#announcements (2018-09)


This channel is for workspace-wide communication and announcements. All members are in this channel. Archive: https://archive.sweetops.com

2018-09-30

GreetBot
11:42:31 AM

hey everyone give a warm welcome to @vitaly.markov! Good to have you here

GreetBot
12:43:50 PM

hey everyone give a warm welcome to @praveen! Good to have you here

Andriy Knysh (Cloud Posse)

hey @vitaly.markov and @praveen, what are you working on?

Zapier
05:19:59 AM

@Erik Osterman (Cloud Posse) created a new channel #events. Join if this sounds interesting!

2018-09-28

GreetBot
08:46:49 AM

hey everyone give a warm welcome to @Daz! Good to have you here

dennybaa

Hi everybody! It’s a pleasure to hang out here. @rohit.verma Hey, there’s an easy “openvpn” way with pritunl, https://pritunl.com/ , users can be configured via web if it suits you. Also making a k8s deployment/chart for pritunl should be very easy, it uses mongo which is the only thing that will require a pvc…

Enterprise VPN Server

Free open source enterprise distributed VPN server. Virtualize your private networks across datacenters and provide simple remote access in minutes.

dennybaa

all the dns, dhcp you get out-of-the-box

rohit.verma

@dennybaa Thanks for the suggestion, this is really nice. I tried and it was working as expected.

Erik Osterman (Cloud Posse)

@dennybaa that is a great suggestion. I forgot about it.

2018-09-26

GreetBot
03:39:56 PM

@channel hey everyone give a warm welcome to @jonboulle! Good to have you here

antonbabenko

Hi @jonboulle!

maarten

hi @jonboulle

jonboulle

whoa lots of welcomes

jonboulle

o/

Erik Osterman (Cloud Posse)

@jonboulle What brings you around?

jonboulle

maarten

maarten

Jon replaced me at Blinkist and also works on the ecs airship modules, although he actually is more of a K8S guy.. @jonboulle maybe you can share some more info.

Erik Osterman (Cloud Posse)

Haha ok, well you are amongst friends :) we do lots of k8s and terraform

Erik Osterman (Cloud Posse)

Hopefully you can join our next town hall zoom call which is next Wednesday 11am PST

Zapier
11:51:33 PM

@markmutti created a new channel #aws. Join if this sounds interesting!

markmutti

Thanks, bot!

GreetBot
11:54:20 PM

hey everyone give a warm welcome to @Andy! Good to have you here

Erik Osterman (Cloud Posse)

Hey @Andy! let me know if there’s anything we can help out with.

2018-09-25

mark

Anyone know if TF supports disabling/enabling STS regions? I’ve been googling and can’t find anything …

loren

i’ve looked for an api to do this, but haven’t found one. looks to be a console-only thing?

loren

we’ve stopped bothering… sts is global anyway, so disabling it in a region doesn’t really stop an attacker from getting a credential that is valid for an sts-disabled region

mark

Also – Anyone have a link to some cool global AWS organization TF stuff for small/mid/medium sized ORGS in terms of things being applied everywhere (e.g. cloudtrail, config, some global roles, etc.)

Andriy Knysh (Cloud Posse)

Hey @mark

mark

Yo

Andriy Knysh (Cloud Posse)

not sure if it’s cool but here is what we usually do https://docs.cloudposse.com/reference-architectures/

Andriy Knysh (Cloud Posse)
cloudposse/terraform-root-modules

Collection of Terraform root module invocations for provisioning reference architectures - cloudposse/terraform-root-modules

mark

awesome

Andriy Knysh (Cloud Posse)
cloudposse/root.cloudposse.co

Example Terraform Reference Architecture for Geodesic Module Parent (“Root”) Organization in AWS. - cloudposse/root.cloudposse.co

Andriy Knysh (Cloud Posse)
cloudposse/testing.cloudposse.co

Example Terraform Reference Architecture that implements a Geodesic Module for an Automated Testing Organization in AWS - cloudposse/testing.cloudposse.co

Andriy Knysh (Cloud Posse)
cloudposse/staging.cloudposse.co

Example Terraform Reference Architecture for Geodesic Module Staging Organization in AWS. - cloudposse/staging.cloudposse.co

Andriy Knysh (Cloud Posse)

terraform-root-modules is our collection of TF modules that we usually deploy

mark

Looking at that one now

Andriy Knysh (Cloud Posse)

root, testing, staging, prod etc. are our reference architectures for the stages, they don’t have any code, they are just identities, we deploy them to different AWS accounts

mark

gotcha checking it now

rohit.verma

hi all, any recommendation on vpn setting, which allow resolving private route53 dns records locally. I have tried this https://github.com/kylemanna/docker-openvpn, along with bind instructions from here https://www.youtube.com/watch?v=xeIWpyst0P4. On my local I use tunnelblick to connect. Couldn’t make the setup work though, got connected to vpn and can use private ips, but dns resolution still not workable. Tried adding nameserver also manually, no luck.

kylemanna/docker-openvpn

OpenVPN server in a Docker container complete with an EasyRSA PKI CA - kylemanna/docker-openvpn

rohit.verma

@Erik Osterman (Cloud Posse) @Andriy Knysh (Cloud Posse) Any leads on above

Erik Osterman (Cloud Posse)

have you seen our bad ass chart for this?

