#announcements (2018-08)

cloudposse Cloud Posse Open Source Community <#CB84E9V54 geodesic> <#CB6GHNLG0 terraform> <#CBW0HJDS8 release-engineering> <#CB2PXUHLL random> <#CB9N1MMFV releases> <#CB7CA7X0D docs>

This channel is for workspace-wide communication and announcements. All members are in this channel. Archive: https://archive.sweetops.com

2018-08-31

Jeff avatar

Quick question about terraform-aws-rds-cluster outputs… How do I ask for the cluster endpoint?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

hi @Jeff

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

The endpoint and reader_endpoint are not in the outputs of the module. https://www.terraform.io/docs/providers/aws/r/rds_cluster.html#attributes-reference

If you need them, you can open an issue, and we’ll add.

But you can provide a Route53 Zone Id, and the module will create subdomains (more friendly names) for both master and replicas. https://github.com/cloudposse/terraform-aws-rds-cluster/blob/master/outputs.tf#L21

Using Route53 is better since if you use the URL in your app and then rebuild the cluster, you will not have to update the URL (if you use endpoint and reader_endpoint, they will change after each rebuild).

AWS: aws_rds_cluster - Terraform by HashiCorp

Manages a RDS Aurora Cluster

cloudposse/terraform-aws-rds-cluster

Terraform module to provision an RDS Aurora cluster for MySQL or Postgres - cloudposse/terraform-aws-rds-cluster

Jeff avatar

ahh ok

Jeff avatar

do you have an example of that somewhere?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-root-modules

Collection of Terraform root module invocations for provisioning reference architectures - cloudposse/terraform-root-modules

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-aws-rds-cluster

Terraform module to provision an RDS Aurora cluster for MySQL or Postgres - cloudposse/terraform-aws-rds-cluster

Jeremy Grodberg (Cloud Posse) avatar
Jeremy Grodberg (Cloud Posse)

Is there a recipe somewhere for setting up a service with WebSocket/WebRTC ingress under Kubernetes on AWS?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

There shouldn’t be anything necessary to add. I believe @Daren and and @Max Moon haven’t had problems with this.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
What does the nginx.org/websocket-services annotation do? · Issue #322 · nginxinc/kubernetes-ingress

The documentation on WebSockets mentions: To load balance a WebSocket application with NGINX Ingress controllers, you need to add the nginx.org/websocket-services annotation to your Ingress resourc…

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

(Note that annotation is for the commercial edition which does not apply to you)

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

“Support for websockets is provided by NGINX out of the box. No special configuration required.”

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

So I guess what I mean to say is just configure the ingress as you would any other service.

Jeremy Grodberg (Cloud Posse) avatar
Jeremy Grodberg (Cloud Posse)

Thanks. I know ELB doesn’t support Websocket stickiness and I forgot we’re already using nginx.

Jeff avatar

For cloudposse/terraform-aws-rds-cluster… does anyone know why it won’t let me assign the value of a var for admin_password?

Jeff avatar

I get the following error…

Jeff avatar
Jeff
03:01:00 AM
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

i’ll check @Jeff

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

just created a cluster with the following config

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
module "rds_cluster_aurora_postgres" {
  source             = "git::<https://github.com/cloudposse/terraform-aws-rds-cluster.git?ref=master>"
  name               = "postgres"
  engine             = "aurora-postgresql"
  cluster_family     = "aurora-postgresql9.6"
  cluster_size       = "2"
  namespace          = "eg"
  stage              = "dev"
  admin_user         = "admin1"
  admin_password     = "Test123456789"
  db_name            = "dbname"
  instance_type      = "db.r4.large"
  vpc_id             = "vpc-XXXXXXXX"
  availability_zones = ["us-east-1a", "us-east-1b"]
  security_groups    = []
  subnets            = ["subnet-XXXXXXXX", "subnet-XXXXXXXX"]
  zone_id            = "ZXXXXXXXXXXXX"
}
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
output "name" {
  value       = "${module.rds_cluster_aurora_postgres.name}"
  description = "Database name"
}

output "user" {
  value       = "${module.rds_cluster_aurora_postgres.user}"
  description = "Username for the master DB user"
}

output "password" {
  value       = "${module.rds_cluster_aurora_postgres.password}"
  description = "Password for the master DB user"
}

output "cluster_name" {
  value       = "${module.rds_cluster_aurora_postgres.cluster_name}"
  description = "Cluster Identifier"
}

output "master_host" {
  value       = "${module.rds_cluster_aurora_postgres.master_host}"
  description = "DB Master hostname"
}

output "replicas_host" {
  value       = "${module.rds_cluster_aurora_postgres.replicas_host}"
  description = "Replicas hostname"
}
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
Outputs:

cluster_name = eg-dev-postgres
master_host = [master.postgres.XXXXXXXXX.net](http://master\.postgres\.XXXXXXXXX\.net)
name = dbname
password = Test123456789
replicas_host = [replicas.postgres.XXXXXXXX.net](http://replicas\.postgres\.XXXXXXXX\.net)
user = admin1
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@Jeff not sure why you have the error

2018-08-30

Matthew avatar
Matthew

Hello friends, I have a question regarding the rds_cluster_aurora_mysql terraform module - currently I have a security group with my IP as an ingress rule, then I utilize that security group using the module and specify the group within the “security_groups” parameter and when I try to connect from our IP it gives a connection refused. I can simply add the rule to the security group the module creates which is the exact same rule within the security group I attached to it and it’ll work properly. Any ideas?

Matthew avatar
Matthew

Also does anyone use Mesosphere DC/OS ?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

hi @Matthew

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

regarding terraform-aws-rds-cluster

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

you said and it'll work properly. Did you test it or just think it will work?

Matthew avatar
Matthew

If i add my ingress IP to the generated security group the module creates it’ll work

Matthew avatar
Matthew

But when i attach the security group with the same ingress IP rule in it to the generated security group the module creates it won’t work

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

did you test If i add my ingress IP to the generated security group the module creates?

