#geodesic (2021-09)

geodesic https://github.com/cloudposse/geodesic

Discussions related to https://github.com/cloudposse/geodesic Archive: https://archive.sweetops.com/geodesic/

2021-09-09

2021-09-08

2021-09-07

ChristianF

hi there. Was wondering how people use chamber and atmos together. For example, how to get parameters from terraform (urls, keys) into helmfile or other tools. From what I saw it’s purely static config and does not support variable substitution, e.g. to inject env variables dynamically. The same goes for secrets management. Or is the current understanding to just leave the env variable substitution logic inside TF and helmfile?

Erik Osterman (Cloud Posse)

the design philosophy there is to not make anything dynamic in the stack configs. otherwise we’re just creating a language on top of a language.

Erik Osterman (Cloud Posse)

instead, it’s the responsibility of your terraform components (root modules) to read from SSM

Erik Osterman (Cloud Posse)

that’s why chamber is no longer needed, since terraform reads from SSM flawlessly.

Erik Osterman (Cloud Posse)

make your component as declarative as possible. if you need a secret, the path to the secret in SSM should be the parameter, not the value.

ChristianF

thanks for the quick reply. this sounds like the way to go to read a secret stored in SSM from terraform. my challenge is in reading a secret stored in SSM from helm/helmfile. for example previously I had terraform write the secret and then chamber injecting for helmfile to consume through env vars to create a k8s secret.

ChristianF

i haven’t checked yet but maybe there is a way already to consume secrets from ssm in helmfile

ChristianF

ok. I think I found what I was looking for here https://github.com/roboll/helmfile/pull/906.

Erik Osterman (Cloud Posse)

yes, you can read from SSM directly in helmfile

Erik Osterman (Cloud Posse)

you can also use the terraform-provider-helmfile which we are using for customers that have a lot of complicated helmfiles

Erik Osterman (Cloud Posse)

for customers that have easier helm deployments, we’ve started using the native helm provider in terraform.

Erik Osterman (Cloud Posse)
GitHub - cloudposse/terraform-aws-helm-release: Create helm release and common aws resources like an eks iam role

Erik Osterman (Cloud Posse)

so if you use any of the terraform methods, you can access SSM that way, or as you mentioned you can read from SSM natively in helmfile

ChristianF

thanks for the pointers and generally for the help. I would like to use atmos in the short to midterm and execute helmfile straight from there. In particular the stack concept would fit well in my use case.

2021-09-06

2021-09-03

chrism

Is there anything like a migration guide for going from geodesic to new geodesic

Erik Osterman (Cloud Posse)

unfortunately, no, however, remember it’s just a toolbox. so if any tools go away in the base image, just re-install. if any script/profile.d functionality goes away, just copy it in.

chrism

Aye we pretty much maintain the current version tooling wise anyway. Good to know for definite though

chrism

we’re kinda rolling on a custom build of 0.136.1 (as we mostly use it for the tfenv / structure / tools and keep terraform up to date via the docker file)

Erik Osterman (Cloud Posse)

we’ve moved away from tfenv/direnv b/c it was not very conducive for gitops.

Erik Osterman (Cloud Posse)

we document our current approach here https://docs.cloudposse.com/

chrism

later versions assume-role vanishes etc guessing there was a major change of direction

Erik Osterman (Cloud Posse)

We’ve moved to Leapp b/c we work predominantly with various SSO providers and this is the best tool we’ve found so far

Erik Osterman (Cloud Posse)
Leapp - One step away from your Cloud

Leapp grants to the users the generation of temporary credentials only for accessing the Cloud programmatically.

Erik Osterman (Cloud Posse)

as for assuming roles, we’re doing that in the terraform directly, so we don’t need to have the command itself

2021-09-02

hugo976

I’m looking to enable access to the docker socket on the container, I found the with_docker == true setting on the wrapper file but how would I pass that when starting geodesic?

hugo976

Or rather make it so I don’t have to export it before running geodesic