Erik Osterman (Cloud Posse)
cloudposse/charts

The “Cloud Posse” Distribution of Kubernetes Applications - cloudposse/charts

Erik Osterman (Cloud Posse)

this supports GitHub SSO + shortlived open vpn keys

Erik Osterman (Cloud Posse)

It could use some dusting off - but here to help if you want to

rohit.verma

this is required for an old environment, there is no kubernetes there

rohit.verma

this image cloudposse/openvpn, can you share code?

Erik Osterman (Cloud Posse)
cloudposse/openvpn

Contribute to cloudposse/openvpn development by creating an account on GitHub.

rohit.verma

I don’t see any usage of bind, are you sure client can resolve route53 entries, e.g. from my local if I try private.internal.api ( internal.api=private hosted zone), will it work?

Erik Osterman (Cloud Posse)

so the traffic is NAT’d from internal ec2 instance

Erik Osterman (Cloud Posse)

so it has the internal-view for route53

Erik Osterman (Cloud Posse)

it also resolves kube-dns

rohit.verma

you mean from my local I can call svc directly, e.g curl <http://alertmanager-operated.monitoring.svc.cluster.local>

rohit.verma

but how are your local nameservers updated? which openvpn client did you use?

Erik Osterman (Cloud Posse)

that’s a DHCP setting

Erik Osterman (Cloud Posse)
cloudposse/charts

The “Cloud Posse” Distribution of Kubernetes Applications - cloudposse/charts

Erik Osterman (Cloud Posse)

-n $(cat /etc/resolv.conf | grep -i nameserver|head -n1|cut -d ' ' -f2)

Erik Osterman (Cloud Posse)

as argument to ovpn_genconfig

Erik Osterman (Cloud Posse)

@rohit.verma

maarten
Feature request: Having a simple way to disable chamber backend lookups · Issue #143 · segmentio/chamber

Hi everyone, In some use cases the transformation into using Chamber inside an (external) organisation is not always straight forward. In many cases it is not only a migration on AWS from using ENV…

Erik Osterman (Cloud Posse)

Suggest breaking it apart into what and why

Erik Osterman (Cloud Posse)

Reading the description it’s not clear what it does, but more why it does it

Erik Osterman (Cloud Posse)

What ~ like how it works

maarten

good idea, thanks

Erik Osterman (Cloud Posse)

Ping me when you update it and I’ll re-review :)

maarten

ping & thanks

2018-09-24

04:00:01 PM

There are no events this week

2018-09-23

antonbabenko

I will be on vacation during next Town Hall call, so talk without me.

Erik Osterman (Cloud Posse)

Ok!

2018-09-21

Erik Osterman (Cloud Posse)
07:42:12 PM

Erik Osterman (Cloud Posse)

Such a great description of GitOps by Flux. https://github.com/weaveworks/flux

tolstikov

so, we have GitOps for Terraform (Atlantis), and GitOps for k8s (flux), but does some universal GitOps solution exist?

Erik Osterman (Cloud Posse)

Jenkins?

Erik Osterman (Cloud Posse)

j/k

loren

lulz

tolstikov

ohh, yeahh, but still needs some setup

Erik Osterman (Cloud Posse)

So, I don’t know of anything off the shelf

tolstikov

also, I believe Jenkins has some great plans for the future now

Erik Osterman (Cloud Posse)

What I like about Codefresh, is that every step of the pipeline is a container. So if we can containerize the Business Logic, we can do it.

loren

personally i kind of think pretty much any set of tools that executes a workflow based on PRs, merges, and tags can be considered GitOps

Erik Osterman (Cloud Posse)

Yes - i don’t think flux or atlantis is technically needed. they are good purpose built tools.

tolstikov

I’d like to see some general framework for any type of “command to launch on PR approval”

tolstikov

instead of kubectl/terraform apply launch hardcoded

loren

here’s what i created to piece things together between codecommit and codebuild, https://github.com/plus3it/terraform-aws-codecommit-flow-ci

plus3it/terraform-aws-codecommit-flow-ci

Implement an event-based CI workflow on a CodeCommit repository - plus3it/terraform-aws-codecommit-flow-ci

tolstikov

probably Cloud Posse will have something at some point

loren

a pull request triggers a job, a merge triggers another job, and a tag triggers a job. you define what each job-type does via your buildspec(s)

tolstikov

yep, but vendor-lock again…

loren

not really

loren

i write the jobs in a Makefile, and the buildspec just executes make targets

loren

easy enough to port to gitlab-ci or travis or whatever

loren

also, this summarizes nicely what i think of vendor lock-in, https://bravenewgeek.com/multi-cloud-is-a-trap/

Multi-Cloud Is a Trap

It comes up in a lot of conversations with clients. We want to be cloud-agnostic. We need to avoid vendor lock-in. We want to be able to shift workloads seamlessly between cloud providers. Let me s…

Erik Osterman (Cloud Posse)

I’m working on our requirements here: https://cloudposse.quip.com/Mb7cA97IuIm8

GitOps

Via flux by WeaveWorks.

loren

The mental gymnastics I see companies go through to avoid vendor lock-in and “reasons” for multi-cloud always astound me. It’s baffling the amount of money companies are willing to spend on things that do not differentiate them in any way whatsoever and, in fact, forces them to divert resources from business-differentiating things.

loren

so many good quotes

When you abstract away the differentiating features to avoid lock-in, you also abstract away the value. You end up with vendor “lock-out,” which basically means you aren’t leveraging the full value of services.

