SweetOps #office-hours for August, 2022

Public “Office Hours” are held every Wednesday at 11:30 PST via Zoom. It’s open to everyone. Ask questions related to DevOps & Cloud and get answers!

https://cpco.io/slack-office-hours

Meeting password: sweetops

2022-08-02

david.gregory_slack

10:08:02 AM

I’m just embarking on ‘decomposing’ a small number of shared/’monolithic’ AWS accounts into a larger number of focussed AWS accounts. Naming is hard. Feels like every account/workload/stage needs an expressive string to embed in its resource names, so when you’re referencing those resources across accounts, it’s easy to see what’s what without needing to parse account IDs. That string needs to be short (because of the many resource name length restrictions), expressive (so it actually helps) and unique (for facepalm avoidance). Am I thinking about this right? Any advice?

Joe Niland

08:26:34 PM

Do you mean something like this? https://registry.terraform.io/modules/cloudposse/label/null/latest

david.gregory_slack

12:51:21 PM

That certainly looks useful, thanks!

Erik Osterman (Cloud Posse)

05:31:30 PM

I’ll discuss on our call today

Erik Osterman (Cloud Posse)

08:48:59 PM

https://sweetops.slack.com/archives/CCT1E7JJY/p1659467623805429

I have an unusual situation with a client. They manage many remote sites and have physical devices (up to 20) at each location. Each device needs to send metrics to cloudwatch and upload files to S3 and they currently use static aws credentials (~~~/.aws/credentials). I would like to move them to IAM anywhere to use temporary credentials. The ask is if a device gets compromised how can we disable access to AWS from that particular device. I was thinking to use an IAM Role per device however they are expecting to have ~~~k devices online by the end of the year. I’d use Terraform to manage the roles and AWS organizations to use multiple accounts since there’s a 5k IAM role quota per account. Does this sound manageable? or is there a better approach?

2022-08-03

Mohammed Yahya

08:34:23 AM

I would like to discuss this today https://github.com/cloudposse/terraform-aws-efs/issues/114

Have a question? Please check out our Slack Community or visit our Slack Archive.

Slack Community

Describe the Feature

Adding missing EFS Terraform resources:

• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system_policy • https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_replication_configuration

Goals

• EFS Policy will make sure TLS connection only to EFS and enable encryption in transit • more here https://aws.amazon.com/blogs/aws/new-for-amazon-efs-iam-authorization-and-access-points/ • EFS replication will help greatly with DR scenarios

Use Case

resource "aws_efs_file_system" "fs" {
  creation_token = "my-product"
}

resource "aws_efs_file_system_policy" "policy" {
  file_system_id = aws_efs_file_system.fs.id

  bypass_policy_lockout_safety_check = true

  policy = <<POLICY
{
    "Version": "2012-10-17",
    "Id": "ExamplePolicy01",
    "Statement": [
        {
            "Sid": "ExampleStatement01",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Resource": "${aws_efs_file_system.test.arn}",
            "Action": [
                "elasticfilesystem:ClientMount",
                "elasticfilesystem:ClientWrite"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "true"
                }
            }
        }
    ]
}
POLICY
}

resource "aws_efs_replication_configuration" "example" {
  source_file_system_id = aws_efs_file_system.fs.id

  destination {
    region = "us-west-2"
    kms_key_id = "xxx"
  }
}

also for the KMS key, if we used aws_kms_replica_key will allows to use the same key in DR regions:

provider "aws" {
  alias  = "primary"
  region = "us-east-1"
}

provider "aws" {
  region = "us-west-2"
}

resource "aws_kms_key" "primary" {
  provider = aws.primary

  description             = "Multi-Region primary key"
  deletion_window_in_days = 30
  multi_region            = true
}

resource "aws_kms_replica_key" "replica" {
  description             = "Multi-Region replica key"
  deletion_window_in_days = 7
  primary_key_arn         = aws_kms_key.primary.arn
}

Erik Osterman (Cloud Posse)

05:37:02 PM

@Jeremy G (Cloud Posse) will you be on the call today?

Have a question? Please check out our Slack Community or visit our Slack Archive.

Slack Community

Describe the Feature

Adding missing EFS Terraform resources:

Goals

Use Case

resource "aws_efs_file_system" "fs" {
  creation_token = "my-product"
}

resource "aws_efs_file_system_policy" "policy" {
  file_system_id = aws_efs_file_system.fs.id

  bypass_policy_lockout_safety_check = true

  policy = <<POLICY
{
    "Version": "2012-10-17",
    "Id": "ExamplePolicy01",
    "Statement": [
        {
            "Sid": "ExampleStatement01",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Resource": "${aws_efs_file_system.test.arn}",
            "Action": [
                "elasticfilesystem:ClientMount",
                "elasticfilesystem:ClientWrite"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "true"
                }
            }
        }
    ]
}
POLICY
}

resource "aws_efs_replication_configuration" "example" {
  source_file_system_id = aws_efs_file_system.fs.id

  destination {
    region = "us-west-2"
    kms_key_id = "xxx"
  }
}

also for the KMS key, if we used aws_kms_replica_key will allows to use the same key in DR regions:

provider "aws" {
  alias  = "primary"
  region = "us-east-1"
}

provider "aws" {
  region = "us-west-2"
}

resource "aws_kms_key" "primary" {
  provider = aws.primary

  description             = "Multi-Region primary key"
  deletion_window_in_days = 30
  multi_region            = true
}

resource "aws_kms_replica_key" "replica" {
  description             = "Multi-Region replica key"
  deletion_window_in_days = 7
  primary_key_arn         = aws_kms_key.primary.arn
}

