#geodesic (2021-02)
Discussions related to https://github.com/cloudposse/geodesic
Archive: https://archive.sweetops.com/geodesic/
2021-02-09
Mathieu SERRA:
Hi Everyone. I’m trying to reproduce your architecture for a test project. I succeeded in using atmos. Very helpful tool. But I’m a bit struggling to get the differences between the “iam-primary-role” and “iam-delegated-roles” modules in https://github.com/cloudposse/terraform-aws-components . If I correctly understand, the “iam-primary-role” needs to be run only on the root account and the “iam-delegated-role” on all other accounts. Is that correct? Second question related to the first one. In the “iam-primary-role” you have two variables, `delegated_roles_config` and `primary_roles_config`. I’ve noticed that these two variables are merged together to create roles. My question is when I need to use the first one and when I need to use the second one. I see too that the `delegated_roles_config` variable is used by “iam-delegated-modules” by reading the tfstate output of “iam-primary-role”. Thanks for your help and your work
Erik Osterman (Cloud Posse):
@Mathieu SERRA we have some incoming documentation on this from @Matt Gowie
Erik Osterman (Cloud Posse):
what Updates pre-commit to include terraform_docs + bumps to 0.45.0 Updates pre-commit workflow for terraform_docs checking Adds information on installing / using pre-commit Adds rebuild-docs targ…
Mathieu SERRA:
Ok thanks for your help. It helps a lot. One question regarding the variable `assume_role_restricted` in iam-primary-roles. I need to set it to false first when I create all the roles for a cold start. But do I need to relaunch the terraform process after creation with this variable set to true in the identity account?
Erik Osterman (Cloud Posse):
@Jeremy G (Cloud Posse) @Dan Meyers
Jeremy G (Cloud Posse):
Sorry it is so complex, @Mathieu SERRA, but you seem to be getting the hang of it. We recommend creating an `identity` account separate from the `root` account and creating the `primary` roles in that account.

When `assume_role_restricted` is `true`, we add limitations on roles to prevent them from assuming other roles in the same account. For example, `identity-observer` is not allowed to assume `identity-ops`. However, we cannot create that restriction until after both `identity-observer` and `identity-ops` have been created, so when first creating the roles you have to set `assume-roles-restricted` to `false` so we do not create rules referencing non-existent roles. Then you need to do `terraform apply` in order to actually create the roles. After the roles are created, you can set `assume-role-restricted` back to `true` and `terraform apply` to create the restrictions.
Mathieu SERRA:
@Jeremy G (Cloud Posse) Thanks for your complete answer. I’ve followed your instructions but I’m facing an issue. I’ve taken your example and put this in the vars for the module iam-primary-roles:

```yaml
delegated_roles_config:
  admin:
    role_policy_arns: [ "arn:aws:iam::aws:policy/AdministratorAccess" ]
    role_description: "Role with AdministratorAccess permissions"
    sso_login_enabled: false
    # list of roles in primary that can assume into this role in delegated accounts
    # primary admin can assume delegated admin
    trusted_primary_roles: [ "admin" ]
```

I took this configuration from your readme. But I just disabled SSO for the moment; I will only use AWS users. For the first apply with assume_role_restricted set to false there is no error and the role is correctly created. But when I set assume_role_restricted to true and relaunch terraform apply, the assume role policy of the admin role is replaced with null:

```
assume_role_policy = jsonencode(
  ~ {
      ~ Statement = [
          - {
              - Action    = [
                  - "sts:TagSession",
                  - "sts:AssumeRole",
                ]
              - Effect    = "Allow"
              - Principal = {
                  - AWS = "arn:aws:iam::x:root"
                }
              - Sid       = "IdentityAccountAssume"
            },
        ] -> null
        Version   = "2012-10-17"
    }
)
```