Erik Osterman (Cloud Posse)

Yea - building for LCD is no good

Erik Osterman (Cloud Posse)

“lowest common denominator” ; he says it better though. “abstract away the value”

loren

yea, same thing, but the focus on value sells better imho

tolstikov

@loren yes and no, I believe there should be “the golden mean” between totally avoiding vendor-lock and total locking, in other words, you should have some way to easily move to another provider

but, with kubernetes the issue is mitigated a lot I believe (especially with k8s-as-service)

loren

i just don’t see it being that big a deal, people get way bent out of shape over the smallest thing

loren

spaces or tabs! vi or emacs! blech. just get the job done, stick with whatever the project already does.

Andriy Knysh (Cloud Posse)

looks like I (almost) always agree with you @loren

tolstikov

but better to be DRY, and don’t repeat yourself with a next job or at least be able to re-use most parts of the previous work

loren

i agree. though i always try to remember also that premature optimization is the root of all evil, and that copy-paste is often better than a bad abstraction

tolstikov

that’s true

Andriy Knysh (Cloud Posse)
Worse is better

Worse is better, also called New Jersey style, was conceived by Richard P. Gabriel in an essay “Worse is better” to describe the dynamics of software acceptance, but it has broader application. It is the idea that quality does not necessarily increase with functionality—that there is a point where less functionality (“worse”) is a preferable option (“better”) in terms of practicality and usability. Software that is limited, but simple to use, may be more appealing to the user and market than the reverse. As to the oxymoronic title, Gabriel calls it a caricature, declaring the style bad in comparison with “The Right Thing”. However he also states that “it has better survival characteristics than the-right-thing” development style and is superior to the “MIT Approach” with which he contrasted it in the original essay.

loren

lolol, this has been a great topic over the decades, “worse is better is worse”, “rise of worse is better”, “is worse really better”

Max Moon

“new jersey style”

Erik Osterman (Cloud Posse)

I started #chatops for those interested

Erik Osterman (Cloud Posse)

I’ve started an agenda for the next Town Hall on 2018-10-03

Erik Osterman (Cloud Posse)
SweetOps Town Hall Agenda

When:  11:00am PST

Erik Osterman (Cloud Posse)

@antonbabenko

antonbabenko

Coool

2018-09-20

tolstikov

hi all!

I wanted to say “Thank you!” for a LOT of amazing insights & ideas here (and in github repos - that’s how I got here). Though I processed only a bit, I’d already borrowed some.

antonbabenko

Hi @tolstikov! Welcome to us

Andriy Knysh (Cloud Posse)

hey @tolstikov

Andriy Knysh (Cloud Posse)

what are you working on?

tolstikov

@Andriy Knysh (Cloud Posse) some CICD, IaC, automation, stuff like that mostly

Andriy Knysh (Cloud Posse)

what CI/CD are you using?

tolstikov

Jenkins pipelines, Gitlab CI, Travis, etc but now I’m working on some idea of making universal pipelines that are not locked into a specific CICD solution and could be launched from any CICD or manually (to avoid vendor lock and well-known complications and limits of available systems)

tolstikov

though to be honest, I don’t consider Gitlab CI & Travis as fully blown CICD, but rather CI with some functions of CD

Erik Osterman (Cloud Posse)

@tolstikov we have similar ambitions for the CI/CD - reducing vendor lock-in

Erik Osterman (Cloud Posse)

we use our https://github.com/cloudposse/build-harness to achieve this to some degree

cloudposse/build-harness

Collection of Makefiles to facilitate building Golang projects, Dockerfiles, Helm charts, and more - cloudposse/build-harness

tolstikov

I believe you already have a good foundation to do it soon, as I could see from repos

Erik Osterman (Cloud Posse)

we use it with travis and codefresh

Erik Osterman (Cloud Posse)

in an ideal world, every step of the build pipeline is a container. then the build-harness is a perfect complement.

tolstikov

yep, I spent some time digging into build-harness already

Erik Osterman (Cloud Posse)

haha yea - it’s pretty massive

Erik Osterman (Cloud Posse)

TBH though we’re focused mostly on Codefresh these days

tolstikov

I have to say that it changed my “world vision” a bit

Erik Osterman (Cloud Posse)

so many CICD systems, so little time

tolstikov

seems like Makefile is the almost perfect fit for this goal (at least I stuck to this thought these days). And with some additional wrappers and builders it could do the job perfectly.

tolstikov

do you have any particular reason to use Codefresh?

Erik Osterman (Cloud Posse)
07:08:35 PM

Erik Osterman (Cloud Posse)

my favorite quote

tolstikov

I believe that I saw in this slack something like “I can iterate with it faster”, but I never had a chance to check it by myself.

Erik Osterman (Cloud Posse)

my (3) arguments for codefresh:

Erik Osterman (Cloud Posse)

1) unlimited pipelines per repo; every step is a container. no need for complicated manifests (E.g. circle). stick all complexity in the container.

Erik Osterman (Cloud Posse)

2) tight integration with kubernetes and helm. easy 1-click deployments and rollbacks.

