#aws (2019-04)
Discussion related to Amazon Web Services (AWS)
Archive: https://archive.sweetops.com/aws/
2019-04-01
2019-04-02
2019-04-03
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
If your EBS backed EC2 instances are SHUTDOWN (not terminated) do you still pay for the EC2? I understand you’d still pay for EBS.
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
I want to turn off EC2s at night for non-core environments, using Lambda.
![Maxim Tishchenko avatar](https://secure.gravatar.com/avatar/853372c681dc96b95f42adcb88b0cb3f.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0007-72.png)
hello everyone, is there any way to invoke a lambda func when a user is added to / removed from an AWS account?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@Maxim Tishchenko you can log user creation/deletion events to CloudTrail https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html
Learn about logging IAM and AWS STS with AWS CloudTrail.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
then send all those events to lambda https://docs.aws.amazon.com/lambda/latest/dg/with-cloudtrail.html
How to set up and start using the AWS Lambda service.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
which will filter the required events
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
also interesting article https://aws.amazon.com/blogs/mt/automate-account-creation-and-resource-provisioning-using-aws-service-catalog-aws-organizations-and-aws-lambda/
![attachment image](https://d2908q01vomqb2.cloudfront.net/972a67c48192728a34979d9a35164c1295401b71/2019/01/24/mainArch-519x630.png)
As an organization expands its use of AWS services, there is often a conversation about the need to create multiple AWS accounts to ensure separation of business processes or for security, compliance, and billing. Many of the customers we work with use separate AWS accounts for each business unit so they can meet the different […]
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Periodic Lambda function to alert when CloudTrail is not being delivered to an S3 bucket - alphagov/lambda-check-cloudtrail
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@lvh
Periodic Lambda function to alert when CloudTrail is not being delivered to an S3 bucket - alphagov/lambda-check-cloudtrail
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Big up UK govt dev team ^
2019-04-04
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
If your EBS backed EC2 instances are SHUTDOWN (not terminated) do you still pay for the EC2? I understand you’d still pay for EBS.
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
EC2 instances accrue charges only while they're running
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
I think I read this before
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
And made me wonder if they meant running
as in OS RUNNING / POWER ON
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
or running as in… it is created and say SHUTDOWN
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
When an EC2 instance is stopped you only pay for the EBS volumes you are using.
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Thanks guys, that’s perfect then. No reason not to switch off the EC2s over night!
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
… The IPs wouldn’t change, right?
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
They will when you’re not using elastic IPs
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
Hmmm, so on spin-up I’d need to run terraform to update the R53 records. Alright, that will take a bit more effort
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
when teleport provides a full script with a makefile for terraform, but you wish it was just a provider because you only need an 8th of what they’ve shoved in it https://github.com/gravitational/teleport/tree/master/examples/aws/terraform
Privileged access management for elastic infrastructure. - gravitational/teleport
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
The UI stuff’s nice for teleport but I think it’s going to give me a stroke. We took SSH proxying via a gateway and added 300 new things that can break
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
default size for the SSH proxy in that thing’s an m4.large; 8 GB of RAM, dual-core
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
“sets up the bastion using route53 and registers a cert with letsencrypt” … so it sticks the route to your bastion into public CT logs (using wildcards is better) and there’s no config in that thing to restrict traffic to the bastion sooo we’re doing public ssh now
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
all just their example of course; you can do what you like in reality. Wish it was just an ansible module (the only one around hasn’t been touched in 11 months); at least it doesn’t cripple normal ssh
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
so you have a backup when it facepalms
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
@Erik Osterman (Cloud Posse) with the cloudposse bastion what’s the deal with users? How can it say which user logged in if the volume mounts against 1 user (just going off the readme)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@chrism user management is outside of the scope of the project. There are dozens of ways to provision users with the #bastion
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
Yeah I mean if I have 9 users already there by other means, how does the bastion map to those 9 users if it’s using volumes?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
A bastion is a jump box
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
I know
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Users should not be hanging out on it
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
:-)
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
lol no, but if I create jim, jane, alice with their own auth pubkeys do I have to map the bastion for all 3 users
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
See GitHub authorized keys project for inspiration
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
There’s a gist in the GitHub issues to how someone else did it with cloud formation
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
in comparison; if you set up teleport you add N users; it’s not mapping 1 auth key; it knows jim’s keys are x et al
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Teleport handles SSO
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Teleport is what we use :-)
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
Aye I’m sorta leaning that way at the moment; just not keen on the fat
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
feels like using a juggernaut to deliver a box of matches
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
We have open sourced our implementation of teleport with kops
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Oh yes! It’s totally a hack job to use anything else but teleport
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Plus with teleport you get easy YouTube style replays
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
it has lots of selling points; other than having to rejig the world
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
I assume you can do tedious stuff like create groups with it and say teamx can only access teamx’s machines
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Yup
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
You can have groups
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Teleport is beautiful. Inside and out.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
It is a beast to set up the first time. All in all we have spent probably more than 2 months of man hours on it.
