#aws (2021-05)
Discussion related to Amazon Web Services (AWS)
Archive: https://archive.sweetops.com/aws/
2021-05-04
![btai avatar](https://avatars.slack-edge.com/2019-09-04/736463433650_34701761239ea7ba8207_72.jpg)
anyone got a good reason to use savings plans over RIs?
![Vlad Ionescu (he/him) avatar](https://avatars.slack-edge.com/2020-10-03/1417676895681_ea45b3f22e5fea04f2fc_72.png)
You can change instance types, families, regions!
You don’t actually get reserved capacity tho. Buuut you can do capacity reservations so
![Zach avatar](https://avatars.slack-edge.com/2020-07-21/1278358623280_e99d673db1471fc93095_72.jpg)
Savings Plans apply to EC2, Lambda and Fargate
![RB avatar](https://avatars.slack-edge.com/2020-02-26/958727689603_86844033e59114029b3c_72.png)
The better question: is there any good reason to use RIs over savings plans?
![Zach avatar](https://avatars.slack-edge.com/2020-07-21/1278358623280_e99d673db1471fc93095_72.jpg)
If you do the Compute Plan where you lock into a region and I think a family of instances, it should be 1:1 with the RIs (while still allowing slightly more flexibility)
![Zach avatar](https://avatars.slack-edge.com/2020-07-21/1278358623280_e99d673db1471fc93095_72.jpg)
the Savings Plan is the more broad one - any region, any compute type. You get less overall savings, but more freedom to change your operation on the fly
![RB avatar](https://avatars.slack-edge.com/2020-02-26/958727689603_86844033e59114029b3c_72.png)
Before savings plans, we were locked into instance types which resulted in putting off upgrading to modern instance types for years… Glad that’s over since the ability to use the newer instance types sooner (via savings plans) has saved us more money than upgrading after our RIs expire
![Alex Jurkiewicz avatar](https://avatars.slack-edge.com/2020-09-08/1346106958085_9b44ddacd6267cc803c8_72.jpg)
I’m with @RB. The money saved from RIs is offset by the loss in flexibility and added management time. Savings Plan is a better tradeoff for us.
![mikesew avatar](https://secure.gravatar.com/avatar/735f27b55681e06ef0dcbc0ab146cd49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0006-72.png)
RDS is only compatible with RIs, but I’m pretty sure you implied that by specifically mentioning Fargate/Lambda/EC2. =] Seems like Savings Plans is the recommended way to go from the ‘common wisdom’ I’m reading
![Zach avatar](https://avatars.slack-edge.com/2020-07-21/1278358623280_e99d673db1471fc93095_72.jpg)
I imagine they’ll add RDS and elasticache savings plans at some point
![Lee Skillen avatar](https://avatars.slack-edge.com/2021-04-22/1991426762722_fdd3e48bc80e736b3576_72.png)
The RDS RIs make me extremely sad
![Lee Skillen avatar](https://avatars.slack-edge.com/2021-04-22/1991426762722_fdd3e48bc80e736b3576_72.png)
At this point, RDS being included in Savings Plans is the only announcement I am hanging on the edge of a chair for.
![btai avatar](https://avatars.slack-edge.com/2019-09-04/736463433650_34701761239ea7ba8207_72.jpg)
interesting, do you guys believe RIs take more time to manage (@Alex Jurkiewicz)? News to me that people are so much more excited by Savings Plans than RIs. Personally, we haven’t had that much of an issue w/ locking in instance types, but I was def curious if it was easier to manage. (We also don’t use Fargate and our Lambda cost is minuscule)
![Lee Skillen avatar](https://avatars.slack-edge.com/2021-04-22/1991426762722_fdd3e48bc80e736b3576_72.png)
Starts getting interesting when you’re managing RIs across regions and sub-accounts. However, a Savings Plan can be applied to shared accounts and across regions, so it’s much simpler at scale.
![btai avatar](https://avatars.slack-edge.com/2019-09-04/736463433650_34701761239ea7ba8207_72.jpg)
right, we’re managing our RIs in a single region and in a single account (although we buy RIs for all accounts there) I can see where savings plans can be easier to manage at scale when it comes to multi-region etc.
![mikesew avatar](https://secure.gravatar.com/avatar/735f27b55681e06ef0dcbc0ab146cd49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0006-72.png)
we have nonprod in 1 region and prod in 2 regions, all with a jumble of different RDS db classes, so we have to pre-buy
• us-west-1 db.m5.*
• us-west-1 db.t3.*
• us-west-1 db…
• us-east-2 db.m5.*
• us-east-2 db.t3.*
• us-east-2 db… and so forth. With Savings Plans we could have gone for a single block and not worried about splitting between regions.