Jeremy G (Cloud Posse)

05:51:27 PM

@Erik Osterman (Cloud Posse) I wasn’t planning to be on the call, but I can join if you want. LMK.

Erik Osterman (Cloud Posse)

06:25:10 PM

@Mohammed Yahya this question is probably best sorted directly with @Jeremy G (Cloud Posse)

Mohammed Yahya

08:35:50 AM

and also there is a nice number of replication supported with Terraform now, which will help set up a DR easily:

• KMS

• ECR

• SecretManager

• EFS

• RDS

Gabriel

10:55:00 AM

Regarding GitOps …

Without going into too much detail, I use Github actions and a structure of application and env repositories. Applications publish charts and terraform modules. Env repositories use those in addition to a env specific configuration. Everything is automated, the infrastructure and Kubernetes resources state is located as code in the env repositories. There is a lot of reusability with GH actions, there are a few cool custom features like automatic conversion of terraform output to helm values, automatic blue/green deployments for k8s version upgrades and others. Because of GH actions I don’t have to deploy/manage/troubleshoot/fix anything myself, I don’t have to worry about scalability. Multi-tenancy is achieved by creating additional env/tenant repositories and updating configuration.

Questions are:

Are solutions like Flux/Argo worth the self managing/scaling/troubleshooting/migration efforts? Can those solutions handle terraform? Or would I need another service like Spacelift in addition to Flux/Argo? Anybody using Flux/Argo? Pros/Cons? Anybody migrated from GH to Flux/Argo?

Sorry for the general open ended questions, I know that in the end I will have to decide for myself but I was curious about your thoughts and experience. Maybe this is something for the Office Hours. I will also go through older episodes try to find GitOps content.

Eamon Keane

11:07:43 AM

I think a portion of your question was actually answered in the previous oh.

https://youtu.be/gWbBF-bflPw?t=2046

DevOps "Office Hours" (2022-07-27)

Eamon Keane

12:09:48 PM

just as an additional point, GCP are going on all in on the Kubernetes Resource Model (KRM) and have comprehensive coverage to let you manage your resources in yaml with the config managed by GCP (e.g. no need to centrally manage/backup the config in a management cluster).

https://cloud.google.com/config-connector/docs/reference/overview

Redhat is investing some resources in this KRM direction also with kcp (https://github.com/kcp-dev/kcp).

AWS is hedging its bets but defaulting to cloud formation it seems. Azure is going with flux and bicep. On AWS the two approaches that support the KRM model are Pulumi and Crossplane but to get the managed config cluster you need to get the hosted version and they may not have full coverage/good components yet.

Erik Osterman (Cloud Posse)

05:39:37 PM

Great - lets discuss today

Gabriel

12:53:58 PM

Listened to the episode, great input and points regarding flux/argo/etc. Will definitely help with decision making.

Gabriel

02:01:50 PM

Thanks a lot

Erik Osterman (Cloud Posse)

08:04:27 PM

Thanks @Gabriel

DaniC (he/him)

08:48:25 AM

@Eamon Keane thx a bunch for sharing the KRM, wasn’t aware of GCP path; looking at the service coverage it sounds like they put great effort into it.

Erik Osterman (Cloud Posse)

06:01:37 PM

@here office hours is starting in 30 minutes! Remember to post your questions here.

Zoom

06:27:25 PM

Erik Osterman (Cloud Posse) has joined Public “Office Hours”

Zoom

06:27:40 PM

Ralf Pieper has joined Public “Office Hours”

Zoom

06:27:51 PM

Chris Barnes has joined Public “Office Hours”

Zoom

06:27:56 PM

Dave Gregory has joined Public “Office Hours”

Zoom

06:29:37 PM

Linda Pham (Cloud Posse) has joined Public “Office Hours”

Zoom

06:29:42 PM

dag viggo lokoeen has joined Public “Office Hours”

Zoom

06:30:02 PM

Vlad Ionescu has joined Public “Office Hours”

Zoom

06:30:07 PM

Christopher Pieper has joined Public “Office Hours”

Zoom

06:30:27 PM

Matt Calhoun has joined Public “Office Hours”

Zoom

06:30:39 PM

Roy Sprague has joined Public “Office Hours”

Zoom

06:30:49 PM

Zadkiel has joined Public “Office Hours”

Zoom

06:31:02 PM

Ian Bartholomew has joined Public “Office Hours”

Zoom

06:31:04 PM

Tim Gourley has joined Public “Office Hours”

Zoom

06:31:12 PM

Bradley Peterson has joined Public “Office Hours”

Zoom

06:31:14 PM

Isa Aguilar has joined Public “Office Hours”

Ralf Pieper

06:31:17 PM

I am interested in testimonials about Oracle Cloud.