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
Wonder how many headaches getting our “the world is cisco” folks heads around that will be
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
I just used https://github.com/woohgit/ansible-role-teleport up front; slightly put off for the vsphere land as we use RoyalTS
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Are you using dynamodb, IAM roles, s3 backend storage and SAML?
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
teleport would solve lots of the niggly “everything everywhere needs auditing” alongside the “if the grunts don’t have ssh access to things I’ll have to debug everything”
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
For teleport auth and node?
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
no; I was using SSH proxy commands in a shell script and a bastion host as the lord-god-aws defined on the mount
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
The ansible script just uses tokens
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
I’ve set up a proxy/auth on the existing throwaway bastion to test it
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
and shoving a node on another box
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
Their repo’s terraform setup for aws consists of grafana/influx monitoring / dynamo/s3
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
our machines are supposed to be immutable; so the only reason you’d ssh in is to grab a log that’s not already being exported or to diagnose an issue before burning the machine to the ground
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
We use RKE rather than KOPS
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
which will be more pleasant when rancher’s finished its v2 terraform provider that seems to wrap rke + the cli
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I am just implying that to do teleport the “right way” will most likely be a lot more work. While getting a POC up takes a day or two. :-)
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
yeah; tbh I just wanted to see how easy it was to throw up on the minimum settings. Nothing comes free
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
the base setup using tokens isn’t too bad; realistically, as 1/3 of our setup isn’t kubernetes and everything sits in ASGs, long-life tokens are probably more a necessity than a nicety
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
The rancher hardening guides if they’re of interest to anyone https://releases.rancher.com/documents/security/latest/Rancher_Hardening_Guide.pdf
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
sigh; I’m sold on teleport. Now to read everything
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
Terraform module to provision Teleport related resources - skyscrapers/terraform-teleport
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Gravitational Teleport backing services (S3, DynamoDB) - cloudposse/terraform-aws-teleport-storage
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
We also have the Helmfiles
![phanindra bolla avatar](https://secure.gravatar.com/avatar/c458d07a4fcde8364d8726487da12c5d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0017-72.png)
How do I deploy AWS ASG EC2 through terraform as a blue/green deployment? I am thinking about different types of methods:
- Create a launch template which updates/creates a new ASG and new ALB/ELB, and switch the R53 domain to the new one
- Create a new launch template, ASG and ALB, and update the existing R53 record to target the new ALB
Please suggest the best way
![Tim Malone avatar](https://secure.gravatar.com/avatar/cec04d078c5af3d798433ab294657e36.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
cross-posted, with an answer, at https://sweetops.slack.com/archives/CB6GHNLG0/p1554427553386300
2019-04-05
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
There’s numerous things in IAC where you start to think terraform isn’t helping :face_with_rolling_eyes:
Create an aws_acm_certificate, then add an extra SAN.