If I look at your code, it seems that you exclude from `trusted_primary_roles` all roles that have the same name as the role to create or update.
Jeremy G (Cloud Posse):
Yes, no identity role is allowed to assume the `identity-admin` role. Also, because of the limitations of role chaining, we do not allow any role to assume itself. We would rather have an error if that situation arises so we can fix whatever is causing that to happen.
Mathieu SERRA:
Thanks for your answer. You said that you do not allow any role to assume itself, but in the readme of iam-primary-roles you put the admin as its own trusted primary role:

```yaml
delegated_roles_config:
  admin:
    role_policy_arns: [ "arn:aws:iam::aws:policy/AdministratorAccess" ]
    role_description: "Role with AdministratorAccess permissions"
    sso_login_enabled: false
    # list of roles in primary that can assume into this role in delegated accounts
    # primary admin can assume delegated admin
    trusted_primary_roles: [ "admin" ]
```

And how can I correctly configure the admin role with no trusted_primary_roles and SSO disabled without having a null `assume_role_policy` when I set `assume_role_restricted` to true? Thanks
Jeremy G (Cloud Posse):
`admin` is trusted in delegated roles. This is a shorthand for saying `identity-admin` can assume `otherAcct-admin`. When you set `assume_role_restricted = true` then the roles are automatically restricted from assuming themselves as well.

This is the point of having `target_role` here:

```hcl
if ! contains([target_role, "cicd"], source_role)
```
Mathieu SERRA:
Thanks for your answer. I now have a better view of how it works. Do you know how I can fix my issue when I put `assumed-role-restricted` to true? When I set it to true the assume role policy of the root role becomes null, so terraform raises an error:

```
assume_role_policy = jsonencode(
  ~ {
      ~ Statement = [
          - {
              - Action    = [
                  - "sts:TagSession",
                  - "sts:AssumeRole",
                ]
              - Effect    = "Allow"
              - Principal = {
                  - AWS = "arn:aws:iam::x:root"
                }
              - Sid       = "IdentityAccountAssume"
            },
        ] -> null
        Version   = "2012-10-17"
    }
)
```

I have the following config for the delegated-role-config:

```yaml
delegated_roles_config:
  admin:
    role_policy_arns:
      - "arn:aws:iam::aws:policy/AdministratorAccess"
    role_description: "Admin role"
    sso_login_enabled: false
    trusted_primary_roles: [admin]
  terraform:
    role_policy_arns:
      - "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"
      - "delegated_assume_role"
    role_description: "Role with permissions for terraform automation"
    sso_login_enabled: false
    trusted_primary_roles: ["admin", "terraform"]
```

Thanks
Jeremy G (Cloud Posse):
You need to give me more context. I can’t find `jsonencode` anywhere. Are you using the latest versions of everything?
2021-02-10
Dan Meyers:
@Dan Meyers has joined the channel
RB:
I’m a geodesic noob. How does one run it?

```sh
docker run -it cloudposse/geodesic
docker run -it cloudposse/geodesic bash
```

both fail
Erik Osterman (Cloud Posse):
Oh, so when you run it with no arguments it outputs a bash script installer
Erik Osterman (Cloud Posse):
Run it like docker | bash |
Erik Osterman (Cloud Posse):
(On my phone)
Erik Osterman (Cloud Posse):
The result is that a script is installed that helps you start it, since running long Docker commands is no fun
Erik Osterman (Cloud Posse):
If you just want to kick the tires and skip installation, then add `-l`
Erik Osterman (Cloud Posse):

```sh
docker run -it cloudposse/geodesic -l
```
Erik Osterman (Cloud Posse):
The way we use it is as a base Docker image for our customers
Erik Osterman (Cloud Posse):
We also have Debian and CentOS images
Erik Osterman (Cloud Posse):
We like to mount `$HOME` to `/localhost` so we can access files during development (e.g. tf)
RB:
you don’t mount it to `/conf`, the root `$HOME`?
Erik Osterman (Cloud Posse):
No…
RB:
oh i see i see. got it working
RB:

```sh
docker run -v "$HOME:/localhost" -it cloudposse/geodesic -l
```
Erik Osterman (Cloud Posse):
`/conf` is where we copy the configurations for distribution in the Dockerfile that is `FROM geodesic`
Erik Osterman (Cloud Posse):
Cloud Posse DevOps distribution of linux packages for native apps, binaries, alpine packages, debian packages, and redhat packages. - cloudposse/packages
Erik Osterman (Cloud Posse):
All of these tools are easily installed. We update every night automatically
RB:
hmmm

```
⨠ aws-vault exec sso_sre --server
Enter passphrase to unlock /conf/.awsvault/keys/:
Enter passphrase to unlock /conf/.awsvault/keys/:
Enter passphrase to unlock /conf/.awsvault/keys/:
aws-vault: error: exec: fork/exec : no such file or directory
```
RB:
thanks for the help. i’ll keep playing with it
Erik Osterman (Cloud Posse):
I think we do some symlinking for that
Erik Osterman (Cloud Posse):
Check out `/etc/profile.d`
RB:
ya i was trying to use the same profiles i have set up locally
Erik Osterman (Cloud Posse):
That should work
RB:
i can see my profiles when doing `aws-vault list`
Erik Osterman (Cloud Posse):
Aha, are you on a Mac?
RB:
lol. yessir
Erik Osterman (Cloud Posse):
So I think you need to use the vault backend of `file` for it to work across OS barriers
RB:
Used

```sh
docker run --env AWS_VAULT_BACKEND=file -v "$HOME:/localhost" -it cloudposse/geodesic -l
```

