#geodesic (2019-07)
Discussions related to https://github.com/cloudposse/geodesic
Archive: https://archive.sweetops.com/geodesic/
2019-07-01
There are no events this week
:zoom: Join us for “Office Hours” every Wednesday 11:30AM (PST, GMT-7) via Zoom.
This is an opportunity to ask us questions about geodesic
, get live demos and learn from others using it. Next one is Jul 10, 2019 11:30AM.
Register for Webinar
#office-hours (our channel)
2019-07-03
Public Office Hours starting now! Join me here: https://zoom.us/meeting/register/dd2072a53834b30a7c24e00bf0acd2b8
Have any questions? This is your chance to ask us anything.
anybody think this would be cool? https://github.com/genuinetools/img
Standalone, daemon-less, unprivileged Dockerfile and OCI compatible container image builder. - genuinetools/img
compile geodesic to an exe
so it wouldn’t require even docker
Slick
2019-07-04
Does GEODESIC_PORT serve a purpose?
Yes, it’s used for things like kubectl proxy and teleport logins. Basically where you want to access something in geodesic via http
Figured so, can see some bits for teleport
Don’t remember needing to do anything with kubectl proxy though…
Nice for accessing kube dashboard when you don’t have all the other infra in place like keycloak
2019-07-08
There are no events this week
:zoom: Join us for “Office Hours” every Wednesday 11:30AM (PST, GMT-7) via Zoom.
This is an opportunity to ask us questions about geodesic
, get live demos and learn from others using it. Next one is Jul 17, 2019 11:30AM.
Register for Webinar
#office-hours (our channel)
2019-07-15
Is there a quick way when in geodesic to refresh your vault session
Do you use vault server?
There are no events this week
:zoom: Join us for “Office Hours” every Wednesday 11:30AM (PST, GMT-7) via Zoom.
This is an opportunity to ask us questions about geodesic
, get live demos and learn from others using it. Next one is Jul 24, 2019 11:30AM.
Register for Webinar
#office-hours (our channel)
sorry i mean aws-vault
right, but aws-vault server
mode
we have support for that in geodesic
and it will automatically refresh your tokens
oh; have to prod that. I was digging through the shell
ta
Geodesic is a cloud automation shell. It's the fastest way to get up and running with a rock solid, production grade cloud platform built on top of strictly Open Source tools. ★ this repo! h…
@Jeremy G (Cloud Posse) spent a lot of time to get this right.
there were all kinds of edge cases (like what to do when running on an EC2 instance like an AWS Workspace)
…what to do when the clock is behind
…what to do if already in a shell with a role
i get the clock issue all the time since updating from ~40odd to current. There’s a whole pile of related issues with docker4win /hyperv and that though.
I generally just run hwclock -s
@Jeremy G (Cloud Posse) do you know why the organizations module is not enabled in root.tfvars?
In the ref arch…
@joshmyers pointed this out and I don’t understand either
2019-07-16
Actually, @chrism what @Erik Osterman (Cloud Posse) was referring to was a command I added to Geodesic called role-server
. I have only tried it when using credentials that have/require virtual MFA, and with that setup, here is how it works:
You start your first Geodesic shell and run role-server
. It uses aws-vault
to assume an IAM role, creating temporary credentials with a life of AWS_VAULT_ASSUME_ROLE_TTL
(default 1h meaning 1 hour) and a role session with life of AWS_VAULT_SESSION_TTL
(default 12h). aws-vault
then runs as a credential server, using the same interface that the AWS credential server uses on EC2 instances. It runs in debugging mode so you will see all the activity printed out on the screen as it runs. For this reason, I usually hide the window.
Then you start a second Geodesic shell using the same Docker image. This second shell, as it starts up, finds the credential server is running and immediately assumes the role it is serving. This shell will work uninterrupted until the role session runs out (12 hours). When the temporary credentials expire, aws-vault
renews them as long as the role session is valid. When the session runs out, the shell will stop having credentials, but back in the window that I hid, running the role server, aws-vault
will ask for the MFA token. Type it in and you get a new session for another 12 hours.
