#office-hours (2022-10)

“Office Hours” are every Wednesday at 11:30 PST via Zoom. It’s open to everyone. Ask questions related to DevOps & Cloud and get answers! https://cloudposse.com/office-hours

https://cpco.io/slack-office-hours

Meeting password: sweetops

2022-10-03

managedkaos avatar
managedkaos

Anyone else using Bitbucket for CI/CD? https://bitbucket.org/blog/macos-runners-bitbucket

Announcing macOS Runners in Bitbucket Pipelines - Bitbucket

We are happy to announce that Bitbucket Pipelines now supports macOS self-hosted runners. We have moved from beta to an official…

JoseF avatar

I’ve been using Bitbucket for pipelines for a while now. What about the runners?

managedkaos avatar
managedkaos

They’ve added support for macOS.

I’ve been using Bitbucket pipelines for a while as well. I think they do a great job and stay on par with pipeline offerings from GitHub and GitLab.

I think Bitbucket is one of the best pipelines that people don’t think to consider. When I saw this post about new runners, I was just curious what other folks in this community might be using it as well.

2022-10-04

Jonas Steinberg avatar
Jonas Steinberg

In case people are interested I’ll be raising the following topic tomorrow during office hours. I think it’s an interesting one and looking to get people’s feedback on it:

https://sweetops.slack.com/archives/CB6GHNLG0/p1664903787880119

Hey everyone,

Looking to have a bit of a debate on the topic of monitoring as code and whether or not *it actually matters*. More specifically: whether having monitors, dashboards, service level objects and the like actually need to be backed by IaC and within a GitOps workflow.

Many of us have monitoring products like datadog or cloudwatch in which the vast majority of monitors, dashboards, SLOs and the like have been clickops’d. For example at my current shop there are about 350 dashboards and almost none are in IaC and what’s more we don’t really know which ones are critical and which ones can be deleted. And the same goes for monitors and SLOs.

Now imagine that you used Terraformer (or equivalent, if there even is such a thing for Cloudformation) to get all these things into terraform and into all the appropriate repos. And then you even took that a step further and developed a system to do this continuously and also to clean up your monitoring product in the meanwhile, e.g. delete any dashboard not labeled critical or something.

My questions to the community are:

• so what? All of those clickops’d dashboards are backed up by the CSP or 3rd party; if they have a catastrophic event they’ll probably be able to get them back to you?
• and do we really want to be writing dashboards as code? It gets fairly ridiculous.
• and as for labeling them and then automating their cleanup: will it be that much of a feng shui or cost improvement?

Curious about people’s thoughts regarding this topic because now that I have everything in IaC and a potential solution for automating parity and cleanup I find myself asking, “Who cares?” And of course if there are other reasons for storing monitors, dashboards, SLOs and the like as code please bring those up as I’m always interested in learning how other people are solving problems!

2022-10-05

Jonas Steinberg avatar
Jonas Steinberg

@Erik Osterman (Cloud Posse) I have a meeting that goes until 12PM PT. I can skip it if I need to because I definitely want to raise the observe-as-code debate, but if you have content until 12PM and I can bring that up after that’d be great. Either way just not sure what you have on the agenda today. Thanks!

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Ok, we’ll defer it to 12pm

Jonas Steinberg avatar
Jonas Steinberg

@Erik Osterman (Cloud Posse) no need, I can miss the other meeting – I’ve thought a lot about this today and yesterday and I want to make sure this gets top treatment so I’ll be there during peak.

david.gregory_slack avatar
david.gregory_slack

Random one: I know the official line is that s3 buckets can’t be moved between accounts, but is that really true even at the “ask AWS support nicely” level? We’ve got a few big enough buckets that, on the face of it, it would cost a few k to copy them from one account to another, which is a blocker for my preferred approach of rebuilding key systems in new accounts to get rid of old cruft. Any stories of non-bank-breaking S3 bucket migrations would be interesting!