Matthew avatar
Matthew

Yes

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

did you place the cluster instances into public or private subnets?

Matthew avatar
Matthew

public

Matthew avatar
Matthew

If the module would create a security group and allow me to specify some ingress rules that would solve my problem

Matthew avatar
Matthew

But as far as i can see, It only lets you attach pre-made security groups

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

do you see the other security group (with your IP) in the list of ingress rules for the cluster security group (that the module created)?

Matthew avatar
Matthew

Yes

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

can you show images of the two SGs with ingress rules?

Matthew avatar
Matthew

I sent in private chat

:--1:1

2018-08-27

 avatar
04:00:01 PM

There are no events this week

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

since we have quite a few new memembers since last week, I wanted to reintroduce the “Town Hall” meeting we have going on here

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

basically, we hold a ~1 hour call via Zoom. it’s an opportunity for everyone to get to know each other, share what their working on, ask questions, and help us steer the direction of what we’re building

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
Doodle: SweetOps "Town Hall" Meeting attachment image

Meetings will be conducted via Zoom (recorded) and held every couple weeks at different times to accommodate different geographies.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Vote for the next time that works for you. We may run multiple meetings so we can be as inclusive as possible.

2018-08-26

maarten avatar
maarten

Hey everyone, I’ve invited @alex.somesan , he worked before with CoreOS on Tectonic, and will now work on the Kubernetes Provider at Hashicorp .. Welcome

alex.somesan avatar
alex.somesan

Hi all! Thanks for having me around. This channel feels familiar. As Maarten said, i was involved in writing the installer tool for Tectonic on a few different cloud providers and before that i spent a few years at AWS. I hope I can help out around here. See you around!

maarten avatar
maarten

And we both are two horrible Terraform User Group organizers in Berlin

alex.somesan avatar
alex.somesan

The worst!

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@alex.somesan welcome!

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I never got to use Tectonic, but heard great things about the distribution

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We could certainly learn a lot from someone with your background!

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

So you’re now working with the terraform-kubernetes-provider?

alex.somesan avatar
alex.somesan

I’m starting with Hashicorp beginning of September. Most likely that provider will be my first endeavor there.

1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Cool - we haven’t started using that provider yet for anything. Mostly use helm for everything now. But I would be open to learning about complementary use-cases where the provider would help us out.

antonbabenko avatar
antonbabenko

Hi @alex.somesanand welcome.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
04:45:25 AM

Who will be #100?

2

2018-08-25

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@Dave how did it go with the bastion on ECS?

2018-08-24

Max Moon avatar
Max Moon

Not sure if anyone else listens to this but generally some pretty good stuff on here: https://kubernetespodcast.com/

:--1:1
1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Thanks for sharing. Listened to an episode today in the car. Got a lot out of it.

2018-08-23

loren avatar
loren

oh, i missed the mention of pullrequestreminders, that is awesome, just added it to our workspace

pecigonzalo avatar
pecigonzalo

Hello!

1
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

welcome @pecigonzalo

adamstrawson avatar
adamstrawson

Hi all, We’re looking at implementing the Bastion container alongside github-authorized-keys, but despite following the docs to the letter, I keep getting the below error on github-authorized-keys when attempting to sync users, anyone experienced it before?

{"job":"syncUsers","level":"error","msg":"exit status 1","subsystem":"jobs","time":"2018-08-23T15:16:19Z"}
adduser: Specify only one name in this mode.

I’ve not defined either SYNC_USERS_GID or SYNC_USERS_GROUPS, so it should be defaulting to adduser {username} --disabled-password --force-badname --shell {shell}, which I can’t see why it would be triggering the above error

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@adamstrawson I will get back to you in a couple hours.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@adamstrawson can you give me a little bit more context

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

are you deploying on kubernetes, ECS or regular instances?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)


adduser: Specify only one name in this mode.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

yes, I’ve experienced similar problems before.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

So our default command template works with alpine linux (if I recall correctly)

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

adduser is unfortunately not standardized across linux distributions

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

this is why we allow the command template to be defined with an environment variable

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I presume you’re not running the github-authorized-keys daemon inside of the bastion container (which is not advisable)

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@pecigonzalo anything we can help you out with?

pecigonzalo avatar
pecigonzalo

Not really at the moment

adamstrawson avatar
adamstrawson

Hi @Erik Osterman (Cloud Posse) Thanks for coming back to me. This is on a regular instance (on Digital Ocean), running Ubuntu 16.04

adamstrawson avatar
adamstrawson

we’re not tied to using Ubuntu though, so if it’s better supported with Alpine or similar I don’t mind going with that

adamstrawson avatar
adamstrawson

I just used Ubuntu out of habit for my test servers

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
cloudposse/terraform-template-user-data-github-authorized-keys

Contribute to terraform-template-user-data-github-authorized-keys development by creating an account on Github.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

that defines the template compatible for debian systems

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

(albeit a year or two old)

adamstrawson avatar
adamstrawson

Great, I’ll have a play with that - Thanks

adamstrawson avatar
adamstrawson

@Erik Osterman (Cloud Posse) That did the trick, thanks. Next question i’m afraid, I’m struggling to see how you get the github-authorized-keys container and the bastion container to work together. They’re both running and working independently, but the bastion container doesn’t seem to want to do anything with the keys (eg. if I ssh to -p 1234, I get permission denied.) github-authorized-keys has synced the users and keys to the host machine (I can ssh fine to the host machine with a synced user), but via the bastion container it doesn’t detect any keys. Can’t see in the docs how the two work together

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Sure, let me explain (but gimme a few to get back to you)

adamstrawson avatar
adamstrawson

Thank you, no rush

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Are you familiar with the sidecar pattern?

adamstrawson avatar
adamstrawson

I am

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

cool

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@adamstrawson I’m going to move this discussion to #security

