variable:
  count:
    default: 2
  hostnames:
    default:
      '0': example1.org
      '1': example2.net
data:
  template_file:
    web_init:
      count: '${var.count}'
      template: '${file("templates/web_init.tpl")}'
      vars:
        hostname: '${lookup(var.hostnames, count.index)}'
resource:
  aws_instance:
    web:
      count: '${var.count}'
      user_data: '${element(data.template_file.web_init.*.rendered, count.index)}'
```
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
AKA
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
```hcl
data "template_file" "example" {
  // "$${" escapes the template variables so Terraform does not try to interpolate them itself
  template = "$${hello} $${world}!"

  vars {
    hello = "goodnight"
    world = "moon"
  }
}

output "rendered" {
  value = "${data.template_file.example.rendered}"
}
```
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
and
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
```hcl
variable "count" {
  default = 2
}

variable "hostnames" {
  default = {
    "0" = "example1.org"
    "1" = "example2.net"
  }
}

data "template_file" "web_init" {
  // here we expand multiple template_files - the same number as we have instances
  count    = "${var.count}"
  template = "${file("templates/web_init.tpl")}"

  vars {
    // that gives us access to use count.index to do the lookup
    hostname = "${lookup(var.hostnames, count.index)}"
  }
}

resource "aws_instance" "web" {
  // ...
  count = "${var.count}"

  // here we link each web instance to the proper template_file
  user_data = "${element(data.template_file.web_init.*.rendered, count.index)}"
}
```
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
can’t help but feel like it’s “cloudformation” when seeing it in YAML format
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
it feels like they just “borrowed” the golang approach to { }
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
now that's a nice positive rant
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
i’ve noticed he does these multiple tweets a lot lol
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
that’s cool
2018-07-11
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
I’m mid module writing for handling ecs instance draining for spot instances, but I want it to handle ASG standard instances as well…
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
so now it looks like I'm making another module for my module
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
how are you implementing the draining?
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
Modifies the status of an Amazon ECS container instance.
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Good question
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
boto3
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
on asg instance termination sns alert
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
i get the instance id
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
And currently i grab the list of all ecs clusters, then in each cluster, i list all container_instances, and then i compare my instance id to the container instance id.
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Once I have that i change state to draining
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
I don’t know how heavy those requests are when there are 100 clusters with 10000 instances on each
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
but it works for mine
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
I expect a faster lookup would be: tag each instance on creation with its cluster name
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
then, use the tags to get the cluster name from the id.
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
But then it involves an extra step on creation.
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Whereas this way, i don’t need access to the ASG resource, just the asg name
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
I am still in POC stage with it really
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
I can see many ways to smooth it out, break it in to smaller reusable chunks and so on
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
but … maybe once I get the functions and permission sets all working
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
I can split the modularisation of it with Sarkis or something
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Well, it works
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
terraform-aws-ecs-launch-template - Terraform module for generating an AWS Launch Template for ECS that handles draining on Spot Termination Requests
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
It now also handles draining on scale in
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Next it likely needs the lambda function rewritten to trim all of the junk off it, and set up a step function, so that a 5 or 10 second delay can be added between checking if the tasks have drained.
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
at the moment it just loops with no delay, between sns -> lambda -> sns ->lambda etc
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
until it finishes draining the tasks
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@jamie the upstream tf PR was merged to support the launch templates?
2018-07-12
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Not for spot fleets.
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
So while waiting for that, I made the template module handle both spot fleets, asg on demand, and asg spot.
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
That’s just the launch template module
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
The other module which I’m making with you in mind is the auto scaling spot fleet one.
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
And that requires the merge first
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Your typical cloud monitoring service integrates with dozens of service and provides you a pretty dashboard and some automation to help you keep tabs on how your applications are doing. Datadog has long done that but today, it is adding a new service called Watchdog, which uses machine learning to …
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
I like writing modules because it makes me do less work in the long term.
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
Question for the ones who worked with K8S before, I have not really. How does it compare to ECS for you. I see small startups offering jobs to devops for their to-be-configured k8s cluster ( on AWS) and I really think, why not just ecs ? It’s so much hype.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
feature velocity of k8s is insane. huge ecosystem of tools, much larger than for ECS. IMO, it’s easier to deploy complex apps on kubernetes than on ECS. ECS needs something like Helm. Not sure if “terraform” is the answer for that. ECS has evolved leaps and bounds from when I first looked at it (e.g. DNS service discovery), but it still feels rather primitive coming from a kubernetes background. I think one big thing ECS has going for it is that it is simpler, but in being simpler lacks a lot of the cool features of kubernetes.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
charts - Curated applications for Kubernetes
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
There’s no significant library of apps for ECS like there is for kubernetes. That to me is a little bit of a red flag.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
(that I’m aware of)
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
True, but tbh, how many of the cool features do you really need. And will some cool features like persistent storage let people make decisions which are contrary to the reason for moving to AWS, like, having AWS taking care of your stateful services.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
The idea is to represent as much of the infrastructure as possible so that it can be easily deployed without involving ops
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
with ECS, that’s not really possible.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
with k8s, you can almost do everything but IAM roles/policies
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
volumes, load balancers, ingress, namespaces, secrets, configmaps, replicasets, deployments, pods, etc.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
automatic TLS
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
automatic DNS
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
so basically a single helm chart is capable of provisioning a web app with a dynamic TLS certificate, automatic public DNS registration, pulling secrets and exposing them as envs, mounting configmaps as files on the filesystem, provisioning EBS volumes for scratch storage, and more…
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
we use these features all the time.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
CI/CD of this is very easy with Kubernetes
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
few orgs actually do CI/CD of terraform
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
ok, but when connected to AWS in ways of networking, iam, .. then you do get terraform after all
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
persistent storage doesn’t have to be “persistent”
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
but you need it for big data applications like cassandra or HDFS
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
and for staging environments, we run apps like postgres
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
so having attached storage is necessary since the host machine is limited
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
so kubernetes cannot exist without terraform
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
that’s why it’s so central still to everything we do visible in our github
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
but kubernetes is headed in the right direction
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I’d love to see a kind: Terraform
in kubernetes
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
then it would truly allow everything
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
for what resources then ?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
IAM roles, policies
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
RDS databases
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
elasticache instances
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
EFS filesystems
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
etc.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
…so fully managed services
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Here’s a POC presented at HashiConf: https://github.com/kris-nova/terraformctl
terraformctl - Running Terraform in Kubernetes as a controller
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
The other thing about k8s, is it’s more like a framework (like “rails”) for how to do cloud automation. It provides the interfaces, scheduling, state, service discovery. Then makes it extensible to add anything else on top of it. So for more complex applications, e.g. “postgres”, in order to run it in a containerized environment, you need an “application aware” controller. Something that knows instinctively how to manage postgres. How to do updates, upgrades, rollbacks, etc.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
So people are developing operators like this: https://github.com/CrunchyData/postgres-operator
postgres-operator - PostgreSQL Operator Creates/Configures/Manages PostgreSQL Clusters on Kubernetes
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
etcd-operator - etcd operator creates/configures/manages etcd clusters atop Kubernetes
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
for running complex applications that aren’t just stateless webapps
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
Sure, but having seen a few meetups with pains of guys running stateful inside k8s..
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
Didn’t we move to AWS to not have state anymore
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
i agree that not dealing with state is the “ideal” situation
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
and we encourage our customers to push that off as long as possible
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
but I would rather have a platform capable of handling that in addition to all the stateless apps
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
at some point, someone needs to manage the state.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
aws doesn’t provide state management for every application
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
thus some apps do need to handle that.
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
true, although, there are so many providers who offer services through vpc peering now
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
mongo atlas for example
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
yea, i would love to see more of that
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
i think that’s a cool direction
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
also, we’re still in the wee early days of k8s, but look how far & fast it’s come?
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
totally, in the end this is about not having 24/7 shifts, and not needing a 100% devops
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
With ECS I think this is possible, with self managed k8s, maybe less
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
yea, so back to perhaps your original question
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
but I don’t know k8s enough
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
to really judge there
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
companies who don’t have any dedicated devops, i would recommend considering ECS
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
smaller shops, with 1-4 people, ECS is probably better/simpler.
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
also with fargate then.. just great
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
i came from 80, but also only devops .. so ECS is perfect then
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
i think we’re coming at this from 2 different backgrounds. i spent the last 3 years working with k8s and 2 months with ECS.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
so I don’t yet fully appreciate perhaps ECS.
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
you will, let’s just wait for that one k8s update hehe
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
haha
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
i really want to start working on our TF modules for EKS.
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
having deployed both - i do prefer k8s - something about it just appeals to me - i think it’s mostly the fact that i can do everything out of the box via command line - i.e. kubectl
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
def possible for ecs i bet but aws-cli is meh
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
for example - so easy to cat out the logs for ingress and describe a pod etc… for ECS i still find myself in the AWS web console - i know I am doing it wrong - but aws doesn’t make it a no brainer task like k8s for cli equivalents
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
so in a 20 developer situation how many people have kubectl and can do damage ?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
RBAC addresses that concern
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
also, you can give those developers carte blanche for a namespace, so they can triage their own stuff.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
speeds up iterations, removes bottlenecks
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
yea good point - not ideal in production
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
and imo kubectl is the emergency hatch - so whoever is dealt the devops card in the 20 dev group
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
large companies definitely are dealing with it though and as far as I know, love the RBAC support within kubernetes.
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
ok
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
i.e. knows what they are doing
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
hehe
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
As part of the lead up to the release of Terraform 0.12 (https://www.hashicorp.com/blog/terraform-0-1-2-preview), we are publishing a series of feature preview blog posts. The post…
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@Erik Osterman (Cloud Posse) uploaded a file: Pasted image at 2018-07-12, 6:49 PM
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
This is awesome, but I find the formatting awkward without additional indention
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Kubernetes and related technologies, such as Red Hat OpenShift and Istio, provide the non-functional requirements that used to be part of an application server and the additional capabilities described in this article. Does that mean application servers are dead?
