#geodesic (2019-09)
Discussions related to https://github.com/cloudposse/geodesic
Archive: https://archive.sweetops.com/geodesic/
2019-09-01
2019-09-02

There are no events this week

:zoom: Join us for “Office Hours” every Wednesday 11:30AM (PST, GMT-7) via Zoom.
This is an opportunity to ask us questions about geodesic, get live demos and learn from others using it. Next one is Sep 11, 2019 11:30AM.
Register for Webinar
#office-hours (our channel)
2019-09-04
2019-09-09

2019-09-16

2019-09-18

Hey guys, I’m using the reference architecture to setup my AWS landing zone and having an issue with make finalize with the following output - https://gist.github.com/dalekurt/7c451ba3914f066bf16b42392904aca1

I believe from the output some s3 buckets are missing from other accounts.

from the output it looks like all your child account state buckets are missing.. maybe you missed steps when provisioning the children.. child accounts should be provisioned and finalized before finalizing the root account..

Yes, I had a successful completion of the make children, but that may very well be true. I will review the children stage of the deployment

I confirmed that the s3 buckets do exist in one of the accounts the error is complaining about.

I’m assuming that this should be the mydomain-com-dev-terraform-state
2019-09-20
2019-09-23

2019-09-24

I’ve placed a file in /rootfs/usr/bin with the hopes it’ll copy to bin but no luck on make build. Any guidance available please?

did you make install your new container? Sure you are running the newly built version?

Putting into rootfs/usr/local/bin/foo worked for me with a make all

This is an existing geodesic module. I have a new script: rootfs/usr/bin/lint and run make build and then start my Geodesic module, but the script is not in the /usr/bin/ dir in the Geodesic module container

Doesn’t seem any different to my rootfs/etc/profile.d/aliases.sh script, yet doesn’t copy over

In your Dockerfile, you’ll need something like COPY rootfs/ /

COPY rootfs/ /
Already present


so aliases.sh works just fine

I suspect it’s attaching to a running container

but lint does not

ah ok

Ah yes

I did have it open in another window

let's see


Spot on

Any way to give a /usr/bin/ file chmod +x easily?

I notice for this you don’t https://github.com/cloudposse/geodesic/blob/master/rootfs/usr/bin/s3fs

For now I’ve popped

COPY rootfs/ /
RUN chmod -R +x /usr/bin/

in the Dockerfile which will do, but let me know if there’s a better solution


According to that link, it’s an executable

Would need to take a deeper look

lol.

@Erik Osterman (Cloud Posse) That is correct, the mode of the file (in git) would be the same when copied to the Docker image.

Excellent thanks
Hrmmm modes should be carried over from what is in git

Missed that part.

2019-09-25

We have some people using AWS Vault and other AWS auth mechanics. We’ve disabled aws-vault in the Dockerfile due to the UI prompts it causes that aren’t needed for ‘other auth’ users (90% of users).
For the 10% using AWS Vault, how can we have them use the same Geodesic/Dockerfile, but toggle AWS_VAULT_ENABLED? I notice if you set this to true inside the container nothing happens, so it is clearly a build arg (could be wrong).
Any alts?

(Or is it possible to have it enabled but disable the "-> Run 'assume-role' to login to AWS with aws-vault" that is printed on every command)

@oscar Have you looked through the geodesic codebase for how to do this? It is all pretty readable. I’m sure PRs welcome if it doesn’t do what you require


I have not. I will take a look and see if I can put a PR through

Thx

I imagine that runs at build time only?


So, off the top of my head you could use build args here, which geodesic and build harness already supports

https://github.com/cloudposse/geodesic/blob/master/Makefile#L19-L20 Geodesic uses the docker:build target from https://github.com/cloudposse/build-harness/blob/master/modules/docker/Makefile.build

https://github.com/cloudposse/build-harness/blob/master/modules/docker/Makefile.build#L16 specifically

So you could add an ARG to the dockerfile, and change https://github.com/cloudposse/geodesic/blob/master/Makefile#L20 to make --no-print-directory docker:build ARGS="AWS_VAULT_ENABLED"

I’m actually leaning towards…

PROMPT_HOOKS+=("aws_vault_prompt")
function aws_vault_prompt() {
  # Only nag when no aws-vault session is active and the prompt has been opted into
  if [ -z "${AWS_VAULT}" ] && [ "${AWS_VAULT_PROMPT}" == "true" ]; then
    echo -e "-> Run '$(green assume-role)' to login to AWS with aws-vault"
  fi
}


and add some makefile default that users can set an env var to turn off at build time

Would you accept the above?