Dave avatar

hi there, any tips for getting https://github.com/cloudposse/bastion working on ECS (amazon linux)? I have both containers running (bastion, and github-authorized-keys) but I’m not really sure how one makes use of the other and the exact volume mounts I need

cloudposse/bastion

bastion - Secure Bastion implemented as Docker Container running Alpine Linux with Google Authenticator & DUO MFA support

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@Dave would love to work with you to figure that out. Haven’t yet tried to deploy it that way.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I am about to head to bed, but maybe ping me tomorrow or open up a GitHub issue and we can have a discussion there

Dave avatar

@Erik Osterman (Cloud Posse) ok thank you! will do

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Basically, you would want to deploy a task with two containers

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

GitHub authorized keys would be a sidecar to the bastion

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Are you familiar with Kubernetes?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I could show you an example there

Dave avatar
cloudposse/charts

charts - The “Cloud Posse” Distribution of Kubernetes Applications

Dave avatar

I think I’m close

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Yes that’s the one

Dave avatar

I’ll open an issue if I can’t figure it out by the end of the day (here in Melbourne, AU). I may open an issue anyway, to share my task definition

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Would love for you to share that task definition if you get it working

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I think others would dig it

Dave avatar

yeah no worries

2018-08-22

loren avatar
loren
GitOps: A Path to More Self-service IT - ACM Queue

IaC + PR = GitOps: GitOps lowers the bar for creating self-service versions of common IT processes, making it easier to meet the return in the ROI calculation. GitOps not only achieves this, but also encourages desired behaviors in IT systems: better testing, reduction of bus factor, reduced wait time, more infrastructure logic being handled programmatically with IaC, and directing time away from manual toil toward creating and maintaining automation.

tamsky avatar
tamsky
probot/probot

probot - A framework for building GitHub Apps to automate and improve your workflow

tamsky avatar
tamsky

@loren this may be the GitOps article you mentioned in townhall? https://queue.acm.org/detail.cfm?id=3237207

GitOps: A Path to More Self-service IT - ACM Queue

IaC + PR = GitOps: GitOps lowers the bar for creating self-service versions of common IT processes, making it easier to meet the return in the ROI calculation. GitOps not only achieves this, but also encourages desired behaviors in IT systems: better testing, reduction of bus factor, reduced wait time, more infrastructure logic being handled programmatically with IaC, and directing time away from manual toil toward creating and maintaining automation.

loren avatar
loren

yep

tamsky avatar
tamsky
Dependabot

Automated dependency updates

tamsky avatar
tamsky
claranet/python-terrafile

python-terrafile - Manages external Terraform modules

:--1:1
antonbabenko avatar
antonbabenko

yes

antonbabenko avatar
antonbabenko
antonbabenko/terrible

terrible - Let’s orchestrate Terraform configuration files with Ansible! Terrible!

antonbabenko avatar
antonbabenko
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

this is perfect!!

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

thanks

antonbabenko avatar
antonbabenko

You are welcome!

tamsky avatar
tamsky

Thanks for arranging todays townhall @Erik Osterman (Cloud Posse), kudos!

loren avatar
loren

ditto, good stuff

antonbabenko avatar
antonbabenko

Good stuff! Great to e-meet some of you today

:--1:2
tamsky avatar
tamsky

Regarding bitly/oauth2_proxy — I mentioned the “sidecar” authentication mode, which is the 401 redirect. Here’s someone else’s writeup of how to use it wtih nginx. (My usage is very similar…)

Prometheus authentication with oauth2_proxy - Carlos Alexandro Becker

I wanted to set up a prometheus machine for me to monitor random stuff, but I was always postpone that because I didn’t want to use SSH port-forwarding, firewalls, create a VPC and/or setup an OpenVPN server or anything like that.

antonbabenko avatar
antonbabenko

Can somebody remind me where is the self-hosted version of TF Registry? I remember I saw some repo before summer, but can’t remember now.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

oh, i recall seeing an anouncement for that

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

but thought it was for enterprise

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
Terraform Registry - Private Registry - Terraform by HashiCorp

Terraform can load private modules from private registries via Terraform Enterprise.

antonbabenko avatar
antonbabenko

no-no. It is someone’s open initiative, so code was on github 100%

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

aha

antonbabenko avatar
antonbabenko

it was incomplete, but still better than starting from scratch probably…

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
apparentlymart/terraform-simple-registry

Contribute to terraform-simple-registry development by creating an account on Github.

antonbabenko avatar
antonbabenko

Thanks, yes!

antonbabenko avatar
antonbabenko
outsideris/citizen

citizen - A Private Terraform Module Registry

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@antonbabenko what are you working on ?

antonbabenko avatar
antonbabenko

It is not for me

antonbabenko avatar
antonbabenko

I just want to see open-source version of everything… now this - [terrahub.io> </i](http://terrahub.io)

:--1:1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

oh wow, that’s cool - terrahub

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

smart idea for SaaS

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
Introducing TerraHub.io — DevOps Hub for Terraform – TerraHub – Medium attachment image

Over the last couple of months we have been working with several customers to reduce the development burden of terraform configuration and…

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Better explanation

antonbabenko avatar
antonbabenko

follow me on twitter - https://twitter.com/antonbabenko - I blog almost exclusively about Terraform

Anton Babenko (@antonbabenko) | Twitter

The latest Tweets from Anton Babenko (@antonbabenko). AWS / Terraform / Architecture / DevOps fanatic. I like organizing related events and speak often. Oslo, Norway

:--1:1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)


We have sailed 1500 miles from Spain to Greece and now back to the life on the land!

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

wow jealous!

1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We had a successful “Town Hall” meeting. Unfortunately, I forgot to click “record”, but will do that next time.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I will be posting some meeting notes later on today

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

For now, I’ve setup a poll to vote for the next meeting time (for September 5th)

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

https://doodle.com/poll/d8z7m9u8n2ddtmfp (thanks @antonbabenko for suggestion)

Doodle: SweetOps "Town Hall" Meeting attachment image

Meetings will be conducted via Zoom (recorded) and held every couple weeks at different times to accommodate different geographies.

tarrall avatar
tarrall

Howdy folks. n00b user here! :wave: We’re trying out the AWS “reference architecture” stuff (docs.cloudposse.com/reference-architectures/) and have some n00b questions.

