#aws (2022-07)
Discussion related to Amazon Web Services (AWS)
Discussion related to Amazon Web Services (AWS)
Archive: https://archive.sweetops.com/aws/
2022-07-01
![Karim Benjelloun avatar](https://avatars.slack-edge.com/2020-02-26/970268829476_48bd73425f3094c51c8f_72.png)
Hello, do you have any recommendations on unified (or SSO) for SSH? We do not want to manually copy-delete ssh keys all over our EC2 instances.
![Rodrigo Rech avatar](https://avatars.slack-edge.com/2022-06-25/3705406276167_95612582721aae6c3226_72.png)
If you are using AWS, why not use AWS SSO with permission set in combination with AWS Session Manager?
![Karim Benjelloun avatar](https://avatars.slack-edge.com/2020-02-26/970268829476_48bd73425f3094c51c8f_72.png)
I’m not sure I understand you
![Rodrigo Rech avatar](https://avatars.slack-edge.com/2022-06-25/3705406276167_95612582721aae6c3226_72.png)
Manage your nodes using an auditable and secure one-click browser-based interactive shell or the AWS CLI without having to open inbound ports.
![Rodrigo Rech avatar](https://avatars.slack-edge.com/2022-06-25/3705406276167_95612582721aae6c3226_72.png)
With System Manager Agent, you don’t need to manage SSH Keys or open inbound ports to your machines
![Karim Benjelloun avatar](https://avatars.slack-edge.com/2020-02-26/970268829476_48bd73425f3094c51c8f_72.png)
That sounds good! Thanks, I’m gonna have a look
![Rodrigo Rech avatar](https://avatars.slack-edge.com/2022-06-25/3705406276167_95612582721aae6c3226_72.png)
And if you want to leverage with SSO, you can use AWS SSO
![Rodrigo Rech avatar](https://avatars.slack-edge.com/2022-06-25/3705406276167_95612582721aae6c3226_72.png)
AWS Single Sign-On is a cloud-based single sign-on (SSO) service that makes it easy to centrally manage SSO access to all of your AWS accounts and cloud applications. Specifically, it helps you manage SSO access and user permissions across all your AWS accounts in AWS Organizations. AWS SSO also helps you manage access and permissions to commonly used third-party software as a service (SaaS) applications, AWS SSO-integrated applications as well as custom applications that support Security Assertion Markup Language (SAML) 2.0. AWS SSO includes a user portal where your end-users can find and access all their assigned AWS accounts, cloud applications, and custom applications in one place.
![Rodrigo Rech avatar](https://avatars.slack-edge.com/2022-06-25/3705406276167_95612582721aae6c3226_72.png)
In my company we use Session Manager + AWS SSO + Okta (as IdP)
![Rodrigo Rech avatar](https://avatars.slack-edge.com/2022-06-25/3705406276167_95612582721aae6c3226_72.png)
works like a charm
![Rodrigo Rech avatar](https://avatars.slack-edge.com/2022-06-25/3705406276167_95612582721aae6c3226_72.png)
the downside: only works at AWS
![Karim Benjelloun avatar](https://avatars.slack-edge.com/2020-02-26/970268829476_48bd73425f3094c51c8f_72.png)
glad to hear
![Karim Benjelloun avatar](https://avatars.slack-edge.com/2020-02-26/970268829476_48bd73425f3094c51c8f_72.png)
I mean that should be OK
![Karim Benjelloun avatar](https://avatars.slack-edge.com/2020-02-26/970268829476_48bd73425f3094c51c8f_72.png)
We have around 100 servers, and we’re done with copying ssh keys back and forth. So we need something simple
![Rodrigo Rech avatar](https://avatars.slack-edge.com/2022-06-25/3705406276167_95612582721aae6c3226_72.png)
yep, I hear your pain
![Rodrigo Rech avatar](https://avatars.slack-edge.com/2022-06-25/3705406276167_95612582721aae6c3226_72.png)
you basically need to install AWS Session Manager, create some policies to start using it
![Karim Benjelloun avatar](https://avatars.slack-edge.com/2020-02-26/970268829476_48bd73425f3094c51c8f_72.png)
![Karim Benjelloun avatar](https://avatars.slack-edge.com/2020-02-26/970268829476_48bd73425f3094c51c8f_72.png)
![mikesew avatar](https://secure.gravatar.com/avatar/735f27b55681e06ef0dcbc0ab146cd49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0006-72.png)
@Rodrigo Rech: slightly piggybacking on this thread, can you assign AWS SSO to AD groups? We use AWS SSO with Azure AD, but i’m being told by my platform administrator that we cant do nested groups, and thus we have to enter AWS account/role access per user .
![Rodrigo Rech avatar](https://avatars.slack-edge.com/2022-06-25/3705406276167_95612582721aae6c3226_72.png)
Hi @mikesew not sure if I got your use case
![Rodrigo Rech avatar](https://avatars.slack-edge.com/2022-06-25/3705406276167_95612582721aae6c3226_72.png)
On Okta I assign AWS SSO to specific users groups
![Rodrigo Rech avatar](https://avatars.slack-edge.com/2022-06-25/3705406276167_95612582721aae6c3226_72.png)
On AWS side I grant a Permission Set base on the user group
![Rodrigo Rech avatar](https://avatars.slack-edge.com/2022-06-25/3705406276167_95612582721aae6c3226_72.png)
I didn’t get it what do you mean by nested groups
![Rodrigo Rech avatar](https://avatars.slack-edge.com/2022-06-25/3705406276167_95612582721aae6c3226_72.png)
If need more granular control, you could look for ABAC (Attribute-based access control) https://docs.aws.amazon.com/singlesignon/latest/userguide/abac.html
Attribute-based access control (ABAC) is an authorization strategy that defines permissions based on attributes. You can use AWS SSO to manage access to your AWS resources across multiple AWS accounts using user attributes that come from any AWS SSO identity source. In AWS, these attributes are called tags. Using user attributes as tags in AWS helps you simplify the process of creating fine-grained permissions in AWS and ensures that your workforce gets access only to the AWS resources with matching tags.