Erik Osterman (Cloud Posse)

3) native support for docker/docker compose. need to spin up 15 containers for CI? no problem. they’ll do it.

Andriy Knysh (Cloud Posse)

4) integrated chartmuseum?
tolstikov

sounds good… But why do you need smth like Atlantis for Terraform CICD?

Erik Osterman (Cloud Posse)

hah - that’s a good question

Erik Osterman (Cloud Posse)

i’m teetering back and forth on atlantis

Erik Osterman (Cloud Posse)

atlantis pros:
  • purpose built CI/CD tool for terraform; I like tools that specialize
  • chatops style interaction
  • run atlantis inside AWS account and use instance profiles for IAM

Erik Osterman (Cloud Posse)

atlantis cons:
  • no easy way to do even basic acls like restricting who can run plan or apply.
  • currently no way to have multiple pipelines per repo

tolstikov

yep, I saw the proposal about multiple pipelines from you…

Erik Osterman (Cloud Posse)

yea - haven’t checked if there was any update on that

Erik Osterman (Cloud Posse)

for now, we’re going to move forward with Codefresh

Erik Osterman (Cloud Posse)

downside with codefresh is running build agent inside of AWS account (atlantis style) requires enterprise agreement

Erik Osterman (Cloud Posse)

since most of our customers have enterprise agreements, this is not a problem

tolstikov

anyway, I believe, that behind each “apply” on PROD environment should be a git tag, and not just some pull request approved

Erik Osterman (Cloud Posse)

i agree with you in an ideal world

tolstikov

and didn’t see anything like that in Atlantis, but I just did a very quick check

Erik Osterman (Cloud Posse)

for staging, however, that should not be a requirement

Erik Osterman (Cloud Posse)

as it might not work first time around. <— hence i like the chat ops

Erik Osterman (Cloud Posse)
cloudposse/github-commenter

Command line utility for creating GitHub comments on Commits, Pull Request Reviews or Issues - cloudposse/github-commenter

Erik Osterman (Cloud Posse)

our intent is to mimic some of the atlantis behavior using this

Erik Osterman (Cloud Posse)

whereby we comment back on PRs

tolstikov

yep, I can see what you mean

Erik Osterman (Cloud Posse)

also, it’s unclear to me how well atlantis works in a large terraform monorepo with many projects <— we want to only plan/apply projects that have changes

tolstikov

good point

tolstikov

also, I believe that it is better to have separated “build” and “apply” stages for the pipeline itself too:

so, in “build” stage you apply some template processing, etc (e.g. with gomplate, etc) and create the “pipeline artifact” (e.g. commit/tag in some other repo or branch) with the final pipeline and all deps

and in “apply” stage you don’t perform any processing, but only execute command(s) on top of “pipeline artifact”

sounds like over-engineering, but I believe this is the way

maarten

@Erik Osterman (Cloud Posse) What is unclear? The way it works now is that it can autoplan for projects with changes. This could mean that 3 out of 10 projects would be autoplanned, which you can afterwards apply, and then also apply-per-project.

maarten

big problem is the one huge yaml

Erik Osterman (Cloud Posse)

ok that’s cool

maarten

Also if you have modules in the same mono-repo, it would automatically autoplan all projects the moment you change the modules. I’m not sure if it actually calculates dependencies.

Erik Osterman (Cloud Posse)

@maarten so in my own words, if a monorepo has aws/vpc and aws/ecs, and aws/dns folders, and I only make changes to aws/dns, it will detect that and only run plan (and eventually apply) on that

maarten

correct

Erik Osterman (Cloud Posse)

nice

maarten

it’s actually working really nicely. pre-merge applies are confusing but it never leads to problems. The plan locking works well.

Erik Osterman (Cloud Posse)

are you by any chance using anton’s module?

maarten

used but modified a bit.. was too lazy to PR then, then I saw jamie making some of the same changes

maarten

The module is better now

maarten

Not having streaming output is more of an issue. I’d like to see what’s happening in real time.

Erik Osterman (Cloud Posse)

what about the acl issues?

maarten

wdym ?

Erik Osterman (Cloud Posse)

no way to restrict who can run atlantis plan or atlantis apply

Erik Osterman (Cloud Posse)

other than restricting access to repo altogether

maarten

ah that can be, hasn’t been an issue for us

Erik Osterman (Cloud Posse)

as an active user, what are your thoughts on this? https://github.com/runatlantis/atlantis/issues/249#issuecomment-422240279

Atlantis nodes in different accounts with one repository · Issue #249 · runatlantis/atlantis

We have a repository that contains our live terraform definitions for multiple accounts. We currently have 4 accounts and plan to have an Atlantis node in each account. We’ve tossed around the …

maarten

We don’t have that structure, but for the way cloudposse is doing stuff it would make it compatible. I also don’t see another way how to do it otherwise.

Erik Osterman (Cloud Posse)

thanks for the first-hand account

maarten

This shouldn’t involve a lot of code change in Atlantis I think, have you taken a look already @Erik Osterman (Cloud Posse)?

Erik Osterman (Cloud Posse)

I asked @alebabai to take a brief look at it

Erik Osterman (Cloud Posse)

but haven’t checked in to hear what the scope-of-work would entail.

maarten

in the end it’s always a lot, with added testing and what not.