First up… we’ve followed the cold-start process and now have [root.example.com>, prod.example.com etc repos, accounts stood up, k8s cluster up in prod. Which is cool, but the current Dockerfile is basically an intermingling of configuration and code, making updating it to track the “upstream” versions (e.g. <http://prod.cloudposse.co/Dockerfile prod.cloudposse.co/Dockerfile`](http://root.example.com)) awkward. Are there plans to extract the configuration into a separate file in order to make the existing repo more usable longterm, or is this intended more as a “here’s an example of how you might glue this all together” repo rather than a tool you’d use directly?
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@tarrall you’re a very advanced “n00b” if you got that far

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

congrats!

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

let’s move the discussion to #geodesic if you don’t mind

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

i’ll answer there

tarrall avatar
tarrall

Well, actually much of this was set up when I got here and yup moving

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

aha, you’re at Flowtune

tarrall avatar
tarrall

:–1:

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

cool

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Here’s are the minutes from today’s Town Hall meeting:

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
SweetOps Town Hall Meeting attachment image

Today we had our first “Town Hall” meeting where members of our SweetOps community (slack.cloudposse.com) got together on a Zoom conference call to talk shop. Remember to vote when we should have our next call. Discussion Points GitOps - CI/CD Automation of Terraform Git ChatOps OAuth

:--1:1
sarkis avatar
sarkis

@mrwacky welcome

2

2018-08-21

OGProgrammer avatar
OGProgrammer

Been using the EB app and env TF repos y’all made. Love it.

OGProgrammer avatar
OGProgrammer

TY!

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@OGProgrammer thanks! Appreciate it

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

welcome to community!

:--1:1

2018-08-20

 avatar
04:00:01 PM

There is 1 event this week

Townhall Meeting (SweetOps)

August 22nd, 2018 from 9:00 AM to 9:50 AM GMT-0700 at https://zoom.us/j/299169718

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@here join us for our first open “Townhall” meeting this wednesday. Get to know everyone, ask questions, debate strategies, anything goes…. it’s an open discussion and everyone is invited!

loren avatar
loren

timezone? also, that link opens a google calendar… is that shared somewhere or is it private?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I can also invite you directly

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

timezone is PST.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We selected 9am since it works well with GMT too

loren avatar
loren

ahh my bad, just had to switch to the gsuite account associated with this workspace, now i see the event!

loren avatar
loren

nice integration

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
:--1:1

2018-08-17

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

Finally they caught up with the latest version 6.3 of Kibana and ES client

2018-08-15

pericdaniel avatar
pericdaniel

So for terraform AWS ssm parameters store…. Do I use that module to store the ssm values that I want to store? Then use the data and resource piece of that into another terraform module I have to call those values?(sorry I’m still new to all this!) My goal is there I don’t want my access and secret keys in plain text so I want to have another module that will call those values and then I can pass those values as access and secret keys in AWS…(videos would be nice if you can explain it)

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

hi @pericdaniel

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

yes you can use https://github.com/cloudposse/terraform-aws-ssm-parameter-store to write secrets to SSM from one Terraform module and then read the secrets from another TF module

cloudposse/terraform-aws-ssm-parameter-store

terraform-aws-ssm-parameter-store - Terraform module to populate AWS Systems Manager (SSM) Parameter Store with values from Terraform. Works great with Chamber.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-aws-ssm-parameter-store

terraform-aws-ssm-parameter-store - Terraform module to populate AWS Systems Manager (SSM) Parameter Store with values from Terraform. Works great with Chamber.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

we also use https://github.com/segmentio/chamber to write and read secrets from SSM

segmentio/chamber

chamber - CLI for managing secrets

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

take a look at our reference architectures https://docs.cloudposse.com/reference-architectures/ - shows how we use Terraform/chamber/SSM together

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

here are a few possible scenarios:

  1. Use terraform-aws-ssm-parameter-store to write secrets from one TF module, and use terraform-aws-ssm-parameter-store to read secrets from another TF module
  2. Use terraform-aws-ssm-parameter-store to write secrets from a TF module, and then use chamber in a CI/CD pipeline to read secrets from SSM and populate ENV vars for the application beign deployed
  3. Use chamber to write secrets to SSM, and then use chamber in a CI/CD pipeline to read secrets from SSM and populate ENV vars for the application beign deployed
pericdaniel avatar
pericdaniel

Thank you! I’ll look into it tomorrow!

2018-08-13

 avatar
04:00:01 PM

There are no events this week

2018-08-12

2018-08-10

Sebastian Nemeth avatar
Sebastian Nemeth

I have a stupid question, but what is the correct set up for using geodesic modules in CI/CD? Is the goal to have changes to infrastructure auto-deployed through promotion through CD pipelines, or is the cloudposse approach all about pushing things from CLI using the geodesic wrapper?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Our ultimate goal is to do exactly what you want: test and deploy the geodesic-based containers as part of cicd.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

The interactive cli was the easiest way to get started.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I think it’s about a week worth of effort to implement. Basically, the way we look at it is this: infrastructure as code is the same as all other code. Therefore we should treat it the same. Package the infrastructure inside a geodesic container. Test that container. If successful, push image to repo. Deploy to target environment by running container and calling apply.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

So what I don’t like about Atlantis is that it violates this paradigm. It does not treat infrastructure as code like all other code. It requires a new standalone CI/CD system (the Atlantis daemon) to work, which is different from how we deploy all other software. I am not ripping on Atlantis; I think it’s cool what it does. I just wish it was compatible with the containerized approach we take, which is how all other modern software is deployed.