![mikesew avatar](https://secure.gravatar.com/avatar/735f27b55681e06ef0dcbc0ab146cd49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0006-72.png)
Org Had a set of basic roles ie. AWS administrator access , AWSReadOnlyAccess. We could assign human ad users to thise roles but apparently not ad groups. Puzzling.
![Rodrigo Rech avatar](https://avatars.slack-edge.com/2022-06-25/3705406276167_95612582721aae6c3226_72.png)
From what I understand @mikesew, it’s possible
![Rodrigo Rech avatar](https://avatars.slack-edge.com/2022-06-25/3705406276167_95612582721aae6c3226_72.png)
What happen on my company:
• We manage users and groups at Okta side.
• On the AWS side, we have different Permission Sets, which includes different IAM Policies
• Based on the AWS Account and User Group, we assign this permission set. You can also assign multiple permission sets to a single group within same account if you wish.
![mikesew avatar](https://secure.gravatar.com/avatar/735f27b55681e06ef0dcbc0ab146cd49.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0006-72.png)
thank you. Okta doesn’t have a free tier, does it? I want to try for my own learning, to setup an aws org, setup some free directory service like.. azure AD, setup AWS SSO to use that azure AD SAML, then see if i can add nested groups to those roles.. not just users.
• Q: are there any other free tier directory services i can try in a sandbox? my AWS free tier account expired.. I could try jumpcloud, but was hoping to use something closer to my company (azure AD)
![Andrey Taranik avatar](https://avatars.slack-edge.com/2022-06-12/3669397553761_977b72e1ce855abe47df_72.png)
![attachment image](https://goteleport.com/static/og-image.png)
The open-source Teleport Access Plane consolidates connectivity, authentication, authorization, and audit into a single platform to improve security & agility.
![Karim Benjelloun avatar](https://avatars.slack-edge.com/2020-02-26/970268829476_48bd73425f3094c51c8f_72.png)
Thanks @Andrey Taranik. Any alternatives? We tried Teleport but for some reason we keep needing restarting services every now and then and I don’t find it straightforward
![Michael Galey avatar](https://avatars.slack-edge.com/2021-12-09/2846579901200_c7033a89629ebac670a7_72.jpg)
I like cloudflare tunnels a lot if you use cloudflare.
![Andrey Taranik avatar](https://avatars.slack-edge.com/2022-06-12/3669397553761_977b72e1ce855abe47df_72.png)
![attachment image](https://smallstep.com/uploads/smallstep-meta.png)
Smallstep SSH provides single sign-on SSH via your identity provider—replacing key management agony with secure, short-lived SSH certificates.
![Andrey Taranik avatar](https://avatars.slack-edge.com/2022-06-12/3669397553761_977b72e1ce855abe47df_72.png)
or just build your own solution as described in smallstep blog https://smallstep.com/blog/diy-single-sign-on-for-ssh/
![attachment image](https://smallstep.com/uploads/diy-sso-ssh-unfurl.jpg)
Let’s set up Google SSO for SSH! We’ll use OpenID Connect (OIDC), SSH certificates, a clever SSH configuration tweak, and Smallstep’s open source packages.
![Karim Benjelloun avatar](https://avatars.slack-edge.com/2020-02-26/970268829476_48bd73425f3094c51c8f_72.png)
Thanks Andrey! I’m gonna have a look
![attachment image](https://smallstep.com/uploads/diy-sso-ssh-unfurl.jpg)
Let’s set up Google SSO for SSH! We’ll use OpenID Connect (OIDC), SSH certificates, a clever SSH configuration tweak, and Smallstep’s open source packages.
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
![attachment image](https://tailscale.com/blog/tailscale-ssh/social.png)
Today we’re delighted to introduce Tailscale SSH, to more easily manage SSH connections in your tailnet. Tailscale SSH allows you to establish SSH connections between devices in your Tailscale network, as authorized by your access controls, without managing SSH keys, and authenticates your SSH connection using WireGuard®.
![Soren Jensen avatar](https://avatars.slack-edge.com/2022-03-29/3335297940336_31e10a3485a2bd8c35af_72.png)
Does anyone know if it’s possible to see how much electricity your aws resources are consuming? Alternatively find a co2 footprint of the resources?
![Vlad Ionescu (he/him) avatar](https://avatars.slack-edge.com/2020-10-03/1417676895681_ea45b3f22e5fea04f2fc_72.png)
https://aws.amazon.com/blogs/aws/new-customer-carbon-footprint-tool/ is a first step in that direction!
![attachment image](https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2022/03/01/Site-Merch_AWS-Customer-Carbon-Footprint-Tool_Blog.png)
Carbon is the fourth-most abundant element in the universe, and is also a primary component of all known life on Earth. When combined with oxygen it creates carbon dioxide (CO2). Many industrial activities, including the burning of fossil fuels such as coal and oil, release CO2 into the atmosphere and cause climate change. As part […]
![Soren Jensen avatar](https://avatars.slack-edge.com/2022-03-29/3335297940336_31e10a3485a2bd8c35af_72.png)
Thanks, I was sure I had seen an article about it somewhere..
2022-07-04
![jonjitsu avatar](https://secure.gravatar.com/avatar/8d4169f1a7fd27bd9a11a25ccfed62c8.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0014-72.png)
Anyone have any flakiness issues with codedeploy? I have a lot of services using it and when I trigger too many codedeploys at once it seems the whole thing just freezes but not always, it’s weird.
