#office-hours (2022-07)
“Office Hours” are every Wednesday at 11:30 PST via Zoom. It’s open to everyone. Ask questions related to DevOps & Cloud and get answers! https://cloudposse.com/office-hours
Public “Office Hours” are held every Wednesday at 11:30 PST via Zoom. It’s open to everyone. Ask questions related to DevOps & Cloud and get answers!
https://cpco.io/slack-office-hours
Meeting password: sweetops
2022-07-01
2022-07-06
@here office hours is starting in 30 minutes! Remember to post your questions here.
Andy Miguel (Cloud Posse) has joined Public “Office Hours”
Brian Pauley has joined Public “Office Hours”
Ayobami Bamigboye has joined Public “Office Hours”
Oskar Maria Grande has joined Public “Office Hours”
Allan Mohr has joined Public “Office Hours”
Vlad Ionescu has joined Public “Office Hours”
Ralf Pieper has joined Public “Office Hours”
Isaac M has joined Public “Office Hours”
Matt Calhoun has joined Public “Office Hours”
Erik Osterman (Cloud Posse) has joined Public “Office Hours”
Luis Masaya has joined Public “Office Hours”
Julian Diaz has joined Public “Office Hours”
Sean O’Dell has joined Public “Office Hours”
Charles Smith has joined Public “Office Hours”
Michael Williams has joined Public “Office Hours”
Alexander Goya has joined Public “Office Hours”
Michael Jenkins has joined Public “Office Hours”
Alexandr Vorona has joined Public “Office Hours”
Marc Tamsky has joined Public “Office Hours”
Matt Gowie has joined Public “Office Hours”
Amer Zec has joined Public “Office Hours”
Arthur Dent has joined Public “Office Hours”
Olad Oke has joined Public “Office Hours”
Bob K has joined Public “Office Hours”
Charles Randall has joined Public “Office Hours”
Marc Tamsky has joined Public “Office Hours”
emem emem has joined Public “Office Hours”
Imran Hussian has joined Public “Office Hours”
Mohammed Yahya has joined Public “Office Hours”
Sherif Abdel-Naby has joined Public “Office Hours”
Roy Sprague has joined Public “Office Hours”
links from today’s session
• https://github.com/infracost/vscode-infracost
• https://github.com/bridgecrewio/AirIAM
• https://www.cloudvulndb.org/
• https://aws.amazon.com/about-aws/whats-new/2022/06/bare-metal-support-amazon-eks-anywhere/
• https://aws.amazon.com/about-aws/whats-new/2022/06/aws-sam-accelerate-test-code-against-cloud/
• https://github.com/hashicorp/terraform/releases/tag/v1.3.0-alpha20220706
Santiago Campuzano has joined Public “Office Hours”
@Michael Williams
https://cloudposse.com/faqs/why-do-you-recommend-spacelift/#<i class="em em-~"</i>text=With%20Spacelift%2C%20you%20have%20an,tech%20debt%20across%20all%20environments.&text=Drift%20Detection%20runs%20on%20a,what’s%20failing%2C%20and%20what’s%20queued>.
2022-07-07
interesting
2022-07-09
https://github.com/danielfoehrKn/kubeswitch
^ If you find yourself dealing with multiple clusters, and many namespaces, then consider using kubeswitch
2022-07-11
2022-07-12
| [Ansible vs Terraform | Cloud Posse Explains](https://www.youtube.com/watch?v=kEj-jyMqP_A) |
| [Don’t Deploy Lambdas with Terraform! (Unless..) | Cloud Posse Explains](https://www.youtube.com/watch?v=KaJuCFCDAAs) |
| [Why You Shouldn’t Terraform EVERYTHING | Cloud Posse Explains](https://www.youtube.com/watch?v=9hxMPq_iB7Q) |
| [AWS IAM Growing Pains? Watch This | Cloud Posse Explains](https://www.youtube.com/watch?v=KYeqbllLUFk) |
2022-07-13
@here office hours is starting in 30 minutes! Remember to post your questions here.