Terraform sits there trying to destroy the old one… but the new one’s only just been created; so everything’s attached to it, it ain’t letting go
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
They didn’t code in a check of the api response that it’s in use, so it just retries to death
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
lmao https://github.com/terraform-providers/terraform-provider-aws/issues/3866 good god it’s a “feature”
We are seeing an issue with using acm certificates during terraform destroy where the certificate is still seen as in use by a load balancer that was just deleted. Due to eventually consistent apis…
![keen avatar](https://secure.gravatar.com/avatar/41580526a0ebadc7f2078aac776c30cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0005-72.png)
There’s numerous things in IAC where you start to think terraform isn’t helping
yeah, the more the current crop of tools evolve, the more I miss using my old circa ‘09 framework that just wrapped the java cli tools……
![keen avatar](https://secure.gravatar.com/avatar/41580526a0ebadc7f2078aac776c30cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0005-72.png)
“the infra is code because we -wrote- code”
![Alex Siegman avatar](https://avatars.slack-edge.com/2019-04-10/592429074434_cea95e800f54d8ea3544_72.jpg)
I guess the idea is that not everybody has to invent that wheel anymore? I dunno. Certainly understand the feeling though
![keen avatar](https://secure.gravatar.com/avatar/41580526a0ebadc7f2078aac776c30cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0005-72.png)
yeah - it’s just that they write the opinions to be so frameworked… er, frameworks to be so opinionated… that if you had a worldview that doesn’t fit the framework….
![btai avatar](https://avatars.slack-edge.com/2019-09-04/736463433650_34701761239ea7ba8207_72.jpg)
thoughts on aurora Postgres? I’m aware of all the improvements it’s supposed to give for roughly the same cost over vanilla RDS Postgres, but wondering if anyone’s used it in production and what their thoughts are
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
We use it all the time, it’s very good
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Synchronous replication with milliseconds latency
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Many read replicas
![btai avatar](https://avatars.slack-edge.com/2019-09-04/736463433650_34701761239ea7ba8207_72.jpg)
nice
![btai avatar](https://avatars.slack-edge.com/2019-09-04/736463433650_34701761239ea7ba8207_72.jpg)
and costs? @Andriy Knysh (Cloud Posse)
![btai avatar](https://avatars.slack-edge.com/2019-09-04/736463433650_34701761239ea7ba8207_72.jpg)
more expensive/same/cheaper than vanilla RDS?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Now that Database-as-a-service (DBaaS) is in high demand, there is one question regarding AWS services that cannot always be answered easily : When should I use Aurora and when RDS MySQL? DBaaS clo…
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
For production where you need bigger instances, the cost is relatively the same. With plain RDS you can get smaller and cheaper instances, but that are just good for testing and maybe staging
![btai avatar](https://avatars.slack-edge.com/2019-09-04/736463433650_34701761239ea7ba8207_72.jpg)
are you using it for postgres or mysql
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Both
![btai avatar](https://avatars.slack-edge.com/2019-09-04/736463433650_34701761239ea7ba8207_72.jpg)
we just talked to the solutions architect, who said we can just restore the rds postgres snapshot to aurora and it will just work
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Yes
![btai avatar](https://avatars.slack-edge.com/2019-09-04/736463433650_34701761239ea7ba8207_72.jpg)
did you find that to be true or did aurora change things
![btai avatar](https://avatars.slack-edge.com/2019-09-04/736463433650_34701761239ea7ba8207_72.jpg)
nice
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Aurora changes things mostly in user and permissions management, and some other minor things
![btai avatar](https://avatars.slack-edge.com/2019-09-04/736463433650_34701761239ea7ba8207_72.jpg)
mmm
![btai avatar](https://avatars.slack-edge.com/2019-09-04/736463433650_34701761239ea7ba8207_72.jpg)
I am using a lot of roles/databases in my rds instance
![btai avatar](https://avatars.slack-edge.com/2019-09-04/736463433650_34701761239ea7ba8207_72.jpg)
multi-tenant so i wonder if that will change things
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
E.g. even the master user you create is not the admin in the cluster
![btai avatar](https://avatars.slack-edge.com/2019-09-04/736463433650_34701761239ea7ba8207_72.jpg)
thanks @Andriy Knysh (Cloud Posse)!
![btai avatar](https://avatars.slack-edge.com/2019-09-04/736463433650_34701761239ea7ba8207_72.jpg)
i will test it out
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Security with Amazon Aurora PostgreSQL.
![keen avatar](https://secure.gravatar.com/avatar/41580526a0ebadc7f2078aac776c30cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0005-72.png)
aurora’s a bit more fun to codify setup, and to do instance up/downgrades (i.e., you have to do each of them yourself. tip: just create new nodes in the cluster at the scale you want, then failover to them…)
![keen avatar](https://secure.gravatar.com/avatar/41580526a0ebadc7f2078aac776c30cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0005-72.png)
if you make the mistake of scaling your write node, it will create an outage because aurora dont care.
