#aws (2019-04)

aws Discussion related to Amazon Web Services (AWS)

Archive: https://archive.sweetops.com/aws/

2019-04-30

Lee Skillen avatar
Lee Skillen

Yup, you can use an Origin Access Identity on the CloudFront distribution which has access to the S3 bucket via a policy. If you need your own auth at the CDN level you can implement it with a small Lambda @ Edge too. :)

rohit avatar
rohit

@Lee Skillen thanks for answering my question

rohit avatar
rohit

What would be the advantage of using an Origin Access Identity over presigned URLs/cookies?

Lee Skillen avatar
Lee Skillen

It’s transparent to those using the CDN for a start, and it means you don’t need to generate presigned URLs upfront. The downside is that you might still be interested in protecting the content, so need to think about auth in a different way.

Lee Skillen avatar
Lee Skillen

What kind of content is it?

rohit avatar
rohit

it is all media files

Lee Skillen avatar
Lee Skillen

Do you need auth? What if someone obtains a URL and distributes it to others?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

If the content of the bucket is not secret, then having a private or public bucket does not make any difference, since your users will see all the files via CloudFront. With a private bucket, use an Origin Access Identity as @Lee Skillen mentioned.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/terraform-aws-cloudfront-s3-cdn

Terraform module to easily provision CloudFront CDN backed by an S3 origin - cloudposse/terraform-aws-cloudfront-s3-cdn

rohit avatar
rohit

We want to make the media files private, so we are planning to use a private bucket.

Lee Skillen avatar
Lee Skillen

Some small difference is that a public bucket can be listed but not necessarily true with CloudFront. It may make a difference if you don’t care if files are public, but also don’t want easy access to all of the other files. It wouldn’t make sense for me, but I have seen people do this with URLs that are impossible to guess upfront (e.g. with randomised prefixes or something else in the URL). But if you go to that extent, I would just throw an auth method in there via a Lambda @ Edge. :)

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)


I have seen people do this with URLs that are impossible to guess upfront

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

That's security by obscurity: bad idea, never works.

Lee Skillen avatar
Lee Skillen

Depends on your goal, but I broadly agree :)

rohit avatar
rohit

I haven't used CloudFront + Lambda@Edge. Did you use any auth method with Lambda@Edge?

imiltchman avatar
imiltchman

Is there a way to automatically update Amazon AMIs on a launch template to the latest, instead of having to rerun terraform against it on monthly basis?

Lee Skillen avatar
Lee Skillen

@rohit It depends how fancy you want to get. How are users authenticated before they access the CDN? I assume you wouldn’t want them to have to pass a username/password via basic auth if they were already authed before? In fact, are they authed at all or “anonymous”? Is the CDN on a subdomain of your main app website (if any)? You said media before, is it for static assets, downloads or streaming? Lots of questions and possibilities. :)

2019-04-29

chrism avatar
chrism

When you accidentally spin up a k8 cluster using T instances and the cpu-burst wipes out leaving 1 node running at ~20% of cpu

Lee Skillen avatar
Lee Skillen

All kinds of awesome: https://infrastructure.aws/

AWS Global Cloud Infrastructure

The AWS Global infrastructure is built around Regions and Availability Zones (AZs). AWS Regions provide multiple, physically separated and isolated Availability Zones which are connected with low latency, high throughput, and highly redundant networking.

rohit avatar
rohit

Is there a way to get objects from an AWS S3 private bucket using CloudFront without presigned URLs?

2019-04-25

vishnu.shukla avatar
vishnu.shukla

Can someone help me on this?

Exequiel Barrirero avatar
Exequiel Barrirero

Just in case anyone finds it useful.