:--1:1
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

this cold be useful for dev and staging environments (low cost) https://aws.amazon.com/blogs/aws/aurora-serverless-ga/ (no Postgres yet)

Aurora Serverless MySQL Generally Available | Amazon Web Services attachment image

You may have heard of , a custom built MySQL and PostgreSQL compatible database born and built in the cloud. You may have also heard of , which allows you to build and run applications and services without thinking about instances. These are two pieces of the growing AWS technology story that we’re really excited […]

2018-08-09

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

If you’re still waiting on a PR code review or some other issue, let me know!

Sebastian Nemeth avatar
Sebastian Nemeth

Just the PR I pushed to geodesic yesterday

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Thanks! I have assigned it to @Andriy Knysh (Cloud Posse) to test

2018-08-08

pericdaniel avatar
pericdaniel

What’s everyone doing these days to learn kubernetes and terraform?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We don’t have any materials yet to start from ground zero.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

But here are some resources I recently researched for another client.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
Kubernetes By Example

This is a hands-on introduction to Kubernetes. Browse the examples: pods labels replication controllers deployments services service discovery health checks environment variables namespaces volumes secrets logging jobs nodes Want to try it out yourself? You can run all this on Red Hat’s distribution of Kubernetes, OpenShift. Follow the instructions here for a local setup or sign up for openshift.com for an online environment.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
Tutorial : Getting Started with Kubernetes with Docker on Mac attachment image

If you are looking for running Kubernetes on your Windows laptop, go to this tutorial.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Both are for getting started with kubernetes and learning by example using a local kubernetes cluster.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

As for learning Terraform, I know @jamie has some tutorials he’s been working on, but not sure if they are public.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
kelseyhightower/kubernetes-the-hard-way

kubernetes-the-hard-way - Bootstrap Kubernetes the hard way on Google Cloud Platform. No scripts.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@pericdaniel I’ve started an issue to track this so we can update our docs. Please add any links that you find useful. https://github.com/cloudposse/docs/issues/205

Document Resources for Getting Started with Kubernetes and Terraform · Issue #205 · cloudposse/docs

what we should provide a curated list of links why For people just getting started with Terraform and Kubernetes, references e.g. https://github.com/kelseyhightower/kubernetes-the-hard-way http://k…

pericdaniel avatar
pericdaniel

Thank you so much!

jamie avatar
jamie
Kubernetes Tutorials, Resources, and Courses. – Pavan Belagatti – Medium attachment image

I am too active on LinkedIn and I always share posts on DevOps and about other DevOps tools. Since Kubernetes is really making it big in…

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

hi @pericdaniel

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

practice in writing TF modules and helm charts and provisioning real infrastructure - it’s a slow process

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

(no books can substitute that :)

:--1:1
Luke avatar

Hi all, wondering if someone could point me in the right direction to get the bastion docker image working with the github integration, both running on docker on the same host.

Luke avatar

Does anyone have a working compose file I could look at?

sarkis avatar
sarkis

@pericdaniel shameless plug, check out docs.cloudposse.com.. tons of open source modules on GitHub as well that will take the initial work of getting kubernetes running a much easier task than it really is… Then as @Andriy Knysh (Cloud Posse) said, nothing can replace just doing things on the cluster - use kubectl until you are comfortable with it and then start automating it out of your workflow

:100:1
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

as @sarkis pointed out, take a look at our docs https://docs.cloudposse.com/ and also our reference architectures https://docs.cloudposse.com/reference-architectures/

pericdaniel avatar
pericdaniel

Thank you! I have been looking through those modules and they look great. Just slowly learning and getting through it

sarkis avatar
sarkis

I’ll say from experience aha moment will take a couple weeks. Once you get there though - you will wonder where these modules were all your tech life

sarkis avatar
sarkis

Also please do contribute, ask here, or open issues as you go through if something is not clear…

sarkis avatar
sarkis

@Luke how far along are you? If you share some context/dockerfiles/compose I could try and help.

Luke avatar

@sarkis - I’m having issues getting the bastion talking to the github api.

If you have any docket files I can scan over that would be a massive help

sarkis avatar
sarkis

Hm, I have not done this myself before, however first thing I’d check is the networking outbound from the bastion docker container

i5okie avatar
i5okie

back to docker kibana… im now getting this. just wondering have you seen this issue too?

i5okie avatar
i5okie
04:12:39 PM
rfaircloth avatar
rfaircloth

I found this place because of copyright-header

rfaircloth avatar
rfaircloth

Any maintainer hanging around?

jamie avatar
jamie

Hi @rfaircloth

jamie avatar
jamie

@sarkis and @Erik Osterman (Cloud Posse) should be online around now too normally

rfaircloth avatar
rfaircloth

Great project, I am looking at a missing feature if I have a license with a copy right in it. When a new release is produced the copy right year should be updated Is that something that can be done (I could be missing it)

jamie avatar
jamie

@Erik Osterman (Cloud Posse)

rfaircloth avatar
rfaircloth

@Erik Osterman (Cloud Posse) I’m following your copyright-header project I sent over a PR with some minor things I could fix/enhance. I’m not a ruby dev getting stuck on last tweak. When a release is issued for IP protection the new release should have updated copyright. in parser.rb/ def add(license) there is a if condition “if has_copyright?” I’m just not getting the syntax but using the regex “([cC]opyright(?:(C))?)([^ ]{2,20})” to replace and substitute updated year value would do the job rather than raise exception. If the substitution doesn’t change anything then raise the exception

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@i5okie regarding kibana, did you use any IAM access policy to control access to the cluster?

i5okie avatar
i5okie

no

i5okie avatar
i5okie

its setup with VPN, and access policy is *

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
04:26:03 PM
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

what is your?

i5okie avatar
i5okie
04:26:50 PM
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

also, another reason could be a time drift in Docker container, which prevents AWS request from being properly signed

i5okie avatar
i5okie

right

i5okie avatar
i5okie

right now im trying to figure out why docker isn’t exposing the kibana port.