![keen avatar](https://secure.gravatar.com/avatar/41580526a0ebadc7f2078aac776c30cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0005-72.png)
oh, and I have a broke psql aurora node right now, it borked in prod, didn’t failover. failed the cluster over, the node is still borked. can’t add support to the account because no one can get into the vault in the office where the root acct’s mfa key is.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
It’s even worse with regular Postgres and MySQL :)
![keen avatar](https://secure.gravatar.com/avatar/41580526a0ebadc7f2078aac776c30cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0005-72.png)
regular rds used to be a dream to update/scale with multi-AZ turned on - punch it and walk away, it’d update the slave, then failover and update the master.
![keen avatar](https://secure.gravatar.com/avatar/41580526a0ebadc7f2078aac776c30cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0005-72.png)
let it trigger in the maint window if you want
2019-04-08
![Alex Siegman avatar](https://avatars.slack-edge.com/2019-04-10/592429074434_cea95e800f54d8ea3544_72.jpg)
So looking at the reference architectures repository, there seem to be two accounts that overlap:
root
The "root" (parent, billing) account creates all child accounts and is where users login.
Of note here is the “where users login.” There’s also an “identity” account:
identity
The "identity" account is where to add users and delegate access to the other accounts
I’m a bit unsure how this would look in reality. I’m not sure how you’d “login” to the root account if your user is over in a separate account. Am I missing something? I thought in AWS your starting point always had to be wherever your IAM user existed, and from there you can assume roles in whatever fashion is needed.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
We provide a stub of an identity account
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
but we currently provision all our customers using the root account as the identity account.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
… in other words, we don’t have a configuration for the “identity” account besides the creation of it.
![Alex Siegman avatar](https://avatars.slack-edge.com/2019-04-10/592429074434_cea95e800f54d8ea3544_72.jpg)
Okay, I’m curious what the future idea of it is then.
![Alex Siegman avatar](https://avatars.slack-edge.com/2019-04-10/592429074434_cea95e800f54d8ea3544_72.jpg)
Like, would I put dev accounts there, and they’d “log in” there and assume roles from there?
![keen avatar](https://secure.gravatar.com/avatar/41580526a0ebadc7f2078aac776c30cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0005-72.png)
that’s how I’d see it yeah. that would mean the default org account role assumption wouldn’t work, and require more specific setup. which isn’t strictly a bad thing, and would save having to -undo- the default setup….
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
yea, rather than stick user accounts or (SSO integrations) in the “root” (payer) account, we’d just provision it in the identity account instead.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
The difference is just there’s a tad bit more effort in initial setup.
![Igor avatar](https://avatars.slack-edge.com/2022-03-17/3244104166391_48a8db73944f03735a65_72.jpg)
Does anyone have any experience with hosting images and videos that are optimal for each device? Is there an AWS service or an approach that’s better than generating 10 versions of an image and using S3/Cloudfront?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
we recently deployed https://docs.aws.amazon.com/solutions/latest/serverless-image-handler/welcome.html. It uses http://www.thumbor.org/ to change image size/format/filter on the fly. Behind a CDN it works OK and fast enough. It’s CloudFormation, not TF though
How to deploy the Serverless Image Handler. AWS CloudFormation templates automate the deployment.
Thumbor is a smart imaging service. It enables on-demand crop, resizing and flipping of images. It features a very smart detection of important points in the image for better cropping and resizing, using state-of-the-art face and feature detection algorithms (more on that in Detection Algorithms).
![Igor avatar](https://avatars.slack-edge.com/2022-03-17/3244104166391_48a8db73944f03735a65_72.jpg)
Thank you
![Igor avatar](https://avatars.slack-edge.com/2022-03-17/3244104166391_48a8db73944f03735a65_72.jpg)
Where can I find the CloudFormation template(s)?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
(click Next a few times) https://docs.aws.amazon.com/solutions/latest/serverless-image-handler/template.html
AWS CloudFormation template that deploys Serverless Image Handler on the AWS Cloud.