Zoom

06:31:40 PM

Martin Palastanga has joined Public “Office Hours”

Zoom

06:31:46 PM

Adam Buggia has joined Public “Office Hours”

Zoom

06:31:51 PM

Josh has joined Public “Office Hours”

Zoom

06:32:01 PM

Michael Jenkins has joined Public “Office Hours”

Zoom

06:32:32 PM

Charles Smith has joined Public “Office Hours”

Zoom

06:34:28 PM

Zadkiel has joined Public “Office Hours”

Zoom

06:34:35 PM

Andrew Vitko has joined Public “Office Hours”

Zoom

06:35:01 PM

Ashwin Jacob has joined Public “Office Hours”

Zoom

06:35:11 PM

Antarr Byrd has joined Public “Office Hours”

Zoom

06:35:12 PM

Ben Smith (Cloud Posse) has joined Public “Office Hours”

Zoom

06:35:16 PM

Guilherme Borges has joined Public “Office Hours”

Zoom

06:35:19 PM

Ozzy has joined Public “Office Hours”

Zoom

06:36:25 PM

Vincent Werner has joined Public “Office Hours”

Zoom

06:36:34 PM

tamsky has joined Public “Office Hours”

Zoom

06:36:44 PM

Michael Williams has joined Public “Office Hours”

Zoom

06:37:25 PM

Yusuf has joined Public “Office Hours”

Zoom

06:40:57 PM

Naiman Daniels has joined Public “Office Hours”

Zoom

06:44:27 PM

Sherif Abdel-Naby has joined Public “Office Hours”

Zoom

06:54:14 PM

Azar AKB has joined Public “Office Hours”

Zoom

06:54:29 PM

Marc Tamsky has joined Public “Office Hours”

Zoom

07:00:51 PM

Eric Berg has joined Public “Office Hours”

Zoom

07:01:18 PM

Paul Bullock has joined Public “Office Hours”

Zoom

07:08:42 PM

Isaac M has joined Public “Office Hours”

Zoom

07:09:33 PM

13153275398 has joined Public “Office Hours”

Zoom

07:09:35 PM

Isaac M has joined Public “Office Hours”

Zoom

07:10:24 PM

13153275398 has joined Public “Office Hours”

Zoom

07:10:48 PM

Isaac M has joined Public “Office Hours”

Zoom

07:14:10 PM

Sherif Abdel-Naby has joined Public “Office Hours”

Linda Pham (Cloud Posse)

07:17:53 PM

Links from today’s session: https://medium.com/tinder/exploiting-github-actions-on-open-source-projects-5d93936d189f https://github.com/TinderSec/gh-workflow-auditor https://beta.sayhello.so/ https://github.blog/changelog/2022-08-03-github-actions-remove-offline-self-hosted-runners/ https://github.com/runatlantis/atlantis/pull/997 https://aws.amazon.com/blogs/security/how-to-eliminate-the-need-for-hardcoded-aws-credentials-in-devices-by-using-the-aws-iot-credentials-provider/ https://aws.amazon.com/blogs/iot/securely-ingesting-large-sized-payloads-from-iot-devices-to-the-aws-cloud/ https://docs.aws.amazon.com/iot/latest/developerguide/iot-provision.html https://github.com/cloudposse/terraform-aws-efs/issues/114

SweetOps

09:27:52 PM

DevOps “Office Hours” (2022-08-03)

2022-08-04

2022-08-05

2022-08-07

venkata.mutyala

10:14:49 PM

https://www.hashicorp.com/blog/cdk-for-terraform-now-generally-available

CDK for Terraform Is Now Generally Available

Cloud Development Kit for Terraform (CDKTF) has reached its first GA release, adding full support for Go and providing a GitHub action to use with Terraform Cloud.

2022-08-09

Isaac

05:35:27 PM

Discussion topic : I have the privilege of designing the VPC’s for my org and i’m looking for insights. What would you do differently if you had this luxury (e.g use IPAM e.t.c)? Should I go multi-account with multi-vpc or embrace the touted simplicity of Shared VPC?