![Stephen Tan avatar](https://avatars.slack-edge.com/2021-10-07/2572140401110_4fb0b6f5fd5409d8f56f_72.png)
I use Code Deploy but on a small scale. Works really well and very happy with it - nothing to maintain and pretty much free. My use case is to get it to pull repos from Github and trigger ansible runs so you can get it to do pretty much anything that Tower does but in a proper way - securely, pulling rather than pushing etc. It’s pretty sweet
2022-07-05
![Adnan avatar](https://secure.gravatar.com/avatar/86fbcb1983990cec4ffd9e7f6b009669.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
I am currently at at EKS version 1.20. Do you know if there is a deadline for upgrading this version?
![Stef avatar](https://secure.gravatar.com/avatar/f0e2e1bd608129e466f4a51ba9dd502c.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0025-72.png)
End of support for 1.20 is 03 Oct 2022
![Adnan avatar](https://secure.gravatar.com/avatar/86fbcb1983990cec4ffd9e7f6b009669.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
![Alex Jurkiewicz avatar](https://avatars.slack-edge.com/2020-09-08/1346106958085_9b44ddacd6267cc803c8_72.jpg)
The Kubernetes project is continually integrating new features, design updates, and bug fixes. The community releases new Kubernetes minor versions, such as 1.22 . New version updates are available on average every three months. Each minor version is supported for approximately twelve months after it’s first released.
![Adnan avatar](https://secure.gravatar.com/avatar/86fbcb1983990cec4ffd9e7f6b009669.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
thanks
![Constantin Popa avatar](https://avatars.slack-edge.com/2022-06-10/3635984174887_1ad5d7abf569c841c03b_72.png)
Here’s the response I got from AWS support with regards to my concerns of not being able to upgrade our EKS cluster in time, before the End of support date, hope it helps people to plan the upgrade accordingly:
Query 1 : What is the impact of running our EKS with K8s 1.19 after June 2022 ? According to the docs 1.19 will be unsupported past that date.
* From [1] it is stated that On the end of support date, you can no longer create new Amazon EKS clusters with the unsupported version.
* Existing control planes are automatically updated by Amazon EKS to the earliest supported version through a gradual deployment process after the end of support date.
* After the automatic control plane update, make sure to manually update cluster add-ons and Amazon EC2 nodes.
* In this regard you might have a query of when the control plane takes place exactly ?
* In the same document [1] Amazon EKS can't provide specific timeframes. Automatic updates can happen at any time after the end of support date.
* We recommend that you proactively update your control plane without relying on the Amazon EKS automatic update process.
==================
==================
Query 2 : Will the cluster be shut down after that date?
* No your cluster won't be shut down from the AWS end.
* However as mentioned above the control plane of the EKS cluster will be upgraded any time after the end of support date.
==================
==================
Query 3 : Won't we be able to add new nodes?
* After the end of support date you won't be able to add new nodes with the expired version since the support for that version will be expired.
* Also you won't be able to create new EKS cluster with the version for which the support has ended.
==================
==================
Query 4 : What is the actual date for end of support, 1st of june or 30th of June ?
* The date for the Amazon EKS end of support for Kubernetes version of 1.19 is June 30, 2022
* You can check the Amazon EKS Kubernetes release calendar [2] for the same
==================
As you have mentioned that the upgrade might not be completed within the end of support date for EKS 1.19 ( June 30th 2022 ) I recommend you to provide the EKScluster,region along with the business justification as to why the support should be extended so that I can reach out to the EKS Service Team and create a request for extension of support on your behalf for your EKS cluster for 1.19 version.
![Yoav Maman avatar](https://avatars.slack-edge.com/2022-06-26/3715477112502_3bd2f4f37ed2d812e10e_72.png)
I’m having a trouble finding an answer on AWS docs, Anyone happens to know whether it’s possible to configure an Application Load Balancer to accept requests only from API gateway?
![Alex Jurkiewicz avatar](https://avatars.slack-edge.com/2020-09-08/1346106958085_9b44ddacd6267cc803c8_72.jpg)
This sort of question is great for AWS support. It’s a simple closed technical query
![jsreed avatar](https://avatars.slack-edge.com/2022-12-06/4491361948977_169d2199777bd480b3dd_72.png)
You could use a WAF in front of the ALB to check for the API GW http header and then allow access based on that header response
![Milan Simonovic avatar](https://avatars.slack-edge.com/2022-07-08/3769532287878_6c9d4256ed88a0202e3e_72.png)
but a malicious user can also manually set that http header right?
![Milan Simonovic avatar](https://avatars.slack-edge.com/2022-07-08/3769532287878_6c9d4256ed88a0202e3e_72.png)
what’s the use case of having both actually? dont they do the same job?
2022-07-06
![yi gong avatar](https://avatars.slack-edge.com/2022-04-30/3462891965299_de2be3a79e95a817a815_72.jpg)
I meet an error when using terraform-aws-eks-cluster. Error: Invalid count argument on .terraform/modules/eks/main.tf line 34, in resource “aws_kms_key” “cluster”: 34: count = local.enabled && var.cluster_encryption_config_enabled && var.cluster_encryption_config_kms_key_id == “” ? 1 : 0
![sohaibahmed98 avatar](https://secure.gravatar.com/avatar/7b37243707b021807fb94c79561a22b0.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0012-72.png)
Least privilege AWS IAM Terraformer
![tor avatar](https://secure.gravatar.com/avatar/98665e1c946d458ddacaf636a5dd0092.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
Hey I was wondering where I could find documentation for all the arguments s3_replication_rules accepts for https://github.com/cloudposse/terraform-aws-s3-bucket#input_s3_replication_rules ?