AWS Management Console down :warning: without region #aws #outage :aws: (https://status.aws.amazon.com/)

• (link: https://us-west-2.console.aws.amazon.com/console) us-west-2.console.aws.amazon.com/console works :github-check-mark:

• (link: https://us-east-2.console.aws.amazon.com/console) us-east-2.console.aws.amazon.com/console works :github-check-mark:

• (link: https://us-east-1.console.aws.amazon.com/console) us-east-1.console.aws.amazon.com/console does NOT work :negative_squared_cross_mark: (link: https://console.aws.amazon.com/console/home) console.aws.amazon.com/console/home :disappointed:

So you can basically bypass the error by specifying the console region in the access URL. To hit a specific service in us-east-1 you can use the service URL, e.g.: https://us-east-1.console.aws.amazon.com/ec2/v2/home?region=us-east-1#Home:

2019-04-23

nutellinoit avatar
nutellinoit

Hello, anyone using ec2 spot fleet plugin with jenkins?

2019-04-18

vishnu.shukla avatar
vishnu.shukla

Hey all, I am stuck at AWS CodeBuild with a Ruby framework, seeking help on this.

Tim Malone avatar
Tim Malone

post what you’re stuck on - someone might be able to help

vishnu.shukla avatar
vishnu.shukla

There must be an issue with the buildspec.yml file or the image.

vishnu.shukla avatar
vishnu.shukla

I tried many other options as well.

vishnu.shukla avatar
vishnu.shukla

Every time I get a different error.

xluffy avatar
xluffy


exit status is 127

xluffy avatar
xluffy

It means command not found

vishnu.shukla avatar
vishnu.shukla

It's like one of the errors.

xluffy avatar
xluffy

See the line above: it doesn't have the sudo command.

vishnu.shukla avatar
vishnu.shukla

Does AWS CodeBuild provide a Docker image with MySQL installed?

oscarsullivan_old avatar
oscarsullivan_old

I attended a security webinar from AWS. Here are my notes:

https://github.com/osulli/security-strategies

osulli/security-strategies

Notes from AWS’ Security Strategies webinar by Tim Rains - osulli/security-strategies

vishnu.shukla avatar
vishnu.shukla

@xluffy do you have any buildspec.yml file for Ruby to use on AWS CodePipeline?

vishnu.shukla avatar
vishnu.shukla

Here is the latest error I am getting.

xluffy avatar
xluffy

See the error: this is a different error. This container doesn't have any JS runtime (you need a container with a JS runtime).

oscarsullivan_old avatar
oscarsullivan_old

No JS installed or available in PATH.

vishnu.shukla avatar
vishnu.shukla

The provided AWS Docker image doesn't have it; I tried installing it but with no success. Also, AWS CodeBuild has only a single image for Ruby.

2019-04-17


imiltchman avatar
imiltchman

Does anyone know of a good way to tag shared resources for billing reporting/monitoring purposes? For example, if I have an ALB that’s in front of two web apps - W1 and W2, can I have a billing report that includes 1/2 of the ALB cost with W1 and the rest with W2?

Issif avatar
Issif

I’m FinOps, trust me, you can’t do that

Issif avatar
Issif

We could try with a lot of custom work, but it will not be relevant.

Issif avatar
Issif

you can spread your cost by tags, but the scope will be the whole ALB, not only a part

imiltchman avatar
imiltchman

Thanks

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@imiltchman are you using Kubernetes by anychance?

imiltchman avatar
imiltchman

No, not using Kubernetes

2019-04-16

Alex Siegman avatar
Alex Siegman

This just popped in to my email: https://aws.amazon.com/app-mesh/

I'm wondering if this could also integrate with, say, GKE for multi-cloud application networking. I also wonder how that integrates with EKS, since I've seen Envoy in use primarily as an app mesh for K8s.

AWS App Mesh - Application-level networking for all your services - Amazon Web Services

AWS App Mesh is a service mesh that allows you to easily monitor and control communications across services.

Pablo Costa avatar
Pablo Costa

App Mesh is an AWS version of Istio. Look for the Istio service on GKE.

btai avatar

Anyone know if we can use different encryption keys for a single database's storage in an RDS instance? (multi-tenant RDS instance)

Abel Luck avatar
Abel Luck

interested to know this as well

chrism avatar
chrism
godaddy/kubernetes-external-secrets

Kubernetes external secrets. Contribute to godaddy/kubernetes-external-secrets development by creating an account on GitHub.