And of course, you are not just limited to 1 useful Geodesic shell. You can run several at the same time and they will all share the same credential server, as long as they are all running the same Docker image. The Geodesic wrapper script that gets installed to launch the Docker image does not run multiple copies of the image, but rather starts multiple bash
shells running inside the same image. This is how they are able to share the credential server (and the kubecfg
).
@Erik Osterman (Cloud Posse) @joshmyers I believe the reason the organizations module is not enabled in root.tfvars in the ref arch is that it is not needed because it is not practical. From a cold start, you have to use ClickOps to:
- create the root account,
- add billing info,
- buy a root domain,
- connect the root domain to the root account and Route 53,
- create the organization,
- verify the root account email address with AWS,
- request an increase in the limit of the number of accounts allowed under your organization,
- wait for the organization to finish initializing (can take an hour or more), and
- wait for the requested limit increase to be approved and implemented.
Because of the long waits and the interaction with AWS support and email, none of the above is done with Terraform. After it is all done, Terraform does not need to manage the organization at all. New accounts are automatically added to the organization when they are created because they are created as “child” accounts of the “root” account.
@Jeremy G (Cloud Posse) So https://github.com/cloudposse/terraform-root-modules/blob/master/aws/organization/main.tf is not used anywhere..?
Example Terraform service catalog of “root module” blueprints for provisioning reference architectures - cloudposse/terraform-root-modules
I have never seen it used. It was written over a year ago, when the whole terraform-root-modules
project was new. My guess is that it was an attempt at automating the cold start that was abandoned when it was realized that the above-mentioned tasks really needed to be done via ClickOps.
OK, should prob remove it then, I’ll open a PR
Heads up that I applied that module to root, seems fine…
@Josh Larsen any opinions on this? https://github.com/cloudposse/geodesic/pull/500
what Use an empty cache folder to initialize module why Terraform 0.12 no longer allows initialization of folders with even dot files =( Example of how to use direnv with terraform 0.12
yes this looks great! might be worth mentioning that people may need to change the make deps target on modules that use overrides
what Use an empty cache folder to initialize module why Terraform 0.12 no longer allows initialization of folders with even dot files =( Example of how to use direnv with terraform 0.12
yes, I need to do that
@oscarsullivan_old
basically, this is to get around the fact that 0.12 does not allow the initialization of modules to a non-empty directory (previously terraform permitted dot files)
What’s an example of initialising an empty directory?
much more elegant than my workaround
deps:
mkdir -p modules
terraform init modules
cp modules/* ./
rm -rf modules
haha, more or less the same
just using ENVs
though in this case, we keep using .modules/
by passing it always as an argument to terraform (~ TF_CLI_ARGS_plan=.module
, TF_CLI_ARGS_apply=.module
)
or TF_CLI_PLAN=.module
and TF_CLI_APPLY=.module
when using cloudposse/tfenv
Does every terraform 0.12 command support a directory as an argument? I know in 0.11 it was not consistent
Not sure if every command supports it
The ones we care about do: init, plan, apply, destroy
I think it was import or state that did not
2019-07-17
@chrism Another quick thing, any issues running the Geodesic wrapper script on windows? i.e. make install
so you get a [root.foo.co](http://root.foo.co)
in your /usr/local/bin
to call ?
#office-hours starting now! https://zoom.us/s/508587304
2019-07-19
hmmm, how are folks doing Terraform 0.12 and geodesic?
this is what https://github.com/cloudposse/geodesic/pull/500 addresses
what Use an empty cache folder to initialize module why Terraform 0.12 no longer allows initialization of folders with even dot files =( Example of how to use direnv with terraform 0.12 usage e…
but this is what @Josh Larsen and @daveyu are doing https://sweetops.slack.com/archives/CB84E9V54/p1563307247187300
much more elegant than my workaround
deps:
mkdir -p modules
terraform init modules
cp modules/* ./
rm -rf modules
2019-07-22
There are no events this week
:zoom: Join us for “Office Hours” every Wednesday 11:30AM (PST, GMT-7) via Zoom.