![RB avatar](https://avatars.slack-edge.com/2020-02-26/958727689603_86844033e59114029b3c_72.png)
@tor best bet is the code for this
dynamic "rule" {
for_each = local.s3_replication_rules == null ? [] : local.s3_replication_rules
content {
id = rule.value.id
priority = try(rule.value.priority, 0)
# `prefix` at this level is a V1 feature, replaced in V2 with the filter block.
# `prefix` conflicts with `filter`, and for multiple destinations, a filter block
# is required even if it empty, so we always implement `prefix` as a filter.
# OBSOLETE: prefix = try(rule.value.prefix, null)
status = try(rule.value.status, null)
# This is only relevant when "filter" is used
delete_marker_replication {
status = try(rule.value.delete_marker_replication_status, "Disabled")
}
destination {
# Prefer newer system of specifying bucket in rule, but maintain backward compatibility with
# s3_replica_bucket_arn to specify single destination for all rules
bucket = try(length(rule.value.destination_bucket), 0) > 0 ? rule.value.destination_bucket : var.s3_replica_bucket_arn
storage_class = try(rule.value.destination.storage_class, "STANDARD")
dynamic "encryption_configuration" {
for_each = try(rule.value.destination.replica_kms_key_id, null) != null ? [1] : []
content {
replica_kms_key_id = try(rule.value.destination.replica_kms_key_id, null)
}
}
account = try(rule.value.destination.account_id, null)
# <https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-walkthrough-5.html>
dynamic "metrics" {
for_each = try(rule.value.destination.metrics.status, "") == "Enabled" ? [1] : []
content {
status = "Enabled"
event_threshold {
# Minutes can only have 15 as a valid value.
minutes = 15
}
}
}
# This block is required when replication metrics are enabled.
dynamic "replication_time" {
for_each = try(rule.value.destination.metrics.status, "") == "Enabled" ? [1] : []
content {
status = "Enabled"
time {
# Minutes can only have 15 as a valid value.
minutes = 15
}
}
}
dynamic "access_control_translation" {
for_each = try(rule.value.destination.access_control_translation.owner, null) == null ? [] : [rule.value.destination.access_control_translation.owner]
content {
owner = access_control_translation.value
}
}
}
dynamic "source_selection_criteria" {
for_each = try(rule.value.source_selection_criteria.sse_kms_encrypted_objects.enabled, null) == null ? [] : [rule.value.source_selection_criteria.sse_kms_encrypted_objects.enabled]
content {
sse_kms_encrypted_objects {
status = source_selection_criteria.value
}
}
}
# Replication to multiple destination buckets requires that priority is specified in the rules object.
# If the corresponding rule requires no filter, an empty configuration block filter {} must be specified.
# See <https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket>
dynamic "filter" {
for_each = try(rule.value.filter, null) == null ? [{ prefix = null, tags = {} }] : [rule.value.filter]
content {
prefix = try(filter.value.prefix, try(rule.value.prefix, null))
dynamic "tag" {
for_each = try(filter.value.tags, {})
content {
key = tag.key
value = tag.value
}
}
}
}
}
}
![RB avatar](https://avatars.slack-edge.com/2020-02-26/958727689603_86844033e59114029b3c_72.png)
id, priority, status, etc are keys
![RB avatar](https://avatars.slack-edge.com/2020-02-26/958727689603_86844033e59114029b3c_72.png)
basically anything in aws_s3_bucket_replication_configuration
’s rule
![RB avatar](https://avatars.slack-edge.com/2020-02-26/958727689603_86844033e59114029b3c_72.png)
reason for list(any) is because terraform hasn’t upgraded to optional
map keys as a thing until terraform 1.3 which is not out of beta yet
![tor avatar](https://secure.gravatar.com/avatar/98665e1c946d458ddacaf636a5dd0092.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
![RB avatar](https://avatars.slack-edge.com/2020-02-26/958727689603_86844033e59114029b3c_72.png)
but it could be still be documented in the respective variable’s description. perhaps we need to get better at that
![tor avatar](https://secure.gravatar.com/avatar/98665e1c946d458ddacaf636a5dd0092.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0018-72.png)
The documentation just says a list(any)
2022-07-07
![Saleem Clarke avatar](https://avatars.slack-edge.com/2022-07-01/3753832483556_17ed449f84d094cd82fb_72.jpg)
Anyone know how to have session manager sit behind OpenVPN, so user is required to connect to OpenVPN before a session can be started
2022-07-08
2022-07-09
![Saleem Clarke avatar](https://avatars.slack-edge.com/2022-07-01/3753832483556_17ed449f84d094cd82fb_72.jpg)
this should be AWS CLI not via console
2022-07-10
![idan levi avatar](https://avatars.slack-edge.com/2021-10-18/2629280056609_a23e173158a977252a76_72.png)
Hey all! im trying to install your Aws-ebs-csi-driver by that guide https://docs.aws.amazon.com/eks/latest/userguide/csi-iam-role.html created all the roles and policies. on a quick look at the ebs-csi-node pod at my k8s env i can see that i get that error from ebs-plugin container :
`I0628 10:44:05.130666 1 metadata.go:85] retrieving instance data from ec2 metadata
I0628 10:44:05.135264 1 metadata.go:92] ec2 metadata is available
panic: could not get number of attached ENIs
goroutine 1 [running]:
github.com/kubernetes-sigs/aws-ebs-csi-driver/pkg/driver.newNodeService(0xc0000c6f00)
/go/src/github.com/kubernetes-sigs/aws-ebs-csi-driver/pkg/driver/node.go:86 +0x269
github.com/kubernetes-sigs/aws-ebs-csi-driver/pkg/driver.NewDriver({0xc000609f30, 0x8, 0x55})
/go/src/github.com/kubernetes-sigs/aws-ebs-csi-driver/pkg/driver/driver.go:95 +0x38e
main.main()
/go/src/github.com/kubernetes-sigs/aws-ebs-csi-driver/cmd/main.go:46 +0x365
` im using v1.7.0-eksbuild.0 deriver version and 1.20 k8s version. do you now how can i solve it ? Thanks !