2018-07-13
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
@Erik Osterman (Cloud Posse) /@sarkis Within geodesic wrapper we are publishing geodesic port and binding kubernetes_api_port to it, can you tell why we are doing this
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
also how can I proxy something out of container to host
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
say for example kubernetes-dashboard
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Yep! This is for kubectl proxy
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
So you can do exactly what you want to do
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Also, for dashboard you can do something else
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
But I am on my way to bed. Can demo our portal for you tomorrow or next week
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
It uses bitly oauth2 proxy
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
kubectl proxy --port=0.0.0.0:8080
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
it seems not to be working as expected, so if I do kubectl proxy --port=$GEODESIC_PORT
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
From inside geodesic
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
No
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
yes that’s what i am doing
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
okay
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
You are not binding to 0.0.0.0
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
By default it is 127.0.0.1
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Docker port forwarding does not work to local host
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Actually, arg is diff
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
kubectl proxy --port=0.0.0.0:8080
gives invalid port syntax exception
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
--address=0.0.0.0
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
okay
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
sorry, on phone so hard to type
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
that’s working
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
thanks
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I have Kubernetes running on a VM on my dev box. I want to view the Kubernetes dashboard from the VM host. When I run the following command: kubectl proxy --address 0.0.0.0 --accept-hosts ^/.* …
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Might need to add this too
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I will document this too
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
It’s a good question
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
Anyways thanks a lot, it was an instant resolution, cheers
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Haha welcome! :)
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
Hi, someone with spare time and wants to help me out with something. I’m passing a list with maps to a resource. This works as long as there is no interpolation happening with a variable from an external source. When I do it fails and the resource complains certain keys are missing from the map.
But when I output that structure, the structure is the same, just in a different order, I can’t figure out what is wrong with it.
https://gist.github.com/maartenvanderhoef/83047f578486dce8f5995d3c728b99d3
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Can you share the precise error
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
Error: datadog_timeboard.this: "graph.0.request": required field is not set
Error: datadog_timeboard.this: "graph.0.title": required field is not set
Error: datadog_timeboard.this: "graph.0.viz": required field is not set
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
This sounds familiar. @Andriy Knysh (Cloud Posse) I think ran into this in one of our other modules, but I don’t remember which one
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Have you tried not using a local?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
For the data structure
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Have you tried removing the brackets here:
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
Then it does work, but that wouldn’t work for my module ..
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
graph = ["${local.not_working_graph}"]
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
let me try
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
the thing is, i’m passing a list of maps there normally, not just one, so it’s an actual list..
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
but let me try just a single one.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Actually, I misread your local
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Thought it was already in a list
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
What if you put the local in a list
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I don’t have any ideas other than to try all kinds of permutations of what you are attempting to do
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
(On my phone)
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
first attempt "datadog_timeboard.not_working: graph: should be a list"
the datadog_timeboard can have multiple graph { } blocks, so it must be a list.
haha, thanks , i’ll try the other option
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
2nd option, same problem as initial error. When outputted I have this:

```
not_working = {
  request = [map[style:map[type:solid width:normal palette:dog_classic] q:avg:aws.applicationelb.target_response_time.p95{targetgroup:targetgroup/qa-web-backend-web/123} aggregator:avg type:line]]
  title = not_working
  viz = timeseries
}
working = {
  request = [map[q:avg:aws.applicationelb.target_response_time.p95{targetgroup:targetgroup/qa-web-backend-web/123} aggregator:avg type:line style:map[palette:dog_classic type:solid width:normal]]]
  title = working
  viz = timeseries
}
```

I’ll wait for the new terraform I think.
2018-07-14
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
@Erik Osterman (Cloud Posse) I think there is some issue with git::https://github.com/cloudposse/terraform-aws-rds-cluster.git?ref=master
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
What’s the problem?
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
I have created

```hcl
module "rds_mysql" {
  # Slack link markup (<...>) removed from the source URL; it must be a plain git:: address for Terraform
  source             = "git::https://github.com/cloudposse/terraform-aws-rds-cluster.git?ref=master"
  engine             = "aurora-mysql"
  cluster_size       = "${var.MYSQL_CLUSTER_SIZE}"
  cluster_family     = "aurora-mysql5.7"
  namespace          = "${var.namespace}"
  stage              = "${var.stage}"
  name               = "${var.MYSQL_DB_NAME}"
  admin_user         = "${var.MYSQL_ADMIN_NAME}"
  admin_password     = "${var.MYSQL_ADMIN_PASSWORD}"
  db_name            = "${var.MYSQL_DB_NAME}"
  instance_type      = "${var.MYSQL_INSTANCE_TYPE}"
  vpc_id             = "${module.vpc.vpc_id}"
  availability_zones = ["us-west-2b", "us-west-2c"]
  security_groups    = ["${aws_security_group.store_pv.id}"]
  subnets            = ["${module.subnets.private_subnet_ids}"]
  zone_id            = "${var.zone_id}"

  cluster_parameters = [
    {
      name  = "character_set_client"
      value = "utf8"
    },
    {
      name  = "character_set_connection"
      value = "utf8"
    },
    {
      name  = "character_set_database"
      value = "utf8"
    },
    {
      name  = "character_set_results"
      value = "utf8"
    },
    {
      name  = "character_set_server"
      value = "utf8"
    },
    {
      name         = "lower_case_table_names"
      value        = "1"
      apply_method = "pending-reboot"
    },
    {
      name         = "skip-character-set-client-handshake"
      value        = "1"
      apply_method = "pending-reboot"
    },
  ]
}
```
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
but if I run terraform apply a 2nd time, it recreates the instance
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
```
-/+ module.rds_mysql.aws_rds_cluster.default (new resource required)
      id:                                  "niki-dev-commerce" => <computed> (forces new resource)
      apply_immediately:                   "true" => "true"
      availability_zones.#:                "3" => "2" (forces new resource)
      availability_zones.2050015877:       "us-west-2c" => "us-west-2c"
      availability_zones.221770259:        "us-west-2b" => "us-west-2b"
      availability_zones.2487133097:       "us-west-2a" => "" (forces new resource)
      backup_retention_period:             "5" => "5"
      cluster_identifier:                  "niki-dev-commerce" => "niki-dev-commerce"
      cluster_identifier_prefix:           "" => <computed>
      cluster_members.#:                   "1" => <computed>
      cluster_resource_id:                 "cluster-PA4BVKHSGWXDI7RT72RN2JGEZQ" => <computed>
      database_name:                       "commerce" => "commerce"
      db_cluster_parameter_group_name:     "niki-dev-commerce" => "niki-dev-commerce"
      db_subnet_group_name:                "niki-dev-commerce" => "niki-dev-commerce"
      endpoint:                            "niki-dev-commerce.cluster-cgxpu4rhgni7.us-west-2.rds.amazonaws.com" => <computed>
      engine:                              "aurora-mysql" => "aurora-mysql"
      engine_version:                      "5.7.12" => <computed>
      final_snapshot_identifier:           "niki-dev-commerce" => "niki-dev-commerce"
      hosted_zone_id:                      "Z1PVIF0B656C1W" => <computed>
      iam_database_authentication_enabled: "false" => "false"
      kms_key_id:                          "" => <computed>
      master_password:                     <sensitive> => <sensitive> (attribute changed)
      master_username:                     "root" => "root"
      port:                                "3306" => <computed>
      preferred_backup_window:             "07:00-09:00" => "07:00-09:00"
      preferred_maintenance_window:        "wed:03:00-wed:04:00" => "wed:03:00-wed:04:00"
      reader_endpoint:                     "niki-dev-commerce.cluster-ro-cgxpu4rhgni7.us-west-2.rds.amazonaws.com" => <computed>
      skip_final_snapshot:                 "true" => "true"
      storage_encrypted:                   "false" => "false"
      tags.%:                              "3" => "3"
      tags.Name:                           "niki-dev-commerce" => "niki-dev-commerce"
      tags.Namespace:                      "niki" => "niki"
      tags.Stage:                          "dev" => "dev"
      vpc_security_group_ids.#:            "1" => "1"
      vpc_security_group_ids.1052271664:   "sg-0774db77" => "sg-0774db77"
```
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Probably something making it not idempotent
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I cannot look at it now though - on my way out
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
The problem looks like your AZ map is not static
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
no problem, initially I thought it could be due to either you calculating AZs or subnet counts somewhere
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Consider hardcoding it
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Hard coding it
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Or at the very least sorting it
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
Already did that: `availability_zones = ["us-west-2b", "us-west-2c"]`
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Hrmm I see
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
That is the line of investigation I would pursue
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
We used this module for multiple engagements
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Probably a regression caused by a newer version of terraform
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Show me your subnet invocation
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
```hcl
module "subnets" {
  source              = "git::https://github.com/cloudposse/terraform-aws-dynamic-subnets.git?ref=master"
  availability_zones  = ["us-west-2b", "us-west-2c"]
  namespace           = "${var.namespace}"
  stage               = "${var.stage}"
  name                = "${local.name}"
  region              = "${var.kops_region}"
  vpc_id              = "${module.vpc.vpc_id}"
  igw_id              = "${module.vpc.igw_id}"
  cidr_block          = "${module.vpc.vpc_cidr_block}"
  nat_gateway_enabled = "true"
}
```
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
hardcoded here as well
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Hrmmm, yea, that was going to be my other suggestion
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
You can try upgrading / downgrading the AWS provider
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Hrmmm, can you check the status of your 2a AZ?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
AWS takes zones out of commission
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Though unlikely in us-west
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Also, not all services are available in all zones
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Try a different az selection and see if it makes a difference
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Also try reducing to just 2, for example
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
And don’t include the 2a
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
okay
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
But the weird thing is it’s saying you are going from 3 => 2
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
As an outsider, it looks like you previously provisioned the cluster in 3 AZs and now want to shrink it
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
That will destroy the cluster
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Terraform is not a good tool for that kind of automation
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
it never actually happened, and I verified that
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Hrm odd indeed
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
I have actually destroyed the module and recreated it as well
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
and the AWS console shows 2 AZs only
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
this looks more like an issue in Terraform
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Ya…
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@mcrowe are you using the RDS cluster module?
2018-07-15
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
For my info, what is the reason to specify both VPC subnets and EC2 availability zones?
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
If you leave out availability zones it will most likely work out. The subnet group defines the AZs.
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
`availability_zones` - (Optional) A list of EC2 Availability Zones that instances in the DB cluster can be created in
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Yea that’s a good suggestion @maarten
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@rohit.verma
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
Has there been a discussion about whether having security groups defined inside modules alongside the resource of purpose is OK or not, like with the rds module? I personally dislike it a lot, as I used to create modules which did exactly that. It makes migrations extremely complex in some cases. Next to that, the AWS/Terraform security group implementation is poor enough on its own, so it’s something I’m extremely careful with. Having `vpc_security_group_ids` as a list variable for a module is a lot simpler and safer, I think.
![mcrowe avatar](https://secure.gravatar.com/avatar/376a37607d4a5672ed16bf47f6df7369.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
@rohit.verma Can you show us the output of `terraform plan`?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@maarten yes/no, but to your point, this module does not do it correctly
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@Erik Osterman (Cloud Posse) uploaded a file: image.png
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
is bad practice. We should use security group rules for stability/interoperability with other modules
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
i think it’s ok, so long as the module returns the security group, so that other modules or consumers can add rules.
