#refarch (2024-05)

Cloud Posse Reference Architecture

2024-05-05

Marat Bakeev avatar
Marat Bakeev

Hey everyone, in the reference architecture - is there some idea of an internal account for internal tools, like a kubernetes cluster with centralized grafana, for example? Which account would it be? corp? auto? or something else?

Dan Miller (Cloud Posse) avatar
Dan Miller (Cloud Posse)

yes absolutely, we have several internal accounts that we refer to as “core” accounts. We deploy both auto and corp accounts but nowadays typically only deploy auto unless someone has a specific use case for corp. We primarily use the EKS cluster in auto for GitHub self-hosted runners, but that’d be a great place to deploy grafana as well. Although at the moment we’re using AWS managed grafana

1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Yes, it comes down to cost. How many “tools” type accounts make sense and how much infra you want to run in there.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

So, we’ve gradually consolidated more and more “tools” type functionality into an account we generally call “auto”. Historically, we also deployed an corp account with an EKS cluster, for “corporate facing” apps, but do so less these days.

1

2024-05-06

2024-05-07

Nat Williams avatar
Nat Williams

I’ve noticed something when reading the docs/readmes for cloudposse terraform modules - the list of inputs can get really busy with all the contextual inputs that it becomes hard to find the the actual module-specific inputs. Has anyone ever talked about reorganizing the readmes to separate the inputs that are part of the context into a separate table?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Yes,

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We want to redo the template for terraform-docs

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

so that we a) move context parameters to a separate section b) avoid tables

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

With the reliance more and more on complex objects, tables just don’t cut it

Nat Williams avatar
Nat Williams

yeah, it would be nice to be able to stretch the window big and actually see everything

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Yea, agreed. Good feedback.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We’re working a lot on improving docs, and such, but I cannot say yet when that work will be scheduled. We have an internal task already for it.

Nat Williams avatar
Nat Williams

cool. thanks

2024-05-15

Taimur Gibson avatar
Taimur Gibson

Is there a way to set an ALB idle_timeout when deployed through the ecs module? I found this in the alb module but I don’t see how to configure that same setting for an ecs defined ALB https://github.com/cloudposse/terraform-aws-components/tree/main/modules/alb#input_idle_timeout

Ben Smith (Cloud Posse) avatar
Ben Smith (Cloud Posse)

Our ECS component, which creates the cluster and the loadbalancers for the cluster includes a module for the alb. It looks like it’s missing the idle_timeout var as a pass through from the module declaration but that wouldn’t be hard to change

Ben Smith (Cloud Posse) avatar
Ben Smith (Cloud Posse)

if you are using our components, i’d suggest vendoring down the ECS Component, and making that change locally (we’d love a PR too ).

Taimur Gibson avatar
Taimur Gibson

ok thanks! I’ll check it out

Taimur Gibson avatar
Taimur Gibson

I got this working. How can I open a PR for your repo?

2024-05-16

2024-05-17

Alex avatar

Hi,

trying to deploy privileged stack for AWS-Config, under superadmin role, got error:

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: error configuring S3 Backend: IAM Role (arn:aws:iam::xxx:role/xx-core-gbl-root-tfstate-ro) cannot be assumed.
│ 
│ There are a number of possible causes of this - the most common are:
│   * The credentials used in order to assume the role are invalid
│   * The credentials do not have appropriate permission to assume the role
│   * The role ARN is not valid
│ 
│ Error: NoCredentialProviders: no valid providers in chain. Deprecated.
│       For verbose messaging see aws.Config.CredentialsChainVerboseErrors
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@Dan Miller (Cloud Posse) @Ben Smith (Cloud Posse)

Dan Miller (Cloud Posse) avatar
Dan Miller (Cloud Posse)

It’s hard to determine from this message alone, but I might guess that your session for your superadmin user expired. Can you double check?

aws sts get-caller-identity

2024-05-20

Taimur Gibson avatar
Taimur Gibson

Hi, I’d like to use the

custom_bastion_hostname:
vanity_domain:

outlined in the readme for the bastion component, but it doesn’t appear that those are valid inputs/variables when I go to deploy it. Am I missing something?

https://github.com/cloudposse/terraform-aws-components/tree/main/modules/bastion

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@Jeremy White (Cloud Posse)

Taimur Gibson avatar
Taimur Gibson

hi any updates on this?

Taimur Gibson avatar
Taimur Gibson

Another question I had on this - what’s the recommend way for injecting public keys into the Bastion host for users to access via SSH? Right now, we have to do it manually each time a new Bastion instance is created

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We’ve more or less stopped using keys, when we can and instead use AWS Systems Manager Session Manager. That way you don’t need to expose the bastion publicly and just use IAM

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

There’s no one way to use a bastion - what’s your use-case?