Pablo Costa avatar
Pablo Costa

Nice project, but the problem is that AWS Secrets Manager is quite expensive: https://aws.amazon.com/secrets-manager/pricing/. Using chamber with AWS Systems Manager Parameter Store has practically no cost: https://aws.amazon.com/systems-manager/pricing/

AWS Systems Manager Pricing – Amazon Web Services (AWS)

There is no additional charge for AWS Systems Manager. You only pay for AWS resources created or aggregated by AWS Systems Manager.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I think @mumoshu was first with his operator https://github.com/mumoshu/aws-secret-operator

mumoshu/aws-secret-operator

A Kubernetes operator that automatically creates and updates Kubernetes secrets according to what are stored in AWS Secrets Manager. - mumoshu/aws-secret-operator

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

chrism avatar
chrism

$0.40 per secret per month jfc, didn’t realise it was that much.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Yea it’s odd that they charge so much for it. Don’t get it.

2019-04-10

raehik avatar
raehik

Hey all, I’m stuck in the world of IAM and I had a thought about permissions management. It’s nice to split permissions into a user-role structure for management and auditing, but the way role assumption is done feels awkward, and users have to “know” what roles they have available to them. Does AWS provide a method to find out all the assumable roles for a given user?

Alex Siegman avatar
Alex Siegman

Not natively that I've run into. At a previous gig we used OneLogin I think it was, and the roles you had access to were based on groups from our corp AD, and you saw a list of them when you signed in. That's the closest I've seen, and far from an AWS-based solution. I'd love to be wrong though, but my guess is you'd have to engineer something to provide that info.

raehik avatar
raehik

Cool, thanks for the info Alex. I thought as much because of the somewhat arbitrary way role assumption permissions are granted. If using AWS account federation I feel it could be automated with some API calls to look for sts:AssumeRole policies & wondered if it had been done before - probably different for AD and SAML etc. Cheers for the response!

daveyu avatar
daveyu

is the fargate cli the closest thing in awsland to https://cloud.google.com/run/?

Cloud Run  |  Google Cloud

Run stateless HTTP containers on a fully managed environment or in your own GKE cluster.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Probably

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

BTW, there are (2) CLIs for AWS.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Also, they’ve started developing this one again: https://github.com/jpignata/fargate

jpignata/fargate

CLI for AWS Fargate. Contribute to jpignata/fargate development by creating an account on GitHub.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

new maintainer

Igor Rodionov avatar
Igor Rodionov

Does anyone know how RDS storage encryption works with a KMS key that has rotation enabled?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
Rotating Customer Master Keys - AWS Key Management Service

Learn about automatic and manual rotation of your customer managed customer master keys.

2019-04-09

chrism avatar
chrism

@Andriy Knysh (Cloud Posse) what are the running costs like? We currently use imageresizing.net on IIS (m3.mediums) x3 with CloudFront over it, as we're loading images from S3 et al.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)


As of the date of publication, the estimated cost for running the Serverless Image Handler for 1 million images processed, 15 GB storage and 50 GB data transfer, with default settings in the US East (N. Virginia) Region is as shown in the table below. This includes estimated charges for Amazon API Gateway, AWS Lambda, Amazon CloudFront, and Amazon S3 storage

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
AWS Service	Total Cost
Amazon API Gateway	$3.50
AWS Lambda	$3.10
Amazon CloudFront	$6.00
Amazon S3	$0.23
chrism avatar
chrism

Ta; I'd clicked Architecture, not clicking that the Overview was a page.

chrism avatar
chrism

Anyone experienced "* module.elasticache_redis.module.label.data.null_data_source.tags_as_list_of_maps: data.null_data_source.tags_as_list_of_maps: value of 'count' cannot be computed" recently? I ran the module a couple of weeks ago without an issue. Counts from beyond the grave.