Intro to Production-grade Design | Gruntwork Docs

With all the core concepts out of the way, let’s now discuss how to configure a production-grade VPC that looks

VPC sharing: A new approach to multiple accounts and VPC management | Amazon Web Services

My first interaction with AWS was immediately after the launch of the Asia Pacific (Sydney) AWS Region, just a bit over 6 years ago. Back then, the AWS Management Console had fewer services, and I quickly found the Amazon Virtual Private Cloud (VPC). In under 10 minutes, I could define a new VPC, with subnets, […]

2022-08-10

Vlad Ionescu (he/him)

05:18:41 PM

AWS Storage Day is happening: https://aws.amazon.com/blogs/aws/welcome-to-aws-storage-day-2022/ and we got a couple (small) announcements

Welcome to AWS Storage Day 2022 | Amazon Web Services attachment image

We are on the fourth year of our annual AWS Storage Day! Do you remember our first Storage Day 2019 and the subsequent Storage Day 2020? I watched Storage Day 2021, which was streamed live from downtown Seattle. We continue to hear from our customers about how powerful the Storage Day announcements and educational sessions […]

Vlad Ionescu (he/him)

05:48:11 PM

(Also, I might not make it to today’s call. Sorry!)

Erik Osterman (Cloud Posse)

06:00:52 PM

@here office hours is starting in 30 minutes! Remember to post your questions here.

Zoom

06:29:13 PM

Erik Osterman (Cloud Posse) has joined Public “Office Hours”

Zoom

06:29:25 PM

Alex Atkinson has joined Public “Office Hours”

Zoom

06:29:28 PM

Andrew Hall has joined Public “Office Hours”

Zoom

06:29:37 PM

Alex Atkinson has joined Public “Office Hours”

Zoom

06:29:42 PM

dag viggo lokoeen has joined Public “Office Hours”

Zoom

06:29:43 PM

Jonathan Poczatek has joined Public “Office Hours”

Zoom

06:29:49 PM

Linda Pham (Cloud Posse) has joined Public “Office Hours”

Zoom

06:29:59 PM

Andrew Vitko has joined Public “Office Hours”

Zoom

06:30:47 PM

Robert Jordan has joined Public “Office Hours”

Zoom

06:32:00 PM

Matt Calhoun has joined Public “Office Hours”

Zoom

06:32:08 PM

Ralf Pieper has joined Public “Office Hours”

Zoom

06:32:08 PM

Oscar Jara has joined Public “Office Hours”

Zoom

06:32:10 PM

Barak Griffis has joined Public “Office Hours”

Zoom

06:32:13 PM

Alexandr Vorona has joined Public “Office Hours”

Zoom

06:33:01 PM

Johnmary Odenigbo has joined Public “Office Hours”

Zoom

06:34:09 PM

Gerard Ceraso has joined Public “Office Hours”

Zoom

06:35:04 PM

Jan-Arve Nygård has joined Public “Office Hours”

Zoom

06:35:05 PM

Jim Park has joined Public “Office Hours”

Zoom

06:36:04 PM

Oliver Schoenborn has joined Public “Office Hours”

Zoom

06:36:54 PM

Ben Smith (Cloud Posse) has joined Public “Office Hours”

Zoom

06:37:25 PM

Shaun Wang has joined Public “Office Hours”

Zoom

06:37:47 PM

Eric Berg has joined Public “Office Hours”

Zoom

06:39:07 PM

Ruslan Butdayev has joined Public “Office Hours”

Zoom

06:39:28 PM

Mazin Ahmed has joined Public “Office Hours”

Zoom

06:40:05 PM

Jim Park has joined Public “Office Hours”

Zoom

06:41:05 PM

Charles Smith has joined Public “Office Hours”

Zoom

06:42:41 PM

Amaan Khan has joined Public “Office Hours”

Zoom

06:43:57 PM

Bridget Royer has joined Public “Office Hours”

Zoom

06:48:25 PM

Waqar Ahmed has joined Public “Office Hours”

Zoom

07:00:43 PM

Roy Sprague has joined Public “Office Hours”

Zoom

07:05:49 PM

Antarr Byrd has joined Public “Office Hours”

Jim Park

07:17:02 PM

Disclaimer: I haven’t used this, but only thought it was novel that they are essentially fighting AWS on margin for their NAT Gateways. https://www.cohesive.net/vns3/cloud-nat/

Cloud NAT - VNS3 NATe - Cohesive Networks

VNS3 NATe provides NAT Gateway functionality with additional security and control at a fraction of the cost.

Linda Pham (Cloud Posse)

07:28:26 PM

Links from today’s call: https://github.blog/2022-07-27-planning-next-to-your-code-github-projects-is-now-generally-available/ https://github.blog/changelog/2022-08-09-github-actions-self-hosted-runners-now-support-apple-m1-hardware https://bridgecrew.io/blog/checkov-enables-ci-cd-security-with-new-supply-chain-security-policies/ https://saveslack.com/ https://home.robusta.dev/blog/stop-using-cpu-limits/ https://www.hashicorp.com/blog/cdk-for-terraform-now-generally-available https://aws.amazon.com/about-aws/whats-new/2022/08/amazon-ebs-crash-consistent-snapshots-subset-ebs-volumes-attached-amazon-ec2-instance/

SweetOps

09:47:09 PM

DevOps “Office Hours” (2022-08-10)

2022-08-11

Shawn Stout

05:13:01 AM

hello

2022-08-12

Shawn Stout

05:03:01 PM

hey is anyone around?

venkata.mutyala

03:40:49 AM

Yep!