![Daren avatar](https://secure.gravatar.com/avatar/55429c4768df2c080781c0a4f0bedb77.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0010-72.png)
@Erik Osterman (Cloud Posse) If you define a SG with inline rules, it is very problematic to add additional rules using security group rules. We ran into this and removed all inline rules to support the intra-module flexibility
![Daren avatar](https://secure.gravatar.com/avatar/55429c4768df2c080781c0a4f0bedb77.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0010-72.png)
From https://www.terraform.io/docs/providers/aws/r/security_group.html
At this time you cannot use a Security Group with in-line rules in conjunction with any Security Group Rule resources. Doing so will cause a conflict of rule settings and will overwrite rules.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
yes, 100%
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
we need to remove these inline rules
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
but also, to @maarten’s point, I think we need to add the option of moving the SG outside of the module too
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
we had this problem at gladly too and it complicated migrations.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
added issues
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
what: consider removing the security group from the resource in the module, or making it an optional parameter. why: complicates interoperability with other modules, reported by @maartenvanderhoef
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I am open to discussion around this. @Igor Rodionov, @jamie, @mcrowe and @Andriy Knysh (Cloud Posse) probably have more thoughts
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
let’s decide on something.
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
@Erik Osterman (Cloud Posse) what module is that?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
terraform-aws-rds-cluster - Terraform module to provision an RDS Aurora cluster for MySQL or Postgres
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
@maarten, @Erik Osterman (Cloud Posse) and @mcrowe, thanks for your suggestions. For the time being I have actually added all 3 availability zones; anyway, as mentioned, the instances are created in the provided subnets only, so it doesn’t impact anything
2018-07-17
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
hi team, has anyone tried kube2iam with EKS and got it working?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Use Kiam
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
kiam has a master/agent configuration
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Crap
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
I don’t understand how to schedule the master
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
EKS has no master nodes
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
You might need to have a pseudo master tier
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
On phone
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Kube2iam has a lot of serious issues
![evan avatar](https://secure.gravatar.com/avatar/e1cc41769c4f2033af801ed3a9d5ead6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
this is a bit concerning, is there something else we should be using?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
yes, kiam
will work out-of-the-box for you guys using our helmfile
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
i can show @Max Moon
![Max Moon avatar](https://secure.gravatar.com/avatar/c5140df884cb23031870bc683b2e8315.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
This still needs to be discussed, I’ll gladly take a look at it on Monday when I’m back in the country
![Max Moon avatar](https://secure.gravatar.com/avatar/c5140df884cb23031870bc683b2e8315.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
If you could put together a list of these serious issues I can take a look at before then, that would be great.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Geodesic is the fastest way to get up and running with a rock solid, production grade cloud platform built on strictly Open Source tools. https://docs.cloudposse.com/geodesic/
![Max Moon avatar](https://secure.gravatar.com/avatar/c5140df884cb23031870bc683b2e8315.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Thanks, I will take a look at that. Do you have a list of github issues about kube2iam?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Sec
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Kiam bridges Kubernetes’ Pods with Amazon’s Identity and Access Management (IAM). It makes it easy to assign short-lived AWS security…
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
FWIW, gladly and PeerStreet have both had issues
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
And Joany
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Gladly is evaluating Kiam
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
It has its own set of issues :-)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
But has a dedicated following and a channel now in the official kube Slack team
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
sorry, didn’t get that, what is a pseudo master tier? On phone?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Any interest to collaborate on our EKS modules?
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
sure, I will
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I am on my phone - hard to type :-)
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
okay, no problem
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Bagel in the other hand
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
ah ha
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
take your time
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
also, to support EKS, you have to make changes to your subnet module
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
I will send a PR, small change
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Ok many thanks
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
just when you have time, tell me about the pseudo master,
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
if I promote any worker to act as master, I can’t run anything on it which needs role assumption
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Yes, want to review the EKS modules I am working on with you
2018-07-18
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@rohit.verma are you around?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
i can share now
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
(or later today - ping me)
![jonathan.olson avatar](https://secure.gravatar.com/avatar/a2451bb545b1ea09447c3d02290cb060.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
Just dropped a PR for elasticache-redis; need to be able to pass the encrypt-at-rest / enable-TLS flags. Should be backwards compatible with previous releases (e.g. defaults to false on both). No idea if this is how you prefer I contribute, but let me know: https://github.com/cloudposse/terraform-aws-elasticache-redis/pull/15
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
thanks @jonathan.olson
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@evan @Max Moon @Daren @chris might be interested in this enhancement for encryption at rest and TLS
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@dave.yu also a heads up, we might need to do this: https://github.com/cloudposse/geodesic/issues/180
what: Set memory and CPU limits for Kiam. why: Kiam may have a memory leak. references: uswitch/kiam#72, uswitch/kiam#125
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
(reported by @Daren)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
they are seeing memory leaks in kiam
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
(and possibly some excess network traffic)
2018-07-19
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
We just released Cloud Posse reference architectures:
https://github.com/cloudposse/terraform-root-modules - Collection of Terraform root module invocations for provisioning reference architectures
https://github.com/cloudposse/root.cloudposse.co - Terraform Reference Architecture of a Geodesic Module for a Parent (“Root”) Organization in AWS
https://github.com/cloudposse/prod.cloudposse.co - Terraform Reference Architecture of a Geodesic Module for a Production Organization in AWS
https://github.com/cloudposse/staging.cloudposse.co - Terraform Reference Architecture of a Geodesic Module for a Staging Organization in AWS
https://github.com/cloudposse/dev.cloudposse.co - Terraform Reference Architecture of a Geodesic Module for a Development Sandbox Organization in AWS
https://github.com/cloudposse/audit.cloudposse.co - Terraform Reference Architecture of a Geodesic Module for an Audit Logs Organization in AWS
https://github.com/cloudposse/testing.cloudposse.co - Terraform Reference Architecture that implements a Geodesic Module for an Automated Testing Organization in AWS
They show how we provision AWS accounts and what Terraform modules we use. The complete description is here: https://docs.cloudposse.com/reference-architectures
Thanks everybody for your contributions. We will be improving the repos and the docs. Your input and PRs are very welcome.
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
Awesome team, thanks for open sourcing
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Hi Team, I’m writing a naming/tagging strategy document. I would love another set of eyes on it and suggestions. As far as I can, I’m using the cloudposse terraform naming convention, but I needed to extend it to cover a larger number of scenarios.
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Sorry, just fixed the access
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
try and click again now
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Permission to comment in the doc is enabled.
![krogebry avatar](https://secure.gravatar.com/avatar/f49ced1d69d92f99bb7acbfb975ed4f1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
wow, great document
![krogebry avatar](https://secure.gravatar.com/avatar/f49ced1d69d92f99bb7acbfb975ed4f1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
very detailed
![krogebry avatar](https://secure.gravatar.com/avatar/f49ced1d69d92f99bb7acbfb975ed4f1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
I think you have everything covered there
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Hah, well, thats kind of you. But critical feedback will help me improve it
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
nice doc @jamie
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
here is some feedback
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
1) we usually use `namespace` as a company name or abbreviation so we can distinguish the company’s resources from other companies’ resources (but it’s your choice to expand its usage as you described in the doc)
2) the third part in our naming (label) pattern is `name`, not `role`. The difference is *what it does* vs. *what it is*. Those could be just small differences, but we usually try not to use the resource types in resource names, e.g. we don’t use `cp-prod-subnet-xxx-yyy-zzz` but instead `cp-prod-app1-xxx-yyy-zzz` to name a subnet. But I think your doc has described both cases
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
1) As it is a single company, but with 6 different divisions, I was wanting to have them use it for that instead
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
2) Role is a suggested tag from AWS for categorisation, and I wanted to have them group resources as needed by the role. As in `role: frontend` or `cmsstack`
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
the only issue with that (and why we use a company name as the `namespace`) is to name global AWS resources like S3 buckets. Could be naming collisions if not used properly
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
I wanted to disambiguate the Name input from the Name output (id) that the label module does, but as a convention document.
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Which is why I changed from name to role.
![krogebry avatar](https://secure.gravatar.com/avatar/f49ced1d69d92f99bb7acbfb975ed4f1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
Well, I can tell you from years of field experience that most people don’t even have the document for the tags, but plenty of tags they want to use
![krogebry avatar](https://secure.gravatar.com/avatar/f49ced1d69d92f99bb7acbfb975ed4f1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
So you end up with a giant cluster f*$! of mismatched tags with very little direction, and plenty of weird dependancies and gotchas baked into the system.
![krogebry avatar](https://secure.gravatar.com/avatar/f49ced1d69d92f99bb7acbfb975ed4f1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
So, touch something and watch the dumpster start burning
![krogebry avatar](https://secure.gravatar.com/avatar/f49ced1d69d92f99bb7acbfb975ed4f1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
Having a document like that to start with is a solid way of moving, good footing from the start is a powerful position for sure
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
what it is vs what it does is a very valid point.
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Haha, well that’s good news @krogebry - it’s for a transformation project one of my clients has. They have a monolith of AWS EC2 instances, and are moving to serverless and docker microservices. And they have hired new teams and such, so before the big work starts on the transform I’m wanting to get a few standards in place for consistency
![krogebry avatar](https://secure.gravatar.com/avatar/f49ced1d69d92f99bb7acbfb975ed4f1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
nice
![krogebry avatar](https://secure.gravatar.com/avatar/f49ced1d69d92f99bb7acbfb975ed4f1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
yeah, that’s solid, I’ve done that work to transform, doing that work now
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
if you use `role` as a name, it should be role from the business point of view, not resource types point of view. Although in some cases it’s difficult to assign names (yes, naming is hard)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
i'm wanting to get a a few standards in place for consistency
- very valid point @jamie
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
What’s that saying you have about naming?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
There are only two hard things in Computer Science: cache invalidation and naming things – Phil Karlton (bonus variations on the page)
![krogebry avatar](https://secure.gravatar.com/avatar/f49ced1d69d92f99bb7acbfb975ed4f1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
Love that
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
I may put that as a footnote.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Jamie this is awesome. I will take a closer look later today. At first glance love the selection of tags.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Access controls via tags are only sometimes supported
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Ha, thanks Erik. Yeah, I have the list
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Maybe add a note in regards to that. It should be used as a last resort IMO
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
For stage segregation, tags are not well suited since there are resources which do not even support tags
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
I’m gonna do a policy that means that anyone in the ‘developer’ group that wants to create new resources from that list, must apply tags at creation. As well as to ‘start’ a resource.
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
That way the greenfields stuff has to have tags, even if they are not awesome.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
That is cool. Enforcing tags at some level would be a nice account level module!