Erik Osterman (Cloud Posse)

hah, yea

johncblandii (Cloud Posse)

hey folks. didn’t know this existed.

johncblandii (Cloud Posse)

I’m hitting an issue with the VPC peering module. Is this the right room to discuss?

Andriy Knysh (Cloud Posse)

Let’s move to #terraform

johncblandii (Cloud Posse)

thx

2018-09-19

Erik Osterman (Cloud Posse)

I am running a tad late. Got locked out of my office

Erik Osterman (Cloud Posse)

#townhall has some meeting links

2018-09-18

andrey.a.devyatkin

Hello to you people of SweetOps! I’m Andrey, solo consultant with focus on CI/CD, Jenkins, Docker, K8S, HashiCorp tools. Good to be here!

Andriy Knysh (Cloud Posse)

nice to meet you @andrey.a.devyatkin

Erik Osterman (Cloud Posse)

@andrey.a.devyatkin great to meet you! got your email too. Would love to give you a tour of everything going on as it relates to what you’re working on. If that sounds interesting, drop something on my calendar here: https://calendly.com/cloudposse

andrey.a.devyatkin

Done. Talk to you soon

Erik Osterman (Cloud Posse)

are you Swedish?

andrey.a.devyatkin

Ha, define Swedish. Have a Swedish passport and understand Swedish but lived in Russia for the first 24 years of my life. Do I qualify?

andrey.a.devyatkin

Plus lived in Spain for the last 6 months and considering moving there soon enough. So questions like “where are you from” are hard

andrey.a.devyatkin

I would rather put it in the future perspective - not where are you from but where are you heading. Do you see what I mean?

Erik Osterman (Cloud Posse)

hahah ok!

Erik Osterman (Cloud Posse)

sounds wonderful

Erik Osterman (Cloud Posse)

(the same invitation goes to anyone else here! if anyone wants a tour of everything going on here at cloudposse as it relates to our Open Source initiatives, feel free to use the calendly link above to schedule a time)

Gabe

Have you guys ever considered the name Insane Cloud Posse?

Erik Osterman (Cloud Posse)

haha we own the domain

Erik Osterman (Cloud Posse)

but not branding around it…

Gabe

that’s awesome

antonbabenko

Hi @andrey.a.devyatkin! Great to see you here

2018-09-17

maarten avatar
maarten
New – AWS Systems Manager Session Manager for Shell Access to EC2 Instances | Amazon Web Services attachment image

It is a very interesting time to be a corporate IT administrator. On the one hand, developers are talking about (and implementing) an idyllic future where infrastructure as code, and treating servers and other resources as cattle. On the other hand, legacy systems still must be treated as pets, set up and maintained by hand […]

antonbabenko avatar
antonbabenko

Wow, gitter room for Terraform is so active. It is nice to see so many familiar faces there Notifications in gitter are weird, I have just received notifications from people who mentioned my name from July…

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

Haha, job queue is too big :)

antonbabenko avatar
antonbabenko

Yeah, they definitely have to improve the way they handle queues

 avatar
04:00:01 PM

There is 1 event this week

Townhall Meeting (SweetOps)

September 19th, 2018 from 9:00 AM to 9:50 AM GMT-0700 at https://zoom.us/j/299169718

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

CORRECTION this event has moved to 11am PST (two hours later) per popular demand

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Ping me if you want to be added to the calendar invite

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

also, if you have suggestions for managing events like this using some SaaS <—- i want to know

 avatar
12:11:16 AM
Townhall Meeting (SweetOps)

September 19th, 2018 from 11:00 AM to 11:50 AM GMT-0700 Recurring every 2 weeks on Wednesday at https://zoom.us/j/299169718

antonbabenko avatar
antonbabenko

I will try to be on this call but can’t promise today.

2018-09-15

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@OGProgrammer thanks, finally somebody would fix that

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
Module recreates all `settings` on each `terraform plan/apply` · Issue #43 · cloudposse/terraform-aws-elastic-beanstalk-environment

terraform-aws-elastic-beanstalk-environment recreates all settings on each terraform plan/apply setting.1039973377.name: "InstancePort" => "InstancePort" setting.1039973377.n…

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

we think the problem is that TF has one set of params while EB maintains a diff (smaller) set of params (relevant to your env)

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

if the assumption is correct, then what needs to be done is to determine the diff b/w only those params that EB returns from the API (not all params that TF has in the module)

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

although it could be more complicated than that

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
terraform-providers/terraform-provider-aws

Terraform AWS provider. Contribute to terraform-providers/terraform-provider-aws development by creating an account on GitHub.