The Amazon EBS CSI plugin requires IAM permissions to make calls to AWS APIs on your behalf.
![Alex Jurkiewicz avatar](https://avatars.slack-edge.com/2020-09-08/1346106958085_9b44ddacd6267cc803c8_72.jpg)
this is not an official AWS suport channel
The Amazon EBS CSI plugin requires IAM permissions to make calls to AWS APIs on your behalf.
![Alex Jurkiewicz avatar](https://avatars.slack-edge.com/2020-09-08/1346106958085_9b44ddacd6267cc803c8_72.jpg)
given “panic: could not get number of attached ENIs”, I suspect the permissions you’ve attached to the role are incomplete
![RO avatar](https://secure.gravatar.com/avatar/c962bc3329f29927700779392045913a.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0001-72.png)
2022-07-11
![Karim Benjelloun avatar](https://avatars.slack-edge.com/2020-02-26/970268829476_48bd73425f3094c51c8f_72.png)
Question. Is it more common to do VPC Peering Connections with vendors of managed services such as Databases? Or is it more common to do VPC PrivateLink & Endpoints?
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
I’d have an architectural preference for private link, personally, I think. Not sure what would be more “common” though
![jsreed avatar](https://avatars.slack-edge.com/2022-12-06/4491361948977_169d2199777bd480b3dd_72.png)
VPC peering was more common as private link wasn’t available. Private link is much the preferred method as VPC peering is much more intended for using across your orgs crosx account comms
![Taz avatar](https://secure.gravatar.com/avatar/7a759a17c60c7ee9e0767a78fb180873.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0004-72.png)
I have been asked to move 2 .Net Core applications that are running as apps on Azure App Services to AWS. What is the best method to deploy these apps Would the deployment need a beanstalk per .Net CORE App or would this option be more suitable. I am after the quickest solution!! https://docs.aws.amazon.com/toolkit-for-visual-studio/latest/user-guide/deployment-beanstalk-multiple-application.html
Deploying multiple apps to Elastic Beanstalk.
2022-07-12
![Frank avatar](https://secure.gravatar.com/avatar/1b4b7744d083431522fb3e1b49206492.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Hi all!
We have an Aurora Serverless PostgreSQL instance in a private subnet. Now our customer wants to connect an externally hosted application (on Azure) to it. As a temporary fix we have manually created a new “Regional Cluster” (non-serverless) based off a snapshot of the Serverless DB Cluster, gave it a public IP and firewalled it to the customer-provided subnets.
However, they would need more up-to-date information. I would like to prevent deleting the old DB regional cluster + re-creating it on a daily/weekly basis since it would give a new IP every time.
For this I am currently leaning toward setting up a fresh (public, firewalled, SSL-enforeced) DB and using DMS to sync the databases so that the external party always has access to the most recent data without needing access to the actual DB instance. The snapshot alone is 76GiB and the sync should be done outside of office hours, which makes it a bit more tricky.
Would this be a good approach or are there better/easier alternatives? Thanks!
![Alex Jurkiewicz avatar](https://avatars.slack-edge.com/2020-09-08/1346106958085_9b44ddacd6267cc803c8_72.jpg)
consider:
- Moving the original database. This will be cheaper than running two copies of the DB
- Peer the Azure VPC with a VPN
![this](/assets/images/custom_emojis/this.png)
![Frank avatar](https://secure.gravatar.com/avatar/1b4b7744d083431522fb3e1b49206492.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
For performance (and security) reasons I would prefer having a separate instance for them though
![Alanis Swanepoel avatar](https://avatars.slack-edge.com/2022-06-24/3739166585152_acef2e16a544a0e63cbd_72.png)
I don’t disagree with having a separate instance, but would still advise haviit vpc locked, and accessible over a vpn.
![Frank avatar](https://secure.gravatar.com/avatar/1b4b7744d083431522fb3e1b49206492.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
Agreed. But the only way to properly automate migrating data (without having it change IP’s every time with a snapshot restore) would be using DMS? Or is there an easier approach?
![Alex Jurkiewicz avatar](https://avatars.slack-edge.com/2020-09-08/1346106958085_9b44ddacd6267cc803c8_72.jpg)
well… is a provisioned replica supported by aurora serverless?
![Frank avatar](https://secure.gravatar.com/avatar/1b4b7744d083431522fb3e1b49206492.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless.html#aurora-serverless.limitations “Aurora Replicas” are not supported by Aurora Serverless v1 it seems
Work with Amazon Aurora Serverless v1, an on-demand, autoscaling configuration for Amazon Aurora.
![Rodrigo Rech avatar](https://avatars.slack-edge.com/2022-06-25/3705406276167_95612582721aae6c3226_72.png)
I don’t have the full context here, but it seems you are trying to fix an architecture issue with an infrastructure solution. From an application/architecture perspective, this Azure application should directly access an API, not the DB. Each service/app should have its own database and expose its data using some API/integration mechanism. Sharing it across multiple services/apps will make your data governance, security, compliance, and operations chaotic in the long run.
2022-07-13
![Kevin H avatar](https://secure.gravatar.com/avatar/a45924bc5888aadc9e758d9235bb7b41.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0008-72.png)
A friend of mine is the CEO of this early-stage startup and asked that I share it around, in case anyone finds it interesting: https://www.usage.ai/
![attachment image](https://usage.ai/preview/homePreview.png)
Usage AI’s automated cloud management tools help companies save time and money in the cloud.
![Alex Jurkiewicz avatar](https://avatars.slack-edge.com/2020-09-08/1346106958085_9b44ddacd6267cc803c8_72.jpg)
truly a fulsome endorsement
![attachment image](https://usage.ai/preview/homePreview.png)
Usage AI’s automated cloud management tools help companies save time and money in the cloud.