chrism avatar
chrism
Using interpolated values in strings · Issue #44 · cloudposse/terraform-null-label

Hi there, I've traced down a problem from one of your other modules to the way that tags are consumed when you use interpolated values in tags. I'm fairly sure that it's a terraform pro…

chrism avatar
chrism

Is this only an issue because the enabled flag sets a count on a resource that's only ever 1, but Terraform thinks it has an enumerable to work with that it can't?

chrism avatar
chrism

The answer to that is no, lol, it's in the label code.

chrism avatar
chrism

TBH the ElastiCache module only needs a tags + id input; the additional dependency on label seems overkill; more injection > fewer dependencies.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Dependency on labels is central to our entire Terraform strategy. It ensures composability of modules and consistency. Humans are just not good, nor consistent, about naming things. If we are not consistent about its usage then we would be breaking that contract. :-)

chrism avatar
chrism

Aye, I mean that if it only needs id + tags then using module.label.id and module.label.tags to set the variable input seems less fussy.

chrism avatar
chrism

Of course, the DNS part is of debatable use once you enable TLS, as the TLS isn't configurable.

2019-04-08

Alex Siegman avatar
Alex Siegman

So looking at the reference architectures repository, there seem to be two accounts that overlap:

root
The "root" (parent, billing) account creates all child accounts and is where users login.

Of note here is the “where users login.” There’s also an “identity” account:

identity
The "identity" account is where to add users and delegate access to the other accounts

I’m a bit unsure how this would look in reality. I’m not sure how you’d “login” to the root account, if your user is over in a separate account. Am I missing something? I thought in AWS your starting point always had to be wherever your IAM user existed, and from there you can assume roles in whatever fashion is needed.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We provide a stub of an identity account

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

but we currently provision all our customers using the root account as the identity account.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

… in other words, we don’t have a configuration for the “identity” account besides the creation of it.

Alex Siegman avatar
Alex Siegman

Okay, I’m curious what the future idea of it is then.

Alex Siegman avatar
Alex Siegman

Like, would I put dev accounts there, and they’d “log in” there and assume roles from there?

keen avatar

That's how I'd see it, yeah. That would mean the default org account role assumption wouldn't work, and would require more specific setup. Which isn't strictly a bad thing, and would save having to -undo- the default setup....

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

yea, rather than stick user accounts or (SSO integrations) in the “root” (payer) account, we’d just provision it in the identity account instead.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

The difference is just there’s a tad bit more effort in initial setup.

imiltchman avatar
imiltchman

Does anyone have any experience with hosting images and videos that are optimal for each device? Is there an AWS service or an approach that’s better than generating 10 versions of an image and using S3/Cloudfront?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

we recently deployed https://docs.aws.amazon.com/solutions/latest/serverless-image-handler/welcome.html. It uses http://www.thumbor.org/ to change image size/format/filter on the fly. Behind a CDN works ok and fast enough. It’s CloudFormation, not TF though

Serverless Image Handler - Serverless Image Handler

How to deploy the Serverless Image Handler. AWS CloudFormation templates automate the deployment.

thumbor - open-source smart on-demand image cropping, resizing and filters

Thumbor is a smart imaging service. It enables on-demand crop, resizing and flipping of images. It features a very smart detection of important points in the image for better cropping and resizing, using state-of-the-art face and feature detection algorithms (more on that in Detection Algorithms).

imiltchman avatar
imiltchman

Thank you

imiltchman avatar
imiltchman

Where can I find the CloudFormation template(s)?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
AWS CloudFormation Template - Serverless Image Handler

AWS CloudFormation template that deploys Serverless Image Handler on the AWS Cloud.

imiltchman avatar
imiltchman

Sorry & thanks

2019-04-05

chrism avatar
chrism

There are numerous things in IaC where you start to think Terraform isn't helping :face_with_rolling_eyes: Create an aws_acm_certificate, then add an extra SAN. Terraform sits there trying to destroy the old one... but the new one's only just been created, so everything's attached to it; it ain't letting go.

