SweetOps Newsletter – Issue #3


Job Board

We've launched our jobs site to keep track of new opportunities posted by companies in our community. Have a job you want to post? Ping @erik on slack.

Check it out here: 👉https://sweetops.com/jobs/

“Office Hours” Pod Cast

We've launched a podcast, which is a syndicated version of our weekly “Office Hours”. Tune in on the train or in the car!

Subscribe here: 👉https://podcast.cloudposse.com

Slack Archive Search

You can now search

Slack Archive Search

We've added search functionality to our slack archives with Algolia. Now you can easily find solutions to common bugs or problems encountered by our community.

Kubernetes News

A lot of interesting links were shared related to the Kubernetes ecosystem. Here are some that stood out!

A Practical Guide to Setting Kubernetes Requests and Limits

Setting Kubernetes requests and limits effectively has a major impact on application performance, the stability of applications and the cluster, as well as cost. And yet working with many teams over the past year has shown us that determining the right values for these parameters is hard or worse yet teams don't even set them! Kubecost created this short guide to help teams more accurately set Kubernetes requests and limits for their applications.

Excellent Resource to Learn Kubernetes
Excellent Resource to Learn Kuberneteslearnk8s.io

If you want to learn more about Kubernetes, this is a phenomenal resource for learning the basics. For example, here's how to increase kubectl productivity when looking up resources, customizing the columns in the output format, switching between clusters and namespaces with ease, using auto-generated aliases, and extending kubectl with plugins!

CNCF Cloud Native Interactive Landscape
CNCF Cloud Native Interactive Landscapelandscape.cncf.io

There's an overwhelming number of cloud native technologies and open source tools. How do they all fit in? Here's a site that let's you filter and sort by GitHub stars, funding, commits, contributors, hq location, and tweets.

Terraform News

We've been hard at work upgrading all of our Terraform Modules to support Terraform 0.12 (HCL2). As part of this, we've added automated tests using a combination of bats and terratest. We publish all of our hundreds of Terraform modules in the official HashiCorp registry.

terraform-aws-eks-fargate-profile github.com

Terraform module to provision an EKS Fargate Profile to spin up a node group that run pods entirely on Fargate


Terraform module to provision a fully managed AWS EKS Node Group using terraform. Plus it works with all of our other EKS node pool modules so it's possible to run multiple different types of node pools in the same EKS cluster.


We've updated our Terraform modules for provisioning an EKS cluster to support Terraform 0.12. As part of this, we've added terratest to run automated infrastructure tests. Check it out here!

Want more news? Check out our Slack archives to learn what our community is all about.


SpotOn Senior DevOps Engineer
SpotOn Senior DevOps Engineersweetops.com

SpotOn is a cutting-edge software company dedicated to redefining the merchant services industry. SpotOn, is hiring in either Krakow, Poland or Mexico City, MX for a seasoned DevOps engineer. BTW, they use TONS of Cloud Posse Terraform modules and Codefresh! =)

SettleMint Experienced SRE
SettleMint Experienced SREsweetops.com

SettleMint makes blockchain technology deployment, development and integration practical for the enterprise. Settlement is looking for someone in Belgium for a full on helm, kubernetes, helmfile gig (fulltime) in the Blockchain space.

What is a DevOps Accelerator?

Curious about what well built infrastructure looks like? Check out what we do at Cloud Posse.

Find out if we can help you by taking our quiz.

Free Weekly “Office Hours” with Cloud Posse

You are invited to our weekly Zoom meetings every Wednesday at 11:30 am PST (GMT-8). Join us to talk shop! This is an informal gathering where you get to ask questions and watch demos.

Register here: 👉https://cloudposse.com/office-hours/

After registering, you will receive a confirmation email containing information about joining the meeting.

SweetOps Newsletter – Issue #2


This past week we crossed 1,600 members! That's means we've grown by over 60% since July. We now span 57 timezones with over 600 DAU. An enormous amount of insightful information has been shared during this time. Thank you everyone for your contributions and generous support! Please keep them coming.

If you haven't yet signed up for our Slack team, join us!

Kubernetes News

Easily Import Secrets to Kubernetes
Easily Import Secrets to Kubernetesgithub.com

Easily populate Kubernetes secrets from 1Password (and others). This operator fetches secrets from cloud services and injects them in Kubernetes. ContainerSolutions/externalsecret-operator

Kubernetes Development Environments
Kubernetes Development Environmentsgarden.io

Garden looks interesting! It automates the repetitive parts of your workflow to make developing for Kubernetes and cloud faster & easier.

Ship Kubernetes Event Stream to Sentry!
Ship Kubernetes Event Stream to Sentry!github.com

Let's be honest. Errors and warnings in Kubernetes often go unnoticed by operators. Even when they are noticed, we might not realize with what frequency they occur and we lose the context of what else is going on in the cluster. With this tiny service deployed in your cluster, you'll get all errors and warnings loaded into Sentry where they will be cleanly presented and intelligently grouped. Plus, you can leverage all the typical Sentry features such as notifications and comments which can then be used to help operations and give developers additional visibility.

