#geodesic (2019-05)
Discussions related to https://github.com/cloudposse/geodesic
Archive: https://archive.sweetops.com/geodesic/
2019-05-01
hi everyone, I have a question. Do aws-chamber and vault overlap?
aws-vault for securely storing and accessing AWS credentials in an encrypted vault for the purpose of assuming IAM roles
chamber for managing secrets with AWS SSM+KMS and exposing them as environment variables
you would use aws-vault first to obtain a session. then with that session you could use chamber. it would be a catch22 if we tried to use chamber for AWS credentials
seems they’re for managing aws secrets
i think chamber is more general purpose
aws-vault is specifically for retrieving an aws credential and assuming an IAM role
no office hours this week?
May 1st, 2019 from 11:30 AM to 12:20 PM GMT-0700 at https://zoom.us/j/684901853
ooops
i totally lost track of time
sorry everyone!
2019-05-06
There are no events this week
Join us for “Office Hours” every Wednesday 11:30AM (PST, GMT-7).
This is an opportunity to ask us questions about geodesic
, get live demos and learn from others using it. Next one is Mar 20, 2019 11:30AM.
Add it to your calendar
https://zoom.us/j/684901853
#office-hours (our channel)
geodesic 0.106.0 adds support for man pages in markdown
stick all your documentation in /usr/share/docs and run docs update
then using man works as expected
try man faq to test
or help to search
@oscarsullivan_old
2019-05-07
anyone using packer at all? i’m curious why packer isn’t in the geodesic image.
nm, i think i see a solution in the slack archives… thanks @oscarsullivan_old for asking this before me. will do RUN apk add --update packer@cloudposse in Dockerfile
Ya just trying to reduce the number of binaries. Tempted to remove more from the default distribution in the future, since we have packages for most things.
2019-05-08
That’s cool.. What sort of man pages are we talking? Custom?
So I create one called api.md and inside i have say internal instructions for our api?
yes, exactly!
it’s for custom man pages
but we are just piggy backing on the existing linux manpage system by installing the generated man pages to /usr/share/man
that means it will work with system man pages too
2019-05-13
2019-05-15
office hours starting now https://zoom.us/j/684901853
I tried using s3fs but couldn’t mount sub directories. I saw that you are using it as part of geodesic so posting my question here
2019-05-16
Share what you were doing …
Not enough to go on
i am just trying to mount S3 bucket using s3fs bucketname directoryname
Need an fstab entry
we have a “helper” to make this easier
Example Terraform Reference Architecture that implements a Geodesic Module for an Automated Testing Organization in AWS - cloudposse/testing.cloudposse.co
this is an example of how to do it
after you add the fstab entry, just run mount -a
assumes you’ve already run assume-role
@Erik Osterman (Cloud Posse)
s3 fstab '${TF_BUCKET}' '/' '/secrets/tf'
what is s3 in this command?
Geodesic is a cloud automation shell. It's the fastest way to get up and running with a rock solid, production grade cloud platform built on top of strictly Open Source tools. ★ this repo! h…
Just a helper to make it easier to work with goofys and fstab
it’s entirely optional, but you could say it documents how to do it.
ohh ok. I am trying to form s3fs command using it
so s3fs is intended to be called via mount like the other filesystems (E.g. extfs)
here’s what my fstab looks like in a geodesic container
note, that mount will call the s3fs
that’s what s3fs#${TF_BUCKET} is saying….
note the ${TF_BUCKET} is eval’d by the s3fs command (wrapper) so that we can have dynamic mounts
you can cat /usr/bin/s3fs to see what it does
it’s just a simple helper script
i don’t have /usr/bin/s3fs on my machine
i installed s3fs using brew install s3fs
ok, so I think there’s a disconnect.
We’re in the #geodesic channel
brew is for mac
geodesic runs alpine
all of our instructions for s3fs are relative to geodesic
my bad, sorry
this is our wrapper script
a high-performance, POSIX-ish Amazon S3 file system written in Go - kahing/goofys
I will check it out. thanks again
when i cd to the directory i don’t see anything
it is trying to fetch all the subdirectories when i run ls command
s3 is an object store, not a file system. this idea of s3fs confuses me. I’ve never even thought to use s3 in that way. Though I guess a filesystem is just a specialized object store?
i know but that’s what s3fs does
@Alex Siegman using goofys is a nice escape-hatch for using S3 as a filesystem
not for databases, but great for “legacy” apps that want to read files
in the past, we’ve used it to store SSH keys and other configuration files.