chrism avatar
chrism

They didn't code in a check of the API response that it's in use, so it just retries to death.

chrism avatar
chrism
Deleting ACM certificate fails with ResourceInUseException by a deleted ELB. · Issue #3866 · terraform-providers/terraform-provider-aws

We are seeing an issue with using acm certificates during terraform destroy where the certificate is still seen as in use by a load balancer that was just deleted. Due to eventually consistent apis…

chrism avatar
chrism

Enjoy the weekend chaps

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

:-1:

keen avatar


There’s numerous things in IAC where you start to think terraform isnt helping
Yeah, the more the current crop of tools evolves, the more I miss using my old circa '09 framework that just wrapped the Java CLI tools......

keen avatar

“the infra is code because we -wrote- code”

Alex Siegman avatar
Alex Siegman

I guess the idea is that not everybody has to invent that wheel anymore? I dunno. Certainly understand the feeling though

keen avatar

Yeah - it's just that they write the opinions to be so frameworked... er, frameworks to be so opinionated... that if you had a worldview that doesn't fit the framework....

btai avatar

Thoughts on Aurora Postgres? I'm aware of all the improvements it's supposed to give for roughly the same cost over vanilla RDS Postgres, but wondering if anyone's used it in production and what their thoughts are.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

We use it all the time, it’s very good

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

Synchronous replication with millisecond latency.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

Many read replicas

btai avatar

nice

btai avatar

and costs? @Andriy Knysh (Cloud Posse)

btai avatar

more expensive/same/cheaper than vanilla RDS?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
When Should I Use Amazon Aurora and When Should I use RDS MySQL?

Now that Database-as-a-service (DBaaS) is in high demand, there is one question regarding AWS services that cannot always be answered easily : When should I use Aurora and when RDS MySQL? DBaaS clo…

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

For production where you need bigger instances, the cost is relatively the same. With plain RDS you can get smaller and cheaper instances, but those are just good for testing and maybe staging.

btai avatar

Are you using it for Postgres or MySQL?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

Both

btai avatar

We just talked to the solutions architect, who said we can just restore the RDS Postgres snapshot to Aurora and it will just work.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

Yes

btai avatar

Did you find that to be true, or did Aurora change things?

btai avatar

nice

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

Aurora changes things mostly in user and permissions management, and some other minor things

btai avatar

mmm

btai avatar

I am using a lot of roles/databases in my RDS instance.

btai avatar

Multi-tenant, so I wonder if that will change things.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

E.g. even the master user you create is not the admin in the cluster

btai avatar

thanks @Andriy Knysh (Cloud Posse)!

btai avatar

I will test it out.

keen avatar

Aurora's a bit more fun to codify setup for, and to do instance up/downgrades (i.e., you have to do each of them yourself. Tip: just create new nodes in the cluster at the scale you want, then fail over to them...)

keen avatar

If you make the mistake of scaling your write node, it will create an outage, because Aurora doesn't care.

keen avatar

Oh, and I have a broken psql Aurora node right now. It borked in prod, didn't fail over. Failed the cluster over, the node is still borked. Can't add support to the account because no one can get into the vault in the office where the root account's MFA key is.

keen avatar

(effing stupid that whole iam-users-can’t-change-support)

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

It’s even worse with regular Postgres and MySQL :)

keen avatar

Regular RDS used to be a dream to update/scale with multi-AZ turned on - punch it and walk away, it'd update the slave, then fail over and update the master.

keen avatar

let it trigger in the maint window if you want

2019-04-04

oscarsullivan_old avatar
oscarsullivan_old

If your EBS backed EC2 instances are SHUTDOWN (not terminated) do you still pay for the EC2? I understand you’d still pay for EBS.