Jeremy White (Cloud Posse) avatar
Jeremy White (Cloud Posse)

So, the easiest way I could think to restore this is to leverage a lambda.

Jeremy White (Cloud Posse) avatar
Jeremy White (Cloud Posse)

Here’s an example that uses a tag on the EC2 instance to determine what the FQDN will be:

Jeremy White (Cloud Posse) avatar
Jeremy White (Cloud Posse)
Jeremy White (Cloud Posse) avatar
Jeremy White (Cloud Posse)

to be clear, that example uses cloudformation, so you would need to translate the small IAM policy here into the policy var for our component here

lambda | The Cloud Posse Developer Hub

This component is responsible for provisioning Lambda functions.

Jeremy White (Cloud Posse) avatar
Jeremy White (Cloud Posse)

Also the cloudformation leverages Event Bridge for running the lambda when an ec2 is running.

Unfortunately, the cloudwatch_event_rules variable on our lambda is detached. That said, you can quickly edit the lambda component to attach the rule using this terraform example , and instead of using the schedule parameter for the rule, set a event_pattern similar to the cloudformation template.

Use terraform to set up a lambda function triggered by a scheduled event source

I would like to run an AWS lambda function every five minutes. In the AWS Management Console this is easy to set up, under the lambda function’s “Event Sources” tab, but how do I set it up with Ter…

Jeremy White (Cloud Posse) avatar
Jeremy White (Cloud Posse)

quick summary:

• create a lambda component

• copy in the sample lambda code (python)

• add three terraform resources for event, event target, and event permissions

• add policy json to permit the lambda to discover ec2 public ips, tags, and update route53

Taimur Gibson avatar
Taimur Gibson

Thanks, this is helpful! I will look into this

Taimur Gibson avatar
Taimur Gibson

Our use case for this is SSH tunnels. Users (and some services) need to SSH tunnel through the Bastion Host in order to access some RDS databases

Taimur Gibson avatar
Taimur Gibson

I think you can SSH tunnel with an SSM session, but that won’t work for all of the situations we need to use it for

Taimur Gibson avatar
Taimur Gibson

If we do utilize the SSM route more, won’t we also have to keep updating the instance ID in our documentation every time a new bastion is created?

Taimur Gibson avatar
Taimur Gibson

It probably won’t happen very often I suppose

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Is the bastion the right approach? Why not use our Client VPN module instead?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

So much simpler.

Taimur Gibson avatar
Taimur Gibson

We are using that as well

Taimur Gibson avatar
Taimur Gibson

VPN -> Bastion -> RDS

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Why not VPN -> RDS? What is the value-add of the bastion?

Taimur Gibson avatar
Taimur Gibson

additional layer of security, single point of entry that we can quickly and easily take down in the event of a compromise

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

ClientVPN - single point of entry that you can quickly and easily take down in the event of a compromise

Taimur Gibson avatar
Taimur Gibson

I suppose so, this was a security decision that I was not part of though, so I’m working with what we have

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Also, have you considered solutions like Tailscale? Very inexpensive, more tailored to this use-case.

Taimur Gibson avatar
Taimur Gibson

I’ll look into that as well

Taimur Gibson avatar
Taimur Gibson

I was also wondering if it’s possible to put an ALB in front of the Bastion host

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

For enterprises, they usually use Zscaler or StrongDM for this.

Taimur Gibson avatar
Taimur Gibson

and then have a DNS hostname attached to the ALB, use that to distribute traffic to the Bastion

2024-05-21

2024-05-28

2024-05-29

Marat Bakeev avatar
Marat Bakeev

Not sure if refarch or #kubernetes question… https://docs.cloudposse.com/components/library/aws/eks/cluster/ example says that running addons on fargate is not recommended, and a managed node group is preferred. What’s wrong with fargate?

cluster | The Cloud Posse Developer Hub

This component is responsible for provisioning an end-to-end EKS Cluster, including managed node groups and Fargate

1
Dan Miller (Cloud Posse) avatar
Dan Miller (Cloud Posse)

if you deploy karpenter to fargate and use karpenter to provision all other nodes, then those nodes will never be available before the cluster component is deployed. if the nodes arent available when creating the cluster, then we arent able to ensure the addons are fully functional during the cluster deployment.

this came up for us when we wanted to enable a CoreDNS addon but werent provisioning a node group initially. We needed to create a managed node group with the basic addons we needed first, and then allow karpenter to scale up additional nodes from there

cluster | The Cloud Posse Developer Hub

This component is responsible for provisioning an end-to-end EKS Cluster, including managed node groups and Fargate

Marat Bakeev avatar
Marat Bakeev

I think AWS recommends running coreDNS on fargate too. Need to check, thank you!

2024-05-30

    keyboard_arrow_up