Erik Osterman (Cloud Posse)

06:24:59 PM

yep, call starting in 6min

2022-08-15

2022-08-17

Erik Osterman (Cloud Posse)

06:01:16 PM

@here office hours is starting in 30 minutes! Remember to post your questions here.

Vlad Ionescu (he/him)

06:06:11 PM

I won;’t make it to today’s call

Erik Osterman (Cloud Posse)

06:24:49 PM

summer break?

Vlad Ionescu (he/him)

08:04:53 PM

Nope, worky-worky me with a bunch of client meetings that of course are all scheduled for today

Zoom

06:30:55 PM

Erik Osterman (Cloud Posse) has joined Public “Office Hours”

Zoom

06:30:57 PM

Robert Jordan has joined Public “Office Hours”

Zoom

06:30:58 PM

Marc Tamsky has joined Public “Office Hours”

Zoom

06:31:00 PM

Alex Atkinson has joined Public “Office Hours”

Zoom

06:31:00 PM

Roy Sprague has joined Public “Office Hours”

Zoom

06:31:05 PM

Ralf Pieper has joined Public “Office Hours”

Zoom

06:31:06 PM

Linda Pham (Cloud Posse) has joined Public “Office Hours”

Zoom

06:31:10 PM

Marc Tamsky has joined Public “Office Hours”

Zoom

06:31:12 PM

Alex Atkinson has joined Public “Office Hours”

Zoom

06:31:14 PM

venkata mutyala has joined Public “Office Hours”

Zoom

06:31:15 PM

Jonathan Poczatek has joined Public “Office Hours”

Zoom

06:31:22 PM

Thomas Poetke has joined Public “Office Hours”

Zoom

06:31:26 PM

Andrew Vitko has joined Public “Office Hours”

Zoom

06:31:37 PM

Ronnie Coleman has joined Public “Office Hours”

Zoom

06:31:38 PM

dag viggo lokoeen has joined Public “Office Hours”

Zoom

06:31:56 PM

Matt Calhoun has joined Public “Office Hours”

Zoom

06:32:24 PM

Johnmary Odenigbo has joined Public “Office Hours”

Zoom

06:32:25 PM

Jesus Martinez has joined Public “Office Hours”

Zoom

06:32:55 PM

Marc Tamsky has joined Public “Office Hours”

Zoom

06:32:58 PM

Oskar Maria Grande has joined Public “Office Hours”

Zoom

06:33:47 PM

Isaac M has joined Public “Office Hours”

Zoom

06:34:02 PM

emem u has joined Public “Office Hours”

Zoom

06:34:14 PM

Matthew Pickens has joined Public “Office Hours”

Zoom

06:34:41 PM

Allen Lyons has joined Public “Office Hours”

Zoom

06:34:48 PM

Steven Kalt has joined Public “Office Hours”

Zoom

06:36:26 PM

Adam Buggia has joined Public “Office Hours”

Zoom

06:36:46 PM

Alex Atkinson has joined Public “Office Hours”

venkata.mutyala

06:38:02 PM

I recently heard there are cheaper alternatives to AWS Support provided by their third party partners. I’m unclear on which partners offer this but does anyone here use an alternative to AWS Support? If so, who do you pay and is it just as “good”?

Zoom

06:39:07 PM

Sam Caneer has joined Public “Office Hours”

Zoom

06:46:32 PM

Adedapo Ajuwon has joined Public “Office Hours”

Zoom

07:17:30 PM

Linda Pham (Cloud Posse) has joined Public “Office Hours”

Zoom

07:21:24 PM

emem u has joined Public “Office Hours”

Linda Pham (Cloud Posse)

07:39:47 PM

Links from today’s call: https://github.com/cloudposse/terraform-aws-ecr-public https://github.com/cloudposse/terraform-aws-lakeformation https://github.com/cloudposse/terraform-aws-glue https://github.com/cloudposse/terraform-aws-athena https://github.com/cloudposse/terraform-aws-kinesis-stream https://github.blog/changelog/2022-08-10-github-pages-builds-with-github-actions-ga/ https://www.theregister.com/2022/08/12/atlassian_cloud_6999_2023/ https://github.com/jckuester/terradozer https://github.com/DontShaveTheYak/cf2tf https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html

SweetOps

09:45:28 PM

DevOps “Office Hours” (2022-08-17)

2022-08-19

david.gregory_slack

05:30:32 PM

A dev asked me today whether he should store the rds-ca root cert in his Lambda’s repo (feels icky, would need a code change to update), add it at build time (redeploy to update, not loads better), or get it at run time (potentially adding an HTTP roundtrip to the front of every exec). Wondered if we could store in SSM and inject straight into the context as you can with ECS tasks, but couldn’t see how. Wondered whether Lambda’s temp storage persisted predictably enough that you could ‘memoize’/’cache’ the runtime get. Ran out of ideas. Posted in #office-hours. Any wisdom?