2019-05-18
Could someone help me locate or add aws creds to a built geodesic container? I’m having some issues understanding where geodesic looks for this info, and in what format to provide it. I have no roles yet, and id like to add one for aws so i may assume it.
So, after building the container, run make install, which will install a simple wrapper script into /usr/local/bin/
when you use that wrapper script, it’ll take care of automatically mounting ~/.aws into the container
we generally use aws-vault
also helpful to note, is that $HOME is mounted to /localhost in the container
Hi Jesse - been a little bit since I had the pleasure to use geodesic, but I think I have a good idea where you are stuck… have you followed along with the documentation here? https://docs.cloudposse.com/documentation/getting-started/
The reference architecture should give you a good idea on where/how the roles to be assumed are meant to be used: https://github.com/cloudposse/terraform-root-modules
Example Terraform service catalog of “root module” blueprints for provisioning reference architectures - cloudposse/terraform-root-modules
Hi, i started reading these docs again, i think i missed the cold start section which seems to cover this.
2019-05-19
2019-05-20
Has anyone run across this error when running make root from the reference architectures?
@jober not that one in particular
but I can maybe help you work through it if you want to zoom
Trying to run it on an active account not sure if it is conflicting with something
I ran on personal account and everything was ok
My hunch is this: see that error in the output about copying overrides? I think maybe that’s preventing it from completing.
i was looking at that as well
so the makefile will abort on the first failure
so i think the module is just not getting initialized and that’s maybe causing nothing to be written to SSM
Like it says there are no overrides
are you familiar with what we are doing here with overrides?
No
(maybe not this exactly spot, but the pattern itself)
ok
so basically we use the terraform init -from-module=.... pattern everywhere.
That works great, except for the init will bail if there are any .tf files in the current directory
so what we do is stick all those “overrides” (.tf files) in the overrides/ directory
then…
1. terraform init -from-module=....
2. cp overrides/* .
3. terraform init -from-module=
(null modules so that it doesn’t try to redownload)
why do we need overrides?
…that’s so we can have a general root module like a “users” module, but not define any users
then we stick the user accounts in overrides/ e.g. overrides/osterman.tf
ahh ok
is it required to have overrides?
i don’t think it should be required (fundamentally speaking), but that error is complaining about that.
@Jeremy G (Cloud Posse) do you recall seeing this error when you recently provisioned “that customer”
Is this something new? I copied the reference architectures about a month or 2 ago and setup on a personal account and this did not come up
hrmmm so actually, it might be “new” in the sense we finally got around to updating the ref arch with our latest customer rollout, but not new in the sense we’ve been doing it for about 6mo
gotcha
basically, every time we do a customer rollout we revise/polish the ref-arch. it’s still got it’s bugs (first and foremost it’s a device we use to speed up our own engagements)
makes sense
i am just looking at the user module and the code to deal with the overrides to try and gain some insight on the implementation
try and find a work around
I do not have any users setup in the root.tfvars
is this required?
Aha, haven’t tested it without probably
ok so i should add it there and try again
so if i add my user to here in the root.tfvars:
# Administrator IAM usernames mapped to their keybase usernames for password encryption
users = {
# "[email protected]" = "osterman"
}
Yes, I believe that should be all it takes.
ok so then do i need to create an overrides folder and anything in there?
no, it should get created for you
ok i will try that
thanks!
well that worked, but now i am getting….
hrmmm odd
that second terraform init should look like:
terraform init -from-module=
that empty -from-module= is deliberate
this is why noobs are the best QA haha
thanks for sticking in there
Hahaha this will put me miles ahead from where i would be otherwise
it looks like the export worked to /artifacts/accounts.tfvars
btw i am only initializing audit, dev, staging, test and prod
@jober @Erik Osterman (Cloud Posse) It is required to have at least 1 user configured in root.tfvars because that is how you are intended to have long-term access to the organization accounts.
@Jeremy G (Cloud Posse) thanks! sorry it was not clear that is a requirement. But it makes sense
Unfortunately, the reference architecture is intended to get things started. It is not a full-fledged multi-functional tool.
For sure! And it’s awesome!
I am still having issues with the above error. @Jeremy G (Cloud Posse) do you have any suggestions/insight?
You need to do make reset to clear the errored state
That worked thanks!!!
