Public “Office Hours” are held every Wednesday at 11:30 PST via Zoom. It’s open to everyone. Ask questions related to DevOps & Cloud and get answers! https://cpco.io/slack-office-hours
Meeting password: sweetops
@roth.andy I’m looking forward to that, I was reading about it earlier this morning on a reddit post - https://github.com/antonbabenko/pre-commit-terraform/blob/master/README.md
my boss just pushed back a meeting that now conflicts with the first half of office hours, so I might miss the first half. We’ll see how long the other meeting lasts
Hope you make it, would love to see what you have done.
Extend your AWS IAM switching roles. You can set the configuration like aws config format
Read: Securing Environment Variables with 1Password
When I received my new laptop at Hashicorp, I began personalising it as we all do. I used dotfiles to configure iTerm, and quickly pulled down Brew to get (almost) everything I needed installed.
Static analysis powered security scanner for your terraform code - liamg/tfsec
a lightweight, security focused, BDD test framework against terraform. - eerkunt/terraform-compliance
Very Good Security (VGS) lets you operate on sensitive data without the cost or liability of securing the data. VGS also helps you achieve PCI, SOC2, and other compliance certifications. VGS is a sensitive data custodian that provides turnkey security with no changes to existing products or systems. We accelerate your time to market and simplify the use of sensitive data while eliminating the risk of breaches. After all, hackers cannot steal what isn’t there.
An open source trusted cloud native registry project that stores, signs, and scans content. - goharbor/harbor
We’ve been working with Jetstack, the authors of cert-manager, on a series of fixes to the client. Cert-manager sometimes falls into a traffic pattern where it sends excessive traffic to Let’s Encrypt’s servers, continuously. To mitigate this, we plan to start blocking all traffic from cert-manager versions less than 0.8.0 (the current semver minor release), as of November 1. We’ll be sending out notifications to cert-manager clients that meet those criteria over the next two months. Version 0…
Amazon EKS now allows you to assign IAM permissions to Kubernetes service accounts, which in turn makes it possible to give pod level…
Sorry I missed office hours! If people still want to see the pre-commit stuff I can definitely show it at the next one
Little show-and-tell I can do tomorrow at office hours if people are interested. We’re using the tool pre-commit heavily in most of our projects. This is an example from the state backend project I set up for one of our stacks.
That’s great! I’d like to see it.
@Erik Osterman (Cloud Posse) Could you reiterate the strategy and pros for deploying a Kubernetes node pool within a single AZ as opposed to deploying across multiple AZs?
Cluster Autoscaler needs separate node pools for each AZ
The Kubernetes Cluster Autoscaler automatically adjusts the number of nodes in your cluster when pods fail to launch due to lack of resources or when nodes in the cluster are underutilized and their pods can be rescheduled onto other nodes in the cluster.
AWS calls them Node Groups
Thank you @roth.andy that’s what I was looking for, supporting documentation.
Yep, I second this.
I have one thing I’d like to review today with those on the call.
We are working on releasing our official “code of conduct” for SweetOps
Would love your feedback.
/conf/$project, and then in project, you define each environment.
environment ~ workspace
workspace ~ account
Example Terraform service catalog of “root module” blueprints for provisioning reference architectures - cloudposse/terraform-root-modules
terraform cli_arg_init var?
terraform init --from-module
Microsoft and Alibaba Cloud have created the Open Application Model (OAM) project under the Open Web Foundation.
Questions asked in Zoom
As a general rule of thumb, If I am able to automatically enforce something, I’ll always try to do that rather than try to make sure people are following a rule. A perfect example is - don’t use a coding style document, use Prettier
Don’t use a terraform style document, use terraform fmt in your CI and reject if it changes files
I’d offer that it’s even more blissful to have the CI update and commit fmt changes for you if you forget.
I wish that was done more.
I’m not a big fan of CI making commits to my code. There are minor exceptions like Weave Flux updating versions, but other than that I want commits to my codebase to be coming from developers.