2018-09-14

rms1000watt avatar
rms1000watt

Write everything in Go and use FROM scratch Docker containers in Multi-Stage builds. Problem solved

rms1000watt avatar
rms1000watt
rms1000watt/dummy-golang-project

Dummy Golang Project. Contribute to rms1000watt/dummy-golang-project development by creating an account on GitHub.

mark avatar

Morning. Is this the cloudposse general slack hangout?

mark avatar

Setting up a new multi-account setup in aws for small/medium company (not large) .. In the following scenario … would there be any reason to NOT have IAM users in the root account

[Root]                  (Consolidated Billing / Org Root +  IAM users here)
[Security]              (Central logs, audits)
[Prod], [Dev], [Local]  (Environment application specific accounts)

or

[Root]                  (Consolidated Billing / Org Root)
[Security]              (Central logs, audits)
[Identity]              (IAM here?)
[Prod], [Dev], [Local]  (Environment application specific accounts)

So to clarify – are there advantages having a separate Identity / Hub / Gateway account for IAM? or since it’s a somewhat smaller deployment … can I just store IAM in ROOT account? I’ve seen setups both ways .. but looking for a reason FOR or AGAINST

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

currently we have IAM users/roles in the root account, but we’ve been discussing to move it to a new identity account

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

the reason might be that nobody should access the root (billing) account

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

and also, in some companies they don’t even allow to do it

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

but for a small setup, both ways should work, depends on if you want to give access to the billing account to somebody who needs to manage IAM

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@Erik Osterman (Cloud Posse) has more insights into this

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

but in general, yes, having a separate identity is more secure and will work for more companies/use-cases

mark avatar

Yeah my thoughts similarly … the only thing I could think of if somehow the IAM users are misconfigured could give potentially elevated priv in root account ; while they could be misconfigured in the identity as well .. but slightly harder to cross-account jump into root to elevate

OGProgrammer avatar
OGProgrammer

I’m very determined to fix the elasticbeanstalk terraform provider , I miss it saying “nothing changed” haha… Any helpful links for doing Go/Terraform development?

2018-09-13

ff avatar

Hi, just stumbled here by accident. Interesting stuff. Reading into it

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

hi @ff, welcome to the community

antonbabenko avatar
antonbabenko

Hi @ff! Most of us are here by accident, so welcome to the club

ff avatar

amazing stuff to explore. more night shifts to come

GC avatar

Hello everyone

markmutti avatar
markmutti

Welcome!

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

welcome @GC @ff!

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

not a bad place to stumble into

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

what are you guys working on?

jamie avatar
jamie

I miss you guys.

jamie avatar
jamie

I’m doing long days at the moment but I remember our time together fondly

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

have you just been heads down?

jamie avatar
jamie

Yeah I’ve written so much stuff!

sarkis avatar
sarkis
Remote Code Execution in Alpine Linux

tl;dr I found several bugs in apk, the default package manager for Alpine Linux. Alpine is a really lightweight distro that is very commonly used with Docker…

sarkis avatar
sarkis
alpine: security updates by ncopa · Pull Request #4834 · docker-library/official-images

apk-tools has an important security fix that has been updated in v3.2 to v3.8. edge has got musl libc update to 1.1.20.

OGProgrammer avatar
OGProgrammer

I know a few security companies that won’t use alpine for compatibility reasons but that’s not good.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Heh, and we just discovered it doesn’t use TLS by default on repos

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Anyone using alpine as a base image should consider enabling TLS on repos to avoid MITM attacks

2018-09-12

eric_garza avatar
eric_garza

Hello, I’m new here, any chance we can add custom_error_response = ["${var.custom_error_response}"] to the https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn module? I have not really contributed to github projects before and thought I’d ask here. Could I use the non-S3 CDN module with an existing S3 origin?

cloudposse/terraform-aws-cloudfront-s3-cdn

Terraform module to easily provision CloudFront CDN backed by an S3 origin - cloudposse/terraform-aws-cloudfront-s3-cdn

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@eric_garza hello

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

let’s move this conversation to #terraform

2018-09-11

pecigonzalo avatar
pecigonzalo

is this related to my comments? as I never mentioned redis

maarten avatar
maarten

Can someone advise me good literature on implementing “Continuous Delivery”, preferably something readable for non-devops ?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Hrmmm so are you looking for something that sells the merits of Continuous Delivery for non techies? E.g. why we should practice it rather than how to do it with some specific technologies

maarten avatar
maarten

Correct.. I found two articles which look helpful. Docker Orchestration is nice and all but the goal is to boost development. I’m currently helping a company which has not really implemented CI let alone CD, and a lot of manual QA..

https://harness.io/2018/04/10-signs-you-dont-do-continuous-delivery/ & https://semaphoreci.com/blog/2017/07/27/what-is-the-difference-between-continuous-integration-continuous-deployment-and-continuous-delivery.html

loren avatar
loren

if you find a resource that convinces this company, i’d love to hear about it

maarten avatar
maarten

Well.. these were already a good start it seems, so they want to start with the lesser important services first. Challenge is that this works with good test coverage. So I stressed the importance that they start writing proper tests for their new features or this idea will fail and it will go back to manual QA with 2 weekly press on the button releases

justin.dynamicd avatar
justin.dynamicd

@pecigonzalo sorry about that minor derail, @maarten mentioned redis so I was trying to keep both going in one reply. I clearly failed


2018-09-10

pecigonzalo avatar
pecigonzalo

I know KV stores don’t automatically reload everything, much to the contrary I saw many people advocating/writing blogs/etc about auto reload, and I was concerned about how they handled failure domains

pecigonzalo avatar
pecigonzalo

tbh we only use KV for secrets, and I think they are a good usecase for dynamic values created from other services but not for the core settings of the service itself.

maarten avatar
maarten

Hi @pecigonzalo What kind of dynamic values would see as a possible fit ? And what about SSM rate limiting ?