then

```
⨠ env | grep AWS_VAULT
AWS_VAULT_SERVER_ENABLED=false
AWS_VAULT_BACKEND=file
AWS_VAULT_ENABLED=false
⧉ geodesic
√ . [default] ~ ⨠ aws-vault exec sso_sre --server
Enter passphrase to unlock /conf/.awsvault/keys/:
aws-vault: error: exec: fork/exec : no such file or directory
```
RB:
this seems to work tho

```
aws-vault exec sso_sre -- aws sts get-caller-identity
Enter passphrase to unlock /conf/.awsvault/keys/:
{
    "UserId": "snip",
    "Account": "snip",
    "Arn": "snip"
}
```
Erik Osterman (Cloud Posse):
@Jeremy G (Cloud Posse) may know
Jeremy G (Cloud Posse):

```sh
aws-vault exec --server sso_sre -- /bin/bash -l
```
2021-02-14
Michael Dizon:
in a workflow, is it possible to use the outputs from terraform as inputs for helm?
Erik Osterman (Cloud Posse):
are we talking about `atmos`?
Erik Osterman (Cloud Posse):
…are you using `helmfile` with `helm`?
Erik Osterman (Cloud Posse):
…what’s calling helm?
Michael Dizon:
woops, yeah atmos. i think i read something about helmfile supporting tfstate
Michael Dizon:
er tfstate-lookup
Erik Osterman (Cloud Posse):
exactly - so you shouldn’t have state based between anything in atmos, you should use the tool’s ability to access remote state.
Erik Osterman (Cloud Posse):
helmfile can read from SSM or terraform remote state
Erik Osterman (Cloud Posse):
Comprehensive Distribution of Helmfiles for Kubernetes - cloudposse/helmfiles
Erik Osterman (Cloud Posse):
here’s how to read from SSM in helmfile
Erik Osterman (Cloud Posse):
if you’re using pure `helm`, then what you’d want is that `terraform` uses the `kubernetes` provider to write a `ConfigMap` or `Secret` instead
Michael Dizon:
got it. going to jump on this tonight when i get back. thanks for the help!
Erik Osterman (Cloud Posse):
also, once you have this stuff working in atmos, you should be able to use spacelift very easily too.
2021-02-17
Robert Horrox:
@Erik Osterman (Cloud Posse) Dropping this here for reference: with the latest version of Docker Desktop for Mac you can run into a high CPU issue when mounting the home directory (https://github.com/docker/for-mac/issues/5200). Disabling the gRPC FUSE filesystem makes the CPU issue go away.
Erik Osterman (Cloud Posse):
hrmmm @Jeremy G (Cloud Posse) mentioned something about the problem being introduced. have you seen this workaround?
Jeremy G (Cloud Posse):
Docker really blew it with the 3.x version and people are pretty steamed. If there were an alternative to Docker, people would be flocking to it, which I am sure has some people working to set up an alternative to it.