![Alex Jurkiewicz avatar](https://avatars.slack-edge.com/2020-09-08/1346106958085_9b44ddacd6267cc803c8_72.jpg)
Managing RIs was hours of work each week for one person at our company
2021-05-05
![Nathaniel Selzer avatar](https://avatars.slack-edge.com/2021-01-29/1705201099345_5497913d6f3f8c3fb2ef_72.png)
audit2rbac scans kubernetes audit logs and automatically generates a rbac policy with least-privilege for a user. Anyone know of anything similar for cloudtrail/IAM?
![Darren Cunningham avatar](https://secure.gravatar.com/avatar/d0ea359c3ff6b8093ae53e57fbbe2570.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
CloudTracker helps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies. - duo-labs/cloudtracker
2021-05-07
![Adrian avatar](https://secure.gravatar.com/avatar/4b71388b769491f96d7c20dc27d4635b.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0021-72.png)
Hi, when I use multiple modules like `aws-elastic-beanstalk-environment` and `terraform-aws-documentdb-cluster`, I get the error that the security group for the VPC already exists. First Terraform creates the DocumentDB and then the Elastic Beanstalk stack. I would now expect that if I use `allowed_security_groups = [module.vpc.vpc_default_security_group_id]` for both, that both are in the same security group. Is this not correct?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
this is a “feature” that we need to actually fix
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
in cases like that, just add some attributes to one of the modules
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
`attributes = ["2"]`
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
it will add `-2` to all names in that module
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
not pretty, but will work
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
and you can select whatever attribute you want, not necessary the “2” in this example
![Adrian avatar](https://secure.gravatar.com/avatar/4b71388b769491f96d7c20dc27d4635b.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0021-72.png)
thank you, I will try this
![Adrian avatar](https://secure.gravatar.com/avatar/4b71388b769491f96d7c20dc27d4635b.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0021-72.png)
this worked, but how do I add the security group from the database to the Elastic Beanstalk environment, so the application can connect to the database?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Elastic beanstalk has the SG ID output https://github.com/cloudposse/terraform-aws-elastic-beanstalk-environment/blob/master/outputs.tf#L16
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
DocumentDB has an `allowed_security_groups` input https://github.com/cloudposse/terraform-aws-documentdb-cluster/blob/master/variables.tf#L7
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
`allowed_security_groups = [module.elastic_beanstalk.security_group_id]`
![Adrian avatar](https://secure.gravatar.com/avatar/4b71388b769491f96d7c20dc27d4635b.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0021-72.png)
alright, thanks
![Marcello Romani avatar](https://avatars.slack-edge.com/2021-05-07/2039060798117_5ab61b773a897771d4c6_72.png)
Hello
![Marcello Romani avatar](https://avatars.slack-edge.com/2021-05-07/2039060798117_5ab61b773a897771d4c6_72.png)
I have hit a wall when trying to remove an EKS cluster. I have added `null_data_source.wait_for_cluster_and_kubernetes_configmap` as per the README, but now when I’m trying to delete the cluster I get
`Error: Get "http://localhost/api/v1/namespaces/kube-system/configmaps/aws-auth": dial tcp [::1]:80: connect: connection refused`
We are wrapping the cloudposse module with a thin layer, so I’m looking into that as well, but is this something that others have seen?
![Vlad Ionescu (he/him) avatar](https://avatars.slack-edge.com/2020-10-03/1417676895681_ea45b3f22e5fea04f2fc_72.png)
It’s an issue that stems from the Terraform Kubernetes provider. See https://github.com/cloudposse/terraform-aws-eks-cluster/issues/104 and https://github.com/terraform-aws-modules/terraform-aws-eks/issues/911
![Marcello Romani avatar](https://avatars.slack-edge.com/2021-05-07/2039060798117_5ab61b773a897771d4c6_72.png)
Thanks! It seems to be affecting a lot of people…
![Marcello Romani avatar](https://avatars.slack-edge.com/2021-05-07/2039060798117_5ab61b773a897771d4c6_72.png)
I’m seeing that problem when I set `enabled=false` in order to destroy the cluster.