![Darren Cunningham avatar](https://secure.gravatar.com/avatar/d0ea359c3ff6b8093ae53e57fbbe2570.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
love that pricing model
![Matt McLane avatar](https://secure.gravatar.com/avatar/c3637d037eaeea67afb52106b7562cbc.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
Very interesting
2022-07-14
![nobodyreally needstoknow avatar](https://avatars.slack-edge.com/2022-06-08/3634980950566_d366f970fe3dba25a68b_72.png)
Hi I am trying to incorporate congnito with an ALB, but i am getting this error when creating the listener rule and with “client_credentials” oauth flow:
│ Error: Error creating LB Listener Rule: InvalidLoadBalancerAction: The authorization code grant OAuth flow must be enabled in the user pool client
I don’t understand why client credentials does not work with the ALB.
![Alex Mills avatar](https://avatars.slack-edge.com/2022-07-08/3788341193361_f715a3fc0aeba305dc69_72.png)
have you configured a hosted UI for the app client? it’s a requirement for Oauth flow
![Alex Mills avatar](https://avatars.slack-edge.com/2022-07-08/3788341193361_f715a3fc0aeba305dc69_72.png)
![nobodyreally needstoknow avatar](https://avatars.slack-edge.com/2022-06-08/3634980950566_d366f970fe3dba25a68b_72.png)
yes I have
![nobodyreally needstoknow avatar](https://avatars.slack-edge.com/2022-06-08/3634980950566_d366f970fe3dba25a68b_72.png)
when i click the hosted ui link it says An error was encountered with the requested page.
![nobodyreally needstoknow avatar](https://avatars.slack-edge.com/2022-06-08/3634980950566_d366f970fe3dba25a68b_72.png)
“unauthorized client”
![nobodyreally needstoknow avatar](https://avatars.slack-edge.com/2022-06-08/3634980950566_d366f970fe3dba25a68b_72.png)
Error: Error creating LB Listener Rule: InvalidLoadBalancerAction: The authorization code grant OAuth flow must be enabled in the user pool client
![nobodyreally needstoknow avatar](https://avatars.slack-edge.com/2022-06-08/3634980950566_d366f970fe3dba25a68b_72.png)
If I set the Cognito user pool client allowed OAuth flow to “Authorization code grant” and create the load balancer, it will get created. I can then after change it to “client credentials”.
2022-07-15
![Balazs Varga avatar](https://secure.gravatar.com/avatar/944e59f1543dc43935bda4d7b9be7f85.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0019-72.png)
hello all, Is there a way to renew a cert where we have only private hosted zone? I cannot access the main public domain so cannot do my trick to point it to a new public zone until cert will be renewed.
![jsreed avatar](https://avatars.slack-edge.com/2022-12-06/4491361948977_169d2199777bd480b3dd_72.png)
Not sure I understand your ask… you have a public domain cert that you want to renew via a private CA server?
![jsreed avatar](https://avatars.slack-edge.com/2022-12-06/4491361948977_169d2199777bd480b3dd_72.png)
If that is the case, no that’s not possible. Highly recommend using Let’s Encrypt, it provides auto renewing free public domain Certificates. https://letsencrypt.org/
Let’s Encrypt is a free, automated, and open certificate authority brought to you by the nonprofit Internet Security Research Group (ISRG).
![Eric Villa avatar](https://avatars.slack-edge.com/2021-07-02/2235922309299_4e42f8a4a2fc00656116_72.jpg)
Hi! Is there anyone who is going to the AWS reInforce?
2022-07-18
![Desire BANSE avatar](https://secure.gravatar.com/avatar/29cf2f2f41be13c0570a3739cc9e9c58.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0000-72.png)
Hello all. Is there a way to programmatically upgrade the Kubernetes version of an EKS cluster (on AWS) ?
![Matt McLane avatar](https://secure.gravatar.com/avatar/c3637d037eaeea67afb52106b7562cbc.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
![Desire BANSE avatar](https://secure.gravatar.com/avatar/29cf2f2f41be13c0570a3739cc9e9c58.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0000-72.png)
Thank you! That is great.
![Victor Grenu avatar](https://secure.gravatar.com/avatar/49acff62a9be5ac6709f724dab346909.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0010-72.png)
AWS Security Digest Newsletter #79 is out!
Fourteen AWS Security Best Practices in IAM [VIDEO] Speeding Up AWS IAM Least Privileges Open-source proof-of-concept client for IAM Roles Anywhere
Read more: https://asd.zoph.io
2022-07-19
![DaniC (he/him) avatar](https://secure.gravatar.com/avatar/40632d3e633431836692bbb081f94a61.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0002-72.png)
hi folks, am trying to get a feeling of what sort of solutions/ approaches you took to manage/ adhere to IAM least privilege principle ?
I find that the granular we go the higher the cost is to manage it for various users. AWS Managed policies are too “open” and then when you combine that across various accounts is getting even harder.
If going with AWS SSO then we need to work on permission sets and the main prob around manage them is still there imo.
![carlos.clemente avatar](https://avatars.slack-edge.com/2023-05-17/5276351875363_4f4318c60331a01ead9e_72.jpg)
are you using RBAC or ABAC?
![DaniC (he/him) avatar](https://secure.gravatar.com/avatar/40632d3e633431836692bbb081f94a61.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0002-72.png)
I have a mix of
• IAM users mapped to groups ( custom/ inline/ managed policies)
• IAM users with direct attached managed policies
• AWS SSO users mapped to permissions sets
However the q is not what i have as i know is rubbish, the q is how other folks managed to adhere to least privilege principle and managed in a “sane” way w/o too much operational overhead . Especially when in prod accounts not everyone has the same privileges
![jsreed avatar](https://avatars.slack-edge.com/2022-12-06/4491361948977_169d2199777bd480b3dd_72.png)
I would say the most “typical” or common approach you will see is user management via Active Directory/Azure AD –> AWS SSO ( or other Identity provider ala: centrify) –> Control Tower –> IAM Roles –> Services. To that end, you have your users in AD, and you create groups for those users, you then map those groups to Roles in IAM, and the Roles define access to services. Using Control tower to centrally manage the Roles/Policies for your account access. More into the Grit: What I have done for simplicities sake is to have basically 3 roles per service that your org will be using, Admin Role, User Role, Read Only Role.