Pre-commit hooks take care of automating it from the developer’s standpoint
I’d suggest that’s still playing favorites to a tool (git) – those hooks won’t get run if you create a commit using any other tool
there are other tools?
- open a commit + PR from the GitHub web UI
- use another compatible tool, like
plus commit hooks fall afoul of the local-workstation-configuration problem
now you need tooling to maintain versions of tools used by your hooks
Awesome session, thank you sifu @Erik Osterman (Cloud Posse)!!
Thank you @Blaise Pabon!
I did not get too far into the weeds with my project. I’m happy I asked about this. I’m going to start using geodesic
@Erik Osterman (Cloud Posse) I took a closer look at how you are using geodesic and what you had explained during office hours, I can’t wait to get home and start testing this.
I think piecing it together as you did today helped a great deal.
@dalekurt that’s great news! let me know how it goes….
I was just having some fun with using a Makefile for pulling remote modules
here’s a demo:
Recovered Recording at Wed Oct 23 2019 1524 GMT-0700 (Pacific Daylight Time)
Here’s the video from today’s “office hours” (from when we hit “record”)
Office hours today?
node group per AZ, equivalent to an EKS worker pool I believe
Validating cluster us-east-1.staging.spoton.sh

INSTANCE GROUPS
NAME               ROLE     MACHINETYPE  MIN  MAX  SUBNETS
bastions           Bastion  t3.small     1    1    utility-us-east-1c,utility-us-east-1d,utility-us-east-1a
master-us-east-1a  Master   t3.medium    1    1    us-east-1a
master-us-east-1c  Master   t3.medium    1    1    us-east-1c
master-us-east-1d  Master   t3.medium    1    1    us-east-1d
nodes-us-east-1a   Node     t3.medium    1    3    us-east-1a
nodes-us-east-1c   Node     t3.medium    1    3    us-east-1c
nodes-us-east-1d   Node     t3.medium    1    3    us-east-1d
Autoscaling components for Kubernetes. Contribute to kubernetes/autoscaler development by creating an account on GitHub.
CLI tool to generate terraform files from existing infrastructure (reverse Terraform). Infrastructure to Code - GoogleCloudPlatform/terraformer
awesome turnout! thanks everyone for joining and sharing what you’re working on. hope we answered your questions
make sure to check out the links that were shared
I have a question for tomorrow’s Office Hours. How do you maintain a single source of truth and update a secrets manager (AWS SM or HashiCorp Vault) while having some audit trail and using a CI?
Will there be an office hours meeting today?
Sorry guys! Had to go to emergency hospital to pick up doggie and totally spaced
Will be back next week, same time and place
What’s that website that was shared before where you can see what other companies are paying for a SaaS?
We’re looking at terraform cloud
SaaS pricing is opaque and complex, increasingly hidden behind enterprise pricing and sales calls. It’s impossible to know what software really costs. We’re building a price transparency community to level the playing field.
Right now it’s mostly just a newsletter it seems like, and to join (at least when I did a month or two ago) you have to give them a certain number of pricing stories, but I’m interested to see where this goes.
Thanks - a shame it isn’t widely adopted though
For example how to do blue green
Create Jenkinsfile to deploy UI code to S3 bucket.
Terraform module for provisioning an EKS cluster. Contribute to cloudposse/terraform-aws-eks-cluster development by creating an account on GitHub.
Terraform module that provisions an S3 bucket to store the terraform.tfstate file and a DynamoDB table to lock the state file to prevent concurrent modifications and state corruption. - cloudposse…
Handle secrets in Docker using AWS KMS, SSM parameter store, Secrets Manager, or Azure Key Vault - s12v/exec-with-secrets
Do you know if this is a good PID 1? (killing things that need to be killed, etc.) Could always start with something like https://github.com/Yelp/dumb-init
A minimal init system for Linux containers. Contribute to Yelp/dumb-init development by creating an account on GitHub.
The “Cloud Posse” Distribution of Kubernetes Applications - cloudposse/charts