![Marcello Romani avatar](https://avatars.slack-edge.com/2021-05-07/2039060798117_5ab61b773a897771d4c6_72.png)
`-parallelism=1` doesn’t help
![Marcello Romani avatar](https://avatars.slack-edge.com/2021-05-07/2039060798117_5ab61b773a897771d4c6_72.png)
`null_resource.wait_for_cluster` is also causing the issue
![Marcello Romani avatar](https://avatars.slack-edge.com/2021-05-07/2039060798117_5ab61b773a897771d4c6_72.png)
I tried removing `wait_for_cluster_and_kubernetes_configmap` from the Terraform state, but it still causes the `aws-auth` configmap to be read, leading to the error: `Error: Get "http://localhost/api/v1/namespaces/kube-system/configmaps/aws-auth": dial tcp [::1]:80: connect: connection refused`
![Marcello Romani avatar](https://avatars.slack-edge.com/2021-05-07/2039060798117_5ab61b773a897771d4c6_72.png)
I think that resource should be tied to `context.enabled`
![Marcello Romani avatar](https://avatars.slack-edge.com/2021-05-07/2039060798117_5ab61b773a897771d4c6_72.png)
OK, a workaround turned out to be removing the `aws-auth` configmap from the Terraform state
2021-05-10
2021-05-12
![Brij S avatar](https://secure.gravatar.com/avatar/ae6bd7c5812b96db0ac75fa625906db6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0021-72.png)
Hi all, looking for some networking advice. I’m looking to deploy an EKS cluster with managed nodes. I’m trying to figure out how to best size the VPC. All the nodes will be in private subnets; for a nonproduction account there will be 2 AZs and for prod there will be 3 AZs. For nonprod, I’ve got the following:
• /24 VPC (256 hosts)
• /26 private subnets (64 hosts each, x2)
• /28 public subnets (14 hosts each, x2)
Any suggestions on what a setup for prod would look like? I’m thinking a /25 CIDR, but I’m not really sure
![Santiago Campuzano avatar](https://secure.gravatar.com/avatar/f8f05f122df51440e3bd79dd0feb089b.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0000-72.png)
A /25 VPC CIDR is way too small
![Santiago Campuzano avatar](https://secure.gravatar.com/avatar/f8f05f122df51440e3bd79dd0feb089b.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0000-72.png)
I recommend a big CIDR
![Brij S avatar](https://secure.gravatar.com/avatar/ae6bd7c5812b96db0ac75fa625906db6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0021-72.png)
would a /24 suffice in prod too?
![Brij S avatar](https://secure.gravatar.com/avatar/ae6bd7c5812b96db0ac75fa625906db6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0021-72.png)
or something bigger?
![Santiago Campuzano avatar](https://secure.gravatar.com/avatar/f8f05f122df51440e3bd79dd0feb089b.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0000-72.png)
21
![Santiago Campuzano avatar](https://secure.gravatar.com/avatar/f8f05f122df51440e3bd79dd0feb089b.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0000-72.png)
we have /21 subnets for EKS
![Brij S avatar](https://secure.gravatar.com/avatar/ae6bd7c5812b96db0ac75fa625906db6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0021-72.png)
With a /21 for the CIDR, what do you suggest for the subnets? Private needs to be bigger
![Alex Jurkiewicz avatar](https://avatars.slack-edge.com/2020-09-08/1346106958085_9b44ddacd6267cc803c8_72.jpg)
Well, it depends on how many unique IPs you think you will need. Try to estimate it, then add a big safety margin
![Santiago Campuzano avatar](https://secure.gravatar.com/avatar/f8f05f122df51440e3bd79dd0feb089b.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0000-72.png)
In our case, we will be able to spin up around 5K pods per EKS cluster
![Santiago Campuzano avatar](https://secure.gravatar.com/avatar/f8f05f122df51440e3bd79dd0feb089b.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0000-72.png)
Which is way more than required
![Vlad Ionescu (he/him) avatar](https://avatars.slack-edge.com/2020-10-03/1417676895681_ea45b3f22e5fea04f2fc_72.png)
Yeah, you have to do the math. Don’t forget to account for ALBs/RDSs and whatever else you may have in the VPC.
For 5k pods I think you may have to use a /16 and at least 1 extra /16 range.
![Steve Wade (swade1987) avatar](https://avatars.slack-edge.com/2022-12-08/4499411930625_2768e5fdceec550e6669_72.jpg)
I have some logic for this that I should open source around splitting a CIDR block into regions, then VPCs in that region and then finally subnets in that VPC
![Steve Wade (swade1987) avatar](https://avatars.slack-edge.com/2022-12-08/4499411930625_2768e5fdceec550e6669_72.jpg)
You need it ASAP? I’m away from my laptop right now, how soon you need it?
![Brij S avatar](https://secure.gravatar.com/avatar/ae6bd7c5812b96db0ac75fa625906db6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0021-72.png)
I could wait till you’re back, no problem
2021-05-13
2021-05-14
![Zach avatar](https://avatars.slack-edge.com/2020-07-21/1278358623280_e99d673db1471fc93095_72.jpg)
We are investigating increased API error rates and increased provisioning/registration latencies for ELBs in the US-EAST-1 Region. Connectivity to existing load balancers is not affected.
![sheldonh avatar](https://secure.gravatar.com/avatar/b909e5a82474e9853ff6a6c6111cf0cf.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0020-72.png)
In case interested I threw together a custom AWS weekly update digest if you want a way to keep up and don’t have a method already.
There are better ways I’m sure but this is custom and has social media top posts too. I didn’t use Cloudpegboard because pretty sure I can’t include redistributed updates from them on my digest if I share it.
