Archive: https://archive.sweetops.com/docs/


Is this the correct def’n for aws-vault? https://docs.cloudposse.com/glossary/aws-vault/

My understanding atm is that aws-vault is for credential management only, and chamber is for managing secrets

Erik Osterman

@ you are right

Erik Osterman

opened that


Erik Osterman

So you would provision your ECR repo like this:

Erik Osterman
# Provision one ECR repository per app and grant the kops principals access to it.
module "kops_ecr_app" {
  source    = "git::https://github.com/cloudposse/terraform-aws-ecr.git?ref=tags/0.4.0"
  namespace = "${var.namespace}"
  stage     = "${var.stage}"
  name      = "${var.kops_ecr_app_repository_name}"

  enabled = "${var.kops_ecr_app_enabled}"

  # full access for CI/admin principals; read-only for the kops nodes & masters that pull images
  principals_full_access     = ["${local.principals_full_access}"]
  principals_readonly_access = ["${local.principals_readonly_access}"]

  tags = "${module.label.tags}"
}

Erik Osterman

where principals_readonly_access are the principals of your kops cluster nodes & masters

Erik Osterman

that says, create a new ECR repo for an “app” (since you need one repo per app in AWS; not like in docker hub)

Erik Osterman

then allow principals_readonly_access to pull from that repo


Stephen Lawrence

I see, I am looking for a quick way to get an ECR + a user for our kubernetes cluster + ci to access.

Erik Osterman

What we do is grant the nodes’ instance profile/role access to ECR

Erik Osterman

that way it’s seamless

Erik Osterman

are you using kops?

Stephen Lawrence

Yes, we have kops building our VPC and k8s cluster

Erik Osterman

Example Terraform service catalog of “root module” blueprints for provisioning reference architectures - cloudposse/terraform-root-modules

Stephen Lawrence

@Erik Osterman I would need to create an assumable role outside of this?


Stephen Lawrence

Hello, checking on the status of the docs for https://github.com/cloudposse/terraform-aws-kops-ecr


Terraform module to provision an ECR repository and grant users and kubernetes nodes access to it. - cloudposse/terraform-aws-kops-ecr

Stephen Lawrence

The usage section is showing an older version of the modules.

Stephen Lawrence

When I update my code to point at the latest releases of the two mentioned modules, I get this: module.kops_ecr.module.kops_metadata.data.aws_security_group.bastion: data.aws_security_group.bastion: no matching SecurityGroup found

Erik Osterman

@Stephen Lawrence yes, ignore those version numbers.

Erik Osterman

Use the latest per the release.

Erik Osterman

Example Terraform service catalog of “root module” blueprints for provisioning reference architectures - cloudposse/terraform-root-modules


Erik Osterman
05:18:49 AM

@Erik Osterman set the channel purpose: Archive: https://archive.sweetops.com/docs/


Hi @Igor Rodionov!


Erik Osterman

@ is having some git woes working on our docs

Erik Osterman

@joshmyers, @aknysh and @Igor Rodionov can help unblock you

Erik Osterman

@aknysh is CST, @joshmyers GMT, and @Igor Rodionov OMST

Erik Osterman

(@ is helping with all the copy editing and will be updating the docs/faqs/etc)


Hi Nicki

Hi @aknysh! Thanks @Erik Osterman!


Let us know what issues you are having so we could help

Erik Osterman

(I think she just recloned and is starting from scratch this time)

Igor Rodionov

Hi @


Erik Osterman
Document our Semver Strategy · Issue #335 · cloudposse/docs

what it's not clear how we currently do versioning old strategy Bump patch always unless there was a “known breaking change” Bump minor anytime there was a breaking change We never bumped major…

Great improvement @Erik Osterman!

Erik Osterman

we have someone starting tomorrow who will help us keep the docs updated.

Even better


Erik Osterman
Blog | Documenting Architecture Decisions | Relevance

Context Architecture for agile projects has to be described and defined differently. Not all decisions will be made at once, nor will all of them be done whe…

Erik Osterman

going to take a stab at adopting this

Erik Osterman

we’ll track it in cloudposse/docs

Erik Osterman
10:22:44 PM
Erik Osterman
Create Design Decisions Category by osterman · Pull Request #323 · cloudposse/docs

what Start a "Design Decisions" category why Allow us to discuss big decisions in an open, collaborative (via GitHub PRs) and transparent manner references https://github.com/npryce/

Erik Osterman

we’ve moved all troubleshooting related docs to this category:

Erik Osterman

https://docs.cloudposse.com/faq/ is now strictly for product related q & a

Erik Osterman

https://docs.cloudposse.com/design-decisions/ <– home of future design decisions


Erik Osterman
Online FlowChart & Diagrams Editor - Mermaid Live Editor

Simplify documentation and avoid heavy tools. Open source Visio Alternative. Commonly used for explaining your code! Mermaid is a simple markdown-like script language for generating charts from text via javascript.

Deployment Diagram syntax and features

PlantUML deployment diagram syntax: Deployment diagrams are not fully supported within PlantUML. This is a draft version of the language can be subject to changes.