pecigonzalo avatar
pecigonzalo

Not particularly in SSM, I was thinking more about Consul/etcd/etc

pecigonzalo avatar
pecigonzalo

something like Service A uses some details from Service B, service B keeps them up to date when running, but Service A still runs without those

pecigonzalo avatar
pecigonzalo

like how you do service discovery

maarten avatar
maarten

What would be the advantage of this over using json http endpoints, as in the way microservices would normally talk to each other. I’d like to understand.

maarten avatar
maarten

With this I mean, if service A needs some of those params from B, A would connect to B’s json endpoint, retrieves params, and service A stores it in redis with some expiry information.

pecigonzalo avatar
pecigonzalo

Im not saying it is better. Its a different way I guess. Just to clarify, im not talking about using it to do queries through Consul, mostly discovering parameters of the other services or similar

pecigonzalo avatar
pecigonzalo

in a mesh/service discovery pattern, you will query a KV store like consul/etcd to get the ips/ports of ServiceB and then route to them (be it through istio/etc or directly from your service A) but I have seen many patterns where people also store Service config or dynamic service options for other services in the KV.

pecigonzalo avatar
pecigonzalo
Configuration management with Consul

Always wanted to know how we manage the configuration of all our (micro)services at Magnet.me? In this blogpost we’ll show you how we use Consul to manage the configuration of all our services.

pecigonzalo avatar
pecigonzalo

another example of what I was talking about: https://github.com/breser/git2consul

breser/git2consul

Mirrors the contents of a git repository into Consul KVs. - breser/git2consul

 avatar
04:00:01 PM

There are no events this week

justin.dynamicd avatar
justin.dynamicd

Redis and Consul aren’t really designed to solve the same problems though. Heck you can find blogs of people using one to help configure the other: https://www.joyent.com/blog/redis-on-autopilot

Redis on Autopilot | Joyent

A tutorial on using the Redis Autopilot Pattern blueprint.


2018-09-08

pecigonzalo avatar
pecigonzalo

Any of you guys configuring your services through SSM/ETCD/etc dynamically (automatically updating after run)? There are several examples online of using something like confd or similar to dynamically update your service from some K/V store. I was thinking of the failure domain for these scenarios because let’s say someone/something updates a k/v for that service, the service reloads and fails now (all containers, since it has no way of green/blue) and now your entire service is down. I have not seen any blog/article talk about this either, but it seems really risky.

thoughts?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Yes, I have used etcd/confd in the past. Any system that automatically reloads all services when the value changes is inherently fragile. That’s why the kubernetes approach is the best we can do: update secrets or configmaps, then trigger rolling updates which will abort if health checks fail.

pecigonzalo avatar
pecigonzalo

AFAIK, it will still have this issue, as you roll your config, it will not be able to roll it back

pecigonzalo avatar
pecigonzalo

Actually, not the same issue, but a related one

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Helm will roll back secrets

pecigonzalo avatar
pecigonzalo

So it points to a version of the secret? Nice, I will look it up

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Yup, it versions all resources so rollbacks are possible.

pecigonzalo avatar
pecigonzalo

Well, SSM does version them as well, but normally you point to the secret, not the version of the secret

pecigonzalo avatar
pecigonzalo

Or at least with most tools that use them

pecigonzalo avatar
pecigonzalo

Is this the helm secrets plugin you are talking about? https://github.com/futuresimple/helm-secrets

futuresimple/helm-secrets

A helm plugin that help manage secrets with Git workflow and store them anywhere - futuresimple/helm-secrets

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

sorry - i think a few different threads have converged

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I was referring really to just the native Secrets resource type in kubernetes

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

the helm-secrets is a way to get them populated during the deployment phase

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We use chamber, but it does not automatically reload. So it is compatible with the rolling update strategy.

justin.dynamicd avatar
justin.dynamicd

I personally swear by SSM/Consul KV stores (not tried etcd). Couple of thoughts there:

  1. there is no reason your configs shouldn’t be subject to the same dev/test/prod flow that everything else is. Keep your SSM config in cloudformation/terraform/ansible/whatever all codified with a deployment pipeline. If a bad setting crashes in test it never makes it into prod. It also means during development it’s super easy to replicate running configs if needed, as well as better unit test potential as you have “real world configs” you can test containers/functions against.
  2. for more dynamic settings (that maybe an ops team is applying to a live system to tune things), simply don’t grant direct access to the KV. Instead there should be an api abstraction so your devs can “protect” fields from getting bad settings. Ops don’t really know the ugly details of that var after all, so wrap it up to prevent the unpredictable “oops i used a string instead of a list” drama.
  3. SSM is inherently region based. If you blue/green across regions settings don’t “spill”. Consul has a “datacenter” concept which works similarly but is a bit more flexible because it’s not a baked in service. Both also have version history so it’s easy to undo a bad change … and sometimes I’ve even seen companies nest versions into the kv/path, though that’s not something I’ve personally done.
  4. It’s just a good idea to keep your configs separate from code. This fits very naturally into that paradigm, and I’m not rebuilding code just because I want to change a minor setting.
  5. KV stores don’t automatically reload anything. That’s up to the dev and how he wrote his code. If he only polls the setting on boot then you have to restart the containers. Lambdas obviously will poll every run because of their nature. The fragility of the services is in the hands of the devs at the end of the day, or confd/consul-template if you automated that … but honestly that’s still you making the stability decision.
justin.dynamicd avatar
justin.dynamicd

the best real-world example I could point to would be Amazon’s RDS service. I’m sure you noticed but every run-time configurable setting is stored in SSM for those database servers.

justin.dynamicd avatar
justin.dynamicd

I’d also add it’s inevitable if you go serverless, which is honestly how I learned to love it. I was forced to take the journey then on the end of it I went “huh, why didn’t I do this sooner”?