YMMV. Reply to email and it will email me if you have any customizations.
https://app.mailbrew.com/sheldonhull/aws-cloud-news-6TwkFMMyI1ea?aff=sheldonhull
2021-05-17
![Vivek Kushwah avatar](https://avatars.slack-edge.com/2021-05-07/2034316625942_1fafc2ae5b49f0bc282b_72.jpg)
i want to be able to change instance size using airflow dags, any ideas?
![Zach avatar](https://avatars.slack-edge.com/2020-07-21/1278358623280_e99d673db1471fc93095_72.jpg)
ALB should be automatically adding an X-Forwarded-Proto header to incoming requests, is that correct?
![Michael Warkentin avatar](https://secure.gravatar.com/avatar/219e6891cd29919cfad373a72eca17dd.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0024-72.png)
I believe it sets it but doesn’t pass it through if set upstream
![Zach avatar](https://avatars.slack-edge.com/2020-07-21/1278358623280_e99d673db1471fc93095_72.jpg)
Their documentation is very ambiguous on whether it’s set. But we have an app seeing that header as ‘null’ on the other side, so we’re a bit confused.
2021-05-18
2021-05-19
![msharma24 avatar](https://avatars.slack-edge.com/2021-07-12/2274860926897_140ea0637d985071847a_72.jpg)
Looking for advice on Transit Gateway - should you create and maintain separate Dev and Prod TGWs, or use one TGW with Prod and Dev spokes attached and manage the routing with the TGW route tables to ensure dev spokes can’t reach Prod spokes?
![bazbremner avatar](https://secure.gravatar.com/avatar/61190aa3ffd42f3d341a98ec700e4ceb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0019-72.png)
Personally I’d say always have at least two of anything - if you have a dev-tier and prod-tier (TGWs in this case) then you have somewhere lower risk to apply changes before you start affecting production, but you still have the headache of routes/config being specific to combinations of environments
![bazbremner avatar](https://secure.gravatar.com/avatar/61190aa3ffd42f3d341a98ec700e4ceb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0019-72.png)
Having multiple of anything also forces everyone to cater for a different reality, which is useful for DR, other regions, additional environments etc.
![Milosb avatar](https://avatars.slack-edge.com/2020-02-24/966891046949_8b28874492925e3ee6dc_72.jpg)
I do like separation, as @bazbremner already mentioned. Depends what you want to achieve and what your architecture looks like, while at the same time being cost effective. For example, if you want to connect your own network with AWS over a site-to-site VPN tunnel you would need to do it for both TGWs, and that adds additional costs…
2021-05-20
![sheldonh avatar](https://secure.gravatar.com/avatar/b909e5a82474e9853ff6a6c6111cf0cf.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0020-72.png)
I’m having a problem getting nginx as a reverse proxy to work in docker compose. I’ve tried to use the mkcert + docker-gen + nginx combo (want to stick with docker compose).
My goal was to allow local development easily against what I’d be deploying to ECS fargate. Almost all the projects I’m working with need this pattern of reverse proxy to support ssl termination as an option.
Anyone have a docker compose project that spins up a reverse nginx proxy and uses docker-gen? I’m ok with using the tmpl file too, but so far no luck in getting anything other than direct access to the container, no redirect from root oauth to /appname. Probably removing docker-gen soon, but it would be nice if I could leverage the automatic config it offers.
![sheldonh avatar](https://secure.gravatar.com/avatar/b909e5a82474e9853ff6a6c6111cf0cf.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0020-72.png)
If more detail and code samples are useful I’ll do a write-up
![Igor avatar](https://avatars.slack-edge.com/2022-03-17/3244104166391_48a8db73944f03735a65_72.jpg)
I have a root “dockerize” process sending logs to STDOUT from files on the container, which are showing up when running docker locally. However, these logs don’t appear when running in AWS ECS using the awslogs driver. Any thoughts on what the issue might be?
2021-05-21
![Steve Wade (swade1987) avatar](https://avatars.slack-edge.com/2022-12-08/4499411930625_2768e5fdceec550e6669_72.jpg)
does anyone have any strong opinions on an AWS infra tagging taxonomy?
![sheldonh avatar](https://secure.gravatar.com/avatar/b909e5a82474e9853ff6a6c6111cf0cf.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0020-72.png)
I use the cloudposse module for tagging and leave it at that. Makes it easy!
![Alex Jurkiewicz avatar](https://avatars.slack-edge.com/2020-09-08/1346106958085_9b44ddacd6267cc803c8_72.jpg)
Only advice is start simple
![Darren Cunningham avatar](https://secure.gravatar.com/avatar/d0ea359c3ff6b8093ae53e57fbbe2570.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
have a specific goal, then determine if tagging is what you need to achieve that goal. then tag accordingly.