i5okie avatar
i5okie
04:28:55 PM
i5okie avatar
i5okie
kibana_1 {“type”“2018-08-08T16:28:00Z”,“tags”1,“message”:“Server running at http://0.0.0.0:5601”}
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
Kibana is only reachable from inside Docker container · Issue #12918 · elastic/kibana

Kibana version: 5.5.0 Elasticsearch version: 5.5.0 Server OS version: Debian 8 with Docker 17.06.0-ce Original install method (e.g. download page, yum, from source, etc.): docker-compose.yml Descri…

i5okie avatar
i5okie

funny enough thats what im looking at right now

:--1:1
i5okie avatar
i5okie

works

1
i5okie avatar
i5okie

but back to the authorization issue

i5okie avatar
i5okie

oh i lost the –oss flag dang it

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@i5okie same issues with credentials or signature headers?

i5okie avatar
i5okie

signature headers… the xpack thing

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@smoll i personally did not test bastion, can take a look. Maybe @Erik Osterman (Cloud Posse) will help faster when he is online

smoll avatar
smoll

no worries @Andriy Knysh (Cloud Posse). the bastion error looks like it could be stemming from the fact that github-authorized-keys isn’t able to manage users properly (due to the connection failure). i wonder if i’m missing a required field from https://github.com/cloudposse/github-authorized-keys in https://github.com/cloudposse/charts/blob/master/incubator/bastion/values.yaml#L11

i5okie avatar
i5okie
06:08:08 PM

Back to this. Running Kibana from Docker. Looks like it connected to ellastic search. But the pages are all blank.

i5okie avatar
i5okie
06:08:51 PM
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

Oh well @i5okie how do you find those empty Kibanas :)

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

Can you try to delete all browser cache just in case, or use a different browser?

i5okie avatar
i5okie

i dont know

i5okie avatar
i5okie

wtf

i5okie avatar
i5okie

it works in firefox

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

Haha

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

Browser cache

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

So you had it working before too

i5okie avatar
i5okie

this is so odd

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

Just did a nice exercise with Docker, which is good for you too :)

i5okie avatar
i5okie

kibana from AWS ES, loads fine in chrome.

i5okie avatar
i5okie

this is same version too

i5okie avatar
i5okie
06:15:06 PM

i see.

i5okie avatar
i5okie

its the basic auth. thats the issue

i5okie avatar
i5okie

this happens when i have basic auth on nginx. for troubleshooting i turned nginx off and piped all traffic to docker instead. so firefox didn’t have the basic auth, and chrome had it.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

Ok I see

i5okie avatar
i5okie

ok for future reference: If someone sets up Kibana separate from ElasticSearch, proxied through NGINX, and gets a blank screen. After basic authentication Kibana will load, but when requesting data from elasticsearch NGINX passes the basic auth headers which ES doesn’t like. The following nginx config flushes the auth header.

:--1:1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Good sleuthing!

i5okie avatar
i5okie
06:57:09 PM

/etc/nginx/conf.d/kibana.conf

i5okie avatar
i5okie

have to reset the auth header when passing to proxy

:--1:1
smoll avatar
smoll

so it looks like this error Connection to [github.com> failed <https://github.com/cloudposse/github-authorized-keys/blob/111b4401d4597c6a97b7a5316bcd35e697ab07ff/api/github.go#L32](http://github.com) is getting raised no matter what the actual error is, for example even if i change the oauth token to "x" i get the exact same error

cloudposse/github-authorized-keys

github-authorized-keys - Use GitHub teams to manage system user accounts and authorized_keys

smoll avatar
smoll

i take that back, i think this is just me… when i ran the docker image locally i definitely don’t get this exception, with the exact same credentials. there’s definitely something funky with how the service is running on my GKE cluster… not sure if it’s a problem with the chart or some configuration issue with my cluster though…

cloudposse/github-authorized-keys

github-authorized-keys - Use GitHub teams to manage system user accounts and authorized_keys

smoll avatar
smoll

Figured out the first problem: https://github.com/cloudposse/charts/blob/master/incubator/bastion/templates/deployment.yaml#L69 /etc volume mount blasts away etc/ssl which means it can’t initiate an SSL connection

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

we had to do some hacks to get it to work and currently don’t have it deployed because our custom is now using a far superior solution: telelport.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I think teleport is free for small clusters

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

and still affordable for enterprises.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
gravitational/teleport

teleport - Privileged access management for elastic infrastructure.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

they have an “open core” model, where most features are available free in the open source version

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

and some enterprise features require a subscription.

smoll avatar
smoll

ah gotcha, will check teleport out

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Hey y’all - sorry, I am AWOL. Traveling today to Tulum, MX on vacation. Will be available intermittently. Looks like a lot has been discussed today! Will reply to all threads as soon as we get settled.

:--1:1
1
2

2018-08-07

i5okie avatar
i5okie

hey guys, slightly off-topic perhaps, question…

i5okie avatar
i5okie

Have you guys ever use an external Kibana with an AWS ElasticSearch domain?

i5okie avatar
i5okie

I’ve just supposedly connected a Kibana on ec2 instance to ES domain, but kibana’s blank

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We recently have been using that!