This is an opportunity to ask us questions about geodesic
, get live demos and learn from others using it. Next one is Jul 31, 2019 11:30AM.
Register for Webinar
#office-hours (our channel)
2019-07-23
@chrism Re Geodesic on windows, are you running native Windows? Bash? WSL? I literally have no idea with windows these days but a dev in the team is a Windows user
Windows 10 + Docker for windows. Ubuntu 18 / WSL (from the store)
Do you need to install docker in WSL? Colleague has docker for windows installed but in a “bash” environment, cannot see DOCKER
yeah
one mo
With a couple of tweaks the WSL (Windows Subsystem for Linux, also known as Bash for Windows) can be used with Docker for Windows.
Thanks @chrism
So yeah, it looks like assume-role interactive doesn’t work, and also /localhost/.aws/config doesn’t exist, are you setting AWS_DATA_PATH
?
@chrism Are you always running assume-role $ROLENAME
in that case?
ENV ASSUME_ROLE_INTERACTIVE=false
ENV TF_BUCKET_PREFIX_FORMAT="basename-pwd"
# Needed because multi provider started failing with wsl and dynamic linking
ENV TF_PLUGIN_CACHE_DIR=/tmp
in my docker file
how does your aws config end up in the right place? It looks like WSL has a mapping of e.g. /mnt/c/Users/work/.aws
inside WSL
or is your aws config inside WSL? >_<
you configure vault + aws in wsl
otherwise you’re in the weird world of virtualised chmod
OK ta, this dev is a windows windows user, grrrr
Are you able to write to /root/.aws/config
inside WSL land?
Feels like I need to do some reading around WSL
thats just normal linux shit
the aws config should be in ~~~/.aws/config the vault ~~~aws-vault/ etc
basically dont sudo su
main issues I had with the folders was sudo altering the owner of files
nothing as heart warming as fighting your way through config just to get a worker node to reply banana on request
WSL seems broken…. there isn’t a /root/.aws
dir inside WSL, but we can’t seem to create one
We’re getting some weird input/output error trying to create /root/.aws
it should be /home/username/.aws I don’t get why its in root
hmm
For some reason he is root as soon as enters WSL…. there is nothing in /home/
whoami = root
thats… screwy
Said he just installed WSL from the store and doesn’t know anything else
¯_(ツ)_/¯
burn it start again
Yeah, he’s already not happy
Never had that one and I’ve been using wsl since insider release came out
Legacy wsl you could force it to open as root
lxrun /setdefaultuser root
newer ones ` ubuntu config –default-user
Indeed
So how do you keep it as real usernames? Default that should be the case?
just the default tbh
OK, thanks for all the info dude! Out my depth in windows world
It’s a fun system of virtualised virtualisation
2019-07-24
Public #office-hours with cloud posse starting now! https://zoom.us/s/508587304 join if you have any questions or want to listen in.
2019-07-29
There are no events this week
:zoom: Join us for “Office Hours” every Wednesday 11:30AM (PST, GMT-7) via Zoom.
This is an opportunity to ask us questions about geodesic
, get live demos and learn from others using it. Next one is Aug 07, 2019 11:30AM.
Register for Webinar
#office-hours (our channel)
Hi all! I’m trying to use the https://github.com/cloudposse/reference-architectures repo to put some order into an ad-hoc AWS I inherited. I have two questions:
1) in configs/root.tfvars
I have to change the domain for the entire infra. Now currently the company domain [example.com](http://example.com)
is pointed to a heroku app and I can’t make AWS the SOA for the entire domain. If I use something like [infra.example.com](http://infra.example.com)
will that then make all the accounts register as <account>.[infra.example.com](http://infra.example.com)
??
2) In running make root
I get the following error. I can’t create the accounts/root
dir by hand as the first step in the Makefile removes it!