![Igor avatar](https://avatars.slack-edge.com/2022-03-17/3244104166391_48a8db73944f03735a65_72.jpg)
Sorry & thanks
2019-04-09
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
@Andriy Knysh (Cloud Posse) what are the running costs like? We currently use imageresizing.net on IIS (m3 mediums) x3 with CloudFront over it, as we’re loading images from S3 et al.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Overview of Serverless Image Handler.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
As of the date of publication, the estimated cost for running the Serverless Image Handler for 1 million images processed, 15 GB storage and 50 GB data transfer, with default settings in the US East (N. Virginia) Region is as shown in the table below. This includes estimated charges for Amazon API Gateway, AWS Lambda, Amazon CloudFront, and Amazon S3 storage
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
| AWS Service | Total Cost |
| --- | --- |
| Amazon API Gateway | $3.50 |
| AWS Lambda | $3.10 |
| Amazon CloudFront | $6.00 |
| Amazon S3 | $0.23 |
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
ta; I’d clicked architecture, not clicking the overview was a page
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
Anyone experienced `* module.elasticache_redis.module.label.data.null_data_source.tags_as_list_of_maps: data.null_data_source.tags_as_list_of_maps: value of 'count' cannot be computed` recently starting?
I ran the module a couple of weeks ago without an issue. Counts from beyond the grave
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
Hi there, I've traced down a problem from one of your other modules to the way that tags are consumed when you use interpolated values in tags. I'm fairly sure that it's a terraform pro…
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
is this only an issue because the enabled flag sets a count on a resource that’s only ever 1, but terraform thinks it has an enumerable to work with that it can’t?
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
the answer to that is no lol, it’s in the label code
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
tbh the elasticache module only needs a tags + id input; the additional dependency on label seems overkill; more injection > fewer dependencies
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Dependency on labels is central to our entire terraform strategy. It ensures composability of modules and consistency. Humans are just not good, nor consistent, about naming things. If we are not consistent about its usage then we would be breaking that contract. :-)
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
aye, I mean that if it only needs id + tags then `module.label.id` and `module.label.tags` to set the variable input seems less fussy.
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
of course, the DNS part is of debatable use once you enable TLS, as the TLS isn’t configurable
2019-04-10
![raehik avatar](https://secure.gravatar.com/avatar/84502e7dfcfbb5f67526a52f8c3d311d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
Hey all, I’m stuck in the world of IAM and I had a thought about permissions management. It’s nice to split permissions into a user-role structure for management and auditing, but the way role assumption is done feels awkward, and users have to “know” what roles they have available to them. Does AWS provide a method to find out all the assumable roles for a given user?
![Alex Siegman avatar](https://avatars.slack-edge.com/2019-04-10/592429074434_cea95e800f54d8ea3544_72.jpg)
Not natively that I’ve run into. At a previous gig we used OneLogin I think it was, and the roles you had access to were based on groups from our corp AD, and you saw a list of them when you signed in. That’s the closest I’ve seen, and far from an AWS-based solution. I’d love to be wrong though, but my guess is you’d have to engineer something to provide that info.
![raehik avatar](https://secure.gravatar.com/avatar/84502e7dfcfbb5f67526a52f8c3d311d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
Cool, thanks for the info Alex. I thought as much because of the somewhat arbitrary way role assumption permissions are granted. If using AWS account federation I feel it could be automated with some API calls to look for `sts:AssumeRole` policies, and wondered if it had been done before; probably different for AD and SAML etc. Cheers for the response!
![daveyu avatar](https://secure.gravatar.com/avatar/8d79597556982a1205cf52c64aaa66ff.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0020-72.png)
is the fargate CLI the closest thing in AWS land to https://cloud.google.com/run/?
Run stateless HTTP containers on a fully managed environment or in your own GKE cluster.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Probably
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
btw, there are (2) CLIs for AWS
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Also, they’ve started developing this one again: https://github.com/jpignata/fargate
CLI for AWS Fargate. Contribute to jpignata/fargate development by creating an account on GitHub.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
new maintainer
![Igor Rodionov avatar](https://secure.gravatar.com/avatar/bc70834d32ed4517568a1feb0b9be7e2.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
Does anyone know how RDS storage encryption works with a KMS key that has rotation enabled?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Learn about automatic and manual rotation of your customer managed customer master keys.