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Did you know that AWS ElasticSearch ships with kibana

i5okie avatar
i5okie

yeah but you can’t extend if plugins

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

aha

i5okie avatar
i5okie

it with*

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

so we also have been using the helm chart for kibana on kubernetes

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

we pretty much only do containerized stuff these days

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
cloudposse/helmfiles

helmfiles - Comprehensive Distribution of Helmfiles. Works with helmfile.d

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@Andriy Knysh (Cloud Posse) might have some insights

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

yea, we deployed Kibana on K8s and connected it to AWS Elasticsearch

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

we also used the Kibana that comes with Elasticsearch

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@i5okie did you deploy the ES cluster into AWS public domain or into your VPC?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

but @i5okie brings up a good point about the plugins. we haven’t yet gone deep on ES.

i5okie avatar
i5okie

VPC

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

ok, good point about plugins, we need to look at it

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

about VPC… Did you create the correct Security Groups to connect from the EC2 instance to the cluster?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

and also, did you use any IAM policies for ES?

i5okie avatar
i5okie
05:46:33 PM

this is when I start kibana in cli with -e and point to ES domain

i5okie avatar
i5okie

right now my security policy on ES is just opened up completely. and security group’s open for the EC2 instances.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

looks good

i5okie avatar
i5okie

except every page in Kibana is blank, besides the menu

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

what do you mean by empty Kibana?

i5okie avatar
i5okie
05:47:41 PM
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

nothing on the right side?

i5okie avatar
i5okie
05:48:25 PM
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

if you click on Dev Tools

i5okie avatar
i5okie

nope, only shows if i look at status. everything else is empty. including dev tools

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

hmm, never seen that

i5okie avatar
i5okie

ikr

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

maybe broken Kibana?

i5okie avatar
i5okie

hmm

i5okie avatar
i5okie

could be. i installed it by downloading the rpm. so i can match the version

i5okie avatar
i5okie

maybe i need to get the -oss flavor one?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

not sure. we did install it from https://github.com/cloudposse/helmfiles/blob/master/helmfile.d/0630.kibana.yaml (it uses the Kibana chart)

i5okie avatar
i5okie

ah docker.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
helm/charts

charts - Curated applications for Kubernetes

i5okie avatar
i5okie

I’m still a docker n00b for the most part. nevermind kubernetes

i5okie avatar
i5okie

about to switch production app from heroku to elasticbeanstalk. and i’ve been getting a pretty clear message that ECS is probably the way to go instead..

i5okie avatar
i5okie

so im going to have to do more learning

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

yea, that’s good

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

you can try diff versions from rpm

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

(it’s easy to break stuff with Kibana, even if server and client have diff versions, will be a lot of issues)

i5okie avatar
i5okie

interesting. so you guys are using kibana 6.3.1… but AWS ES is on 6.2 there’s no version mismatch? like it doesn’t complain?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

it did

i5okie avatar
i5okie

hmm

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

we told it to use 6.0.0

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

for the client

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/helmfiles

helmfiles - Comprehensive Distribution of Helmfiles. Works with helmfile.d

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

KIBANA_IMAGE_TAG was set to 6.0.0

i5okie avatar
i5okie

ah

i5okie avatar
i5okie

ok i’ll try the docker route

i5okie avatar
i5okie

thanks

i5okie avatar
i5okie

while im here… So I know what docker is, i’ve built docker images, ran them locally, made one for circleci.. bam. What would be a good path to go from here? if you’re using Kubernetes, do you use aws EKS instead of ECS then?

i5okie avatar
i5okie

at this point i just have the aws associate architect cert.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I think it depends a little bit about your use-case, how many services, how many engineers, etc

i5okie avatar
i5okie

me myself and i are the only devops engineers here. at least for now. lol

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I think kubernetes is awesome for teams of 5+ hands on engineers who will share devops responsibilities, and where you have a lot of services to deploy.

i5okie avatar
i5okie

ah gotcha

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

But the kubernetes ecosystem moves so fast, that as a solo-engineer whose job is to maintain it, it will be a lot of work, as much as I hate to say it.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Kubernetes >> ECS. However, for simpler use-cases, it’s still awesome.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

have you seen our modules for ECS?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

I think the easiest way now is SSH to the EC2 instance and run Kibana in Docker, just to confirm everything is ok

:--1:1
i5okie avatar
i5okie

so at what point does it make sense to go from elastic beanstalk which would manage about 16+ instances.. to ECS?

i5okie avatar
i5okie

ah thats a good idea @Andriy Knysh (Cloud Posse)

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We had really bad experiences with beanstalk. Namely, lots of failed deploys due to dependencies failing (temporary 503s, or broken rpm repos, etc). I think if we did it again, and had beanstalk as a requirement (e.g. due to customer), we would use beanstalk+containers.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

but given the choice between beanstalk and ECS, ECS would definitely be my pick.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

containers solve so many problems about packaging dependencies, testing, and deployment

i5okie avatar
i5okie

i’ve been looking at Segment’s Stack (terraform modules) pretty opinionated. but kind of cool. so im using your modules to sort of setup a good infrastructure with public/private subnets, EB.. etc. (someone before me ended up putting everything except DB to public subnets)

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

yea, no fun taking over that kind of environment.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

hopefully you can make some big inroads on how they architect things

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
08:01:42 PM

added an integration to this channel: Google Calendar

2018-08-06

smoll avatar
smoll

i stumbled on https://github.com/cloudposse/bastion earlier today and it looks really nice, but i’m wondering if the primary use case is to connect to stuff in a preexisting k8s cluster. what about if the primary use case is terraforming/modifying the cluster itself? in that case, wouldn’t it be better if the bastion lived outside of the cluster entirely?

cloudposse/bastion

bastion - Secure Bastion implemented as Docker Container running Alpine Linux with Google Authenticator & DUO MFA support

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@smoll the bastion can satisfy both use-cases, but we used it with Kubernetes.

cloudposse/bastion

bastion - Secure Bastion implemented as Docker Container running Alpine Linux with Google Authenticator & DUO MFA support

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

it’s still a great way to run a bastion on a classic EC2 instance b/c you jail the SSH session in a container reducing the blast radius.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Plus, containers are a great way to distribute/deploy software in a consistent, repeatable manner.

smoll avatar
smoll

fair. i think i’m leaning towards skipping the EC2 instance altogether though (for a GKE Private Cluster), because i just need to poke a hole in the firewall just to deploy this one service, and then use the jumpbox to bootstrap everything else. brilliant!

smoll avatar
smoll

so i tried using the helm chart you guys provided, but the bastion container keeps failing with /etc/ssh/sshd_config: No such file or directory and i see