![sheldonh avatar](https://secure.gravatar.com/avatar/b909e5a82474e9853ff6a6c6111cf0cf.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0020-72.png)
If there isn’t an “absolutely must be exactly this way” … then I just changed my approach to fit the module cloudposse wrote, as it’s so good.
Then all my other tools just get `tags = module.label.tags` or `module.label.id`. Or I paste in the context.tf file and add support for the naming tools they built.
As a result naming is consistent, but takes no more mental effort.
![Steve Wade (swade1987) avatar](https://avatars.slack-edge.com/2022-12-08/4499411930625_2768e5fdceec550e6669_72.jpg)
We mostly want it for costing/billing purposes
![Michael Warkentin avatar](https://secure.gravatar.com/avatar/219e6891cd29919cfad373a72eca17dd.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0024-72.png)
We rely mainly on Application and Environment tags. If you’re trying to allocate to a team that could be another one or you could configure cost categories to map apps to teams.
(This really depends on your company and how you want to allocate costs though)
![Michael Warkentin avatar](https://secure.gravatar.com/avatar/219e6891cd29919cfad373a72eca17dd.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0024-72.png)
The terraform provider has the ability to set default tags for almost all resources which is nice.
![Eric Berg avatar](https://avatars.slack-edge.com/2022-02-23/3149638965779_b5a77c77548365fff07f_72.jpg)
Consistency is key. From the billing requirements, some of the required tags should be fairly obvious. It’s more challenging for shared resources, in terms of cross-charging, etc.
We have this standard set of tags, which allows us to allocate AWS usage by `client`, `environment`, and `service`. Datadog uses the `env` tag to identify a “unique environment”, which for us is basically `client-environment` (i.e., `clientX-prod`). We also keep client and environment as discrete tags for searching.
![sheldonh avatar](https://secure.gravatar.com/avatar/b909e5a82474e9853ff6a6c6111cf0cf.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0020-72.png)
Anyone try using Lando? https://docs.lando.dev/basics/
I’m interested in anything that simplifies local dev tooling without a ton of extra complexity and seemed interesting. Seems similar to Cloudposse modules in that they are trying to set “sane defaults” by default on the apps to reduce effort.
![sheldonh avatar](https://secure.gravatar.com/avatar/b909e5a82474e9853ff6a6c6111cf0cf.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0020-72.png)
This also sent me towards looking at: https://platform.sh/
Always interested in tooling that reduces complexity when possible and allows me to focus on core business needs. Love to hear any thoughts (and I plan on looking at archives too)
![Zach avatar](https://avatars.slack-edge.com/2020-07-21/1278358623280_e99d673db1471fc93095_72.jpg)
Sigh. I’m so tired of ‘contact us’ pricing
![robschoening avatar](https://secure.gravatar.com/avatar/fc9496da3a9c8e977cd9cf9448d7ea35.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0024-72.png)
Just curious, are you objecting to platform.sh pricing transparency?
![sheldonh avatar](https://secure.gravatar.com/avatar/b909e5a82474e9853ff6a6c6111cf0cf.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0020-72.png)
I’m not sure what @Zach meant on your pricing page, but I’ll say asking for a call just to get info on a product is frustrating; with all the tooling devops work requires, it’s just a major annoyance to me. I’ll most likely move on.
On your pricing page I see some transparency on pricing, and the contact us seems to be for the highest tier, which probably makes sense. I’d like to know what @Zach noticed specifically as well.
![Zach avatar](https://avatars.slack-edge.com/2020-07-21/1278358623280_e99d673db1471fc93095_72.jpg)
Just what you said
![robschoening avatar](https://secure.gravatar.com/avatar/fc9496da3a9c8e977cd9cf9448d7ea35.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0024-72.png)
I ask because I’m an engineer and CEO. Certainly agree with you. But curious because platform.sh does have quite a bit of pricing, albeit complicated and hard to extrapolate.
![Zach avatar](https://avatars.slack-edge.com/2020-07-21/1278358623280_e99d673db1471fc93095_72.jpg)
Nothing specific to you guys, I just clicked to check out the link the other day and I always look at the pricing. Sort of an off the cuff thought about these things in general
![robschoening avatar](https://secure.gravatar.com/avatar/fc9496da3a9c8e977cd9cf9448d7ea35.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0024-72.png)
To be clear, I have nothing to do with platform.sh.
![Zach avatar](https://avatars.slack-edge.com/2020-07-21/1278358623280_e99d673db1471fc93095_72.jpg)
Ah! misunderstood your stmt above
![robschoening avatar](https://secure.gravatar.com/avatar/fc9496da3a9c8e977cd9cf9448d7ea35.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0024-72.png)
I’m just interested in pricing plans that don’t suck.