2019-04-16
![Alex Siegman avatar](https://avatars.slack-edge.com/2019-04-10/592429074434_cea95e800f54d8ea3544_72.jpg)
This just popped in to my email: https://aws.amazon.com/app-mesh/
I’m wondering if this could also integrate with, say, GKE for multi-cloud application networking. I also wonder how that integrates with EKS, since I’ve seen Envoy in use primarily as an app mesh for K8S
AWS App Mesh is a service mesh that allows you to easily monitor and control communications across services.
![Pablo Costa avatar](https://secure.gravatar.com/avatar/9f3ab1747bd9edcebb69a05f1b056dba.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
App Mesh is an AWS version of Istio. Look for the Istio service on GKE
![btai avatar](https://avatars.slack-edge.com/2019-09-04/736463433650_34701761239ea7ba8207_72.jpg)
anyone know if we can use different encryption keys for a single database storage in an RDS instance? (multi-tenant RDS instance)
![Abel Luck avatar](https://secure.gravatar.com/avatar/0f605397e0ead93a68e1be26dc26481a.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
interested to know this as well
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
Kubernetes external secrets. Contribute to godaddy/kubernetes-external-secrets development by creating an account on GitHub.
![Pablo Costa avatar](https://secure.gravatar.com/avatar/9f3ab1747bd9edcebb69a05f1b056dba.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
Nice project, but the problem is that AWS Secrets Manager is quite expensive: https://aws.amazon.com/secrets-manager/pricing/. Using chamber with AWS Systems Manager Parameter Store has practically no cost https://aws.amazon.com/systems-manager/pricing/
There is no additional charge for AWS Systems Manager. You only pay for AWS resources created or aggregated by AWS Systems Manager.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I think @mumoshu was first with his operator https://github.com/mumoshu/aws-secret-operator
A Kubernetes operator that automatically creates and updates Kubernetes secrets according to what are stored in AWS Secrets Manager. - mumoshu/aws-secret-operator
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
$0.40 per secret per month, jfc, didn’t realise it was that much.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Yea it’s odd that they charge so much for it. Don’t get it.
2019-04-17
![mumoshu avatar](https://secure.gravatar.com/avatar/8e045bf747ca7a90b1d955dc30217271.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
@mumoshu has joined the channel
![Igor avatar](https://avatars.slack-edge.com/2022-03-17/3244104166391_48a8db73944f03735a65_72.jpg)
Does anyone know of a good way to tag shared resources for billing reporting/monitoring purposes? For example, if I have an ALB that’s in front of two web apps - W1 and W2, can I have a billing report that includes 1/2 of the ALB cost with W1 and the rest with W2?
![Issif avatar](https://avatars.slack-edge.com/2019-12-02/848866457345_6b17c415c518a84814ce_72.png)
I’m FinOps, trust me, you can’t do that
![Issif avatar](https://avatars.slack-edge.com/2019-12-02/848866457345_6b17c415c518a84814ce_72.png)
we could try with a lot of custom but It will not be relevant
![Issif avatar](https://avatars.slack-edge.com/2019-12-02/848866457345_6b17c415c518a84814ce_72.png)
you can spread your cost by tags, but the scope will be the whole ALB, not only a part
![Igor avatar](https://avatars.slack-edge.com/2022-03-17/3244104166391_48a8db73944f03735a65_72.jpg)
Thanks
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@Igor are you using Kubernetes by any chance?