![jsreed avatar](https://avatars.slack-edge.com/2022-12-06/4491361948977_169d2199777bd480b3dd_72.png)
Then it becomes easy to assign Matching groups of users from AD to one of the 3 roles in any given service. The advantage is that you keep all your user management inside AD, and it makes it easy to assign users or groups of users to services, and take away that access just as easily, without having to go in and check every AWS service and Role you have created otherwise.
![jsreed avatar](https://avatars.slack-edge.com/2022-12-06/4491361948977_169d2199777bd480b3dd_72.png)
Also get the advantage of using nested grouping in AD to assign a single person to multiple roles, could be an admin for one service, and RO for another
![jsreed avatar](https://avatars.slack-edge.com/2022-12-06/4491361948977_169d2199777bd480b3dd_72.png)
Also a really good idea to leverage Service catalog along with this, so based on Group/Role Assignment the users are presented with a list of services they have access to, and nothing they dont.
![DaniC (he/him) avatar](https://secure.gravatar.com/avatar/40632d3e633431836692bbb081f94a61.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0002-72.png)
thanks for detailed info @jsreed !
Using Control tower to centrally manage the Roles/Policies for your account access.
is this version controlled somehow or is UI driven ?
![DaniC (he/him) avatar](https://secure.gravatar.com/avatar/40632d3e633431836692bbb081f94a61.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0002-72.png)
For audit reasons folks where i currently work had to log every change via Jira and then i came and added TF but that is getting out of control as you end up providing a “managed” policy or a role which covers “a lot” to not spend tons of time on this requests . And the whole process is also odd as after Jira ticket raised and approved, folks or “a monkey” needs to raise a PR to update the tfvars
file , not so smooth process
2022-07-21
![Adnan avatar](https://secure.gravatar.com/avatar/86fbcb1983990cec4ffd9e7f6b009669.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
Did anybody experience latencies with one service calling a service in another subnet/AZ?
I have an issue where an app/pod running in EKS, is responding much faster to requests when running in a specific subnet/AZ compared to running in the other subnets/AZ’s.
The only obvious characteristic of the “fast” subnet/AZ is that a Elasticache/Redis is running in it which the app is heavily using.
Ideas about how to debug this?
![Alex Jurkiewicz avatar](https://avatars.slack-edge.com/2020-09-08/1346106958085_9b44ddacd6267cc803c8_72.jpg)
inter-AZ latency (~1-2ms) is higher than intra-AZ latency (<1ms). Is that your question?
![Alex Jurkiewicz avatar](https://avatars.slack-edge.com/2020-09-08/1346106958085_9b44ddacd6267cc803c8_72.jpg)
if one service talks to another service, that will be faster if they are colocated in the same AZ
![Adnan avatar](https://secure.gravatar.com/avatar/86fbcb1983990cec4ffd9e7f6b009669.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
To be more specific. In the AZ where Redis is colocated, the app responds to a request 50%+ faster than in the other AZ’s
example:
eu-central-1b
0m0.546s
0m0.537s
0m0.567s
other az's
0m1.141s
0m1.312s
0m1.299s
![Alex Jurkiewicz avatar](https://avatars.slack-edge.com/2020-09-08/1346106958085_9b44ddacd6267cc803c8_72.jpg)
You’re going to need some more specific numbers than overall latency from an internal app
![Tsu Wei Quan avatar](https://secure.gravatar.com/avatar/8e9f442f760b8e3d66ac12df7199432b.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
Hello team! I require some advice/help on this.
I just deployed terraform-aws-elasticsearch (7.10) from this module https://github.com/cloudposse/terraform-aws-elasticsearch via terraform. Then via the aws console i updated my ES cluster to opensearch v1.2.
Now i wonder if my terraform code would be synced to the changes? i believe it will not be sync. Can i still use this same module for opensearch??
Terraform module to provision an Elasticsearch cluster with built-in integrations with Kibana and Logstash.
![Alex Jurkiewicz avatar](https://avatars.slack-edge.com/2020-09-08/1346106958085_9b44ddacd6267cc803c8_72.jpg)
with aws_elasticsearch_domain
, you can specify opensearch versions https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain
Terraform module to provision an Elasticsearch cluster with built-in integrations with Kibana and Logstash.
![Milan Simonovic avatar](https://avatars.slack-edge.com/2022-07-08/3769532287878_6c9d4256ed88a0202e3e_72.png)
i did the same, should work fine if you change tf to:
elasticsearch_version = "OpenSearch_1.2"
![Milan Simonovic avatar](https://avatars.slack-edge.com/2022-07-08/3769532287878_6c9d4256ed88a0202e3e_72.png)
and then just refresh state
![Tsu Wei Quan avatar](https://secure.gravatar.com/avatar/8e9f442f760b8e3d66ac12df7199432b.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0011-72.png)
yup it works! thank you guys!!!
2022-07-22
2022-07-27
![Jeremy (UnderGrid Network Services) avatar](https://avatars.slack-edge.com/2021-12-29/2893240357986_43abb0cb567d0eb2a80a_72.png)
I’d be interested to hear if anyone else has tried to have private hosted zones for services within a given region but also want to have a public hosted zone that can point to the active regional resource. I’m trying to figure out of there’s an automatic way to go about this or if I need to look at crafting something external
![Jim Park avatar](https://secure.gravatar.com/avatar/e166c478c5b78e93a5fb116d92a2dc7e.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
Could it be broken out as two independent concerns? For example, you could have private service discovery using Cloud Map and App Mesh, which is in effect private DNS. On the backend, whatever services present themselves with the appropriate envoy container get the traffic. On the frontend, regional load balancers can represent their geographic regions using geolocation routing in route53.