I’m working on the codebuild repo and I was told to write a migration doc for the newer version of terraform and aws provider. I saw that the same thing was done for the S3 module in a wiki on the repo. Should I write a separate doc in the docs directory and link to it in the repo readme as instructed, or should this be done in a Wiki as for S3 so that this can be consistent? And should my doc/wiki just link to the s3 module upgrade write up and the terraform guide for upgrade to 1.0? Or write the whole thing locally? I think linking it to the actual source would be better, but I want to know if there’s some standard/preference around these things?
@Jeremy G (Cloud Posse)
@Denis Thank you for your contributions!
Putting the migration docs in the Wiki was an experiment, and in the end we decided we did not like it. So we have standardized on creating migration documents in the docs/ directory with names like migration-v1-v2.md . You should then put a summary/highlights in the PR description, which we will then copy to the Release Notes. See, for example, dynamic-subnets v2.
You should not copy the S3 bucket documentation, you should link to https://github.com/cloudposse/terraform-aws-s3-bucket/wiki/Upgrading-to-v2.0 instead.
On the question of what to put in README.yaml, if the breaking changes due to an upgrade could result in data loss, then a warning to that effect should be included in the introduction block. Otherwise, migration docs can be left to just the release notes.
One other thing is to make sure to update the examples in the README, as well as in examples/, for the new interface.
Thanks again!
CC @RB
Erik Osterman (Cloud Posse) has joined Public “Office Hours”
Oscar Blanco has joined Public “Office Hours”
Roy Sprague has joined Public “Office Hours”
Denis Simonovski has joined Public “Office Hours”
venkata mutyala has joined Public “Office Hours”
Ralf Pieper has joined Public “Office Hours”
Matt Calhoun has joined Public “Office Hours”
Marcos Soutullo has joined Public “Office Hours”
Andy Miguel (Cloud Posse) has joined Public “Office Hours”
Ralf Pieper has joined Public “Office Hours”
Uwaila Adams has joined Public “Office Hours”
Alexandr Vorona has joined Public “Office Hours”
Ralf Pieper has joined Public “Office Hours”
Luis Masaya has joined Public “Office Hours”
Andy Roth has joined Public “Office Hours”
Isa Aguilar has joined Public “Office Hours”
Harold Sphinx has joined Public “Office Hours”
Vlad Ionescu has joined Public “Office Hours”
Bob K has joined Public “Office Hours”
Eric Berg has joined Public “Office Hours”
Yusuf has joined Public “Office Hours”
Brian Choate has joined Public “Office Hours”
Babu Balagani has joined Public “Office Hours”
Marcos Soutullo has joined Public “Office Hours”
tamsky has joined Public “Office Hours”
links from today’s session
• https://github.com/Pluralith/pluralith-cli
• https://www.hashicorp.com/blog/announcing-launch-and-free-public-beta-of-hcp-boundary
• https://github.com/cloudposse/terraform-aws-security-group/releases/tag/2.0.0-rc1
• https://aws.amazon.com/about-aws/whats-new/2022/07/general-availability-aws-cloud-wan/
Marcos Soutullo has joined Public “Office Hours”
Amer Zec has joined Public “Office Hours”
Patrick McDonald has joined Public “Office Hours”
Sherif Abdel-Naby has joined Public “Office Hours”
Amer Zec has joined Public “Office Hours”
Paul Bullock has joined Public “Office Hours”
Asha Duri has joined Public “Office Hours”
Kayode Adeniyi has joined Public “Office Hours”
Basilis Markopoulos has joined Public “Office Hours”
Maybe can be a discussion for another Office Hours, but I now hate Helm Charts :’D
Helm Charts are “Shifting Right” instead of left. Our company Helm Charts for our apps (not third party apps) is now very complicated that only a “Platform / DevOps” guy can “debug” them.
We end up needing to parameterize everything, and Go Templates is basically “not enough” for all the logic we need. Curious to know your thoughts, do you feel the same way ?
i have missed the Office Hours, was this topic discussed? If so pls let me know and will watch the recording. Thx
https://kpt.dev/ ^ Is interesting tho
I think @Sherif asked in the chat if anyone uses Crossplane. @Matt Gowie has been kicking the tires a lot on it lately
@Sherif I wasn’t able to make office hours today as I’m teaching, but if you’re interested in chatting Crossplane then feel free to ping me directly!
