#geodesic (2021-05)

geodesic https://github.com/cloudposse/geodesic

Discussions related to https://github.com/cloudposse/geodesic Archive: https://archive.sweetops.com/geodesic/

2021-05-10

2021-05-07

2021-05-05

Joe Hosteny

Hi all, I had some more time to work on our account conversion today. I got to the dns-primary component, but I seem to be missing something now. What is the expectation for how to run non-bootstrap terraform plan / apply for the non-bootstrap components using the terraform profiles, rather than the org role ARNs (I am looking at the all-new-components branch)? For example, it was easy for the iam-delegated-roles, as that component’s provider performs an assume_role into the destination account. Is there a short blurb that gives a high level view of how things are to fit together?

Joe Hosteny

Specifically, I kind of blindly configured the stack and started a run, then was surprised to see the zones appearing in the root account. That’s when I noticed that the component was using the named terraform profile (or named terraform role ARN on master).

Matt Gowie

@Joe Hosteny the current status of assume_role vs profile is a bit in flux. I know Cloud Posse folks are moving towards using profiles for everything since that covers some issue that they were having that I’m not 100% up-to-speed on.

I personally had issues with this so I created a potential abstract `aws-provider.tf` proposal which is up on PR: https://github.com/cloudposse/terraform-aws-components/pull/322

Does that possibly help you if it were used more widespread throughout the components?

feat: adds a new abstract providers.tf proposal by Gowiem · Pull Request #322 · cloudposse/terraform-aws-components

what Proposes a new pattern for abstractly defining the aws provider via a common providers.tf why This enables usage of the following types of AWS auth for components: Environment credentials …

Joe Hosteny

Thanks @Matt Gowie. I will take a look at this.

Joe Hosteny

Are you just using an IAM user that is able to assume the *-terraform role in the identity account?

Joe Hosteny

@Matt Gowie FYI, I was able to finally get this to work (deployed DNS primary stack in the dns account using the proper terraform role). It was death by a thousand papercuts, but I think I have it all down now.

Joe Hosteny

And by papercuts, I mean my mistakes.

Joe Hosteny

This was done via a login for a user, not a system account, provisioned via GSuite and using SAML SSO. I did use the terraform_profile_name too, not the dynamic assume role. It fell into place once I was able to figure out how to get the iam-delegated-roles to deploy in root.

Matt Gowie

Ah sorry I didn’t see your other reply Joe. Glad you got it figured. Sorry I can’t be of much help — I’m not utilizing this 100% yet, just piecemeal so I don’t use the IAM roles stuff unfortunately.

Joe Hosteny

No worries! I realize I am working on it probably a little too early anyway.

2021-05-04

2021-05-03

2021-05-02

marc slayton

RE: Atmos – kudos to you @Joe Hosteny for your advice today in getting my Atmos compiles going. Everything works now. Cheers –


2021-05-01