2022-07-28
![Yordon Smith avatar](https://secure.gravatar.com/avatar/3fa7ec99a23ea77c2d11861b12182838.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
Hey Everyone.. Wondering a easy yet effective way to do a bulk deletion of EBS snapshots. Got a list (thousands) of older snapshots to be cleaned. Appreciate your inputs.
![Josh B. avatar](https://avatars.slack-edge.com/2022-05-23/3590168213712_fc95e4468b027cdca900_72.png)
I think I saw some lambda functions that did this; also, you can use the EC2 Lifecycle Manager. I am not sure if it will only clean up going forward or if it’s retro. Maybe something like this https://medium.com/nerd-for-tech/ebs-snapshot-management-using-aws-lambda-and-cloudwatch-d961fdbe3772
![Yordon Smith avatar](https://secure.gravatar.com/avatar/3fa7ec99a23ea77c2d11861b12182838.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
Ya, the life cycle manager doesn’t seem to be useful for the existing snapshots.
![Denis avatar](https://avatars.slack-edge.com/2022-07-05/3755698025589_2dee8d81d277563f5d20_72.jpg)
Were these snapshots created manually?
![Balazs Varga avatar](https://secure.gravatar.com/avatar/944e59f1543dc43935bda4d7b9be7f85.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0019-72.png)
- name: "Delete snapshots for {{ domain }} cluster"
block:
- name: Set the retry count
set_fact:
retry_count: "{{ 0 if retry_count is undefined else retry_count|int + 1 }}"
- name: "Get all remaining snapshots"
raw: "aws ec2 describe-snapshots --cli-read-timeout 300 --filters Name=tag:kubernetes.io/cluster/{{ domain }},Values=owned --region {{ region }} | jq -r '.Snapshots | .[] | .SnapshotId'"
register: snapshots_to_delete
- name: Delete snapshots
raw: "aws ec2 delete-snapshot --snapshot-id {{ item }} --region {{ region }}"
loop: "{{ snapshots_to_delete.stdout_lines }}"
rescue:
- fail:
msg: Ended after 5 retries
when: retry_count|int == 5
- include_tasks: delete_snapshots.yaml
tags:
- delete-cluster
- delete-snapshots
- skip-delete-cluster
I use this with ansible…
![Yordon Smith avatar](https://secure.gravatar.com/avatar/3fa7ec99a23ea77c2d11861b12182838.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
@Denis Unfortunately Yes, it seems to be. Not sure if they were using any other tool. But, certainly they are not through AWS Backup (or) AWS DLM.
![Denis avatar](https://avatars.slack-edge.com/2022-07-05/3755698025589_2dee8d81d277563f5d20_72.jpg)
if you have a tag based on which you can filter which exactly to delete, then a simple aws cli call or a small sdk app can do the trick.
![Yordon Smith avatar](https://secure.gravatar.com/avatar/3fa7ec99a23ea77c2d11861b12182838.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
@Denis Now, that’s another challenge as none of them have tags. I am getting them added and segregate a list (which needs to be cleaned off and which is not) using AWS-Tagger.
But, I don’t see a way of deleting snapshots by passing a file as input, read and delete in bulk using CLI??
![Denis avatar](https://avatars.slack-edge.com/2022-07-05/3755698025589_2dee8d81d277563f5d20_72.jpg)
no you’ll need a for cycle, like this one for example
![Denis avatar](https://avatars.slack-edge.com/2022-07-05/3755698025589_2dee8d81d277563f5d20_72.jpg)
or you can run one command that list the ebs IDs based on the tag or whatever, and pipe that output into that for cycle
![Yordon Smith avatar](https://secure.gravatar.com/avatar/3fa7ec99a23ea77c2d11861b12182838.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0009-72.png)
@Denis @Balazs Varga Great. Thanks for your inputs. Let me try that and will let you know how it goes.
![Balazs Varga avatar](https://secure.gravatar.com/avatar/944e59f1543dc43935bda4d7b9be7f85.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0019-72.png)
do you know anything about xcurrent issue ? any eta to solve ? all clusters in OHIO are down
![Josh B. avatar](https://avatars.slack-edge.com/2022-05-23/3590168213712_fc95e4468b027cdca900_72.png)
Mine seems to have come back up for now, lol. Datadog ddos’d my voicemail though.
![Balazs Varga avatar](https://secure.gravatar.com/avatar/944e59f1543dc43935bda4d7b9be7f85.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0019-72.png)
it comes back and goes down… flacky…
![Josh B. avatar](https://avatars.slack-edge.com/2022-05-23/3590168213712_fc95e4468b027cdca900_72.png)
Yeah, for sure.
![Balazs Varga avatar](https://secure.gravatar.com/avatar/944e59f1543dc43935bda4d7b9be7f85.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0019-72.png)
they wrote only 1 az affected, but I saw errors on all AZ-s
![Josh B. avatar](https://avatars.slack-edge.com/2022-05-23/3590168213712_fc95e4468b027cdca900_72.png)
Yeah, it was def all of them, even if it was brief. I literally saw all of my AZ’s go down lol
2022-07-29
![karandeep singh avatar](https://avatars.slack-edge.com/2022-07-21/3838078115316_aa33a2271f763363aafe_72.jpg)
Hello, team!
https://github.com/cloudposse/terraform-aws-emr-cluster
Does this module support instance fleet?
Terraform module to provision an Elastic MapReduce (EMR) cluster on AWS