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Maybe I can see if I can just make a CloudTrail metric alert that looks for missing tags on creation, and notifies Slack, or a dashboard via SNS
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Btw love the font in your doc
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Oh thanks
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
More of a ‘soft’ way to enforce it
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
and implement the hard enforcement if required.
![krogebry avatar](https://secure.gravatar.com/avatar/f49ced1d69d92f99bb7acbfb975ed4f1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
Can I offer an idea on that front?
![krogebry avatar](https://secure.gravatar.com/avatar/f49ced1d69d92f99bb7acbfb975ed4f1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
I just did something with the tags on this client wrt missing tags
![krogebry avatar](https://secure.gravatar.com/avatar/f49ced1d69d92f99bb7acbfb975ed4f1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
It’s an idea that Intuit implemented, but geared for tags.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Sure!
![krogebry avatar](https://secure.gravatar.com/avatar/f49ced1d69d92f99bb7acbfb975ed4f1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
Alright, so Intuit started this with an “up and to the right” progress over perfection initiative with regards to the overall security of any given account that ran a service ( mobile stuff, mint, etc… ). I’ve implemented the same idea with various different things including pager duty noise levels.
![krogebry avatar](https://secure.gravatar.com/avatar/f49ced1d69d92f99bb7acbfb975ed4f1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
Start with a simple code base (lambda could work, or ruby+docker+jenkins, whatever), analyze tags, then create a grading metric. So, A for >90% compliance, B for compliance >80% and <90%, C, D, F etc.
![krogebry avatar](https://secure.gravatar.com/avatar/f49ced1d69d92f99bb7acbfb975ed4f1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
Or just go with the numeric, but i think there’s almost a cognitive hook on the grades.
![krogebry avatar](https://secure.gravatar.com/avatar/f49ced1d69d92f99bb7acbfb975ed4f1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
I usually end up representing these as graphs in Jira
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
I was thinking I would use https://www.terraform.io/docs/providers/aws/r/config_config_rule.html
Provides an AWS Config Rule.
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
A config rule, to do the checks
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@krogebry So this is in terms of bringing an account into compliance?
![krogebry avatar](https://secure.gravatar.com/avatar/f49ced1d69d92f99bb7acbfb975ed4f1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
@krogebry uploaded a file: Screen Shot 2018-07-19 at 11.13.49 AM.png
![krogebry avatar](https://secure.gravatar.com/avatar/f49ced1d69d92f99bb7acbfb975ed4f1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
Yeah, so forcing compliance from resource creation can work, but does get in the way.
![krogebry avatar](https://secure.gravatar.com/avatar/f49ced1d69d92f99bb7acbfb975ed4f1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
However, a stance of “progress over perfection” usually works better in the transformation world of things.
![krogebry avatar](https://secure.gravatar.com/avatar/f49ced1d69d92f99bb7acbfb975ed4f1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
Like, the reality is that you’re probably not going to get people to conform to tags right away, and in some cases you can’t enforce things because enforcing the standard might actually break things.
![krogebry avatar](https://secure.gravatar.com/avatar/f49ced1d69d92f99bb7acbfb975ed4f1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
So the idea is the Riot sort of mindset where we’re just trying to move things up and to the right, or progress over time.
![krogebry avatar](https://secure.gravatar.com/avatar/f49ced1d69d92f99bb7acbfb975ed4f1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
Usually more effective when dealing with people who are maybe a little timid around big changes.
![krogebry avatar](https://secure.gravatar.com/avatar/f49ced1d69d92f99bb7acbfb975ed4f1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
`</rant cents="2">`
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@krogebry agree. But how do you do it from the automation point of view? E.g. we create and provision TF resources without tags (or with some tags), and then use the process to validate the tags and then update all the resources from TF?
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
@Andriy Knysh (Cloud Posse) with aws config rules you can have it provide a compliance report based on your terraform resources https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_manage-rules.html
Use the AWS Config console, AWS CLI, and AWS Config API to view, update, and delete your AWS Config rules.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
nice
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
So instead of hard enforcing it, it can just be a dashboard
![krogebry avatar](https://secure.gravatar.com/avatar/f49ced1d69d92f99bb7acbfb975ed4f1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
Okay, I can tell you a tale of woe as to how not to do it
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
and its something that could be a TF module easily
![krogebry avatar](https://secure.gravatar.com/avatar/f49ced1d69d92f99bb7acbfb975ed4f1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
Yeah, so you’re on the right track, basically you have two good options: either enforce it from the creation of things, or enforce it later with some kind of dashboard/report’y thingie
![krogebry avatar](https://secure.gravatar.com/avatar/f49ced1d69d92f99bb7acbfb975ed4f1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
If you enforce at creation the only real risk is the timing with things, so in many cases the tag creation is a secondary action after the resource is created
![krogebry avatar](https://secure.gravatar.com/avatar/f49ced1d69d92f99bb7acbfb975ed4f1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
So you just have to be aware of that, if you do something like “kill instance if tags are missing” with an ASG, you’re going to have a bad time because of the timing stuff.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
yea, that’s why naming is hard
![krogebry avatar](https://secure.gravatar.com/avatar/f49ced1d69d92f99bb7acbfb975ed4f1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
It would be neat to have some kind of way to have TF actually enforce the naming conventions with if conditionals
![krogebry avatar](https://secure.gravatar.com/avatar/f49ced1d69d92f99bb7acbfb975ed4f1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
Might be an option in 0.12?
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Its an option now
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
using my nifty hack
![krogebry avatar](https://secure.gravatar.com/avatar/f49ced1d69d92f99bb7acbfb975ed4f1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
ohh, with config rules?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
so I think it’s good to combine the two strategies: 1) enforce some rules at creation; 2) check it after creation and alert/dashboard
![krogebry avatar](https://secure.gravatar.com/avatar/f49ced1d69d92f99bb7acbfb975ed4f1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
yeah, okay, I can see how that would be pretty awesome with config rules
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
```hcl
variable "failure_text" {
  default = "The values didn't have the values needed"
}
variable "conditional" { default = true }

# Fires only when the assertion (var.conditional) is false: count becomes 1,
# and null_resource has no argument named after var.failure_text, so Terraform
# rejects the config and surfaces the failure text in the error message.
resource "null_resource" "ASSERTION_TEST_FAILED" {
  count = "${var.conditional ? 0 : 1}"

  "${var.failure_text}" = true
}
```
![stephen avatar](https://secure.gravatar.com/avatar/ee9263db304e8d1cd5e3f8e9f9655015.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0010-72.png)
I’m curious, is this pseudo code or do you actually have this working?
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
It’s working
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
It works great. I wrote an article on it :)
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
And it gets referenced here https://github.com/hashicorp/terraform/issues/2847
It would be nice to assert conditions on values, extending the schema validation idea to the actual config language. This could probably be limited to variables, but even standalone assertion state…
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Thats the entire assert module I have
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
you would use it like
```hcl
# Fails the plan with "Your name is too long" unless var.name is under 63 characters.
module "assert_name_length" {
  source       = "thatmodulepath"
  failure_text = "Your name is too long"
  conditional  = "${length(var.name) < 63}"
}
```
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
nice hack @jamie
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Although @Andriy Knysh (Cloud Posse) actually won’t touch it, because he hates hacks
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
So its just for my own compliance checks for now
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
for a few reasons:
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
understandable
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
breaking changes and all
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
- As a user of the module, you instantiate the module in TF and you add/change the assertion code - looks like you just control yourself
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
- Little bit difficult to read
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
But that module has worked since at least version 0.9
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
I added it because I had a client just filling in tf vars files
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
So they wouldn’t have tf access, and it would go through a pipeline
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
but i agree something like that is needed
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
So, I was using it to cause a TF error and message when their vars were flaky
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
for 0.12
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
```text
Error: Error running plan: 2 error(s) occurred:
* module.elasticache_redis.module.dns.var.records: Resource 'aws_elasticache_replication_group.default' does not have attribute 'primary_endpoint_address' for variable 'aws_elasticache_replication_group.default.*.primary_endpoint_address'
* module.elasticache_redis.output.id: Resource 'aws_elasticache_replication_group.default' does not have attribute 'id' for variable 'aws_elasticache_replication_group.default.*.id'
```
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@Daren have you seen this with yours/our TF module for redis
![Daren avatar](https://secure.gravatar.com/avatar/55429c4768df2c080781c0a4f0bedb77.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0010-72.png)
Yes
![Daren avatar](https://secure.gravatar.com/avatar/55429c4768df2c080781c0a4f0bedb77.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0010-72.png)
We are using `auth_tokens`, and if the token is not valid for AWS this happens
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
ok, i think that could be related to our issue
![Daren avatar](https://secure.gravatar.com/avatar/55429c4768df2c080781c0a4f0bedb77.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0010-72.png)
We used:
![Daren avatar](https://secure.gravatar.com/avatar/55429c4768df2c080781c0a4f0bedb77.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0010-72.png)
```hcl
# ElastiCache AUTH tokens must be 16-128 printable ASCII characters, and the only
# special characters AWS permits are ! & # $ ^ < > and -. Restricting
# override_special to that set keeps the generated token valid for AWS.
resource "random_string" "redis_auth_token" {
  length           = 16
  override_special = "!&#$^<>-"
}
```
![tamsky avatar](https://avatars.slack-edge.com/2019-10-31/817094217669_6e765cea39b456597957_72.jpg)
@jamie
> I have grown to dislike “terraform_remote_state” data provider

I love the data provider.
In directories (origin) where another directory (client) is expected to read the state, I create a `lib/remote_state.tf` in the origin directory.
The (client) directory has a symlink to the `lib/remote_directory.tf` file, and leaves all the implementation details up to the (origin).
example: https://github.com/tamsky/terrabase/blob/master/aws-blueprints/core/lib/remote-state.tf
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
It’s all we have, but my list of gripes is:
- It hard binds one tf template to another: I.e. even using variables to choose a state to use at first run, you can’t search for a state to use, or select states by relative paths. Because the s3 bucket has to be unique.
- You have to have an agreed naming structure to use a state, and there are no standards, so each setup will be different.
- It does have default values, but no way to provide a wildcard default, so that you can query for a value that doesn’t exist. I.e. if you are using version 1.0.1 of a tf template that has an output string “alb_frontend_sg” but in version 1.0.2 you have changed it to a list “alb_frontend_sgs”, and your remote state is changed to query for “alb_frontend_sgs”, then if you need to roll back to version 1.0.1 you would get an error looking for “alb_frontend_sgs”. While it is good practice to error, it doesn’t allow you to create terraform level exception handling, such as querying for both variables and outputting the value that isn’t an empty string.