Jonas Steinberg avatar
Jonas Steinberg

@david.gregory_slack I’m not sure if you are aware of the s3p library – but if you do end up copying files I cannot recommend it enough – s3p saved me hours, if not days, on cross-account recursive s3 bucket copying. Pro-tip: spin up a huge ec2 instance or container of some type beforehand, as that will also dramatically help parallelization. Fwiw.

https://github.com/generalui/s3p

generalui/s3p

list/copy/sync/compare S3 buckets 5x-50x faster than aws-cli

Jonas Steinberg avatar
Jonas Steinberg

I should have mentioned: this library is an order of magnitude faster than any other library you will find. At least it was when I used it last year.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

heads up, we discussed this today

david.gregory_slack avatar
david.gregory_slack

Thanks, hoped to make it but events. Will catch up.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
06:01:02 PM

@here office hours is starting in 30 minutes! Remember to post your questions here.

Zoom avatar
Zoom
06:29:19 PM

Erik Osterman (Cloud Posse) has joined Public “Office Hours”

Zoom avatar
Zoom
06:29:22 PM

Linda Pham (Cloud Posse) has joined Public “Office Hours”

Zoom avatar
Zoom
06:29:22 PM

Jose Figueredo has joined Public “Office Hours”

Zoom avatar
Zoom
06:29:25 PM

Isaac M has joined Public “Office Hours”

Zoom avatar
Zoom
06:29:33 PM

Allan Swanepoel has joined Public “Office Hours”

Zoom avatar
Zoom
06:29:36 PM

Jonathan Poczatek has joined Public “Office Hours”

Zoom avatar
Zoom
06:29:44 PM

Peter Dada has joined Public “Office Hours”

Zoom avatar
Zoom
06:29:50 PM

dag viggo lokoeen has joined Public “Office Hours”

Zoom avatar
Zoom
06:29:51 PM

Gabriel Zabal has joined Public “Office Hours”

Zoom avatar
Zoom
06:30:01 PM

Michael Jenkins has joined Public “Office Hours”

Zoom avatar
Zoom
06:30:36 PM

Matt Calhoun has joined Public “Office Hours”

Zoom avatar
Zoom
06:30:38 PM

Guelor Emanuel has joined Public “Office Hours”

Zoom avatar
Zoom
06:31:46 PM

Ralf Pieper has joined Public “Office Hours”

Zoom avatar
Zoom
06:31:57 PM

Jared Richards has joined Public “Office Hours”

Zoom avatar
Zoom
06:32:01 PM

Jonas Steinberg has joined Public “Office Hours”

Zoom avatar
Zoom
06:33:03 PM

Zadkiel has joined Public “Office Hours”

Zoom avatar
Zoom
06:33:12 PM
Jonas Steinberg avatar
Jonas Steinberg

I’d like to pose a bit of an involved question on what priority observability as code is.

Zoom avatar
Zoom
06:34:00 PM

Marc Tamsky has joined Public “Office Hours”

Zoom avatar
Zoom
06:34:24 PM

Harold Sphinx has joined Public “Office Hours”

Zoom avatar
Zoom
06:35:26 PM

Charles Smith has joined Public “Office Hours”

Zoom avatar
Zoom
06:35:54 PM

sebastian maniak has joined Public “Office Hours”

Zoom avatar
Zoom
06:38:05 PM

Adedapo Ajuwon has joined Public “Office Hours”

Zoom avatar
Zoom
06:42:55 PM

Vicken Simonian has joined Public “Office Hours”

Zoom avatar
Zoom
06:46:43 PM

Vijay Kukreja has joined Public “Office Hours”

Zoom avatar
Zoom
06:48:28 PM

Ray Botha has joined Public “Office Hours”

Zoom avatar
Zoom
06:58:21 PM

sebastian maniak has joined Public “Office Hours”

Zoom avatar
Zoom
07:00:07 PM

Eric Berg has joined Public “Office Hours”

Zoom avatar
Zoom
07:02:40 PM

PePe Amengual has joined Public “Office Hours”

Zoom avatar
Zoom
07:14:49 PM

Vicken Simonian has joined Public “Office Hours”

Zoom avatar
Zoom
07:21:08 PM

Peter Dada has joined Public “Office Hours”

Zoom avatar
Zoom
07:28:18 PM

Vijay Kukreja has joined Public “Office Hours”

Jonas Steinberg avatar
Jonas Steinberg

Thanks everyone for the awesome discussion today

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

let us know what you end up doing!