2018-09-06

antonbabenko avatar
antonbabenko

https://nanobrain.io/ - give it a try if you have strange bug you don’t even know where to look into. I tried it on Terraform errors during apply and it gave me some tips (I knew them very well before, because I could search on github, but still)


2018-09-05

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
opencredo/terrahelp

Terraform helper. Terrahelp is a command line utility written in Go and is aimed at providing supplementary functionality which can sometimes prove useful when working with Terraform. - opencred…

antonbabenko avatar
antonbabenko

Awesome chat! Thanks everyone for inputs!

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

thanks guys! @antonbabenko great talking points. will summarize what I remember.

antonbabenko avatar
antonbabenko

What you will be missing I will try to reflect in my work document

maarten avatar
maarten

Just don’t summarize my last sentence, that was quite unsummarizable.

h20melonman avatar
h20melonman

Hey friends, trying to lock down to a specific CP release of terraform-aws-rds-cluster?

h20melonman avatar
h20melonman

having issues where i can build a db, which works fine, and then if i simply run the same tf code again, instead of saying ‘ no changes’ it rips it down and rebuilds : (

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

hi @h20melonman

h20melonman avatar
h20melonman

hello !

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

let’s move to #terraform

h20melonman avatar
h20melonman

ok

2018-09-04

Toby avatar

Hi Gang,

I’ve just started using your vpc_peering terraform module and have run into an issue during the plan stage. I’m getting

* module.vpc_peering.data.aws_route_table.requestor: data.aws_route_table.requestor: value of 'count' cannot be computed

I checked out the FAQ at https://github.com/cloudposse/docs/blob/master/content/faq/terraform-value-of-count-cannot-be-computed.md and it doesn’t seem to be the same issue.

I am getting it during the plan stage when the requestor_vpc_id is coming from the output of a vpc module, however that vpc hasn’t yet been created and the id is going to be computed at this stage.

Something you’ve seen before and if so is this a supported scenario? Can provide more info if needed.

cloudposse/docs

Cloud Posse Developer Hub. Complete documentation for the Cloud Posse solution. https://docs.cloudposse.com - cloudposse/docs

Toby avatar
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "1.40.0"

  name = "hub-vpc"
  cidr = "${var.bit_mask_16}.0.0/16"
  azs             = ["${var.az_a}"]
  private_subnets = ["${var.bit_mask_16}.1.0/24"]
  public_subnets  = ["${var.bit_mask_16}.101.0/24"]

  enable_nat_gateway = true
  enable_vpn_gateway = false

  tags = {
    Terraform = "true"
    Environment = "hub"
  }
}

module "vpc_peering" {
  source           = "git::https://github.com/cloudposse/terraform-aws-vpc-peering.git?ref=master"
  namespace        = "hub"
  stage            = "dev"
  name             = "hub-to-mc"
  requestor_vpc_id = "${module.vpc.vpc_id}"
  acceptor_vpc_id  = "${var.mc_vpc_id}"

  tags = {
    Terraform = "true"
    Environment = "hub"
  }
}

Toby avatar

"${var.mc_vpc_id}" is a hard coded id of an existing vpc in the same account.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

hi @Toby I’ll get to your question soon (we’ve seen that too)

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

let’s move the conversation to #terraform

Toby avatar

Thanks. Want me to link or copy/paste there?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

yes please

Toby avatar

np

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@Jeff what’s your status on terraform-aws-rds-cluster?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

let’s move to #terraform as well

Jeff avatar

@Andriy Knysh (Cloud Posse) I wasn’t able to get admin_password to take a variable. I ended up using sed.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

we improved the examples for the module, did you try this https://github.com/cloudposse/terraform-aws-rds-cluster/blob/master/examples/basic/main.tf ?

cloudposse/terraform-aws-rds-cluster

Terraform module to provision an RDS Aurora cluster for MySQL or Postgres - cloudposse/terraform-aws-rds-cluster

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

was tested as it is and was working

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@Jeff ^

siert avatar
siert

I saw that the terraform-rds-cluster module supports DNS friendly names for both master and replicas. This may cause issues when SSL connections to the database are being used. Perhaps it’s wise to document this somewhere? And according to the markdown, the zone id is required, which seems a bit odd to me.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@siert thanks, if you want the zone to be optional (and I see why), please open an issue in the repo and we’ll implement it

2018-09-03

 avatar
04:00:01 PM

There is 1 event this week

Townhall Meeting (SweetOps)

September 5th, 2018 from 9:00 AM to 9:50 AM GMT-0700 at https://zoom.us/j/299169718

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Actually it will be at 11 am PST. Unfortunately, I have a conflict at 11am PST this time. I’m going to stick with 9:00 am. We’ll schedule the next one at 11am, which was the most popular time according to the poll.

2018-09-01

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Is there an enabled flag?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

Enabled by default

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Ok, and what happens when you set to false? :)

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

Nothing gets provisioned

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

As we already do in terraform-root-modules

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Ok