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
if you could get the outputs of terraform_remote_state as a map, and do a lookup, it would help that last part on unknown outputs at the code level. And you can workaround that last part if you have easy access to the terraform_remote_state data provider, as you could add both alb_frontend_sgs and alb_frontend_sg as default values.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
that’s nice @tamsky
2018-07-20
![Sebastian Nemeth avatar](https://secure.gravatar.com/avatar/0e7701f737a3c7ef31d80680f565791e.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0010-72.png)
Hey everybody! Proud to join the SweetOps crowd… this is a great initiative, seems like a real missing piece.
![Sebastian Nemeth avatar](https://secure.gravatar.com/avatar/0e7701f737a3c7ef31d80680f565791e.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0010-72.png)
I have a quick q regarding the reference architectures, which operate under root.company.com, staging.company.com and prod.company.com etc. Where/how, in this setup, would I set up top-level DNS mappings, e.g. CNAME record referencing company.com -> prod.company.com, app.company.com -> app.prod.company.com etc? Would this be in the root module?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@Sebastian Nemeth I can help answer in a few hours.
![Sebastian Nemeth avatar](https://secure.gravatar.com/avatar/0e7701f737a3c7ef31d80680f565791e.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0010-72.png)
Great! Thanks very much. I’m trying to get rolling with geodesic and some basic stuff as we speak.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
also, let’s move the conversation to #geodesic so it’s not lost in the noise
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
btw, let’s start using #geodesic so we can concentrate knowledge
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@Andriy Knysh (Cloud Posse) might be around to answer some questions related to this.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Have you seen this? https://docs.cloudposse.com/reference-architectures/cold-start/
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Sorry for the messed up css
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
We are still refining that doc to make it more clear
![Sebastian Nemeth avatar](https://secure.gravatar.com/avatar/0e7701f737a3c7ef31d80680f565791e.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0010-72.png)
I’m following it now, but it’s taking some cross-referencing. e.g. it tells me to install aws-vault, but then I read that it’s included in geodesic, so trying to figure out best way to use geodesic and where to keep the credentials store.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Great feedback. Agree. Credentials will be stored in an encrypted key chain file
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Inevitably you will want to use AWS vault natively as well. E.g. docker compose
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
But you don’t need to install to get started, so we should not make that a step so early on
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Actually, @Andriy Knysh (Cloud Posse) and I were talking about just this yesterday.
![Sebastian Nemeth avatar](https://secure.gravatar.com/avatar/0e7701f737a3c7ef31d80680f565791e.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0010-72.png)
I don’t mind installing aws-vault, but if its already installed in geodesic maybe it’s better to just run geodesic while mounting a local volume to store credentials for our developers.
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
@tamsky thanks for the bug report on https://github.com/cloudposse/terraform-aws-alb-target-group-cloudwatch-sns-alarms! Just addressed the arn_suffix issue with a PR - just waiting on an approval and should be merged in…
Also just a heads up that I found and fixed an edge case here, would love a quick review and any comments/suggestions on the solution: https://github.com/cloudposse/terraform-aws-alb-target-group-cloudwatch-sns-alarms/issues/8
terraform-aws-alb-target-group-cloudwatch-sns-alarms - Terraform module to create CloudWatch Alarms on ALB Target level metrics.
what AWS CloudWatch Alarm Thresholds should be assumed to contain floats when used in conditionals. why Fix the following case: CloudWatch thresholds are specified in seconds, which results in spec…
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
whoops sorry Jamie - just committed this too: https://github.com/cloudposse/terraform-aws-alb-target-group-cloudwatch-sns-alarms/pull/9/commits/dfdb45d0a293cb745a6d40e153e2b3a0cf991578
what Wrap thresholds with a floor to convert to int before comparing to 0. why Fixes #8 and #6
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
didn’t think it was worth its own PR for that since it is just cosmetic
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
maybe target_response_time_alarm_enabled = "${floor(var.target_response_time_threshold) < 0 ? 0 : 1 * local.enabled}"
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
should be the one without a floor
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
ah yea, it’s confusing
![Yoann avatar](https://secure.gravatar.com/avatar/9509153cc85ed829359aadcd811747b5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0006-72.png)
Hi there! I am evaluating using geodesic for my organization and curious to discuss some kubernetes cluster related patterns.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Sure thing! You can direct message me or shoot me an email ([email protected])
Our current kubernetes architecture is captured in this kops manifest:
https://github.com/cloudposse/geodesic/blob/master/rootfs/templates/kops/default.yaml
Geodesic is the fastest way to get up and running with a rock solid, production grade cloud platform built on strictly Open Source tools. https://docs.cloudposse.com/geodesic/
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
also, let’s move the conversation to #geodesic so it’s not lost in the noise
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
since it is actually float
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
@Yoann hi, welcome
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
i think you mean the other way around right @jamie since response time is the one that is a float?
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
so only wrap floor() for var.target_response_time_threshold so it converts that to an int and can compare to 0 safely
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Let’s try it in terraform console
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
where var.target_response_time_threshold is 0.5
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
> floor(0.5) < 0
false
> 0.5 < 0
false
>
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
So it evaluates fine
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
hmm
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
ah right
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
string
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
try "0.5" < 0
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
> floor(0.5)
0
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
> floor("0.5") < 0
false
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
> "0.5" < 0
__builtin_StringToInt: strconv.ParseInt: parsing "0.5": invalid syntax in:
${"0.5" < 0}
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
> floor("1") < 0
false
> floor("-1") < 0
true
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
but when you do the extrapolation
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
it shouldn’t be a string
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
that’s the exact error you get currently in latest stable when trying to set response time to 0.X: __builtin_StringToInt: strconv.ParseInt: parsing "0.5": invalid syntax in:
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
ah
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
well then…. floor it is!
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
haha
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Although this should change in 0.12
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
i wrapped the others to be safe - but obviously we should not expect a count to be a float
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
What if you took the quotes off the variable?
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
defaults
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
nah.. don’t worry about that
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
just floor it
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
i agree with erik there too - < 0.12 this is the most sane way to work with terraform i.e. strings, maps, lists
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Yeah
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
I have a really large stack of metric alarm notes
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
For things like, containers per instance alarm
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
and ‘lambda max concurrent execution alarms’
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
and ‘rds database level custom metrics -> alarms’
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Which I’m looking forward to adding to our arsenal
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Oh and billing alerts
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
i copied some already for the module we were talking about
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
def good stuff - thanks for sharing it!
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
haha
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
I hope you plastered my face across the footer
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
of course
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
@jamie if you got a sec: https://github.com/cloudposse/terraform-aws-alb-target-group-cloudwatch-sns-alarms/pull/7 - CR please and I’ll owe you a
what Fix the dimensions by removing unnecessary join in interpolation why Fixes #4 Terraform will perform the following actions: ~ module.data_model_web_app.module.ecs_codepipeline.aws_codepipe…
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
or a CR whichever
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Checked
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Verified
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
lgtm
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
ty ty
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
Just a heads up - released 0.4.0 for https://github.com/cloudposse/terraform-aws-alb-target-group-cloudwatch-sns-alarms. This fixes a few reported issues: https://github.com/cloudposse/terraform-aws-alb-target-group-cloudwatch-sns-alarms/issues/8 https://github.com/cloudposse/terraform-aws-alb-target-group-cloudwatch-sns-alarms/issues/4 https://github.com/cloudposse/terraform-aws-alb-target-group-cloudwatch-sns-alarms/issues/6
Thanks to @tamsky, @Erik Osterman (Cloud Posse), @jamie!
terraform-aws-alb-target-group-cloudwatch-sns-alarms - Terraform module to create CloudWatch Alarms on ALB Target level metrics.
what AWS CloudWatch Alarm Thresholds should be assumed to contain floats when used in conditionals. why Fix the following case: CloudWatch thresholds are specified in seconds, which results in spec…
currently at https://github.com/cloudposse/terraform-aws-alb-target-group-cloudwatch-sns-alarms/blob/master/alarms.tf#L10-L11 we have: "TargetGroup" = "${join("/", list(&qu…
what what we’re mixing snake case with camel case why bad convention
![tamsky avatar](https://avatars.slack-edge.com/2019-10-31/817094217669_6e765cea39b456597957_72.jpg)
thanks for the quick fix! like the use of floor()
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Issue 6 was mixing case because the cloudwatch metric names are in
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
So that there was a 1:1 for name recognition
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Originally
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
Since we have to use modules with terraform and really don’t have a desire to buy TF Enterprise just to get a “registry”, I was thinking of writing a little utility that will:
• parse through your TF project
• find any modules, then grab the source repo
• compare what version you have to the latest available in the source repo and then output if there is a new revision/tag compared the one being used
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I think @mcrowe did write something similar
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
would like something like this though
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
hmm nice i’d love to see it - i might just write one in my free time anyway so i have an excuse to write a go utility with cobra
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
yea, go would be my pref!
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
this example is a bash script
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
ah cool!
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
i also think it would be a popular utility for the community
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
yea i feel like it can benefit from concurrency here - but of course already thinking about github api limits
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
there’s some way also to convert HCL to json
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
also, what’s nice with mike’s script is it can generate the composite outputs from all module deps
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@Erik Osterman (Cloud Posse) uploaded a file: image.png
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@sarkis you can start with something like this https://github.com/kvz/json2hcl. It shows what terraform packages to use for parsing, or you can convert hcl to json which is easier to analyze
json2hcl - Convert JSON to HCL, and vice versa
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
hey all, just want to invite those interested to #geodesic and #terraform
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
it might help organize information and get questions better answered if we distribute the traffic
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
set the channel topic: Cloud Posse Open Source Community #geodesic #terraform #random #releases #docs
2018-07-23
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Hey guys, can you give me some idea why the term ‘stage’ was chosen over ‘environment’? In the label module?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@Erik Osterman (Cloud Posse) uploaded a file: Image from iOS
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
See #2
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
There are multiple stages
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
It’s where software performs
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
The term environment is also overloaded and often abbreviated as env
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Which, from my subjective experience, is more confusing. Stage imo is misused inside many organizations and I guess I made it our personal mission to correct its usage
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
However I could maybe consider adding environment after stage as another (optional) dimension of disambiguation
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
I have used environment in all other projects as the term to encapsulate the resources for development vs production.
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
And I think it is quite a common use, but I do understand the ambiguity issue.
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
The term environment also means environment variables, and it’s the old word for terraform workspaces as well.
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
My issue with the term stage is the implicit temporal nature it has. Like a stage in a pipeline or rocket is something that gets used and is destroyed.
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
But environment describes what surrounds something, and doesn’t imply any permanency, or lack of.