We suggest distinguishing between your branded/vanity domains and you infrastructure service discovery domains
e.g. a product might have dozens of branded domains, but you’ll only have one infra
so for our customers, we usually register a new domain on route53 or repurpose an existing one that was unused
aahh, so you’d suggest the ‘root’ account to ‘own’ [companyexmaple.net](http://companyexmaple.net)
or something completely separate from the company itself
yes, precisely
the .net
, .io
, .org
, .dev
, .sh
, .co
domains are what we typically use
2019-07-31
As a service that runs on .io
(we have the .com
as well, and we’re migrating to it), I’d heartily recommend avoiding .io
if you can. It’s mostly OK, but occasionally has worldwide resolution issues.
It’d be fine unless you’re running something that’s mission-critical though. A blog? Fine. Something that your pipeline needs for deployments? Negative.
Another question - are you guys still supporting the terraform iam user modules? I noticed terraform-aws-iam-system-user
was updated to terraform v0.12 but not terraform-aws-iam-user
(I submitted a PR https://github.com/cloudposse/terraform-aws-iam-user/pull/3)?
I’m curious to know how it, terraform-aws-organization-access-group
, terraform-aws-iam-assumed-roles
, and terraform-aws-organization-access-role
are all meant to work together…
Updated to be compatible with Terraform v0.12
yea, it’s just a slog. We have over 100 modules.
upgrading them a little bit at a time.
we’ve upgrading 40+ modules to 0.12 and terratest
(but this is all out of pocket for cloudposse)
Ya’ll rock! @Andriy Knysh (Cloud Posse) is a machine
I can only imagine the chore!! Hopefully my contrib helps, since I’m looking at adopting your modules. They follow really great practices from what I can see.
My company is happy to let me dedicated paid time to Open Source projects that we use in turn.
thanks @Tim Jones!
most of the slow down for us accepting 0.12 PRs is that we want to have testing in place so all future PRs can be merged faster.
we’re using the 0.12 upgrade as the excuse to add them.
@Andriy Knysh (Cloud Posse) on our side is doing most of the work.
Cool! I’d like to help out here I can, and can easily use my fork until PRs get merged…
thanks! sorry for the hold ups
No need to apologise!! We’re already grateful for the awesome contributions you’ve all made!
To my other question though: can you give a quick run-down of how terraform-aws-iam-user
, terraform-aws-organization-access-group
, terraform-aws-iam-assumed-roles
, and terraform-aws-organization-access-role
are made to be used together?
For instance, I have the master account, along with develop, staging, & production accounts. I create the real-life users in the master account with terraform-aws-iam-user
, but I’m not sure how I then give the, access to the other accounts & control things like MFA requirements…
fwiw, have you had a chance to look through our terraform-root-modules
repo? this is a collection of blueprints we use that leverage all the modules together.
terraform-aws-organization-access-group
is used when you have a role in another account and you want to allow users in your root account (or identity account) easily assume roles in the other account.
so you deploy terraform-aws-organization-access-group
for each role that exists in another account that is assumable
terraform-aws-iam-assumed-roles
was one of our earlier modules. We use it for provisioning a few default roles in the root account. it also enforces some best practices around MFA and password resets.
terraform-aws-iam-user
is used when you don’t have SSO. it provisions an IAM account suitable for humans
(we also have terraform-aws-iam-system-user
for bot accounts. e.g. external CI/CD systems)
So really I should be using terraform-aws-iam-assumed-roles
for human users, and then simply delegate their access with an terraform-aws-organization-access-group
with the role ARNs of the org accounts?
Ah, I think I see it now, create the individual users with terraform-aws-iam-user
, manage the settings of all the users with terraform-aws-iam-assumed-roles
and delegate their account access with terraform-aws-organization-access-group`
the terraform-aws-organization-access-group
is somewhat redundant with terraform-aws-iam-assumed-roles
the terraform-aws-organization-access-group
module was designed to be a more general way to assume any role in other accounts
while the terraform-aws-iam-assumed-roles
is designed specifically to assume roles in the “root” (apex) account.