2019-05-22
Hi , i’m seeing the same issue as @jober
just reading through the notes above …
I saw the same issue above as well…noticed when I ran make root/shell and manually ran cd /conf/accounts direnv exec . make deps in the shell it would initialize but when running make root/provision it would throw error. I was able to get around it however I was not aware of make reset that @Jeremy G (Cloud Posse) mentioned
@Erik Osterman (Cloud Posse) curious to know how you obtain admin user password. I ran reference-architectures however I didn’t pull the password before closing out my shell and deleting my root creds. I have already committed my repos however now I’m not certain proper way to get admin user console password. Any thoughts?
@Tega McKinney, thanks , looking at this now
@Tega McKinney, which directory are you running make reset from?
@paul.mortimer Not sure; I did not run it however it looks like it’s available in /conf/accounts. @jober may have some insight
Each directory under /conf is a Terraform module to install (except for /conf/helmfiles, which are helmfiles). In a Terraform directory, make deps loads the modules and initializes the Terraform state, and as part of loading the modules, loads a module-specific Makefile. After running make deps you can do all the normal Terraform stuff, but as protection against accidentally overwriting something, you cannot run make deps while there is Terraform state in the current directory. If you are sure you want to clear it out, that is when you run make reset, which deletes everything make deps pulled in and any state Terraform stored in the directory.
@Tega McKinney @paul.mortimer I ran the make reset from the /conf/accounts
Public/Free Office Hours with Cloud Posse starting now!!
@Jeremy G (Cloud Posse) @jober, thanks for the info appreciate the pointers.
I’m in Australia, so just getting up … is there any chance i could jump on zoom shortly and walk through this issue with someone?
@Erik Osterman (Cloud Posse) ?
@paul.mortimer best way is to schedule some time here: https://calendly.com/cloudposse
2019-05-23
Just curious, when running reference-architecture, i just realized that it does not add users from /config/root.tfvars as admins on the root accounts. That make sense as those users may not be admins. Should it expose a root_admin_user_names and/or root_readonly_user_names var(s) to ensure the ability to administer the account using IAM vs the root email?
@Erik Osterman (Cloud Posse) any thoughts on the above?
might be an oversight
Oh, i think this is what you were suggesting in #office-hours
(and agree)
brought up a good point that we need to document how to get the outputs for the users created in the reference-architectures
@Erik Osterman (Cloud Posse) I believe I see my mistake. I logged into the root account using my email / password instead of assuming the <namespace>-root-admin role. All sorted now
Also, this note was different than the #office-hours report. That references how to obtain the admin user’s password after closing the terminal.
This thread was just my mistake in logging into the console incorrectly. Thanks a bunch
2019-05-24
2019-05-27
2019-05-28
I’ve followed the reference architecture setup, so i’ve got an admin group in the root account with users added to it, and the users access sub-accounts by assuming a role
now, in one sub-account I want to enable SSM Session Manager to allow users to create sessions on instances. I’ve created an appropriate policy, but I’m stuck on where to attach the policy to. I probably should attach this policy to a group, but in the sub-account there are no users/groups of course.
I haven’t tried to use SSM this way, but what I think you want to do is attach the policy to a role in the child account
The allow the group in the root account to assume that role
We have an example of how to do that if you look at the organization access role module
Woops I minced my word there, I definitely meant attach the policy to a role and then attach it to a group. But you knew what I meant hah.
Ah I see now. I’ve had my admin group setup to assume the OrganizationAccountAccessRole, which gives the AdministratorAccess policy
This actually addresses an issue I’ve wanted to fix for awhile: restricting access to the users in the sub-accounts.
I didn’t quite understand how assumed role access worked until just now
Awesome! Yes we should offer some more canned roles
But i can’t attach it to the group in the root account, because the policy is in the sub-account
anyone know the correct approach here?
2019-05-29
@Erik Osterman (Cloud Posse) i’m sorry if this has already been asked, but is there a rough timeline on when geodesic will be updated to terraform 0.12?
Working on it as we speak
Might have it ready by end of day
Problem is we need to support multiple versions concurrently so introducing a system for that
nice… ok thank you. looking forward to it
public #office-hours starting now! join us here: https://zoom.us/j/684901853
2019-05-30
@Josh Larsen
what Add support for multiple concurrent versions of terraform why Individual projects need to be pinned to different versions of terraform since not all projects will be updated at the same tim…
TL;DR:
apk add --update terraform_0.12@cloudposse and add use terraform 0.12 in your .envrc
to support 0.11 as well do apk add --update terraform_0.11@cloudposse and add use terraform 0.12 in the .envrc
if you only care about 0.12 and not 0.11
awesome!
you can skip the brouhaha with installing terraform_0.x packages