![Igor avatar](https://avatars.slack-edge.com/2022-03-17/3244104166391_48a8db73944f03735a65_72.jpg)
No, not using Kubernetes
2019-04-18
![vishnu.shukla avatar](https://secure.gravatar.com/avatar/8718ad07adbcbc884abae81ebb128d5e.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0006-72.png)
hey all, I am stuck at AWS CodeBuild with a Ruby framework, seeking help on this
![Tim Malone avatar](https://secure.gravatar.com/avatar/cec04d078c5af3d798433ab294657e36.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
post what you’re stuck on - someone might be able to help
![vishnu.shukla avatar](https://secure.gravatar.com/avatar/8718ad07adbcbc884abae81ebb128d5e.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0006-72.png)
there must be an issue with the buildspec.yml file or image
![vishnu.shukla avatar](https://secure.gravatar.com/avatar/8718ad07adbcbc884abae81ebb128d5e.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0006-72.png)
I tried with many other options as well
![vishnu.shukla avatar](https://secure.gravatar.com/avatar/8718ad07adbcbc884abae81ebb128d5e.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0006-72.png)
every time I get a different error
![xluffy avatar](https://secure.gravatar.com/avatar/f3405055ad5ad1d4933752b143807a49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
exit status is 127
![xluffy avatar](https://secure.gravatar.com/avatar/f3405055ad5ad1d4933752b143807a49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
It means command not found
![vishnu.shukla avatar](https://secure.gravatar.com/avatar/8718ad07adbcbc884abae81ebb128d5e.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0006-72.png)
it’s like one of the errors
![xluffy avatar](https://secure.gravatar.com/avatar/f3405055ad5ad1d4933752b143807a49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
see above line, it doesn’t have the sudo command
![vishnu.shukla avatar](https://secure.gravatar.com/avatar/8718ad07adbcbc884abae81ebb128d5e.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0006-72.png)
does AWS CodeBuild provide a docker image with MySQL installed on it?
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
I attended a security webinar from AWS. Here are my notes
Notes from AWS’ Security Strategies webinar by Tim Rains - osulli/security-strategies
![vishnu.shukla avatar](https://secure.gravatar.com/avatar/8718ad07adbcbc884abae81ebb128d5e.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0006-72.png)
@xluffy do you have any buildspec.yml file for Ruby to use on AWS CodePipeline?
![vishnu.shukla avatar](https://secure.gravatar.com/avatar/8718ad07adbcbc884abae81ebb128d5e.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0006-72.png)
here is the latest error I am getting
![xluffy avatar](https://secure.gravatar.com/avatar/f3405055ad5ad1d4933752b143807a49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
see error, this is another error: this container doesn’t have any JS runtime (you need a container with a JS runtime)
![oscarsullivan_old avatar](https://avatars.slack-edge.com/2019-02-27/563892542694_c14d0b37236a4a398ef8_72.png)
No JS installed or available in PATH
![vishnu.shukla avatar](https://secure.gravatar.com/avatar/8718ad07adbcbc884abae81ebb128d5e.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0006-72.png)
the provided AWS docker image doesn’t have it, I tried installing it but no success; also AWS CodeBuild has only a single image for Ruby
2019-04-23
![nutellinoit avatar](https://avatars.slack-edge.com/2018-11-26/487007455216_a140ee997507b177e7a5_72.jpg)
Hello, anyone using the EC2 spot fleet plugin with Jenkins?
2019-04-25
![vishnu.shukla avatar](https://secure.gravatar.com/avatar/8718ad07adbcbc884abae81ebb128d5e.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0006-72.png)
can someone help me on this.
![Exequiel Barrirero avatar](https://avatars.slack-edge.com/2023-05-29/5341352413764_fb3262cc4b4be6b53bb0_72.png)
Just in case anyone finds it useful.
AWS Management Console down :warning: without region #aws #outage :aws: (https://status.aws.amazon.com/)
- https://us-west-2.console.aws.amazon.com/console works :github-check-mark:
- https://us-east-2.console.aws.amazon.com/console works :github-check-mark:
- https://us-east-1.console.aws.amazon.com/console does NOT work :negative_squared_cross_mark:
- https://console.aws.amazon.com/console/home :disappointed:
So you can basically bypass the error by specifying the console region in the access URL.
To hit a specific service in us-east-1, you can use the service URL, e.g.: https://us-east-1.console.aws.amazon.com/ec2/v2/home?region=us-east-1#Home:
2019-04-29
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
When you accidentally spin up a k8s cluster using T instances and the CPU burst runs out, leaving 1 node running at ~20% of CPU
![Lee Skillen avatar](https://avatars.slack-edge.com/2021-04-22/1991426762722_fdd3e48bc80e736b3576_72.png)
All kinds of awesome: https://infrastructure.aws/
The AWS Global infrastructure is built around Regions and Availability Zones (AZs). AWS Regions provide multiple, physically separated and isolated Availability Zones which are connected with low latency, high throughput, and highly redundant networking.