{"job":"syncUsers","level":"error","msg":"Connection to [github.com](http://github\.com) failed","subsystem":"jobs","time":"2018-08-08T17:14:10Z"}
{"job":"syncUsers","level":"error","msg":"Connection to [github.com](http://github\.com) failed","subsystem":"jobs","time":"2018-08-08T17:19:11Z"}

in the logs for github-authorized-keys… however, when i SSH into the pod and try to ping [github.com> echo -e "GET /\n\n" | nc <http://github.com|github.com](http://github\.com) 80, it looks okay. any ideas?

jengstro avatar
jengstro

hello all

jengstro avatar
jengstro

does anyone happen to know why I am getting the following odd error when trying to stand up an RDS cluster with terraform-aws-rds-cluster?

jengstro avatar
jengstro
11:41:52 PM
jengstro avatar
jengstro

thx in advance

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

hi @jengstro

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

what db are you trying to deploy, MySQL or Postgres?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

I think you are mixing some parameters from both

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-root-modules

terraform-root-modules - Collection of Terraform root module invocations for provisioning reference architectures

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)


DBParameterGroupFamily
The DB cluster parameter group family name. A DB cluster parameter group can be associated with one and only one DB cluster parameter group family, and can be applied only to a DB cluster running a database engine and engine version compatible with that DB cluster parameter group family.

Aurora MySQL Example: aurora5.6, aurora-mysql5.7

Aurora PostgreSQL Example: aurora-postgresql9.6

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

oscar5.6 is for MySQL

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

if you use engine = "aurora-postgresql", then cluster_family should be aurora-postgresql9.6

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

if you use engine = "aurora", then cluster_family should be aurora-mysql5.7

jengstro avatar
jengstro

that did the trick @Andriy Knysh (Cloud Posse) thank you

:--1:2
jengstro avatar
jengstro

@Andriy Knysh (Cloud Posse) Even though it appears that db.t2.medium appears to support aurora-postgresql9.6… I get an error…

jengstro avatar
jengstro
04:07:00 AM
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

1 sec

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

db.r4.large is the smallest instance type supported by Aurora Postgres

jengstro avatar
jengstro

ahh ok

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
Amazon Aurora Pricing – Amazon Web Services

Learn about pricing for Amazon Aurora the MySQL-compatible database with pay as you go pricing with no upfront fees. There is no minimum fee.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

db.r4.large is expensive for anything but prod (e.g. dev or staging)

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

MySQL is better with pricing

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Ya pretty pricey

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We have had luck deploying Postgres in Kubernetes for disposable environments like staging and dev

jengstro avatar
jengstro

thanks guys

2018-08-02

stephen avatar
stephen

just saying hi, been lurking in the background for a few days reading over the code everyone has been publishing, they have been incredibly useful resources

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

hi @stephen, welcome

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Thanks @stephen ! It’s really encouraging to hear that. :-)

krogebry avatar
krogebry

I’m helping a friend with a … gig of sorts. He’s working on material that would help teach people how to interview better.

krogebry avatar
krogebry

Does anyone here have any thoughts on how to promote that idea?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

from tech point of view, maybe a mobile app or mobile site or PWA (Progressive Web App) so people would use it on their phones

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

with server-side updates for new materials

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@krogebry or you are asking about marketing?

krogebry avatar
krogebry

Maybe, I’m not exactly sure on this one, it’s a totally new field.

krogebry avatar
krogebry

I think interviewing people for technical positions is something we don’t do well in this business in general, specifically in the arena of the enterprise

krogebry avatar
krogebry

Obviously @Erik Osterman (Cloud Posse) is a pro

1
krogebry avatar
krogebry

So, between better interviews that are more able to create productive outcomes ( hiring people that are better fits ) and my theory that influence is the new currency of IT

krogebry avatar
krogebry

I’m trying to figure out how to get my buddy into a position where we can …something something… create better interviews.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

for me, it would be nice to have a mobile app (or mobile website) with learning materials, and then a test exam, and a real exam/test

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
‎AWS Certified Solutions Arch. on the App Store

‎Read reviews, compare customer ratings, see screenshots, and learn more about AWS Certified Solutions Arch.. Download AWS Certified Solutions Arch. and enjoy it on your iPhone, iPad, and iPod touch.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
‎Professional - AWS Sol. Arch. on the App Store

‎Read reviews, compare customer ratings, see screenshots, and learn more about Professional - AWS Sol. Arch.. Download Professional - AWS Sol. Arch. and enjoy it on your iPhone, iPad, and iPod touch.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

also, the question of why? would be more important and useful than what? and how? (as we see in many interview materials)

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

e.g.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

(off the top of my head)

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

why would you use Terraform to provision cloud resources if you can do everything manually (and even faster) (stupid question

sarkis avatar
sarkis

I’d love to see how someone can do everything manually faster than using tf modules

sarkis avatar
sarkis

Oh and not just faster but more secure too

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

i believe you could do it @sarkis

1
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

part of the the correct answer would be repeatability, maintainability, ownership of the code, version control, and security of cause

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

why and in what cases would you use EC2 instances to deploy a database instead of utilizing managed services like RDS or Aurora

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

why would you use Kubernetes instead of ECS (or otherwise)

krogebry avatar
krogebry

yeah, Love those questions

krogebry avatar
krogebry

Simon Sinek is a big fan of starting with why

krogebry avatar
krogebry

So according to my friend, Christian, the biggest indicator of success in any role ends up being more around the idea of attitude

:--1:1
krogebry avatar
krogebry

One of the questions he asked in interviews ( for microsoft ) was: how do you make friend

krogebry avatar
krogebry

*friends

krogebry avatar
krogebry

Apparenlty that had more to do with success than anything technial

:100:1

2018-08-01

i5okie avatar
i5okie

hm can’t install gomplate on amazon linux

i5okie avatar
i5okie

nvm

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
cloudposse/packages

packages - Cloud Posse installer and distribution of native apps

:--1:1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We distribute a docker image with all the binaries we use

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

the install/ folder has the Makefile target for installation

    keyboard_arrow_up