2022-07-14
| [Standardize Your Kubernetes App Monitors! (& How to Handle Exceptions) | Cloud Posse Explains](https://www.youtube.com/watch?v=cEGOdr3ekS8) |
2022-07-15
2022-07-19
2022-07-20
Speaking of AWS SSO ^^ — If we’re lacking topics for today, I would be interested to hear how folks are finding their implementations of AWS SSO w/ SAML vs IAM SAML. I’ve worked with AWS SSO but it was before it had Terraform support and even now that it does have Terraform support, it seems limited. I’d like to hear about any pitfalls, what can and can’t be automated today, and what to watch out for.
2
Nice! i worked on this recently! i’d love to hear about it too.
@matt @Jeremy G (Cloud Posse)
@here office hours is starting in 30 minutes! Remember to post your questions here.
I’m having some technical difficulties (network died) hoping to be back on shortly
Erik Osterman (Cloud Posse) has joined Public “Office Hours”
Allan Mohr has joined Public “Office Hours”
venkata mutyala has joined Public “Office Hours”
Yusuf has joined Public “Office Hours”
Isaac M has joined Public “Office Hours”
dag viggo lokoeen has joined Public “Office Hours”
Kayode Adeniyi has joined Public “Office Hours”
Oliver Schoenborn has joined Public “Office Hours”
Jose Figueredo has joined Public “Office Hours”
Mohammed Yahya has joined Public “Office Hours”
Hari Prasad Venkatanarayana has joined Public “Office Hours”
Alexandr Vorona has joined Public “Office Hours”
Matt Calhoun has joined Public “Office Hours”
Bridget Royer has joined Public “Office Hours”
Matt Gowie has joined Public “Office Hours”
Amaan Khan has joined Public “Office Hours”
Adam Buggia has joined Public “Office Hours”
Amer Zec has joined Public “Office Hours”
Ralf Pieper has joined Public “Office Hours”
Ingvar Örn Ólason has joined Public “Office Hours”
Andrew Vitko has joined Public “Office Hours”
Isa Aguilar has joined Public “Office Hours”
Sherif Abdel-Naby has joined Public “Office Hours”
Yusuf has joined Public “Office Hours”
Matt Calhoun has joined Public “Office Hours”
Christopher Pieper has joined Public “Office Hours”
Oliver Schoenborn has joined Public “Office Hours”
A B has joined Public “Office Hours”
Santiago Campuzano has joined Public “Office Hours”
I have a question about best practice when using an API Gateway which handles authorization token validation.
CURRENT ARCHITECTURE (Authorisation handled by individual services)
DESIRED ARCHITECTURE (Authorisation handled by the API gateway)
Questions:
• When offloading token authorisation to the API gateway are all API requests between services essentially unprotected?
• If so how do you manage access to the services (e.g. from developers in the non-prod environment)
@matt my understanding was that when using an API gateway you could offload the responsibility of validating tokens to the API gateway, so communication behind that didn’t require token validation. Is that incorrect?
That’s what we were hoping just to simplify our services so they didn’t have to worry about it. (they currently all individually make calls to our token-service to validate tokens)
Roy Sprague has joined Public “Office Hours”
Maged Abdelmoeti has joined Public “Office Hours”
PePe Amengual has joined Public “Office Hours”
2022-07-21
Anyone here have a preferred helm chart they would recommend for deploying prometheus + grafana?
Adding another BeyondCorp tool question to the seemingly never ending pile: Has anyone used Cloudflare’s Tunnel + Access products? A prospect just brought it up and I’d be interested to hear if anyone has adopted it and what your experience was.
2022-07-27
I’m working on pulling out my K8s workload deploys to a non-TF-based solution. What solutions are you using? I’ve come up with paths to using Flux, Github Actions, and Spacelift. I’d like to hear about some approaches you’ve taken, pros/cons, etc.
@here office hours is starting in 30 minutes! Remember to post your questions here.
Great questions today!