It’s not me

Jeremy and Erik??

Not sure who atm but best open a PR and see

The above just turns off the prompt though, why not use the ENV var that is already there to turn the whole lot off, which is actually what you want

Not just the prompt.

I want AWS VAULT on, but prompt off

that way everyone can use the same Dockerfile no extra config

Not what you said in https://sweetops.slack.com/archives/CB84E9V54/p1569407689020100
We have some people using AWS Vault and other AWS auth mechanics. We’ve disabled aws-vault in the Dockerfile due to the UI prompts it causes that aren’t needed for ‘other auth’ users (90% of users).
For the 10% using AWS Vault, how can we have them use the same Geodesic/Dockerfile, but toggle AWS_VAULT_ENABLED
? I notice if you set this to true inside the container nothing happens, so it is clearly a build arg (could be wrong).
Any alts?

PROMPT_HOOKS+=("aws_vault_prompt")
function aws_vault_prompt() {
  # Prompt unless explicitly disabled with AWS_VAULT_PROMPT=false
  if [[ -z "${AWS_VAULT}" ]] && [[ "${AWS_VAULT_PROMPT}" != "false" ]]; then
    echo -e "-> Run '$(green assume-role)' to login to AWS with aws-vault"
  fi
}

The above would also allow the same Dockerfile etc to be used

Yeh think I had some development time between then and went out for a lunch

That snippet wouldn’t affect anyone else

but the folks who do want to use aws-vault just set some var in their bash profile or whatever which will be used when they make build

but would allow others to disable prompt

What you want to do is already supported with some tweaks to the dockerfile/Makefile, which wouldn’t need to affect all of you.

Open a PR and I’m sure someone will get to it.

What: Adds ability to pass an ENV in individual Geodesic module's Dockerfiles to toggle the prompt. By default this will not affect anyone. Why: I am not a fan of the help text that is prompted o…

@oscar How will you set AWS_VAULT_PROMPT ?

Geodesic Dockerfile

Right, so you still need to add something to the Dockerfile

Yep, I am ok with that, is that a problem generally?

Seems like an OK thing. It’s a per geodesic module config

No but I don’t see how it differs from the suggestion above which doesn’t involve a PR as it is already supported. Also still not sure why you want AWS_VAULT_ENABLED true, but no prompt….

Other people can benefit

Ok I can explain

Maybe context will help understand my rationale

Maybe best off to add that to the PR.

We have 9 users on Azure AD authing with AWS

we have to use this NPM package called aws-azure-login

we don’t need aws-vault

but we have 1 user using IAM users with keypair

they need aws-vault

We all use the same geodesic repo + module + files

I understand the geodesic local config

that is fine in principle

but I don’t want to have to ask people to do such things

So how can all users use the same dockerfile now if passing AWS_VAULT_PROMPT = false ?

Because we don’t use aws-vault, but now the prompt is gone

So it’s there

just not in our faces

sigh

nvm

Plus even when using aws-vault it’s annoying

You don’t need the prompt to use vault

or am I misunderstanding

You don’t need the prompt no.

I am missing why you are frustrated then

Your solution is good. Have a .bashrc variable and pass it in the build target, but I don’t want to have to ask people to modify their .bashrc

From experience working with devs who may not be used to AWS or geodesic, telling them to assume-role is useful. Rather than not, expecting people to know to run the thing before anything else

and what you actually want to do is not enable AWS_VAULT for those users, not just hide the prompt for all…

anyway, nvm, I see your use case.

public #office-hours starting now! join us to talk shop https://zoom.us/j/508587304

2019-09-27

hi guys! thanks for the SweetWorks! I don’t really understand how you can override the policy or roles attributes using the terraform-aws-ecr (0.6.1 tag) module. The documentation seems a bit outdated because the provided samples raise errors in the geodesic shell. Do you have an up to date usage sample?

