#refarch (2023-05)
Cloud Posse Reference Architecture
2023-05-05
is there an eta on when this PR is going to be merged? https://github.com/cloudposse/terraform-aws-s3-bucket/pull/176
what
• aws_s3_bucket_ownership_controls is set first, followed by bucket ACL.
why
• Starting April 2023, AWS has changed default ObjectOwnership = Bucket Owner Preferred. So to add an ACL, aws_s3_bucket_ownership_controls must be set to ObjectWriter (or) BucketOwnerPreferred first.
In this PR, aws_s3_bucket_acl depends_on the aws_s3_bucket_ownership_controls resource block.
aws_s3_bucket_ownership_controls default set to BucketOwnerEnforced
references
• Ref: https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/
We are planning to address the s3 issues next week. It may be a new PR, but we must address multiple modules
We had an internal review today to discuss the options
This is now fixed in https://github.com/cloudposse/terraform-aws-s3-bucket/pull/178
what
• Make compatible with new S3 defaults by setting S3 Object Ownership before setting ACL and disabling ACL if Ownership is “BucketOwnerEnforced”
• Add optional permissions boundary input for IAM user created by this module
• Create aws_s3_bucket_accelerate_configuration and aws_s3_bucket_versioning resources even when the feature is disabled, to enable drift detection
why
• S3 buckets with ACLs were failing to be provisioned because the ACL was set before the bucket ownership was changed
• Requested feature
• See #171
references
• Closes #174
• Supersedes and closes #175
• Supersedes and closes #176
2023-05-23
hello, is there any place I can find hints on how to set up AWS infra from scratch? I’m talking about from the VERY basic empty setup... like creating the remote state, IAM, etc. Thanks
I guess I’m probably thinking of
:::info Part of cold start so it has to initially be run with SuperAdmin Follow the guide here to get started. :::
taken from https://github.com/cloudposse/terraform-aws-components/tree/main/modules/tfstate-backend
but here
sends to https://github.com/cloudposse/terraform-aws-components/blob/main/reference-archite[…]w-to-guides/implementation/enterprise/implement-aws-cold-start/
which is a broken link
Hi @Lele, the documentation for these components is intended to be viewed from our docs.cloudposse.com website, but either way, we should fix these links to work from either source.
for example here: https://docs.cloudposse.com/components/library/aws/tfstate-backend/
This component is responsible for provisioning an S3 Bucket and DynamoDB table that follow security best practices for usage as a Terraform backend. It also creates IAM roles for access to the Terraform backend.
However, the Cold Start implementation is within our “Reference Architecture” for the time being. We have discussed creating a free-to-view, base implementation of this architecture, but that doesn’t exist at the moment
makes sense, I guess it’s just confusing that some links point to a (seemingly) broken link, when in fact it’s just a paid feature. Which totally makes sense, it just needs to be clearer from the context that that’s the case, IMO.