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
So for describing a split between production and preproduction, where the application is exactly the same build asset but the configuration and attached resources are different, I align more with environment.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
It feels like environment is something that should be encapsulated in a module
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Thus the environment is baptized with name
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Then resources within that are disambiguated with attributes to that environment name
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Couldn’t it be argued that the root level module invocation is the environment?
![tamsky avatar](https://avatars.slack-edge.com/2019-10-31/817094217669_6e765cea39b456597957_72.jpg)
I align more with environment for the same reasons Jamie has mentioned. I’m also not a fan of env as an abbreviation.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
What about adding more optional fields to the label module
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Perhaps along the lines of Jamie’s document on canonical tag names
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
If not passed, they are not concatenated
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Stage and environment can be adjacent, that way the caller can use what’s most natural to their organization
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I think this would satisfy both requirements. Thinking environment would be concatenated after stage.
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
It’s a non-breaking change so I think it’s a good idea
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Stage can then be specific to things like. Source. Build. Test. Tag. Release. As well.
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
In any case it will add flexibility to the module that allows me to use it in different clients
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
agreed - and we want to support other use-cases too so let’s do it
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Terraform Module to define a consistent naming convention by (namespace, stage, name, [attributes])
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
see that?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
what Support passing a label's context between label modules why DRY demo module "label1" { source = "../../" namespace = "Namespace" stage = &…
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
I’ll update it
![krogebry avatar](https://secure.gravatar.com/avatar/f49ced1d69d92f99bb7acbfb975ed4f1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
So what’s the name for the env between dev and prod?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
that might be staging. note, that staging is not the same word as stage.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@Erik Osterman (Cloud Posse) uploaded a file: image.png
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
could be QA, UAT, preproduction
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
so “dev” is a stage
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
production is a stage
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
it’s a stage in a lifecycle
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
![attachment image](https://upload.wikimedia.org/wikipedia/commons/d/d6/Black_Brant.jpg)
A multistage rocket, or step rocket is a launch vehicle that uses two or more rocket stages, each of which contains its own engines and propellant. A tandem or serial stage is mounted on top of another stage; a parallel stage is attached alongside another stage. The result is effectively two or more rockets stacked on top of or attached next to each other. Taken together these are sometimes called a launch vehicle. Two-stage rockets are quite common, but rockets with as many as five separate stages have been successfully launched. By jettisoning stages when they run out of propellant, the mass of the remaining rocket is decreased. This staging allows the thrust of the remaining stages to more easily accelerate the rocket to its final speed and height. In serial or tandem staging schemes, the first stage is at the bottom and is usually the largest, the second stage and subsequent upper stages are above it, usually decreasing in size. In parallel staging schemes solid or liquid rocket boosters are used to assist with lift-off. These are sometimes referred to as “stage 0”. In the typical case, the first-stage and booster engines fire to propel the entire rocket upwards. When the boosters run out of fuel, they are detached from the rest of the rocket (usually with some kind of small explosive charge) and fall away. The first stage then burns to completion and falls off. This leaves a smaller rocket, with the second stage on the bottom, which then fires. Known in rocketry circles as staging, this process is repeated until the desired final velocity is achieved. In some cases with serial staging, the upper stage ignites before the separation—the interstage ring is designed with this in mind, and the thrust is used to help positively separate the two vehicles. A multistage rocket is required to reach the escape velocity of 11.186 km/s (25,020 mph) from Earth’s gravity.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
stage 1, stage 2, …. stage n.
![krogebry avatar](https://secure.gravatar.com/avatar/f49ced1d69d92f99bb7acbfb975ed4f1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
I think I like UAT
![krogebry avatar](https://secure.gravatar.com/avatar/f49ced1d69d92f99bb7acbfb975ed4f1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
It’s descriptive as to what it actually does
![krogebry avatar](https://secure.gravatar.com/avatar/f49ced1d69d92f99bb7acbfb975ed4f1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
“Stage” is like you say, it’s a part of the rocket, but it doesn’t actually define what it’s doing
![krogebry avatar](https://secure.gravatar.com/avatar/f49ced1d69d92f99bb7acbfb975ed4f1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
I like y’all in this group, really makes me think about the important questions
2018-07-24
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Suggestions on additional sections, or technologies to cover, or core concepts are very welcomed!
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
Can i just paste questions I’ve asked recently beneath it and don’t care about formatting ?
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Yes! You can also use the comment feature
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
Less meta, hard to keep an interview < 1h and to also ask a few easy questions to make the candidate feel at ease.
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Thank you very much!
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
I was also providing question answer formats because I am not the one hiring them
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@jamie as always, very nice doc, thanks for initiating these conversations
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Met with @tamsky yesterday. He has also lots of nice things to say about your docs.
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
I had to move the document for the client. If you want to access the document still, which you are welcome to, here: https://docs.google.com/document/d/1yO7qgVyfKwPpK6EzBv0w64TzDOAUfCnE_nCEYX4maJg/edit?usp=sharing
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
It will need you to request access though guys. @Erik Osterman (Cloud Posse) @Andriy Knysh (Cloud Posse) @tamsky
![tamsky avatar](https://avatars.slack-edge.com/2019-10-31/817094217669_6e765cea39b456597957_72.jpg)
Curious @jamie– is there a LICENSE for your https://github.com/firmstep-public/trainingdayone ?
trainingdayone - Day One: Using the Terraform command, creating a resource, and managing Terraform state.
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
@tamsky in regards to trainingdayone’s license. Thanks for asking. Do you want to use some of it? Or add to it?
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
It would be the MPL 2.0 license. So that I would be notified of any improvements if there were any.
![tamsky avatar](https://avatars.slack-edge.com/2019-10-31/817094217669_6e765cea39b456597957_72.jpg)
I may want to use it - just checking in – I like the order and how you introduce the concepts.
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Firstly if I post it in here. Take it if you want. It’s the cost I pay for the quality feedback.
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Secondly, if I can help you improve it let me know. If you’re interested let’s do a slack video or something to rough out improvements
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
It’s a good investment in time for me and anyone else. As it’s very reusable
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Thank you @Andriy Knysh (Cloud Posse) :-)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@pmuller hi and welcome
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
i have exposed kubernetes dashboard with bitly oauth proxy as we do with cloudposse portal
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
can we pass the dashboard token
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
somewhere within bitly redirect etc..
![rohit.verma avatar](https://secure.gravatar.com/avatar/2fe004659fb5ecb920681f93103d6957.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
or for that kind of login we have to use dex
![pmuller avatar](https://secure.gravatar.com/avatar/fdb112fec548790fec3924f2cb149c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
thanks!
![pmuller avatar](https://secure.gravatar.com/avatar/fdb112fec548790fec3924f2cb149c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
funny how nice slack channel mostly live… during the night
![pmuller avatar](https://secure.gravatar.com/avatar/fdb112fec548790fec3924f2cb149c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
(UTC+8 here)
![pmuller avatar](https://secure.gravatar.com/avatar/fdb112fec548790fec3924f2cb149c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
i discovered your github a few days ago, and i love it
![pmuller avatar](https://secure.gravatar.com/avatar/fdb112fec548790fec3924f2cb149c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
i am learning so much thanks to you guys !
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
(Cloud Posse is based in Los Angeles, CA)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Awesome! Glad to hear you’re getting some mileage out of it.
![pmuller avatar](https://secure.gravatar.com/avatar/fdb112fec548790fec3924f2cb149c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
since when all of this is on GH ?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
We’ve been publishing our modules for the past 2 years , but we only really started promoting them this year when we doubled down on our documentation, readme’s and community.
![pmuller avatar](https://secure.gravatar.com/avatar/fdb112fec548790fec3924f2cb149c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
i thought i had a lot of not-that-nice patterns in my code base.. now i know for sure
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
thanks! would be happy to give you a tour of the complete open source ecosystem. we have A LOT so it can be hard to see the trees through the forest.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
set the channel topic: Cloud Posse Open Source Community #geodesic #terraform #release-engineering #random #releases #docs
2018-07-25
![tpagden avatar](https://secure.gravatar.com/avatar/604f40aadab7134f22ade420f7d2023b.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0024-72.png)
Hey guys, pretty sweet collection of blocks. I’ve been swaying between the aws community modules on Terraform and yours. I have a quick question - terraform-aws-cicd <— I believe this module does not support multi-container beanstalk, is that correct? (using beanstalk for first time with new org.)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@tpagden welcome
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
correct, the module does not support multi-container beanstalk
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
you can open an issue for that and we’ll review
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
or use ECS instead
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Expert Cloud Architects DevOps Professional Services
![tpagden avatar](https://secure.gravatar.com/avatar/604f40aadab7134f22ade420f7d2023b.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0024-72.png)
@Andriy Knysh (Cloud Posse) Cool, no problem at all. I was just confirming what I saw and that I didn’t miss anything. I’ll mull over some of the options
![tpagden avatar](https://secure.gravatar.com/avatar/604f40aadab7134f22ade420f7d2023b.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0024-72.png)
@Andriy Knysh (Cloud Posse) One more question - I know you all have avoided doing a wrapper approach (such as Terragrunt), which I’m inclined to avoid as well, however, do you all have a recommended directory structure approach that you recommend? Like live/non-prod/{region}/application ? If so, do you separate the application directories from infrastructure (like VPC) ?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
We use containers instead
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
So we package all of our terraform invocations in one repo. Then we use docker Multi Stage builds to copy them. Have a look at our reference architectures
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
The Dockerfile shows our strategy
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
You could say we deploy infrastructure as code the same way we deploy applications.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
So we don’t have our apps broken out into production and staging folders. We have them containerized. Then we deploy those containers. We think infrastructure code should be treated the same way.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@Cristin we still recommend to separate all resources into at least two stages (dev and prod) and don’t mix anything b/w them
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
terraform-root-modules - Collection of Terraform root module invocations for provisioning reference architectures
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
staging.cloudposse.co - Example Terraform Reference Architecture for Geodesic Module Staging Organization in AWS.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
This is how we deploy those modules for a staging account.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
it’s wrapper approach (such as Terragrunt) vs. container + ENV vars approach. We use the second one
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Yea that’s a succinct way of putting it. @Andriy Knysh (Cloud Posse) I should probably add that to the geodesic readme.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
yep, naming is important, not only for TF resources
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
but also for patterns and approaches
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
next time somebody asks what approach we use, we can say container + ENV vars (or something like that maybe with a better name)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I added a #jobs channel where people can post if they are looking for work or are hiring (FTE or contractors).
2018-07-26
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
![attachment image](https://user-images.githubusercontent.com/29592817/43219741-fdfef302-8ffc-11e8-96f4-4a2ab2ce136b.png)
Today we’re launching new ways to simplify your CI process, so you can use the tools you need to focus on the work that matters to your team.