Jonas Steinberg avatar
Jonas Steinberg

I will – I heard you loud and clear on the solution-looking-for-a-problem point, as well as Matt’s “snowflake service” point. I needed to hear those, frankly. Great stuff!!

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Thanks, @Jonas Steinberg @matt @Eric Berg @Allan Swanepoel for the great discussion today.

2022-10-12

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
06:01:29 PM

@here office hours is starting in 30 minutes! Remember to post your questions here.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Does anybody have experience with AWS EKS using AWS EFS?

I need a place to store/read some data (5-10MB file) very fast and have it available consistently on multiple pods.

Zoom avatar
Zoom
06:29:59 PM

Erik Osterman (Cloud Posse) has joined Public “Office Hours”

Zoom avatar
Zoom
06:30:01 PM

Linda Pham (Cloud Posse) has joined Public “Office Hours”

Zoom avatar
Zoom
06:30:04 PM

Isaac M has joined Public “Office Hours”

Zoom avatar
Zoom
06:30:10 PM

dag viggo lokoeen has joined Public “Office Hours”

Zoom avatar
Zoom
06:30:34 PM

Matt Calhoun has joined Public “Office Hours”

Zoom avatar
Zoom
06:30:59 PM

Michael Jenkins has joined Public “Office Hours”

Zoom avatar
Zoom
06:31:35 PM

andy miguel has joined Public “Office Hours”

Zoom avatar
Zoom
06:32:33 PM

Jared Richards has joined Public “Office Hours”

Zoom avatar
Zoom
06:33:02 PM

Amaan Khan has joined Public “Office Hours”

Zoom avatar
Zoom
06:33:23 PM

Jose Figueredo has joined Public “Office Hours”

Zoom avatar
Zoom
06:33:46 PM

Hao Wang has joined Public “Office Hours”

Zoom avatar
Zoom
06:34:28 PM

Oskar Maria Grande has joined Public “Office Hours”

Zoom avatar
Zoom
06:34:58 PM

Andrew Hall has joined Public “Office Hours”

Zoom avatar
Zoom
06:35:17 PM

Jonathan Poczatek has joined Public “Office Hours”

Zoom avatar
Zoom
06:36:08 PM

sebastian maniak has joined Public “Office Hours”

Zoom avatar
Zoom
06:36:25 PM

Jim Park has joined Public “Office Hours”

Zoom avatar
Zoom
06:37:32 PM

Alexandr Vorona has joined Public “Office Hours”

Zoom avatar
Zoom
06:41:11 PM

Shantanu Gole has joined Public “Office Hours”

Zoom avatar
Zoom
06:41:20 PM

Marc Tamsky has joined Public “Office Hours”

Zoom avatar
Zoom
06:42:50 PM

Oliver Schoenborn has joined Public “Office Hours”

Zoom avatar
Zoom
06:47:14 PM

Srivardhan T has joined Public “Office Hours”

Zoom avatar
Zoom
06:48:30 PM

Gabriel Zabal has joined Public “Office Hours”

Zoom avatar
Zoom
07:00:35 PM

Johnmary Odenigbo has joined Public “Office Hours”

2022-10-16

venkata.mutyala avatar
venkata.mutyala

I know there are a number of ways to initialize your vault cluster but personally I am a fan of being able to do things in terraform: https://registry.terraform.io/providers/rickardgranberg/vaultoperator/0.1.6

^^ Sharing in case you folks haven’t heard of it before.

2022-10-19

Allan Swanepoel avatar
Allan Swanepoel

@Erik Osterman (Cloud Posse) - during some of the office hours calls you point to your internal ?confluence? page where you show how you structure aws accounts in an ldap / ou style

Allan Swanepoel avatar
Allan Swanepoel

is there any chance that page is publicly accessible?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
06:01:19 PM

@here office hours is starting in 30 minutes! Remember to post your questions here.

jose.amengual avatar
jose.amengual

what is cloudposse?

jose.amengual avatar
jose.amengual

who are you?