Erik Osterman (Cloud Posse) has joined Public “Office Hours”
Jeremy Bouse has joined Public “Office Hours”
Allan Mohr has joined Public “Office Hours”
Ralf Pieper has joined Public “Office Hours”
dag viggo lokoeen has joined Public “Office Hours”
Alex Atkinson has joined Public “Office Hours”
Vlad Ionescu has joined Public “Office Hours”
Linda Pham (Cloud Posse) has joined Public “Office Hours”
Dimitris Kargatzis has joined Public “Office Hours”
Robert Jordan has joined Public “Office Hours”
Christopher Pieper has joined Public “Office Hours”
Luis Masaya has joined Public “Office Hours”
Qazi Hasan has joined Public “Office Hours”
David Hawthorne has joined Public “Office Hours”
Charles Smith has joined Public “Office Hours”
Isa Aguilar has joined Public “Office Hours”
Matt Calhoun has joined Public “Office Hours”
Eric Berg has joined Public “Office Hours”
Allan Swanepoel has joined Public “Office Hours”
Andrew Hall has joined Public “Office Hours”
Ben Smith (Cloud Posse) has joined Public “Office Hours”
Matt Gowie has joined Public “Office Hours”
Rupinder Matharoo has joined Public “Office Hours”
Roy Sprague has joined Public “Office Hours”
Dave Gregory has joined Public “Office Hours”
Tim Gourley has joined Public “Office Hours”
Isa Aguilar has joined Public “Office Hours”
Alexandr Vorona has joined Public “Office Hours”
Ozzy has joined Public “Office Hours”
Michael Williams has joined Public “Office Hours”
Matt Calhoun has joined Public “Office Hours”
Jim Park has joined Public “Office Hours”
Ian Bartholomew has joined Public “Office Hours”
Oskar Maria Grande has joined Public “Office Hours”
A few weeks ago (been looking through old vids but can’t find it) there was some talk about Control Tower and whether it could be fully Terraformed. IIRC CloudPosse don’t use Control Tower because it can’t. What do you do instead? Just about to embark on building a fresh org to migrate old accounts into and was planning to use ATF to vend new accounts, but the lack of Terraformability put me off and now I can’t really see what I’m getting from Control Tower.
Ozzy has joined Public “Office Hours”
Gerard Ceraso has joined Public “Office Hours”
Sherif Abdel-Naby has joined Public “Office Hours”
Patrick McDonald has joined Public “Office Hours”
Dave Gregory has joined Public “Office Hours”
Marc Tamsky has joined Public “Office Hours”
links from today’s session:
just a heads up for folks who might consider using ssosync - i’m using it but hit https://github.com/awslabs/ssosync/issues/81 and so i’m now using the fork as mentioned in one of the comments.
eek! that’s a big one:
Doesn’t support more than 50 users
yep, note much can be done unless AWS does some changes to their API … unlikely imo . The fork works for me but then again my entire org is only 200 employees out of which only 2/3 gets synced so not sure if this scales for bigger orgs.
2022-07-28
Hey there. I just ear the concern about multiple MFAs for AWS root accounts. You can use vault, 1pw or authy. You can also just share the mfa seed key with multiple people. Just share the qr code (or qr code content) and ask people to add it to their authenticator. It’s not centralized, so not shared wich means you’ll have to re-share the new key on a event of a renew for example. it’s not ideal, but possible.
that is true but that doesn’t do anything for safe storage of the QR code or seed key. You still have to protect that from potential leak accidently. If you print the QR code with the seed key or save the file, how do you ensure it is kept secure. The suggestions of vault, 1pw and authy all have means by which it can be shared securely and restrict dissemination. I believe that is why they were recommended vs just sharing the seed key or QR code.
What we did in one previous location was to split the mfa seed key into 3 fragments, and put each fragment in a different safe, and a different guardian assigned to verify that the fragment is tamper proof ( used evidence bags and sealed envelopes)
All three parties had to attend a pseudo key ceremony if it was needed to access the fragment to get access. Not ideal, but better than Single person with single point access
2022-07-29
2022-07-30
Came across this build framework today. The config looks like a cocktail made with one part Dockerfile and one part Makefile. https://earthly.dev/
I’m curious if anyone has tried earthly and what the results were.
This has come up a few times. It looks pretty cool — I haven’t checked it out yet, but I would like to.