![Zach avatar](https://avatars.slack-edge.com/2020-07-21/1278358623280_e99d673db1471fc93095_72.jpg)
The problem generally is they’ll put a plan out at like $5/month for a single dev working on a personal project and then next tier is like “3 people for $50/month” and then “all others contact sales”
![robschoening avatar](https://secure.gravatar.com/avatar/fc9496da3a9c8e977cd9cf9448d7ea35.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0024-72.png)
Yeah, exactly. You want more visibility to the point that the product is an entrenched success.
![Zach avatar](https://avatars.slack-edge.com/2020-07-21/1278358623280_e99d673db1471fc93095_72.jpg)
and then I’ll have to sit through a bunch of back and forth email, schedule a meeting, have an hour call to find out that the enterprise starts at like $50/person plus some other scaling factors.
![Zach avatar](https://avatars.slack-edge.com/2020-07-21/1278358623280_e99d673db1471fc93095_72.jpg)
Even if it’s complicated pricing I’d like to see something like “starts at $x based on A, B and C factors”
![robschoening avatar](https://secure.gravatar.com/avatar/fc9496da3a9c8e977cd9cf9448d7ea35.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0024-72.png)
Aside from AWS, any really awesome examples you have of those that don’t suck. Off the top of your head. CI usually pretty clear of course.
![Zach avatar](https://avatars.slack-edge.com/2020-07-21/1278358623280_e99d673db1471fc93095_72.jpg)
haha no, I think just about everyone hides their ‘enterprise’ prices
![robschoening avatar](https://secure.gravatar.com/avatar/fc9496da3a9c8e977cd9cf9448d7ea35.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0024-72.png)
GitHub, GitLab, atlassian.
![Zach avatar](https://avatars.slack-edge.com/2020-07-21/1278358623280_e99d673db1471fc93095_72.jpg)
It’s sort of like if you walk by a fancy clothing store in the mall: when they don’t have prices out you figure “out of my league” and just walk past
![robschoening avatar](https://secure.gravatar.com/avatar/fc9496da3a9c8e977cd9cf9448d7ea35.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0024-72.png)
Yeah, I guess the counter to this is that pricing that seems inconsequential at small scale can appear asinine at large scale.
![Zach avatar](https://avatars.slack-edge.com/2020-07-21/1278358623280_e99d673db1471fc93095_72.jpg)
plus the usual “please don’t put SSO on your enterprise only plan”
![sheldonh avatar](https://secure.gravatar.com/avatar/b909e5a82474e9853ff6a6c6111cf0cf.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0020-72.png)
Here’s a couple that show pricing very clearly at the enterprise level (though they may have addons): https://spacelift.io/pricing.html vs https://www.env0.com/pricing (no detail on enterprise)
I think that the enterprise level at some of these places is such a small number that it’s probable they want hands-on with sales/engineering to ensure it’s successful. I get that. I guess I’d still like an approx range from someone offering enterprise support, like “starting at” vs “contact us.”
2021-05-24
![Rhys Davies avatar](https://avatars.slack-edge.com/2020-12-18/1580964655798_828968c042a3796c57d9_72.jpg)
Hey guys, seem to be having read timeout connection issues trying to run Terraform applies from CircleCI on AWS currently. Is anyone else experiencing this?
![Yoni Leitersdorf (Indeni Cloudrail) avatar](https://avatars.slack-edge.com/2020-08-26/1310888406231_2dc8c60843ac09dc06bb_72.jpg)
I didn’t. What error are you getting?
![Tomek avatar](https://secure.gravatar.com/avatar/b355b9b70cf60dfc12f0c375bb5b558e.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
we’re seeing the following trace breakdown for a Java runtime based AWS Lambda. I know Java has a hefty cold-start time and I would expect the JVM starting to fall in the “Initialization” phase of execution. What is the 10 second gap before the Initialization phase that is happening in this trace?
2021-05-25
![ikar avatar](https://avatars.slack-edge.com/2019-12-12/872745210438_a9cbe68481dd0d2b9e3d_72.jpg)
Hey guys, one of the APIs we’re about to use requires IP whitelisting. Is there a way to configure an HTTP proxy using AWS without the need to configure e.g. tinyproxy or nginx?
![Alex Jurkiewicz avatar](https://avatars.slack-edge.com/2020-09-08/1346106958085_9b44ddacd6267cc803c8_72.jpg)
NLB can have static IP
![Alex Jurkiewicz avatar](https://avatars.slack-edge.com/2020-09-08/1346106958085_9b44ddacd6267cc803c8_72.jpg)
If you mean static IP for outbound traffic, use a NAT gateway
![ikar avatar](https://avatars.slack-edge.com/2019-12-12/872745210438_a9cbe68481dd0d2b9e3d_72.jpg)
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Global accelerator is another option, depending on the use case
2021-05-26
![Brian Ojeda avatar](https://avatars.slack-edge.com/2021-05-21/2091552027955_105f68e1608ac63c274a_72.jpg)
Any reason to prefer account-scoped CloudTrails over organization-scoped CloudTrails? I noticed that terraform-aws-components seems to be preferring account-scoped trails.