Zoom avatar
Zoom
06:27:38 PM

Erik Osterman (Cloud Posse) has joined Public “Office Hours”

Zoom avatar
Zoom
06:27:56 PM

John Jarvis has joined Public “Office Hours”

Zoom avatar
Zoom
06:28:04 PM

dag viggo lokoeen has joined Public “Office Hours”

Zoom avatar
Zoom
06:28:04 PM

Vlad Ionescu has joined Public “Office Hours”

Zoom avatar
Zoom
06:28:05 PM

Emile Fugulin has joined Public “Office Hours”

Zoom avatar
Zoom
06:29:06 PM

Michael Jenkins has joined Public “Office Hours”

Zoom avatar
Zoom
06:29:20 PM

Linda Pham (Cloud Posse) has joined Public “Office Hours”

Zoom avatar
Zoom
06:29:53 PM

Jose Figueredo has joined Public “Office Hours”

Zoom avatar
Zoom
06:29:54 PM

Matt Calhoun has joined Public “Office Hours”

Zoom avatar
Zoom
06:30:19 PM
Zoom avatar
Zoom
06:30:29 PM

Isaac M has joined Public “Office Hours”

Zoom avatar
Zoom
06:30:34 PM

Matt Gowie has joined Public “Office Hours”

Zoom avatar
Zoom
06:30:56 PM

Jonas Frank has joined Public “Office Hours”

Zoom avatar
Zoom
06:30:59 PM

Allan Swanepoel has joined Public “Office Hours”

Zoom avatar
Zoom
06:31:33 PM

Jonathan Poczatek has joined Public “Office Hours”

Zoom avatar
Zoom
06:32:02 PM

RB (Ronak Bhatia) (Cloud Posse) has joined Public “Office Hours”

Zoom avatar
Zoom
06:34:03 PM

PePe Amengual has joined Public “Office Hours”

Zoom avatar
Zoom
06:34:24 PM

Oliver Schoenborn has joined Public “Office Hours”

Zoom avatar
Zoom
06:34:56 PM

Oskar Maria Grande has joined Public “Office Hours”

Zoom avatar
Zoom
06:35:53 PM

Isa Aguilar has joined Public “Office Hours”

Zoom avatar
Zoom
06:36:18 PM

Joshua Magady has joined Public “Office Hours”

Zoom avatar
Zoom
06:37:08 PM

Vicken Simonian has joined Public “Office Hours”

Zoom avatar
Zoom
06:39:29 PM

Brian Pauley has joined Public “Office Hours”

Zoom avatar
Zoom
06:40:57 PM

Maura Rowell has joined Public “Office Hours”

JJ avatar

Hey, popping in and out — kids’ bedtimes — but I’ll check out the recording later. Hoping to take advantage of these more; thanks for doing them!

Zoom avatar
Zoom
06:43:22 PM

Jared Richards has joined Public “Office Hours”

Zoom avatar
Zoom
06:45:07 PM

Andrew Vitko has joined Public “Office Hours”

Zoom avatar
Zoom
06:49:02 PM

Devendra Yadav has joined Public “Office Hours”

Zoom avatar
Zoom
06:56:13 PM

PePe Amengual has joined Public “Office Hours”

Zoom avatar
Zoom
07:04:38 PM

Andrew Nascimento has joined Public “Office Hours”

Zoom avatar
Zoom
07:07:39 PM

Jared Richards has joined Public “Office Hours”

Zoom avatar
Zoom
07:10:52 PM

Arthur Dent has joined Public “Office Hours”

Linda Pham (Cloud Posse) avatar
Linda Pham (Cloud Posse)
cloudposse/terraform-aws-ecs-cluster

Terraform module for provisioning an ECS cluster

Introducing fine-grained personal access tokens for GitHub | The GitHub Blog

Fine-grained personal access tokens offer enhanced security to developers and organization owners, to reduce the risk to your data of compromised tokens.

Design improvements to GitHub Actions navigation | GitHub Changelog

Design improvements to GitHub Actions navigation

October 2022 Pricing Change FAQ - Docker

The price increase will allow us to continue to invest in Docker as developers’ #1 most-used, #1 most-loved and #1 most-wanted tool.