![rohit avatar](https://secure.gravatar.com/avatar/96545ffc5c19a46414f41c76b28d2944.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0013-72.png)
Is there a way to get objects from a private AWS S3 bucket using CloudFront without presigned URLs?
2019-04-30
![Lee Skillen avatar](https://avatars.slack-edge.com/2021-04-22/1991426762722_fdd3e48bc80e736b3576_72.png)
Yup, you can use an Origin Access Identity on the CloudFront distribution which has access to the S3 bucket via a policy. If you need your own auth at the CDN level you can implement it with a small Lambda @ Edge too. :)
![rohit avatar](https://secure.gravatar.com/avatar/96545ffc5c19a46414f41c76b28d2944.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0013-72.png)
@Lee Skillen thanks for answering my question
![rohit avatar](https://secure.gravatar.com/avatar/96545ffc5c19a46414f41c76b28d2944.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0013-72.png)
what would be the advantage of using Origin Access Identity over presigned URLs/cookies?
![Lee Skillen avatar](https://avatars.slack-edge.com/2021-04-22/1991426762722_fdd3e48bc80e736b3576_72.png)
It’s transparent to those using the CDN for a start, and it means you don’t need to generate presigned URLs upfront. The downside is that you might still be interested in protecting the content, so need to think about auth in a different way.
![Lee Skillen avatar](https://avatars.slack-edge.com/2021-04-22/1991426762722_fdd3e48bc80e736b3576_72.png)
What kind of content is it?
![rohit avatar](https://secure.gravatar.com/avatar/96545ffc5c19a46414f41c76b28d2944.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0013-72.png)
it is all media files
![Lee Skillen avatar](https://avatars.slack-edge.com/2021-04-22/1991426762722_fdd3e48bc80e736b3576_72.png)
Do you need auth? What if someone obtains a URL and distributes it to others?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
if all content of the bucket is not a secret, then having private or public bucket does not make any difference since your users will see all the files via CloudFront. With a private bucket, use origin access identity as @Lee Skillen mentioned
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Terraform module to easily provision CloudFront CDN backed by an S3 origin - cloudposse/terraform-aws-cloudfront-s3-cdn
![rohit avatar](https://secure.gravatar.com/avatar/96545ffc5c19a46414f41c76b28d2944.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0013-72.png)
we want to make the media files private, so planning to use private bucket
![Lee Skillen avatar](https://avatars.slack-edge.com/2021-04-22/1991426762722_fdd3e48bc80e736b3576_72.png)
Some small difference is that a public bucket can be listed but not necessarily true with CloudFront. It may make a difference if you don’t care if files are public, but also don’t want easy access to all of the other files. It wouldn’t make sense for me, but I have seen people do this with URLs that are impossible to guess upfront (e.g. with randomised prefixes or something else in the URL). But if you go to that extent, I would just throw an auth method in there via a Lambda @ Edge. :)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
> I have seen people do this with URLs that are impossible to guess upfront
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
that’s security by obscurity, bad idea, never works
![Lee Skillen avatar](https://avatars.slack-edge.com/2021-04-22/1991426762722_fdd3e48bc80e736b3576_72.png)
Depends on your goal, but I broadly agree :)
![rohit avatar](https://secure.gravatar.com/avatar/96545ffc5c19a46414f41c76b28d2944.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0013-72.png)
I haven’t used CloudFront + Lambda@Edge, did you use any auth method with Lambda@Edge?
![Igor avatar](https://avatars.slack-edge.com/2022-03-17/3244104166391_48a8db73944f03735a65_72.jpg)
Is there a way to automatically update Amazon AMIs on a launch template to the latest, instead of having to rerun terraform against it on a monthly basis?
![Lee Skillen avatar](https://avatars.slack-edge.com/2021-04-22/1991426762722_fdd3e48bc80e736b3576_72.png)
@rohit It depends how fancy you want to get. How are users authenticated before they access the CDN? I assume you wouldn’t want them to have to pass a username/password via basic auth if they were already authed before? In fact, are they authed at all or “anonymous”? Is the CDN on a subdomain of your main app website (if any)? You said media before, is it for static assets, downloads or streaming? Lots of questions and possibilities. :)