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
multi-payer/multi-org environments is the main reason for me
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
we have some accounts that need to strictly separate billing, but everything else (cloudtrail, securityhub, guardduty, etc) can be linked to a single management account
![Brian Ojeda avatar](https://avatars.slack-edge.com/2021-05-21/2091552027955_105f68e1608ac63c274a_72.jpg)
Thank you.
2021-05-27
![Shreyank Sharma avatar](https://avatars.slack-edge.com/2020-10-21/1438500514694_ba31ccb589c56a529289_72.jpg)
Hi All, I wanted to know if there is any way in AWS to notify us if an S3 bucket or Lambda function is down, using SNS with CloudWatch. Thank you
![Yoni Leitersdorf (Indeni Cloudrail) avatar](https://avatars.slack-edge.com/2020-08-26/1310888406231_2dc8c60843ac09dc06bb_72.jpg)
Why would an S3 bucket be down? What do you mean there?
![Shreyank Sharma avatar](https://avatars.slack-edge.com/2020-10-21/1438500514694_ba31ccb589c56a529289_72.jpg)
Okay, why I asked this question is: S3 is object storage and behind the scenes it’s just storage devices. What if that goes down and my S3 buckets are down? At that time, is there any way to notify users?
![pjaudiomv avatar](https://secure.gravatar.com/avatar/40f13c8f113a13f5b9730c8cd47ec9ee.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0013-72.png)
I think s3 is resilient to nine nines
![pjaudiomv avatar](https://secure.gravatar.com/avatar/40f13c8f113a13f5b9730c8cd47ec9ee.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0013-72.png)
And I only remember 1 time in the past 10 yrs of it going down
![Shreyank Sharma avatar](https://avatars.slack-edge.com/2020-10-21/1438500514694_ba31ccb589c56a529289_72.jpg)
okay thank you @pjaudiomv
![pjaudiomv avatar](https://secure.gravatar.com/avatar/40f13c8f113a13f5b9730c8cd47ec9ee.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0013-72.png)
For lambda you can use a cloudwatch metric alarm to alert on failed invocations
![pjaudiomv avatar](https://secure.gravatar.com/avatar/40f13c8f113a13f5b9730c8cd47ec9ee.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0013-72.png)
![pjaudiomv avatar](https://secure.gravatar.com/avatar/40f13c8f113a13f5b9730c8cd47ec9ee.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0013-72.png)
Yea you can use sns to send an email notification
![managedkaos avatar](https://secure.gravatar.com/avatar/f7d88a7a95990c984ab107b491b51b3f.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0025-72.png)
I think if S3 goes down, all of us will have bigger problems.
But if you truly want to monitor your content and access to S3, I would suggest setting up a resource outside of AWS (perhaps in GCP or Azure) that has permission to access your bucket in the way you want to monitor: HTTPS or direct API access. And then have that service report into your monitoring system that the access is still good. So if indeed S3 goes offline for some reason (which would likely be a larger problem in AWS which might also affect their ability to notify you) you would still be able to get your monitor and alert that your bucket is inaccessible.
2021-05-29
![Steven Pham avatar](https://avatars.slack-edge.com/2021-05-26/2113544395428_f922d705a362a31e5be2_72.jpg)
Hey everyone, I’m excited to be part of this slack channel! Are there any recommended terraform/ansible repos with AWS that have prometheus/grafana visualization incorporated that you all pull from easily? I’d rather not work through and write up the IaC for it from scratch
![Mo Battah avatar](https://avatars.slack-edge.com/2021-05-29/2141880136400_a59dcd3d1dd0bf289479_72.png)
Best CI CD tool? Looking for the absolute best. PHP shop. Replacing all of our tooling so I can really start from scratch. Currently vetting CICD vendors
![Prasanta Sahoo avatar](https://avatars.slack-edge.com/2021-02-06/1707360665079_87740909037538f0baba_72.png)
Github actions, Github packages with self hosted Github runner
![Mohammed Yahya avatar](https://avatars.slack-edge.com/2020-12-17/1590276740676_9fdeb6c9ef89d13e6414_72.png)
there is no best CICD, test a group of them and use the one that matches your use case.
![managedkaos avatar](https://secure.gravatar.com/avatar/f7d88a7a95990c984ab107b491b51b3f.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0025-72.png)
Have to agree with Mohammed. There are literally hundreds of CICD tools out there and the best one is the one that fits your needs and use cases.
• If you are a GitHub shop, you might consider GitHub actions
• If you are a GitLab shop, you might consider GitLab CI
• If you use Docker with your PHP, you might rely on Docker Hub to build and publish your images
I’m sure there are other combinations I can come up with but you get the idea. Start by taking a look at a few tools that are already close or tangential to the way you are already working. Don’t belabor your analysis but quickly pick one and go with it. If it works, you just found the best tool.