Yes, I knew about turning off gRPC FUSE. Sadly, the alternative, OSX FUSE, as used by Docker, seems to have a memory leak. I had it using > 70 GB of swap. But the CPU is manageable and memory leaked to swap is not a big deal since, by virtue of it being leaked, it is never paged back in.
Robert Horrox:
podman is the best alternative I can see: https://podman.io/. That could be combined with https://github.com/gyf304/vmcli or https://github.com/machyve/xhyve or https://github.com/moby/hyperkit to make a suitable docker alternative for OSX. You could also use https://developers.redhat.com/blog/2020/02/12/podman-for-macos-sort-of/
2021-02-23
Mathieu SERRA:
Hi everyone,
I have a question regarding all modules in aws-terraform-component. In most of these modules you require the module `iam-roles`. But you call it with few parameters:

```hcl
module "iam_roles" {
  source      = "../account-map/modules/iam-roles"
  stage       = var.stage
  assume_role = false
  region      = var.region
}
```

But this module needs other information to access the remote state of account-map, like the account id, the namespace or the bucket environment_name. I think something like that can work:

```hcl
module "iam_roles" {
  source                          = "../account-map/modules/iam-roles"
  stage                           = var.stage
  tfstate_assume_role             = false
  tfstate_bucket_environment_name = var.tfstate_bucket_environment_name
  region                          = var.region
  context                         = module.this.context
  tfstate_account_id              = var.tfstate_account_id
}
```

Or maybe you have a way in atmos to pass these variables to the module directly. Thanks
Joe Hosteny:
@Matt Gowie this is one of the things I ran into and had a question about as well. I did the same thing as Mathieu. Is the longer term intent to do something like `terraform-null-label` but for the tfstate-context?
Matt Gowie:
Ah yeah, the `tfstate-context.tf` file was a pattern that I believe the CP team tried out, but it didn’t work out and was deprecated.
Joe Hosteny:
I see, thanks. Do you know if there is something more up to date that I should look at?
Matt Gowie:
@Mathieu SERRA @Joe Hosteny The issue with the above usage of iam_roles is that the account-map version likely doesn’t have the latest iam_roles submodule, which causes issues. We need to get everything up-to-date and get it all working together, which unfortunately we’re waiting on PR reviews and some time from some of the more in-the-know Cloud Posse team members for.
Joe Hosteny:
Thanks @Matt Gowie. Not sure if you caught my message above while you were typing out your last one. Or maybe you meant that was part of the pending work?
Matt Gowie:
I believe it’s just a disconnect between the pending work and what has merged. Let me check again what has merged so I know which direction it is borked in.
Matt Gowie:
Yeah so I believe the issue is likely that these components haven’t landed yet: https://github.com/cloudposse/terraform-aws-components/pull/304
Matt Gowie:
Once those are merged in, we’ll have the most up-to-date iam_roles submodule and then things start to fit together better.
Joe Hosteny:
Thanks! I may try to merge those into my local repo
Matt Gowie:
Honestly… I believe we’re going to need to pull that submodule out and start versioning submodule usage instead of relying on path based modules, because these types of issues crop up.
Matt Gowie:
cc @Erik Osterman (Cloud Posse) for discussion / context later.
Matt Gowie:
Also we need a #sweetops channel. Talking about this in #geodesic ain’t right.
Matt Gowie:
(It’s the best we’ve got, but we need a better spot to talk about atmos, stacks, components, and all the things)
Joe Hosteny:
Yeah, sorry - I think I saw some other discussions regarding the new structure here.
Matt Gowie:
Ah nothing to be sorry about — Really thinking out loud more than anything.
Joe Hosteny:
BTW, I was working from the `all-new-components` branch. I diff’ed a lot of the changes between that and the `upstream-account-comps` branch, and wound up just deleting the tfstate-context.tf and tfstate.tf files from the `account-map` component, and everything worked cleanly
Joe Hosteny:
With applying twice (first time w/ `assume_role_restricted: false`)