#aws (2024-10)
Discussion related to Amazon Web Services (AWS)
Discussion related to Amazon Web Services (AWS)
Archive: https://archive.sweetops.com/aws/
2024-10-01
2024-10-03
hi guys, I have a laravel in elasticbeanstalk, im planning to migrate to aws ecs fargate, since the elasticbeanstalk have a worker, I look challenging in ecs fargate on how to have a worker - its for scheduler.. can you help or give some insights? thanks
But what is the question. You can use ECS in that way. If your process doesn’t need to be awake and polling or some such all the time and you don’t need to manipulate the environment much, Lambda is great for scheduled workers. You can use a scheduled event to trigger the Lambda, do the work and then stop. But you definitely can use ECS / Fargate similarly. For example, you don’t have to run a service. You can just call the ECS API to schedule a task, and that task just does its work then halts.
2024-10-11
Can CloudPosse’s transit gateway module be configured to provide a connection to the internet via transit gateway to private only VPCs
cross post from refarch - let’s use that one instead
@Andriy Knysh (Cloud Posse)
I have used the reference architecture to setup a transit gateway to connect 2 VPCs in different accounts. However, I am having trouble understanding how the transit gateway offers a connection to the internet. Is that not a part of the reference architecture and is something we should setup separately on our own? If so, how can this be achieved?
There is a line in the reference architecture VPC section that states this
# Use PrivateLink in private-only VPCs at least until we have
# a connection to the internet via Transit Gateway.
So ideally, transit gateway setup should provide connection to the internet right?
2024-10-14
anyone know if passing custom attributes from an IDP like okta to aws iam identity center is as easy as creating the attribute, and letting SCIM push it over?
the goal is to have those attributes manifest as session tags
Yes it’s that easy
See this blog post
April 25, 2023: We’ve updated this blog post to include more security learning resources. September 12, 2022: This blog post has been updated to reflect the new name of AWS Single Sign-On (SSO) – AWS IAM Identity Center. Read more about the name change here. This blog post discusses the benefits of using an attribute-based […]
gotcha, given that SCIM is being used
are updates real time?
for example, if the user gets pushed over a tag because they were temporarily added to a group with a custom attribute…
when they get removed from the group, will aws remove the tag from the user?
in theory, it SHOULD, but given that SAML assertions are evald at logon, im a bit unsure if that tag would remain on the user until they re auth
also I looked at that blog post a while back, and something that makes me skeptical is no mention of custom tags
but I’ll give it a shot
im pretty sure it works for user profile attributes, but looks like it doesn’t for group attributes :(
Oh yes i don’t believe it works for group attributes, only user attributes. At least, that’s as far as i tested
You could probably add some automation. If user is in group x, grab group attributes and add to user
Reverse automation if the user is removed or not in the group, the group attributes should then be removed from the user
yeah I was trying to avoid any custom automation :(
in this case with okta workflows
im seeing some conflicting info about how feasible it is for CUSTOM attributes (specifically group custom attributes)
2024-10-15
I’m checking out Elasticache Valkey today. going to upgrade my Elasticache Redis cluster to Valkey and test it out. has anyone used it yet and have any thoughts/findings?
the switch from Redis to Valkey took about an hour (just waiting for the status to update from Modifying to Available) for a 2 node cluster. Everything seems to work out of the box with no other changes necessary.
I will update on costs once I have some better numbers
I changed redis instance to valkey and everything works like a charm
after running Valkey for a week, we are seeing slightly more than 20% reduction in costs, and no issues
2024-10-16
2024-10-21
We have a cloud hosted application with all components running in a single VPC. We are considering setting up a transit gateway to simplify routing and enhance security by abstracting the network. Would implementing a transit gateway be overkill in this scenario, or is it a recommended approach for better network management and security?
if everything is running in a single VPC, then transit gateway doesn’t have any value for you
transit gateway would be useful if you split network into VPCs/accounts
As others have indicated based on solely the description above, it’s hard to identify how a transit gateway would help. However, let me describe how we use them in the event that it is also what you were maybe contemplating. In reference architecture, we have the concept of a platform organizational unit or OU. In this OU, we have dev, staging and production accounts. Each of those accounts has a VPC. None of those accounts need to talk with each other. Separately, we have another OU. We call that core. In this OU, we have a number of accounts that we call singletons that form the core organizational accounts for our organization. One of those is an automation account used for hosting runners for CICD. And another is a network account. The automation account to be able to connect to clusters inside of each of the platform accounts we need network connectivity. This is used to provision things, for example, on kubernetes or to manage users on databases, using something like the postgres terraform provider. To make all of that possible we use a transit gateway with a hub deployed in the network account. Then each of the accounts are connected as spokes hub. we can set up routing to permit certain accounts to talk to others. For example, the automation can talk to everything but individual SDLC account cannot.
The main reason to have an architecture like this so that you can have account level IAM boundaries. This is necessary as an organization grows because you’ll have multiple owners. Somebody might need to be an administrative network admin, but doesn’t have any access to do non-networking things in other accounts. Restricting I am by tags or other dimensions is complicated and it’s much much easier when you start breaking your infrastructure into accounts this way.
@Erik Osterman (Cloud Posse) @andrey.a.devyatkin @loren Thank you for the response!
2024-10-22
Is anyone here familiar with traffic mirroring? I have 2 services. I would like to mirror traffic from one to the other. They are within the same VPC.
I tried to get this going, but couldn’t figure it out. It also hasn’t been updated in a while https://github.com/edmunds/shadowreader
If there is no cloud-native way to achieve this on the ALB level then probably I would go with Envoy Proxy, so then you need the proxy itself without any Lambdas
2024-10-23
2024-10-24
Curious if anyone is using AWS cost anomaly detection and managing it via Terraform? https://docs.aws.amazon.com/cost-management/latest/userguide/getting-started-ad.html
Configure your anomaly monitors and alert preferences in Billing and Cost Management. Learn about each monitor type and how to edit your alert preferences.