2022-10-26

Sean Turner avatar
Sean Turner

Q: How are people enforcing MFA in AWS? Not using AWS SSO at the moment, just IAM Users and IAM Groups. Have seen a cloudtrail solution that uses a cloudwatch metric filter and alarm which does the trick, but is probably very expensive as you need to use cloudtrail.

Matt Gowie avatar
Matt Gowie

Check out the policy in this AWS Doc: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_my-sec-creds-self-manage-mfa-only.html

The relevant bit is here:

```json
{
    "Sid": "DenyAllExceptListedIfNoMFA",
    "Effect": "Deny",
    "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
    ],
    "Resource": "*",
    "Condition": {
        "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}
    }
}
```
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

```hcl
module "admin_label" {
  source     = "git://github.com/cloudposse/terraform-null-label.git?ref=tags/0.3.3"
  namespace  = "${var.namespace}"
  stage      = "${var.stage}"
  name       = "${var.admin_name}"
  delimiter  = "${var.delimiter}"
  attributes = "${var.attributes}"
  tags       = "${var.tags}"
}

module "readonly_label" {
  source     = "git://github.com/cloudposse/terraform-null-label.git?ref=tags/0.3.3"
  namespace  = "${var.namespace}"
  stage      = "${var.stage}"
  name       = "${var.readonly_name}"
  delimiter  = "${var.delimiter}"
  attributes = "${var.attributes}"
  tags       = "${var.tags}"
}

data "aws_caller_identity" "current" {}

# Trust policy for the roles: principals in this account may assume them only
# when the calling session carries MFA.
data "aws_iam_policy_document" "role_trust" {
  count = "${local.enabled ? 1 : 0}"

  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }

    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}

# Users may manage only their own virtual MFA device (&{aws:username} is the
# 0.11 escape for the IAM policy variable ${aws:username}); deactivating or
# deleting it additionally requires an MFA-authenticated session.
data "aws_iam_policy_document" "manage_mfa" {
  count = "${local.enabled ? 1 : 0}"

  statement {
    sid = "AllowUsersToCreateEnableResyncTheirOwnVirtualMFADevice"

    actions = [
      "iam:CreateVirtualMFADevice",
      "iam:EnableMFADevice",
      "iam:ResyncMFADevice",
    ]

    resources = [
      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:mfa/&{aws:username}",
      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/&{aws:username}",
    ]
  }

  statement {
    sid = "AllowUsersToDeactivateTheirOwnVirtualMFADevice"

    actions = [
      "iam:DeactivateMFADevice",
    ]

    resources = [
      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:mfa/&{aws:username}",
      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/&{aws:username}",
    ]

    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }

  statement {
    sid = "AllowUsersToDeleteTheirOwnVirtualMFADevice"

    actions = [
      "iam:DeleteVirtualMFADevice",
    ]

    resources = [
      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:mfa/&{aws:username}",
      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/&{aws:username}",
    ]

    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }

  statement {
    sid = "AllowUsersToListMFADevicesandUsersForConsole"

    actions = [
      "iam:ListMFADevices",
      "iam:ListVirtualMFADevices",
      "iam:ListUsers",
    ]

    resources = [
      "*",
    ]
  }
}

data "aws_iam_policy_document" "allow_change_password" {
  count = "${local.enabled ? 1 : 0}"

  statement {
    actions   = ["iam:ChangePassword"]
    resources = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/&{aws:username}"]
  }

  statement {
    actions   = ["iam:GetAccountPasswordPolicy"]
    resources = ["*"]
  }

  statement {
    actions   = ["iam:GetLoginProfile"]
    resources = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/&{aws:username}"]

    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}

# Access-key self-service, again scoped to the caller's own user and gated on MFA.
data "aws_iam_policy_document" "allow_key_management" {
  statement {
    actions = [
      "iam:DeleteAccessKey",
      "iam:GetAccessKeyLastUsed",
      "iam:UpdateAccessKey",
      "iam:GetUser",
      "iam:CreateAccessKey",
      "iam:ListAccessKeys",
    ]

    resources = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/&{aws:username}"]