Erik Osterman

I like that UML is a standard language

Erik Osterman

don’t like we have to compile the images

Erik Osterman

i like that images are shareable though

Erik Osterman

what I like about the mermaid approach is it just uses a JS canvas, so no image generation required

Erik Osterman

easier for static documentation.

Yea that makes sense

Erik Osterman

@Igor Rodionov check this out

Erik Osterman
.. ECS made easy

Home of Terraform Airship

Igor Rodionov

@Erik Osterman this is awesome

Igor Rodionov

we need to create a task for frontend to implement that on our docs portal

Erik Osterman

Yes will do

Erik Osterman

@ how did you find mermaidjs?


Has the deployed version of the docs been refreshed?

Erik Osterman

Whatever is in master should be released on the web

Erik Osterman

We cut a release for every merge to master


Erik Osterman

btw, related to the docs - feel free to open issues there too

Erik Osterman

…with questions, suggestions, etc

Erik Osterman

we’ll get those addressed. we have some challenges right now with information architecture and how to organize everything

Will do


Erik Osterman
11:33:58 PM

@Erik Osterman set the channel topic: Discussions related to https://github.com/cloudposse/docs



I think the docs need to be rebuilt

the code I just forked is right

04:21:06 PM
Erik Osterman

Can you share a direct link

yet the live page shows step 1 twice

Erik Osterman

Oh maybe I didn’t tag a release

Erik Osterman

We only redeploy on tagged release. Will set a reminder to check since I can’t do it from my phone

cool cool

will make notes of anything I see and wait for the next deploy before fixing in my fork

have a great thanksgiving yo

Erik Osterman

thanks @Jan

So with the cold-start docs I am updating the dockerfiles for root and testing. https://docs.cloudposse.com/reference-architectures/cold-start/

It occurs to me that it would be useful to have a list of all the resources that will be created, before any other steps, to help set context and scope

Erik Osterman

Yea, makes sense…

Erik Osterman

so something like:

Erik Osterman

“After completing the following steps you will have: 1) … 2)… 3)…”

in the sense that I’m not sure, for example, “Select the parent DNS domain name for your infrastructure - in these examples we use http://cloudposse.co”

does this expect pre-existing dns or will a zone be created?

I’m probably overthinking it

but I mean also if the cold start is creating the “non root” accounts how do you know the values of the testing account ID

Erik Osterman

I believe these are outputs

Erik Osterman

Collection of Terraform root module invocations for provisioning reference architectures - cloudposse/terraform-root-modules

not sure I follow

I have had a few beers


Update all ENV variables in the two Dockerfiles in the repos with the values for your project:

Replace the namespace cpco with your own in all ENV vars
Change the domain names from cloudposse.co to your own
In root, update the account ID (TF_VAR_account_id) to your own root account ID
Change the IAM user names for the accounts
Update the account emails

and opening the dockerfile in root they are

ENV TF_VAR_testing_account_id="126450723953"
ENV TF_VAR_testing_name_servers='["ns-312.awsdns-39.com", "ns-1416.awsdns-49.org", "ns-619.awsdns-13.net", "ns-1794.awsdns-32.co.uk"]'

Example Terraform Reference Architecture for Geodesic Module Parent (“Root” or “Identity”) Organization in AWS. - cloudposse/root.cloudposse.co

So I am pretty much stuck currently wondering why when I am at this point https://docs.cloudposse.com/reference-architectures/cold-start/# that I am getting

 ⧉  root.aws.tf
 ✓   (aws.tf-root-admin) iam ⨠  terraform plan -target=module.organization_access_group_root
Acquiring state lock. This may take a few moments...
  Audit account ID

Despite having commented out all the env vars in the Dockerfile for root other than testing

directly after running terraform plan -target=module.organization_access_group_root

yea ran through it all again carefully and ended up in the same place

Erik Osterman

Unfortunately with the holidays won’t be able to really get my head into it until next week. We’re going to be on the road fri-sun.

Erik Osterman

@aknysh can probably help tomorrow

Ah Yea mate, please do not feel obligated to do anything other than enjoy your holiday :)

Erik Osterman

ENV TF_VAR_testing_account_id=
ENV TF_VAR_testing_name_servers=



Just noticed a typo

The dev.cloudposse.co module represents an organization’s “development infrastructure”. This module is used as a sandbox environment where developers and test the waters and get familiar with AWS. We prescribe that organizations give all developers “Administrator” level privileges to this account where developers may test the waters.

“This module is used as a sandbox environment where developers [something missing here?] and test …”

Add the source_profile created in Step 2 to your ~/.aws/config.

step 2 refers to step 2 rather than step 1

can I just create merge requests for these things?

Erik Osterman

Yes, totally! If you find anything like that would love help to correct it

awesome, I’m busy reading through all the docs, will make a pull request with them when done



Erik Osterman
07:39:26 PM

@Erik Osterman set the channel topic: Discussions related to https://github.com/cloudposse/docs


Erik Osterman
01:29:53 AM

@Erik Osterman set the channel topic: Discussions related to Cloud Posse’s Documentation