oscarsullivan_old avatar
oscarsullivan_old

EC2 instances accrue charges only while they're running

oscarsullivan_old avatar
oscarsullivan_old

I think I read this before

oscarsullivan_old avatar
oscarsullivan_old

And made me wonder if they meant running as in OS RUNNING / POWER ON

oscarsullivan_old avatar
oscarsullivan_old

or running as in… it is created and say SHUTDOWN

maarten avatar
maarten

When an EC2 instance is stopped you only pay for the EBS volumes you are using.

oscarsullivan_old avatar
oscarsullivan_old

Thanks guys, that’s perfect then. No reason not to switch off the EC2s over night!

oscarsullivan_old avatar
oscarsullivan_old

… The IPs wouldn’t change, right?

maarten avatar
maarten

They will when you're not using Elastic IPs.

oscarsullivan_old avatar
oscarsullivan_old

Hmmm, so on spin-up would need to run terraform to update the R53 records. Alright that will take a bit more effort

chrism avatar
chrism

When Teleport provides a full script with a Makefile for Terraform, but you wish it was just a provider because you only need an eighth of what they've shoved in it: https://github.com/gravitational/teleport/tree/master/examples/aws/terraform

gravitational/teleport

Privileged access management for elastic infrastructure. - gravitational/teleport

chrism avatar
chrism

The UI stuffs nice for teleport but I think it’s going to give me a stroke. We took SSH proxying via a gateway and added 300 new things that can break

chrism avatar
chrism

The default size for the SSH proxy in that thing's an m4.large; 8 GB of RAM, dual-core.

chrism avatar
chrism

"sets up the bastion using route53 and registers a cert with letsencrypt" ... so it sticks the route to your bastion into public CT logs (using wildcards is better), and there's no config in that thing to restrict traffic to the bastion, sooo we're doing public SSH now.

chrism avatar
chrism

All just their example, of course; you can do what you like in reality. Wish it was just an Ansible module (the only one around hasn't been touched in 11 months); at least it doesn't cripple normal SSH.

chrism avatar
chrism

so you have a backup when it facepalms

chrism avatar
chrism

@Erik Osterman (Cloud Posse) with the cloudposse bastion, what's the deal with users? How can it say which user logged in if the volume mounts against 1 user (just going off the README)?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@chrism user management is outside of the scope of the project. There are dozens of ways to provision users with the #bastion

chrism avatar
chrism

Yeah, I mean if I have 9 users already there by other means, how does the bastion map to those 9 users if it's using volumes?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

A bastion is a jump box

chrism avatar
chrism

I know

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Users should not be hanging out on it

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

:-)

chrism avatar
chrism

lol no, but if I create jim, jane, alice with their own auth pubkeys, do I have to map the bastion for all 3 users?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

See GitHub authorized keys project for inspiration

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

There’s a gist in the GitHub issues to how someone else did it with cloud formation

chrism avatar
chrism

In comparison, if you set up Teleport you add N users; it's not mapping 1 auth key; it knows jim's keys are x et al.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Teleport handles SSO

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Teleport is what we use :-)

chrism avatar
chrism

Aye, I'm sorta leaning that way at the moment; just not keen on the fat.

chrism avatar
chrism

feels like using a juggernaut to deliver a box of matches

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We have open sourced our implementation of teleport with kops

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Oh yes! It’s totally a hack job to use anything else but teleport

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Plus with teleport you get easy YouTube style replays

chrism avatar
chrism

it has lots of selling points; other than having to rejig the world

chrism avatar
chrism

I assume you can do tedious stuff like create groups with it and say team X can only access team X's machines?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Yup

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

You can have groups

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Teleport is beautiful. Inside and out.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

It is a beast to set up the first time. All in all we have spent probably more than 2 months of man-hours on it.

chrism avatar
chrism

Wonder how many headaches getting our “the world is cisco” folks heads around that will be

chrism avatar
chrism

I just used https://github.com/woohgit/ansible-role-teleport up front; slightly put off for the vsphere land as we use RoyalTS

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Are you using dynamodb, IAM roles, s3 backend storage and SAML?

chrism avatar
chrism

Teleport would solve lots of the niggly "everything everywhere needs auditing" alongside the "if the grunts don't have SSH access to things I'll have to debug everything".