    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}

# Admin config

locals {
  enabled             = "${var.enabled == "true" ? true : false}"
  admin_user_names    = "${length(var.admin_user_names) > 0 ? true : false}"
  readonly_user_names = "${length(var.readonly_user_names) > 0 ? true : false}"
}

resource "aws_iam_policy" "manage_mfa_admin" {
  count       = "${local.enabled ? 1 : 0}"
  name        = "${module.admin_label.id}-permit-mfa"
  description = "Allow admin users to manage Virtual MFA Devices"
  policy      = "${join("", data.aws_iam_policy_document.manage_mfa.*.json)}"
}

resource "aws_iam_policy" "allow_change_password_admin" {
  count       = "${local.enabled ? 1 : 0}"
  name        = "${module.admin_label.id}-permit-change-password"
  description = "Allow admin users to change password"
  policy      = "${join("", data.aws_iam_policy_document.allow_change_password.*.json)}"
}

resource "aws_iam_policy" "allow_key_management_admin" {
  name        = "${module.admin_label.id}-allow-key-management"
  description = "Allow admin users to manage their own access keys"
  policy      = "${data.aws_iam_policy_document.allow_key_management.json}"
}

data "aws_iam_policy_document" "assume_role_admin" {
  count = "${local.enabled ? 1 : 0}"

  statement {
    actions   = ["sts:AssumeRole"]
    resources = ["${join("", aws_iam_role.admin.*.arn)}"]
  }
}

resource "aws_iam_policy" "assume_role_admin" {
  count       = "${local.enabled ? 1 : 0}"
  name        = "${module.admin_label.id}-permit-assume-role"
  description = "Allow assuming admin role"
  policy      = "${join("", data.aws_iam_policy_document.assume_role_admin.*.json)}"
}

resource "aws_iam_group" "admin" {
  count = "${local.enabled ? 1 : 0}"
  name  = "${module.admin_label.id}"
}

resource "aws_iam_role" "admin" {
  count              = "${local.enabled ? 1 : 0}"
  name               = "${module.admin_label.id}"
  assume_role_policy = "${join("", data.aws_iam_policy_document.role_trust.*.json)}"
}

resource "aws_iam_group_policy_attachment" "assume_role_admin" {
  count      = "${local.enabled ? 1 : 0}"
  group      = "${join("", aws_iam_group.admin.*.name)}"
  policy_arn = "${join("", aws_iam_policy.assume_role_admin.*.arn)}"
}

resource "aws_iam_group_policy_attachment" "manage_mfa_admin" {
  count      = "${local.enabled ? 1 : 0}"
  group      = "${join("", aws_iam_group.admin.*.name)}"
  policy_arn = "${join("", aws_iam_policy.manage_mfa_admin.*.arn)}"
}

resource "aws_iam_group_policy_attachment" "allow_change_password_admin" {
  count      = "${local.enabled ? 1 : 0}"
  group      = "${join("", aws_iam_group.admin.*.name)}"
  policy_arn = "${join("", aws_iam_policy.allow_change_password_admin.*.arn)}"
}

resource "aws_iam_group_policy_attachment" "key_management_admin" {
  group      = "${aws_iam_group.admin.name}"
  policy_arn = "${aws_iam_policy.allow_key_management_admin.arn}"
}

# The admin role itself carries the AWS-managed AdministratorAccess policy; it
# is reachable only through the MFA-gated trust policy above.
resource "aws_iam_role_policy_attachment" "admin" {
  count      = "${local.enabled ? 1 : 0}"
  role       = "${join("", aws_iam_role.admin.*.name)}"
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

resource "aws_iam_group_membership" "admin" {
  count = "${local.enabled && local.admin_user_names ? 1 : 0}"
  name  = "${module.admin_label.id}"
  group = "${join("", aws_iam_group.admin.*.id)}"
  users = ["${var.admin_user_names}"]
}

# Readonly config

resource "aws_iam_policy" "manage_mfa_readonly" {
  count       = "${local.enabled ? 1 : 0}"
  name        = "${module.readonly_label.id}-permit-mfa"
  description = "Allow readonly users to manage Virtual MFA Devices"
  policy      = "${join("", data.aws_iam_policy_document.manage_mfa.*.json)}"
}

resource "aws_iam_policy" "allow_change_password_readonly" {
  count       = "${local.enabled ? 1 : 0}"
  name        = "${module.readonly_label.id}-permit-change-password"
  description = "Allow readonly users to change password"
  policy      = "${join("", data.aws_iam_policy_document.allow_change_password.*.json)}"
}

resource "aws_iam_policy" "allow_key_management_readonly" {
  name        = "${module.readonly_label.id}-permit-manage-keys"
  description = "Allow readonly users to manage their own access keys"
  policy      = "${data.aws_iam_po…
```