Joe Niland

12:57:38 AM

Just to clarify, you’re talking about downloading this file, right? https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html

Using SSL/TLS to encrypt a connection to a DB instance - Amazon Relational Database Service

Create encrypted connections to your Amazon RDS DB instance using SSL/TLS.

david.gregory_slack

08:02:48 AM

We seem to be able to get away with just using https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem (linked from here) but essentially yes

tamsky

06:23:11 PM

For our lambda infra we’ve stored that same cert (which also gets a slight ick from me “as-a-pattern”) alongside DB credentials in secrets manager. But we do have a backlog ticket to have a cron-task/script verify the public .pem matches the cert in our json-based secret.

david.gregory_slack

09:59:43 PM

And you grab it at the start of each invocation?

tamsky

10:58:53 PM

And you grab it at the start of each invocation? Yes — and essentially, this is free. We’re already mandated to make a call to SecretsManager to retrieve the RDS credentials (we don’t store the secret in the same account as the Lambda).

tamsky

11:15:10 PM

What type of RDS creds does your Lambda use? Where are those stored (if not using IAM)

david.gregory_slack

09:21:03 PM

Yes — and essentially, this is free. We’re already mandated to make a call to SecretsManager to retrieve the RDS credentials Possibly being slow but not completely following this. It’s free because you’re already making a call to SecretsManager and you can ‘bulk retrieve’ the cert from there along with the RDS creds in a single HTTP transaction? Or is it free because it’s just really fast? (or both?)
What type of RDS creds does your Lambda use? Where are those stored (if not using IAM) Generally we use SSM, but I believe this component recently switched to Secrets Manager as a trial.

Thanks, this is interesting!

2022-08-22

2022-08-24

Erik Osterman (Cloud Posse)

06:00:14 PM

@here office hours is starting in 30 minutes! Remember to post your questions here.

Eric Berg

06:19:34 PM

Q: Is there a deep-dive video covering the Cloudposse Way? Things like how contexts work, incl. the fixtures files, as well as overall phlosophy, etc.?

Erik Osterman (Cloud Posse)

06:21:10 PM

I want to host a Cloud Posse Activation Day

Erik Osterman (Cloud Posse)

06:21:17 PM

I’ll start a list

Erik Osterman (Cloud Posse)

06:21:30 PM

Don’t know yet when we will host it

Matthew

07:09:25 PM

I would be interested in knowing more about an Activation Day.

david.gregory_slack

09:25:07 PM

Bit late to the party but I’m definitely up for an Activation Day, with one or two of my dudes. We’re on UK time, but I’m hopeful we could work something out.

Eric Berg

06:22:35 PM

Also, I’m building out TF for Aurora and would appreciate any input on the process.

venkata.mutyala

07:06:09 PM

Interested. [email protected]

Zoom

06:28:42 PM

Erik Osterman (Cloud Posse) has joined Public “Office Hours”

Zoom

06:28:46 PM

Robert Jordan has joined Public “Office Hours”

Zoom

06:28:52 PM

Adnan M. has joined Public “Office Hours”

Zoom

06:28:53 PM

Eric Berg has joined Public “Office Hours”

Zoom

06:29:27 PM

Marc Tamsky has joined Public “Office Hours”

Zoom

06:29:27 PM

Vlad Ionescu has joined Public “Office Hours”

Zoom

06:29:50 PM

Michael Jenkins has joined Public “Office Hours”

Zoom

06:29:57 PM

Allan Swanepoel has joined Public “Office Hours”

Zoom

06:29:59 PM

venkata mutyala has joined Public “Office Hours”

Zoom

06:30:17 PM

Vincent Werner has joined Public “Office Hours”

Zoom

06:30:21 PM

Linda Pham (Cloud Posse) has joined Public “Office Hours”

Zoom

06:30:59 PM

Luis Masaya has joined Public “Office Hours”

Zoom

06:31:17 PM

Isaac M has joined Public “Office Hours”

Zoom

06:31:29 PM

Ralf Pieper has joined Public “Office Hours”

Zoom

06:31:38 PM

Bridget Royer has joined Public “Office Hours”

Zoom

06:31:53 PM

Roy Sprague has joined Public “Office Hours”

Zoom

06:32:04 PM

Jim Park has joined Public “Office Hours”

Zoom

06:32:07 PM

Marcos Soutullo has joined Public “Office Hours”

Zoom

06:32:29 PM

venkata mutyala has joined Public “Office Hours”

Zoom

06:33:57 PM

Ralf Pieper has joined Public “Office Hours”

Zoom

06:35:06 PM

Oliver Schoenborn has joined Public “Office Hours”

Zoom

06:35:11 PM

Matthew Pickens has joined Public “Office Hours”

Zoom

06:35:54 PM

Alexandr Vorona has joined Public “Office Hours”