At the same time, don’t feel stuck. If you realize what you thought was the best tool is no longer working, start the process again with the next tool until you find the right fit.
![Chris Fowles avatar](https://avatars.slack-edge.com/2019-10-08/789284772630_caabfcff3b09cf0455ee_72.jpg)
![Mo Battah avatar](https://avatars.slack-edge.com/2021-05-29/2141880136400_a59dcd3d1dd0bf289479_72.png)
@managedkaos @Mohammed Yahya I agree. Asked because I’m looking for a few to vet
![managedkaos avatar](https://secure.gravatar.com/avatar/f7d88a7a95990c984ab107b491b51b3f.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0025-72.png)
@Mo Battah can you give a high level description of your application and/or runtime environment? that might help a bit with recommendations. also if you are using repo deploys, building containers, kubernetes, etc..
![bds avatar](https://avatars.slack-edge.com/2021-04-21/2008837777248_3dd6319b6315774284e0_72.png)
For resource heavy CI/CD pipelines, which include dependencies and project specific build/deploy workflows, perhaps Jenkins or TeamCity.
For CI/CD on single repos or with fewer dependencies, and less complicated workflows I’d go for Gitlab CI or Github actions, Travis, CircleCI. Mainly due to the reduced set up overhead and simpler to plug-and-play.
![bds avatar](https://avatars.slack-edge.com/2021-04-21/2008837777248_3dd6319b6315774284e0_72.png)
There’s also the world of GitOps/k8s-oriented with tools like ArgoCD. I’m unfamiliar with this though, but it’s anyways interesting
![robschoening avatar](https://secure.gravatar.com/avatar/fc9496da3a9c8e977cd9cf9448d7ea35.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0024-72.png)
Buildkite is really nice. It’s very simple, flexible and easy to use. It doesn’t really do anything that GitHub Actions doesn’t, though.
![toast-gear avatar](https://secure.gravatar.com/avatar/0681ca91e7d60b8650c64f127d3e253c.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
Does it have a native roll your own solution? Actions doesn’t have anything official for that although there are 2 really good open source solutions for that
![robschoening avatar](https://secure.gravatar.com/avatar/fc9496da3a9c8e977cd9cf9448d7ea35.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0024-72.png)
“It” being BuildKite?
![toast-gear avatar](https://secure.gravatar.com/avatar/0681ca91e7d60b8650c64f127d3e253c.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
yarp, just curious
![robschoening avatar](https://secure.gravatar.com/avatar/fc9496da3a9c8e977cd9cf9448d7ea35.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0024-72.png)
They supply the SaaS control plane and a golang runner/agent. That’s really it. Think of it like GitLab CI unbundled. Or GitHub Actions unbundled.
![Mohammed Yahya avatar](https://avatars.slack-edge.com/2020-12-17/1590276740676_9fdeb6c9ef89d13e6414_72.png)
If I understand right, you can use Github Action with your own runners ( for example in ECS service for AWS use case) for critical workload, same as buildkite
![Mohammed Yahya avatar](https://avatars.slack-edge.com/2020-12-17/1590276740676_9fdeb6c9ef89d13e6414_72.png)
I see a lot of hype following hybrid approach for their CICD even for Terraform
![toast-gear avatar](https://secure.gravatar.com/avatar/0681ca91e7d60b8650c64f127d3e253c.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
yeh but there aren’t any kind of native scaling options, they provide a self-hosted capability which is mainly designed for static machines. If you want it to be elastic you need to do quite a lot of work yourself
![toast-gear avatar](https://secure.gravatar.com/avatar/0681ca91e7d60b8650c64f127d3e253c.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
https://github.com/philips-labs/terraform-aws-github-runner this project lets you provide self-hosted machines using the serverless tooling on AWS and https://github.com/actions-runner-controller/actions-runner-controller this project does it for the k8s platform
![Mohammed Yahya avatar](https://avatars.slack-edge.com/2020-12-17/1590276740676_9fdeb6c9ef89d13e6414_72.png)
Thanks for sharing, good to know
![Chris Fowles avatar](https://avatars.slack-edge.com/2019-10-08/789284772630_caabfcff3b09cf0455ee_72.jpg)
I personally feel that a hosted control plane and self hosted agents (with pull connectivity) is the sweet spot of SaaS for CICD. It gives a good amount of flexibility without the overhead of managing control planes.
![robschoening avatar](https://secure.gravatar.com/avatar/fc9496da3a9c8e977cd9cf9448d7ea35.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0024-72.png)
Yes, @Chris Fowles. The first time I tried Buildkite (2017 or so) my reaction was “OMG, this is how CI was supposed to be. Why did I suffer for so long?” I’m sure there were others that got it right before them. But it’s still a great standalone experience. Now lots of choices with this model.