I’m using this regularly. Here’s an example that I’m using:

module "example_django_app" {
  source                     = "git::https://github.com/cloudposse/terraform-aws-ecr.git?ref=tags/0.6.1"
  namespace                  = "${var.namespace}"
  stage                      = "${var.stage}"
  name                       = "example-django-app"
  use_fullname               = "false"
  max_image_count            = "800"
  principals_full_access     = ["${local.principals_full_access}"]
  principals_readonly_access = ["${local.principals_readonly_access}"]
  tags                       = "${module.label.tags}"
}

Those locals are processed and provided in the module like this: https://github.com/cloudposse/terraform-aws-ecr/blob/0.11/master/main.tf#L1-L8 And I pass in what it wants like this, via tfvars:

external_principals_full_access = [
  "arn:aws:sts::1234567:role/OrganizationAccountAccessRole"
]
external_principals_readonly_access = [
  "arn:aws:iam::987654321:role/nodes.us-east-1.staging.example"
]

You would want to extend it (fork and PR) so that it can default to a policy doc that has CP’s default but also support taking from a users input https://github.com/cloudposse/terraform-aws-ecr/blob/master/main.tf#L28

thxs @oscar

(but as of yet doesn’t look like you can hence why you’d need to develop it yourself)

ok got it clear. i was wondering this because of the error but in the meantime i understood it was linked to the IAM role not being specified as data. So no need to PR in the end but good to know it works this way.

What’s the error?

module.ecr.aws_ecr_lifecycle_policy.default: Creation complete after 0s (ID: goalgo-dev)
module.ecr.aws_ecr_repository_policy.default: Still creating... (10s elapsed)
module.ecr.aws_ecr_repository_policy.default: Still creating... (20s elapsed)
module.ecr.aws_ecr_repository_policy.default: Still creating... (30s elapsed)
module.ecr.aws_ecr_repository_policy.default: Still creating... (40s elapsed)
module.ecr.aws_ecr_repository_policy.default: Still creating... (50s elapsed)
module.ecr.aws_ecr_repository_policy.default: Still creating... (1m0s elapsed)
module.ecr.aws_ecr_repository_policy.default: Still creating... (1m10s elapsed)
module.ecr.aws_ecr_repository_policy.default: Still creating... (1m20s elapsed)
module.ecr.aws_ecr_repository_policy.default: Still creating... (1m30s elapsed)
module.ecr.aws_ecr_repository_policy.default: Still creating... (1m40s elapsed)
module.ecr.aws_ecr_repository_policy.default: Still creating... (1m50s elapsed)
Releasing state lock. This may take a few moments...
Error: Error applying plan:
1 error(s) occurred:
* module.ecr.aws_ecr_repository_policy.default: 1 error(s) occurred:
* aws_ecr_repository_policy.default: Error creating ECR Repository Policy: InvalidParameterException: Invalid parameter at 'PolicyText' failed to satisfy constraint: 'Invalid repository policy provided'
status code: 400, request id: cd97a9c3-1065-474f-8169-51235bd0ebf7

Also send your usage of the module

Might show something


the error was when principals_full_access was defined actually

So you’ve taken that out and it is fine?

no i added it and seems fine

FYI


0.7.0 is TF 12

So you want TF 11? Okie that’s fine. Is your Geodesic using TF 11?

terraform version Terraform v0.11.7
- provider.aws v2.30.0
- provider.null v2.1.2

@Fred Light here is the latest example on using the aws-ecr module https://github.com/cloudposse/terraform-root-modules/blob/master/aws/ecr/kops_ecr_app.tf#L11

for TF 0.12, use release 0.7.0
https://github.com/cloudposse/terraform-aws-ecr/releases

thanks @oscar !
2019-09-30