Zoom

06:37:28 PM

Igor M has joined Public “Office Hours”

Zoom

06:37:39 PM

Andrew Vitko has joined Public “Office Hours”

Zoom

06:38:09 PM

Adedapo Ajuwon has joined Public “Office Hours”

Zoom

06:38:16 PM

Matt Calhoun has joined Public “Office Hours”

Zoom

06:38:40 PM

Ori Yhezkel Mualem has joined Public “Office Hours”

tamsky

06:39:08 PM

Q: Wondering if anyone knows of operational tools (other than k8s) that manage (config-as-code) and/or sync Consul’s service resolver configs:

• https://www.consul.io/docs/connect/config-entries/service-resolver

Configuration Entry Kind: Service Resolver | Consul by HashiCorp

The service-resolver config entry kind controls which service instances should satisfy Connect upstream discovery requests for a given service name.

Zoom

06:43:57 PM

dag viggo lokoeen has joined Public “Office Hours”

Zoom

06:46:53 PM

Brian Choate has joined Public “Office Hours”

Zoom

06:47:03 PM

PePe Amengual has joined Public “Office Hours”

Zoom

06:49:00 PM

Sherif Abdel-Naby has joined Public “Office Hours”

Zoom

06:51:19 PM

Brian Choate has joined Public “Office Hours”

Zoom

06:51:29 PM

Mazin Ahmed has joined Public “Office Hours”

Zoom

06:53:12 PM

Sherif Abdel-Naby has joined Public “Office Hours”

Zoom

07:01:07 PM

Vincent Werner has joined Public “Office Hours”

Zoom

07:01:40 PM

Antonio Rodriguez has joined Public “Office Hours”

Zoom

07:03:56 PM

PePe Amengual has joined Public “Office Hours”

Zoom

07:06:18 PM

Ozzy has joined Public “Office Hours”

Zoom

07:12:02 PM

Antarr Byrd has joined Public “Office Hours”

Zoom

07:15:00 PM

Sherif Abdel-Naby has joined Public “Office Hours”

Allan Swanepoel

07:27:32 PM

https://ctrltilde.com/jwks-and-node-jose/

JWKs and node-jose attachment image

After weeks of searching for documentation and examples on how to use node-Jose for: * Create an endpoint to expose the public part of the keys * Create an endpoint that returns a signed JWT with those keys * Validate the token issued as a client * Rotate the keys by an endpoint I

Linda Pham (Cloud Posse)

07:28:42 PM

Links from today’s call: https://github.com/cloudposse/terraform-aws-dms/tree/main/examples/complete https://github.blog/changelog/2022-08-23-github-actions-enhancements-to-openid-connect-support-to-enable-secure-cloud-deployments-at-scale https://github.com/multycloud/terraform-provider-multy https://docs.multy.dev/vm_sizes https://github.com/apache/libcloud https://registry.terraform.io/providers/devops-rob/terracurl/latest/docs/resources/request https://github.com/SvenHamers/terraform-provider-oauth https://doordash.engineering/2022/08/09/how-to-handle-kubernetes-health-checks/ https://aws.amazon.com/about-aws/whats-new/2022/08/aws-support-launches-managing-cases-slack/ https://github.com/apache/libcloud https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Replication.html https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless-v2.upgrade.html

GitHub Actions: Enhancements to OpenID Connect support to enable secure cloud deployments at scale | GitHub Changelog attachment image

GitHub Actions: Enhancements to OpenID Connect support to enable secure cloud deployments at scale

Virtual machine sizes | Multy

Below is a breakdown of Multy virtual machine sizes and how they relate to the respective supported cloud providers.

Allan Swanepoel

08:13:03 PM

There was a question regarding RDS / Database certificates today - here is a short example of how I run it on my dev machine with docker-compose

SweetOps

09:40:21 PM

DevOps “Office Hours” (2022-08-24)

2022-08-29

Sean Turner

01:05:30 PM

Q: Anyone use AWS code artifact? love it? hate it? We are considering it for pip. CI would push (already uses OIDC with circle CI), and devs would pull for docker container based environments. Are there any weird edges? At my last gig we were using nexus artifactory and nexus would not respect a package being yanked from pip. Nexus would continue to serve that yanked version (until a new version was pushed out) as the latest which was a hassle.

Azar

05:07:24 AM

are we talking for ECR for Images?? or In previous life used code artifact for helm packages. before that was using s3 as source package manager.. artifact made it little easier with roles isolate the specific permissions only for CD roles

Azar

05:09:57 AM

https://github.com/hypnoglow/helm-s3

This is the plugin i was referring for s3

hypnoglow/helm-s3

⎈ Helm plugin that allows to set up a chart repository using AWS S3.

Sean Turner

01:05:02 PM

No it’s for python and node packages ect

https://aws.amazon.com/codeartifact/

Erik Osterman (Cloud Posse)

07:27:32 PM

I think the biggest limitation from our POV is it’s limited in the supported artifacts

Sean Turner

07:29:23 PM

As in how only pypi and npm and maven ect. are supported?

