#refarch (2023-11)
Cloud Posse Reference Architecture
2023-11-06
Michael Dizon:
I've used the dns-delegated component to launch a hosted zone in one of my workload accounts (prod), but I'm not sure how to create DNS records in the subdomain (service.prod.example.net). Am I supposed to deploy dns-primary in the prod account in addition to the dns account?
Dan Miller (Cloud Posse):
We typically will have another component or service add records to the hosted zone once created. So for example, say that you've created prod.example.net with dns-delegated and you might have external-dns deployed. Then if you add an annotation to the "service" app in your cluster, external-dns will add/update the DNS record in the hosted zone for you.
Dan Miller (Cloud Posse):
more on external-dns: https://docs.cloudposse.com/components/library/aws/eks/external-dns/
This component creates a Helm deployment for external-dns on a Kubernetes cluster. external-dns is a Kubernetes addon that configures public DNS servers with information about exposed Kubernetes services to make them discoverable.
2023-11-08
2023-11-21
johncblandii:
@Dan Miller (Cloud Posse) your PR… https://github.com/cloudposse/terraform-aws-components/pull/904/files#diff-3cdcf3533e53e86fc193966f5d8208159900d1f4283640730436ba958d400c66L5-L6
…breaks the module due to… https://github.com/cloudposse/terraform-aws-components/blob/main/modules/spacelift/worker-pool/iam.tf#L28
johncblandii:
╷
│ Error: Reference to undeclared local value
│
│ on iam.tf line 28, in locals:
│ 28: role_arn_template = module.account_map.outputs.iam_role_arn_templates[local.identity_account_name]
│
│ A local value with the name "identity_account_name" has not been declared.
Dan Miller (Cloud Posse):
oh man yes it does. thanks for pointing that out. Will fix right now
johncblandii:
np…our workers are down so started investigating
Dan Miller (Cloud Posse):
what
• Added back local definition for local.identity_account_name for the spacelift/worker-pool component
why
• This value is used in the iam.tf policy
• Only local.identity_account_id should have been removed, not local.identity_account_name
references
• https://sweetops.slack.com/archives/C04NBF4JYJV/p1700604335106819
johncblandii:
@Dan Miller (Cloud Posse) semi-related: https://github.com/cloudposse/terraform-aws-components/blob/main/modules/spacelift/worker-pool/templates/user-data.sh#L6.
This is now breaking workers (see log):
$(aws --region ${ecr_region} ecr get-login --registry-ids ${ecr_account_id} --no-include-email)
johncblandii:
Note these args are invalid as well:
--registry-ids ${ecr_account_id} --no-include-email
$(aws --region ${ecr_region} ecr get-login --registry-ids ${ecr_account_id} --no-include-email)
johncblandii:
cloud-init[1842]: Unknown options: --registry-ids,123456789,--no-include-email
Dan Miller (Cloud Posse):
I noticed a similar issue and I just pinned a specific AMI until we have a chance to fix this
spacelift_ami_id: ami-05aae360ff018f5a0
Dan Miller (Cloud Posse):
haven't looked into it too much, but I suspect Spacelift changed what's installed on their image
johncblandii:
yeah, must’ve upgraded their AWS CLI
johncblandii:
just using what is in our Makefile for non-geodesic commands.
$(aws --region ${ecr_region} ecr get-login-password | docker login --username AWS --password-stdin ${ecr_account_id})
…will report back how well it works
johncblandii:
ahh…forgot it needs the full domain:
$(aws --region ${ecr_region} ecr get-login-password | docker login --username AWS --password-stdin ${ecr_account_id}.dkr.ecr.us-east-1.amazonaws.com)
johncblandii:
back at it, but switched it up and this needs a credential helper so i’ll prob just punt on it and lock the AMI
johncblandii:
the above AMI wasn’t found. ended up just using this one: ami-05e8730417b8c3199
Dan Miller (Cloud Posse):
Ah yeah it’s likely regional
Hans D:
and yes, the very much outdated aws cli command used currently is the reason. @Dan Miller (Cloud Posse) you can peek in our repo to see how we fixed it currently
2023-11-22
Hans D:
When using the latest ami for the spacelift worker pool, things might get broken (see ^^^). Response from spacelift:
[…] you have a very good point about this being an unannounced breaking change. We'll prepare an announcement today, and we'll try to think about introducing semver into this process. Sorry for the inconvenience.