Aritra Banerjee avatar
Aritra Banerjee

We are using a product called gravitational teleport, where mfa is added to github, people login via their github profile and only a particular team has access to the aws console itself

Sean Turner avatar
Sean Turner

Interesting, thanks. We have some non technical users so doing things through github isn’t as ideal unfortunately

Aritra Banerjee avatar
Aritra Banerjee

They have enterprise plans as well with AD integration

Aritra Banerjee avatar
Aritra Banerjee

We are using the free version

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
06:01:08 PM

@here office hours is starting in 30 minutes! Remember to post your questions here.

Zoom avatar
Zoom
06:29:30 PM

Erik Osterman (Cloud Posse) has joined Public “Office Hours”

Zoom avatar
Zoom
06:29:37 PM

Isaac M has joined Public “Office Hours”

Zoom avatar
Zoom
06:29:50 PM

Oliver Schoenborn has joined Public “Office Hours”

Zoom avatar
Zoom
06:29:52 PM

Vlad Ionescu has joined Public “Office Hours”

Zoom avatar
Zoom
06:29:56 PM

Joe Caulfield has joined Public “Office Hours”

Zoom avatar
Zoom
06:30:09 PM

Linda Pham (Cloud Posse) has joined Public “Office Hours”

Zoom avatar
Zoom
06:30:33 PM

Eric Berg has joined Public “Office Hours”

Zoom avatar
Zoom
06:31:15 PM

Ralf Pieper has joined Public “Office Hours”

Zoom avatar
Zoom
06:33:05 PM

Oliver Schoenborn has joined Public “Office Hours”

Zoom avatar
Zoom
06:33:11 PM

Paul Bullock has joined Public “Office Hours”

Zoom avatar
Zoom
06:33:27 PM

Maura Rowell has joined Public “Office Hours”

Zoom avatar
Zoom
06:33:41 PM

Jared Richards has joined Public “Office Hours”

Zoom avatar
Zoom
06:34:15 PM

Brian Pauley has joined Public “Office Hours”

Zoom avatar
Zoom
06:34:52 PM

Jared Richards has joined Public “Office Hours”

Zoom avatar
Zoom
06:35:22 PM

sebastian maniak has joined Public “Office Hours”

Zoom avatar
Zoom
06:37:13 PM

Joshua Magady has joined Public “Office Hours”

Zoom avatar
Zoom
06:39:55 PM

Amaan Khan has joined Public “Office Hours”

Zoom avatar
Zoom
06:42:38 PM

Amaan Khan has joined Public “Office Hours”

Zoom avatar
Zoom
06:44:50 PM

Jim Park has joined Public “Office Hours”

Zoom avatar
Zoom
06:47:00 PM

Matt Gowie has joined Public “Office Hours”

Zoom avatar
Zoom
06:50:05 PM

Sean TUrner has joined Public “Office Hours”

Zoom avatar
Zoom
06:50:37 PM

Olad Oke has joined Public “Office Hours”

Zoom avatar
Zoom
07:01:19 PM

Srivardhan T has joined Public “Office Hours”

Zoom avatar
Zoom
07:09:35 PM

Olad Oke has joined Public “Office Hours”

Linda Pham (Cloud Posse) avatar
Linda Pham (Cloud Posse)
Terraform: why data sources and filters are preferable over remote state

Why Terraform data sources are preferable over remote state, with use-cases using multiple filters based on tags to filter resources dynamically

Terraform For Expressions

Using the for expression in Terraform to filter, group, order and mutate information. With this knowledge in hand you will easily be able to construct complex objects based on existing information/configuration or from configuration passed in via input variables or ingested. Easily create multiple instances of resources or data sources using the for_each meta-argument.