#office-hours (2023-07)
“Office Hours” are every Wednesday at 11:30 PST via Zoom. It’s open to everyone. Ask questions related to DevOps & Cloud and get answers! https://cloudposse.com/office-hours
Public “Office Hours” are held every Wednesday at 11:30 PST via Zoom. It’s open to everyone. Ask questions related to DevOps & Cloud and get answers!
https://cpco.io/slack-office-hours
Meeting password: sweetops
2023-07-03
For the upcoming office hours: Using the new TF import functionality to move existing infra into the atmos style stacks
2023-07-05
@here office hours is starting in 30 minutes! Remember to post your questions here.
Hi! I am not sure if I can join the meeting, but a question I have is: What is the recommended way to remove the existing stacks where in the setting of:
• using atmos to generate vars and backend for each Terraform workspace
• with Atlantis configuration (per repo config) I appreciate any help you can provide.
• with Atlantis configuration (per repo config)
Note, we now have GitHub Actions support with general feature convergence with Atlantis. If you’re starting from scratch, I recommend this approach.
Thank you for the update! This is the document, right?
Yes, however, I think we haven’t yet written the integration guide.
@Dan Miller (Cloud Posse) can link you to what we have
The documentation that I’ve written is still in PR review. I’ll link here once it’s published. Should be the EOD today
Thank you for the update!
Links from today’s office hours:
https://github.com/common-fate/common-fate https://github.com/aws/containers-roadmap/issues/876#issuecomment-1546760257 https://github.com/shihanng/tfvar https://twitter.com/stefanprodan/status/1676216365819088899 https://twitter.com/stefanprodan/status/1676216365819088899 https://symops.com/ https://aws.amazon.com/blogs/security/temporary-elevated-access-management-with-iam-identity-center/ https://docs.datadoghq.com/logs/guide/forwarder/?tab=terraform https://github.com/fluxcd/flux2/releases/tag/v2.0.0
2023-07-07
2023-07-11
Curious to see what folks are thinking about Datadog Workflow Automation and how they might use it. . Will you add automation to your monitoring?
Reminds me of PagerDuty’s acquisition of Rundeck to add automation to incident management. And yet, I don’t know of anyone that’s actually used PD+RD not saying no one’s applied it, I just don’t know anyone that has. Interested in hearing folks experience with this one as well.
https://www.datadoghq.com/blog/automate-end-to-end-processes-with-datadog-workflows/
interesting product, seems it can be used for disaster recovery
2023-07-12
@here office hours is starting in 30 minutes! Remember to post your questions here.
4
2
3
3
2
3
https://github.com/GlueOps/terraform-module-provider-versions https://github.com/GlueOps/terraform-registry-proxy cc: @BATeller @Erik Osterman (Cloud Posse)
Thank you!
Anytime. Docs are a bit light but if you need any help with either let me know. Happy to jump on a call and walk you through it.
OH, almost forgot. There is something called network mirror that you may want to read up on. It requires modifying your .terraformrc but in theory you could point your terraform applies to use some folder path for all the providers. the .terraformrc is something that the terraform cli will pick up. I believe for TFC it requires self-hosted agents and with spacelift i believe it’s supported.
We never looked at it because we didn’t want to self-hosted agents
will this work in a version controled modules structure ?
for example if I add this to my vpc module that is tagged 1.2.3 and I want to update the providers versions when I will apply the infra for VPC 1.2.3 that will automatically take the latest versions for all the providers, right ?
Yes, I believe it should work in those situations. I’ve personally been using it at the same level as my modules so that if something were to go wrong I could branch the repo (https://github.com/GlueOps/terraform-module-provider-versions) and point back to alternative versions quickly.
so the provider versions module is always used in the other module with the latest version
if i would want to version this module as well, my problem of creating multiple pr’s for each sub module repo will be back to square 1
Yeah, so in my situation we assume that we can move all of our stack together to the latest versions (https://github.com/GlueOps/terraform-module-provider-versions). If one part of our stack has an issue we rollback and keep everything on the older version until we can resolve that issue. One situation where we have had to rollback is with the tfe provider for terraform cloud: https://github.com/GlueOps/terraform-module-provider-versions/blob/main/versions.tf#L43 rather than try and fix the issue we are looking to migrate off to spacelift or another solution.
Also, when we do our updates, we go through all the usages of our modules and ensure a plan works cleanly. We also do a plan before the updates to ensure there is no pending drift/changes.
got it
thanks
so no way for you to create a new env with older providers
Something that bothered me recently, I guess I’ll ask in case there is time: Has anyone found a linter that will enforce deprecation warnings on outputs? That is, if you make a module that consumes deprecated outputs of another tfstate, the linter warns or even fails the module.