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
Finally getting some of those awesome GitLab features.
2018-07-27
![rajcheval avatar](https://secure.gravatar.com/avatar/4086c60d803abcefe05ba0844fe29221.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0012-72.png)
@Erik Osterman (Cloud Posse) I am working on updating the aws cloud front module to allow me to disable alias creation. https://github.com/cloudposse/terraform-aws-cloudfront-cdn/issues/14. I want to add a boolean dns_aliases_enabled. If the value is false no alias will be created. I see that DNS records are created using module “dns”. If DNS was created with a resource I could set count = “${var.dns_aliases_enabled}”. False is 0 so no record will be created. As far as I know I cannot pass in “count” to a module. The only option I see is to modify the module that creates DNS to take in a count parameter. I am wondering if you have any suggestion for me.
We are hosting 5 different sites in AWS. All of them are behind the same ALB. We want to put CDN in front of all these sites. When I was creating CDN using your module I specified aliases for all t…
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Correct, first we need to update the dns module to add that flag
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Then we can do this module.
![rajcheval avatar](https://secure.gravatar.com/avatar/4086c60d803abcefe05ba0844fe29221.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0012-72.png)
It is great to be here. Thanks for creating these modules. I have a consulting company and one of our clients is using terraform. They told me that cloudposse writes excellent modules.
![rajcheval avatar](https://secure.gravatar.com/avatar/4086c60d803abcefe05ba0844fe29221.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0012-72.png)
I will also add web_acl_id parameter to the cloud front module.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Thanks @rajcheval !!
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Can we add the web acl id as a separate PR? Just so we can be more pedantic about how we introduce changes.
![rajcheval avatar](https://secure.gravatar.com/avatar/4086c60d803abcefe05ba0844fe29221.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0012-72.png)
yes this makes sense. adding web acl id is an easier change and I will keep it separate.
![rajcheval avatar](https://secure.gravatar.com/avatar/4086c60d803abcefe05ba0844fe29221.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0012-72.png)
I am looking at the https://github.com/cloudposse/terraform-aws-route53-alias/blob/master/main.tf. It currently calculates the count based on number of elements in the aliases array. I am wondering how I will pass in a count parameter and still keep the current module usable. Current users are not setting count and relying on count being calculated by number of elements in array. Is there a way to not invoke the module that creates dns at all. There is a new beta for terraform and they are making a bunch of enhancements. Perhaps I need to see the language enhancements that may help us.
terraform-aws-route53-alias - Terraform Module to Define Vanity Host/Domain (e.g. [brand.com](http://brand.com)) as an ALIAS record
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@rajcheval hi, give me 1 min I’ll show you how to do it
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
first, it will work now w/o any modifications if you provide var.aliases as an empty list, count will be 0 and nothing will be created

```hcl
resource "aws_route53_record" "default" {
  # an empty aliases list gives count = 0, so no record is created
  count = "${length(compact(var.aliases))}"
  # ... remaining arguments of the resource unchanged
}
```
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
if we want to introduce var.enabled to be more specific (as we have in other modules), we do this:
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
```hcl
count = "${var.enabled == "true" ? length(compact(var.aliases)) : 0}"
```
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
```hcl
variable "enabled" {
  type        = "string"
  default     = "true"
  description = "Set to false to prevent the module from creating any resources"
}
```
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
For https://github.com/cloudposse/terraform-aws-cloudfront-cdn, it will work now w/o any modifications if you specify an empty var.aliases
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
```hcl
module "dns" {
  source  = "git::https://github.com/cloudposse/terraform-aws-route53-alias.git?ref=tags/0.2.2"
  aliases = []
  # ... other module arguments unchanged
}
```
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
if we add var.enabled to route53-alias, then we can add var.dns_aliases_enabled to cloudfront-cdn and use it like this:
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
```hcl
module "dns" {
  source           = "git::https://github.com/cloudposse/terraform-aws-route53-alias.git?ref=tags/0.2.2"
  enabled          = "${var.dns_aliases_enabled}"
  aliases          = "${var.aliases}"
  parent_zone_id   = "${var.parent_zone_id}"
  parent_zone_name = "${var.parent_zone_name}"
  target_dns_name  = "${aws_cloudfront_distribution.default.domain_name}"
  target_zone_id   = "${aws_cloudfront_distribution.default.hosted_zone_id}"
}
```
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@rajcheval does it answer your questions?
![rajcheval avatar](https://secure.gravatar.com/avatar/4086c60d803abcefe05ba0844fe29221.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0012-72.png)
@Andriy Knysh (Cloud Posse) passing in empty aliases is not an option because cloudfront distribution still needs aliases. However your other suggestion will work. Thank you so much for taking the time to help me. I am going to learn a lot from you.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
(sorry, yes var.aliases is needed in any case, so we need to modify the modules to add enabled and dns_aliases_enabled)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@rajcheval after you make modifications and before opening a PR, run these three commands to regenerate README:
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
```sh
make init
make readme/deps
make readme
```
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
(not terraform-aws-cloudfront-cdn yet, this was not converted to the new README format yet. Just update README.md)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
what Add README.yaml why Standardize README
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@Andriy Knysh (Cloud Posse) please merge for me
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Afk
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
100% have been updated
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
working on it now (it needs terraform fmt)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Just not all yet merged
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@rajcheval we merged readme changes to master for https://github.com/cloudposse/terraform-aws-cloudfront-cdn
terraform-aws-cloudfront-cdn - Terraform Module that implements a CloudFront Distribution (CDN) for a custom origin.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
if you open a PR, please run the three commands above to update README
![rajcheval avatar](https://secure.gravatar.com/avatar/4086c60d803abcefe05ba0844fe29221.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0012-72.png)
@Andriy Knysh (Cloud Posse) I did run make commands to update readme. I have submitted PR’s for route53 and cloudfront. Once these are approved I will be making my final change on cloudfront resource to allow me to disable DNS record creation.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@rajcheval thanks, will review
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
![attachment image](https://tr2.cbsistatic.com/hub/i/r/2018/07/26/641dc9a5-bf7c-4d99-aa42-f07dc5832f42/thumbnail/770x578/fbc4e7980901d127e28ec765a6050ff0/istock-697236410-1.jpg)
Interviewing for a DevOps job? Here are some questions you’ll likely have to answer.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@jamie want to review ^ and maybe add to your doc?
![jamie avatar](https://avatars.slack-edge.com/2019-06-04/648624411249_c92a3e1cb863bae41d5b_72.jpg)
sure do!
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@rajcheval reviewed the PRs, look good, just a few comments
2018-07-30
![krogebry avatar](https://secure.gravatar.com/avatar/f49ced1d69d92f99bb7acbfb975ed4f1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
I’ve been thinking lately that we should be training the interview skills like we train anything else
![krogebry avatar](https://secure.gravatar.com/avatar/f49ced1d69d92f99bb7acbfb975ed4f1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
“How do you adapt when things don’t go as planned?” This question has nothing to do with devops per se, but is probably 90% of the actual job.
![johntellsall avatar](https://secure.gravatar.com/avatar/9120a17d44e0c40f2b781ec94a0cd43e.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0007-72.png)
my buddy Ian has a great series of Tech Interview Prep emails => https://www.facebook.com/technicalinterviewprep/
Technical Interview Prep by Email. 66 likes. Improve your technical interview chances by learning to think like an interviewer. Get new insight every day for 30+ days via Email.
![krogebry avatar](https://secure.gravatar.com/avatar/f49ced1d69d92f99bb7acbfb975ed4f1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
Nice
![krogebry avatar](https://secure.gravatar.com/avatar/f49ced1d69d92f99bb7acbfb975ed4f1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
I have a friend that I’m going to try to convince to start up a consulting company that would specialize in training for the interview process
![rajcheval avatar](https://secure.gravatar.com/avatar/4086c60d803abcefe05ba0844fe29221.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0012-72.png)
@Andriy Knysh (Cloud Posse) Thanks for merging my changes. I have one more PR for cloudfront resource ready for review.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@rajcheval thanks for the PR, looks good, merged to master
![Max Moon avatar](https://secure.gravatar.com/avatar/c5140df884cb23031870bc683b2e8315.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@Erik Osterman (Cloud Posse) if you want we can go over the specs you guys want for https://github.com/cloudposse/terraform-aws-ec2-autoscale-group and i can try to jam it out this week in my spare time
terraform-aws-ec2-autoscale-group - Terraform module provision an EC2 autoscale group
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
that would be awesome.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
When’s good for you?
![Max Moon avatar](https://secure.gravatar.com/avatar/c5140df884cb23031870bc683b2e8315.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
my general thoughts are that it should include:
- launch config
- autoscaling group
- basic security group (ingress + egress)
- min/max size vars
- enabled var
- volume size var
- vpc id
- user data script var (this would need to be a path using ${path.module} syntax in local module)
- elb enabled/disabled
- eip enabled/disabled
- dns record pointing to elb/eip?
- dns_zone_id var
![Max Moon avatar](https://secure.gravatar.com/avatar/c5140df884cb23031870bc683b2e8315.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
maybe some basic security group ingress/egress rules for things like ssh/http/https
![Max Moon avatar](https://secure.gravatar.com/avatar/c5140df884cb23031870bc683b2e8315.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
really any morning works for me
![Max Moon avatar](https://secure.gravatar.com/avatar/c5140df884cb23031870bc683b2e8315.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
above is a broad stroke, but that’d be the general idea
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Cool, tomorrow I’ll be busy until ~11:30. But free after that.
![Max Moon avatar](https://secure.gravatar.com/avatar/c5140df884cb23031870bc683b2e8315.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
cool, just DM me
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Yea, let’s move this to an issue under that repo
![Max Moon avatar](https://secure.gravatar.com/avatar/c5140df884cb23031870bc683b2e8315.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I know @maarten and @jamie will probably have some valuable input.
![Max Moon avatar](https://secure.gravatar.com/avatar/c5140df884cb23031870bc683b2e8315.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
My general thoughts are that it should include the following resources: launch config autoscaling group security group dns record iam instance profile iam role Variables: min/max size enabled volum…
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Ok, I’ve commented on it with some additional resources
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
A lot of the work has already been done by @jamie - we just need to modularize it
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I link to it in the GH issue
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
This is massively appreciated. We need this module as one of the building-blocks for us to rollout EKS support later, as well
![Max Moon avatar](https://secure.gravatar.com/avatar/c5140df884cb23031870bc683b2e8315.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Nice! Okay cool, I’ll take a look at it in a bit
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Also, we can roll it out in phases, if you don’t want to bite off too much at once.