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

For teleport auth and node?

chrism avatar
chrism

No; I was using SSH proxy commands in a shell script and a bastion host as the lord-god-AWS defined on the mount.

chrism avatar
chrism

The ansible script just uses tokens

chrism avatar
chrism

I've set up a proxy/auth on the existing throwaway bastion to test it.

chrism avatar
chrism

and shoving a node on another box

chrism avatar
chrism

Their repo's Terraform setup for AWS consists of Grafana/Influx monitoring, Dynamo/S3.

chrism avatar
chrism

Our machines are supposed to be immutable, so the only reason you'd SSH in is to grab a log that's not already being exported or to diagnose an issue before burning the machine to the ground.

chrism avatar
chrism

We use RKE rather than KOPS

chrism avatar
chrism

Which will be more pleasant when Rancher's finished its v2 Terraform provider that seems to wrap RKE + the CLI.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I am just implying that to do teleport the “right way” will most likely be a lot more work. While getting a POC up takes a day or two. :-)

chrism avatar
chrism

Yeah; TBH I just wanted to see how easy it was to throw up on the minimum settings. Nothing comes free.

chrism avatar
chrism

The base setup using tokens isn't too bad; realistically, as a third of our setup isn't Kubernetes and everything sits in ASGs, long-lived tokens are probably more a necessity than a nicety.

chrism avatar
chrism

The rancher hardening guides if they’re of interest to anyone https://releases.rancher.com/documents/security/latest/Rancher_Hardening_Guide.pdf

chrism avatar
chrism

Sigh; I'm sold on Teleport. Now to read everything.

chrism avatar
chrism
skyscrapers/terraform-teleport

Terraform module to provision Teleport related resources - skyscrapers/terraform-teleport

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
cloudposse/terraform-aws-teleport-storage

Gravitational Teleport backing services (S3, DynamoDB) - cloudposse/terraform-aws-teleport-storage

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We also have the Helmfiles

phanindra bolla avatar
phanindra bolla

How do I deploy AWS ASG EC2 through Terraform as a blue/green deployment? I am thinking about different types of methods:

  1. Create a launch template which updates/creates a new ASG and a new ALB/ELB, and switch the R53 domain to the new one
  2. Create a new launch template, ASG and ALB, and update the existing R53 record to target the new ALB

Please suggest the best way.

2019-04-03

oscarsullivan_old avatar
oscarsullivan_old

If your EBS backed EC2 instances are SHUTDOWN (not terminated) do you still pay for the EC2? I understand you’d still pay for EBS.

oscarsullivan_old avatar
oscarsullivan_old

I want to turn off EC2s at night for non-core environments, using Lambda.

Maxim Tishchenko avatar
Maxim Tishchenko

Hello everyone, is there any way to invoke a Lambda function when a user is added to/removed from an AWS account?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@Maxim Tishchenko you can log user creation/deletion events to CloudTrail https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
Using AWS Lambda with AWS CloudTrail - AWS Lambda

How to set up and start using the AWS Lambda service.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

which will filter the required events

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
Automate account creation, and resource provisioning using AWS Service Catalog, AWS Organizations, and AWS Lambda | Amazon Web Services attachment image

As an organization expands its use of AWS services, there is often a conversation about the need to create multiple AWS accounts to ensure separation of business processes or for security, compliance, and billing. Many of the customers we work with use separate AWS accounts for each business unit so they can meet the different […]

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
alphagov/lambda-check-cloudtrail

Periodic Lambda function to alert when CloudTrail is not being delivered to an S3 bucket - alphagov/lambda-check-cloudtrail

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@lvh


oscarsullivan_old avatar
oscarsullivan_old

Big up UK govt dev team ^