I haven’t. Typically at the workspace level (and also at the module level) we output maps, lists, or variables. So its purposefully structured and narrowed scope. Because of this I don’t think there’d be a way to even know if the related resource or attribute is depreciated, at least from the perspective of the workspace calling the remote state (or the calling module).
However, you may be able to write a custom rule with tflint to achieve this?
Links from today’s office hours:
https://github.com/kubernetes/kubernetes/pull/116429 https://www.awsdocsgpt.com/ https://fly.io/blog/litefs-cloud/ https://factoryfactoryfactory.net/ https://www.hashicorp.com/blog/terraform-apply-as-code-the-multispace-pattern https://tacosprice.com/ https://github.com/diggerhq/tacoscalculator https://www.datadoghq.com/blog/automate-end-to-end-processes-with-datadog-workflows/ https://kubevirt.io/2023/KubeVirt-v1-has-landed.html https://seths.blog/2005/03/dont_shave_that/ https://github.com/charmbracelet/mods https://cruft.github.io/cruft/ https://warpforge.io/ https://earthly.dev/ https://masterpoint.io/updates/passing-on-crossplane/ https://medium.com/gitlab-magazine/multi-cloud-maturity-model-2de185c01dd7
2023-07-19
@here office hours is starting in 30 minutes! Remember to post your questions here.
https://github.com/hashicorp/terraform/releases/tag/v1.6.0-alpha20230719 just got released an hour ago. Terraform will be moving terraform test out of experimental
Links from today’s office hours:
https://news.apache.org/foundation/entry/save-open-source-the-impending-tragedy-of-the-cyber-resilience-act https://blog.qualys.com/vulnerabilities-threat-research/2023/07/19/cve-2023-38408-remote-code-execution-in-opensshs-forwarded-ssh-agent https://www.bleepingcomputer.com/news/security/google-cloud-build-bug-lets-hackers-launch-supply-chain-attacks/amp/ https://techcrunch.com/2023/07/17/microsoft-lost-keys-government-hacked/ https://github.blog/changelog/2023-07-13-github-actions-oidc-integration-with-aws-no-longer-requires-pinning-of-intermediate-tls-certificates https://github.blog/changelog/2023-07-13-github-actions-oidc-integration-with-aws-no-longer-requires-pinning-of-intermediate-tls-certificates https://www.bleepingcomputer.com/news/security/github-goes-passwordless-announces-passkeys-beta-preview/ https://twitter.com/iamvlaaaaaaad/status/1681036216685191168 https://aws.amazon.com/about-aws/whats-new/2023/07/aws-codebuild-github-actions/ https://docs.aws.amazon.com/codebuild/latest/userguide/action-runner.html https://statusgator.com/ https://endoflife.date/amazon-eks https://www.youtube.com/watch?v=AbSehcT19u0 https://steampipe.io/
Steampipe is like the old saw or az interactive, but using sql commands
2023-07-20
2023-07-23
2023-07-24
Question for office hours:
How do you folks handle dependencies between repos? For example,
I update Repo A and cut a release/tag. Repo B needs to be updated with the tag from Repo A and then a release gets cut for Repo B. Repo C needs to be updated with the tag from repo B.
Also, there are situations where Repo B will have a release not dependent on Repo A and there are situations where Repo C will not have a release dependent on Repo A or B.
Are there any solutions for this? or do folks usually handroll their own automation to make this easier?
I try to avoid chained dependencies like that as best as possible. Otherwise using solutions like dependabot, renovate, which can watch private repos for new releases and create a PR for apps that consume them.
Perfect question for today’s special guest.
2023-07-26
@here office hours is starting in 30 minutes! Remember to post your questions here.
we ran out of time, but was going to ask if anyone has used github.com/nikita-skobov/monorepo-git-tools (mgt)
Links from today’s office hours:
https://github.com/SpotOnInc/renovate-config https://tinyurl.com/cp-renovate https://github.com/SpotOnInc/renovate-config/ https://www.youtube.com/watch?v=l28pukLJvss&list=PLIsz9zLIWsDI71mpnceqPivLAX4kiWEOE https://grem1.in/post/terraform-lockfiles-maxymvlasov/ https://github.com/antonbabenko/pre-commit-terraform https://docs.renovatebot.com https://github.com/renovatebot/.github/blob/main/default.json https://github.com/kelseyhightower/nocode https://medium.com/forto-tech-blog/automated-versioning-of-terraform-modules-with-github-actions-semver-style-800f91ed5037