![Max Moon avatar](https://secure.gravatar.com/avatar/c5140df884cb23031870bc683b2e8315.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
That is a good idea haha
2018-07-31
![pmuller avatar](https://secure.gravatar.com/avatar/fdb112fec548790fec3924f2cb149c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
hi
![pmuller avatar](https://secure.gravatar.com/avatar/fdb112fec548790fec3924f2cb149c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
I am in the process of migrating terraform modules to codecommit. However, as i already use codecommit on other AWS accounts, I cannot rely on ~/.ssh/config to define a default username; but I want to keep my terraform code generic. I do not want to put my IAM user ssh key id in all module statements, otherwise my coworkers and the CI won’t be able to use them. So I tried to use interpolation in the module source to optionally define a SSH username. I ended up reading a bunch of GH wont-fix issues, then found https://github.com/hashicorp/terraform/issues/15614 which tracks precisely what I would need. So, how can I handle my use case? Any suggestion?
(This was split out of #1439, to capture one of the use-cases discussed there.) Currently all of the information for requesting a module gets packed into the source string, which cannot be paramete…
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
i’ve had good luck using an iam role with codecommit, and the codecommit helper for aws cli
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
i just configure my aws config file with a profile that has perms to the codecommit repo, and then add the credential helper to my .gitconfig
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
the module source then looks like this:
source = "git::https://git-codecommit.REGION.amazonaws.com/v1/repos/REPO//PATH?ref=REF"
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Provides detailed steps for setting up to connect to AWS CodeCommit repositories over HTTPS on Linux, macOS, or Unix, including setting up a credential helper.
![pmuller avatar](https://secure.gravatar.com/avatar/fdb112fec548790fec3924f2cb149c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
I went the https way and it works fine. Thanks.
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Awesome! If you use a mac, be aware that the system gitconfig uses keychain as a credential helper and will catch and store the temporary credential… Causes problems cuz keychain doesn’t know it’s temporary… I have our team remove the credential helper from their system config
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Something like this, update for whatever region(s) and aws profiles you use:
git config --system --remove-section credential
git config --global --remove-section credential
git config --global --remove-section 'credential.https://git-codecommit.us-east-1.amazonaws.com'
git config --global credential.'https://git-codecommit.us-east-1.amazonaws.com'.helper '!aws --profile default codecommit credential-helper $@'
git config --global credential.'https://git-codecommit.us-east-1.amazonaws.com'.UseHttpPath true
![pmuller avatar](https://secure.gravatar.com/avatar/fdb112fec548790fec3924f2cb149c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
(and yeah, I would also like to avoid relying on a wrapper which would rewrite all module sources)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
As far as I can tell, @loren’s suggestion is not a wrapper to git. It adds an auth mechanism to the git config
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
You still interact directly with the git command
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Moving from one git repo such as GitHub to CodeCommit will necessarily require updating your module sources, no?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Also, using AWS services for open source implementations will often require some hacks. Just like ECR which requires also using the AWS cli to first generate credentials to docker login.
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
if you really want to use ssh auth to codecommit, another option is to use override.tf and define just the source field for the module
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
add override.tf to .gitignore to avoid committing it
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Terraform loads all configuration files within a directory and appends them together. Terraform also has a concept of overrides, a way to create files that are loaded last and merged into your configuration, rather than appended.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Wow, didn’t know about that feature :-)
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
very handy if you need to move the modules around between git remotes
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
i need to test it with nested modules though… not too sure off the top of my head exactly how i’d specify the module name
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Yea don’t see how it could work recursively
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
maybe nest things inside the override?
module "foo" {
module "bar" {
source = "..."
}
}
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
perhaps terragrunt has something to help write sources on-the-fly
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
i use terragrunt pretty extensively…. i think you can interpolate the top level source in the terragrunt block, but the source in any nested modules would not be interpolated… you’d have to get creative i think, with a terragrunt hook to edit the .tf file in place, after retrieving the modules…
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
no, that’s too late, the modules have already been cloned… hmm…
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I think it’s an interesting use-case
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Currently, our customers rely entirely on our git repo hosted modules
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
but I could see a case where they’d want to replicate them in-house, and then rewrite the base URL and pull locally
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
One way would be to use a HTTP proxy with url rewriting
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
(would only work with HTTP sources)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
since we run terraform in a container (geodesic), it would be pretty easy to introduce a proxy in the mix
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
oh, good point, nice
![pmuller avatar](https://secure.gravatar.com/avatar/fdb112fec548790fec3924f2cb149c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
oh, I did not know about tf overrides, that’s great, thank you @loren
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
(i’m looking into using them right now to help us solve our coldstart problem in a nicer way)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
terraform-root-modules - Collection of Terraform root module invocations for provisioning reference architectures
![pmuller avatar](https://secure.gravatar.com/avatar/fdb112fec548790fec3924f2cb149c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
you want to use overrides to disable the s3 remote state temporarily ?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
yea, exactly!
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
our hack right now is to use sed
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
terraform-root-modules - Collection of Terraform root module invocations for provisioning reference architectures
![pmuller avatar](https://secure.gravatar.com/avatar/fdb112fec548790fec3924f2cb149c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
yes i read that
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
so instead echo 'terraform { }' > overrides.tf
![pmuller avatar](https://secure.gravatar.com/avatar/fdb112fec548790fec3924f2cb149c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
i have the same issue on my side, so overrides are promising to solve a few ugly stuff (i really want to AVOID writing another tf wrapper… ;))
![pmuller avatar](https://secure.gravatar.com/avatar/fdb112fec548790fec3924f2cb149c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
in the meantime, i did another attempt to solve my issue: using https to access codecommit ; now i need to prefix some terraform and git commands with aws-vault, which is not that nice… but it works well
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
(or aws-vault exec ... -- bash)
![pmuller avatar](https://secure.gravatar.com/avatar/fdb112fec548790fec3924f2cb149c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
hehe yeah
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
and just operate in a session
![pmuller avatar](https://secure.gravatar.com/avatar/fdb112fec548790fec3924f2cb149c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
i discovered aws-vault a few weeks ago, thanks to you guys
![pmuller avatar](https://secure.gravatar.com/avatar/fdb112fec548790fec3924f2cb149c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
before i used a dumb python script i wrote to do the same
![pmuller avatar](https://secure.gravatar.com/avatar/fdb112fec548790fec3924f2cb149c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
but with much less features
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
yea, we did that too in the beginning
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
do you use the aws-vault login action? love that!
![pmuller avatar](https://secure.gravatar.com/avatar/fdb112fec548790fec3924f2cb149c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
https://github.com/pmuller/awsudo maybe i should archive this too now
awsudo - sudo for AWS roles
![pmuller avatar](https://secure.gravatar.com/avatar/fdb112fec548790fec3924f2cb149c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
yep, love it too :))
![pmuller avatar](https://secure.gravatar.com/avatar/fdb112fec548790fec3924f2cb149c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
and rotate !
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
yea, I should use rotate. haven’t yet.
![pmuller avatar](https://secure.gravatar.com/avatar/fdb112fec548790fec3924f2cb149c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
the only thing i don’t like is that aws-vault rotate doesn’t handle MFA yet, and i don’t like the idea of allowing key rotation without MFA
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
yea, it’s more strict
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
though i think we ended up allowing self-service key changes because developers would lose their IAM keys
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
…so they can login to the console and generate a new key pair
![pmuller avatar](https://secure.gravatar.com/avatar/fdb112fec548790fec3924f2cb149c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
guess it depends on your constraints
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
(but still require MFA to use keys)
![pmuller avatar](https://secure.gravatar.com/avatar/fdb112fec548790fec3924f2cb149c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
so you only allow MFA device management when authenticated with the MFA ?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
terraform-aws-iam-assumed-roles - Terraform Module for Assumed Roles on AWS with IAM Groups Requiring MFA
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
But I am definitely open to feedback
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
we wanted to allow new users to be able to setup their own MFA device without admin assistance
![pmuller avatar](https://secure.gravatar.com/avatar/fdb112fec548790fec3924f2cb149c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
so you allow MFA management without MFA but require it to deactivate it
![pmuller avatar](https://secure.gravatar.com/avatar/fdb112fec548790fec3924f2cb149c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
i have a similar policy in place
![pmuller avatar](https://secure.gravatar.com/avatar/fdb112fec548790fec3924f2cb149c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
but i do not like it
![pmuller avatar](https://secure.gravatar.com/avatar/fdb112fec548790fec3924f2cb149c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
but i do not require MFA to deactivate MFA…yet
![pmuller avatar](https://secure.gravatar.com/avatar/fdb112fec548790fec3924f2cb149c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
it means that a leaked API key or user password is enough to create a new MFA device, then use the new one to access all roles of the compromised user
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Yea, looking at this again, seems like we should require MFA for that
![pmuller avatar](https://secure.gravatar.com/avatar/fdb112fec548790fec3924f2cb149c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
yep !
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
unsure about "iam:ResyncMFADevice",
![pmuller avatar](https://secure.gravatar.com/avatar/fdb112fec548790fec3924f2cb149c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
resync = allowing the user to pass 2 consecutive tokens to AWS ?
![pmuller avatar](https://secure.gravatar.com/avatar/fdb112fec548790fec3924f2cb149c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
not sure I get how this could be dangerous
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
ok
![pmuller avatar](https://secure.gravatar.com/avatar/fdb112fec548790fec3924f2cb149c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
when digging about my terraform modules / codecommit issue, i stumbled upon some “Terrafile” projects ; any thoughts about these ?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I’m not familiar with terrafile
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Looks very interesting. Ultimately, what I want though is something more like this: https://github.com/dependabot/feedback/issues/118
what Open PRs against terraform repos when terraform modules have new releases Open PRs against terraform repos when terraform providers have new releases why It's an extremely diverse ecosyste…
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
To help us manage and keep deps up to date.
![pmuller avatar](https://secure.gravatar.com/avatar/fdb112fec548790fec3924f2cb149c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
oh that’s a nice service !
![pmuller avatar](https://secure.gravatar.com/avatar/fdb112fec548790fec3924f2cb149c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
i’d like the same for in house code
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
they support many languages and private repos
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Automated dependency updates. Dependabot creates pull requests to keep your Ruby, Python, JavaScript, PHP, .NET, Go, Elixir, Rust and Java dependencies up-to-date.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
we’re currently using them for Docker and Submodules.
![pmuller avatar](https://secure.gravatar.com/avatar/fdb112fec548790fec3924f2cb149c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
in my current company, all repositories are in VPCs, and I cannot imagine opening this up to the internet (very sensitive code)
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
I think the project core is open source, you could run it in house
![pmuller avatar](https://secure.gravatar.com/avatar/fdb112fec548790fec3924f2cb149c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
but for other businesses, i’ll definitely try this
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
heh, yea - understandable