2022-08-30

Azar

05:08:29 AM

https://aws.amazon.com/blogs/aws/new-aws-support-app-in-slack-to-manage-support-cases/

this was discussed in the previous office hours, highlights on one of the points discussed.. looks like 100 account per slack channel

After you authorize your Slack workspace, you can add your Slack channels by choosing Add channel. You can add up to 20 channels for a single account. A single Slack channel can have up to 100 AWS accounts.

Erik Osterman (Cloud Posse)

07:26:46 PM

Thanks @Azar!

2022-08-31

Mazin Ahmed

04:49:29 PM

Q: I’m trying to import google_project_iam_policy that looks like this:

data "google_iam_policy" "iam_policy_data_mazin_test_roles_containeranalysis_ServiceAgent" {
    binding {
        role = "roles/containeranalysis.ServiceAgent"

        members = [
    "serviceAccount:[email protected]"
]
    }
}

resource "google_project_iam_policy" "iam_policy_mazin_test_roles_containeranalysis_ServiceAgent" {
  project     = "mazin-test"
  policy_data = data.google_iam_policy.iam_policy_data_mazin_test_delete_roles_containeranalysis_ServiceAgent.policy_data
}

Based on documentation, it should be imported as:

$ terraform import google_project_iam_policy.my_project your-project-id

However when running this one followed by terraform plan, it shows that the role is being deleted instead. I’m not sure if it’s related to importing data sources, or if there is a better way to import GCP IAM roles. Any ideas?

Mazin Ahmed

07:30:28 PM

https://www.terraform.io/internals/debugging - I will try debugging it with this feature Thanks @matt!

Erik Osterman (Cloud Posse)

06:00:31 PM

@here office hours is starting in 30 minutes! Remember to post your questions here.

Zoom

06:29:54 PM

Linda Pham (Cloud Posse) has joined Public “Office Hours”

Zoom

06:29:59 PM

venkata mutyala has joined Public “Office Hours”

Zoom

06:30:10 PM

Mike Martin has joined Public “Office Hours”

Zoom

06:30:14 PM

Vlad Ionescu has joined Public “Office Hours”

Zoom

06:30:17 PM

Andy Miguel (Cloud Posse) has joined Public “Office Hours”

Zoom

06:30:21 PM

Robert Jordan has joined Public “Office Hours”

Zoom

06:30:33 PM

Luis Masaya has joined Public “Office Hours”

Zoom

06:30:55 PM

Antonio Rodriguez has joined Public “Office Hours”

Zoom

06:30:57 PM

Allan Mohr has joined Public “Office Hours”

Zoom

06:31:00 PM

Andrew Vitko has joined Public “Office Hours”

Zoom

06:31:31 PM

Matt Calhoun has joined Public “Office Hours”

Zoom

06:31:32 PM

Ashwin Jacob has joined Public “Office Hours”

Zoom

06:31:37 PM

Michael Jenkins has joined Public “Office Hours”

Zoom

06:31:38 PM

dag viggo lokoeen has joined Public “Office Hours”

Zoom

06:31:40 PM

Isa Aguilar has joined Public “Office Hours”

Zoom

06:32:02 PM

Omer Sen has joined Public “Office Hours”

Zoom

06:32:17 PM

Erik Osterman (Cloud Posse) has joined Public “Office Hours”

Zoom

06:34:21 PM

Mike Drummond has joined Public “Office Hours”

Zoom

06:34:23 PM

Isaac M has joined Public “Office Hours”

Zoom

06:34:58 PM

Life Lofranco has joined Public “Office Hours”

Zoom

06:35:58 PM

SYED HUSSAIN has joined Public “Office Hours”

Zoom

06:37:42 PM

Jim Park has joined Public “Office Hours”

Zoom

06:37:56 PM

Brian Pauley has joined Public “Office Hours”

Zoom

06:38:11 PM

Roy Sprague has joined Public “Office Hours”

Zoom

06:38:12 PM

Adnan M. has joined Public “Office Hours”

Vlad Ionescu (he/him)

06:39:11 PM

https://typefully.com/iamvlaaaaaaad/august-24-fargate-outage-N4rzykR

August 24 Fargate outage | Vlad Ionescu (he/him)

As an ECS on Fargate fan, I got a lot of questions about the recent incident / outage. Let’s talk about it… 1/43 TL;DR: meh. Incidents happen and this one did not teach us anything new about building on AWS. I expect more profound drama during these roaring 20s!

Zoom

06:39:27 PM

Ben Smith (Cloud Posse) has joined Public “Office Hours”

Zoom

06:42:13 PM

Eric Berg has joined Public “Office Hours”

Zoom

06:42:44 PM

dag viggo lokoeen has joined Public “Office Hours”

Zoom

06:44:09 PM

Dana Carney has joined Public “Office Hours”