Terraform News

HashiCorp Forums are Live!
HashiCorp Forums are Live!discuss.hashicorp.com

HashiCorp has finally launched their public support forums using Discourse. This is awesome stuff! Get help from the community for all major products like Terraform, Vault and Consul.

Export ClickOps to Terraform
Export ClickOps to Terraformgithub.com
CLI tool to generate terraform files from existing infrastructure (reverse Terraform). Infrastructure to Code – GoogleCloudPlatform/terraformer

Cloud Posse ECS Terraform Modules
Cloud Posse ECS Terraform Modulesgithub.com

We've upgraded all of our ECS terraform modules to support Terraform 0.12 (HCL2). As part of this, we've implemented terratest to all the ECS modules so we can review your contributions quicker and provide greater stability!

Security News

Google Warns LastPass Users Were Exposed To ‘Last Password’ Credential Leak

Google Project Zero security researcher reveals that the LastPass password manager could, somewhat ironically, leak the last password you used to any website you visited. Ouch.

Sudo Flaw Lets Linux Users Run Commands As Root Even When They're Restricted
Sudo Flaw Lets Linux Users Run Commands As Root Even When They're Restrictedthehackernews.com

A vulnerability in Sudo, tracked as CVE-2019-14287, could allow Linux users to run commands as root user even when they're restricted. How can we still be finding bugs in sudo decades later?

If you’re not using SSH certificates you’re doing SSH wrong
If you’re not using SSH certificates you’re doing SSH wrongsmallstep.com

SSH has some pretty gnarly issues when it comes to usability, operability, and security. The good news is this is all easy to fix. SSH is ubiquitous. It’s the de-facto solution for remote administration of *nix systems. SSH certificate authentication makes SSH easier to use, easier to operate, and more secure.

(Pro tip: use teleport by Gravitational)

Kubernetes 'Billion Laughs' Vulnerability Is No Laughing Matter
Kubernetes ‘Billion Laughs' Vulnerability Is No Laughing Matterthenewstack.io
A new vulnerability has been discovered within the Kubernetes API. This flaw is centered around the parsing of YAML manifests by the Kubernetes API server. During this process the API server is open to potential Denial of Service (DoS) attacks. The issue (CVE-2019-11253 — which has yet to have any details fleshed out on the page) has been labeled a ‘Billion Laughs' attack because it targets the parsers to carry out the attack.

Want more? Check out our Slack archives to learn what our community is all about.


Are you looking for your next gig? Check out our #jobs channel in SweetOps for recent postings. Here are some recent ones that have been posted.

Brian Tai writes “AuditBoard is hiring a DevOps Engineer! AuditBoard is a fast-growing startup located in the Greater Los Angeles area. Our offices are located in El Segundo and Cerritos. Our SaaS product consists of a suite of solutions for internal auditors to improve and streamline their day-to-day work. (imagine a GitHub/Trello hybrid for auditors) We have signed and continue to sign many new customers including Walmart, Snap, Toyota, and many others in the Fortune 500. “

DevOps Engineer - AuditBoard
DevOps Engineer – AuditBoardsoxhub.recruitee.com
DevOps Engineer – AuditBoard

Amanda Heironimus posted, “PlayQ is looking for a Senior Cloud Services Engineer to join our team in Santa Monica, CA. As a foundational member of our DevOps team, you’d receive the perfect amount of support from our global team while enjoying plenty of room to grow and contribute to new and exciting projects.We empower our teams to produce meaningful and impactful work, so you’ll also have the unique opportunity to take the lead in shaping and informing our infrastructure, managing deployments, and ensuring that mission-critical systems are functioning effectively and consistently.”

Job Application for Senior Cloud Services Engineer at PlayQ
Job Application for Senior Cloud Services Engineer at PlayQboards.greenhouse.io

Free Weekly “Office Hours” with Cloud Posse

You are invited to our weekly “Lunch & Learn” meetings via Zoom every Wednesday at 11:30 am PST (GMT-8). Join us to talk shop! This is an informal gathering of 10-15 people, where you get to ask questions and watch demos.

Register here:


After registering, you will receive a confirmation email and invite containing information about joining the meeting.

November 2018 Edition of the SweetOps Newsletter

adminNewslettersLeave a Comment



Welcome to the November 2018 edition of the SweetOps newsletter.

We've got a lot to share with you this month as we've been exceptionally busy! Overall, our emphasis this month has been on growing the community around our open source adoption and investing heavily in Atlantis for terraform GitOps-style automation.



New Terraform Modules

  1. terraform-aws-iam-account-settings – Terraform module to provision general IAM account settings. It will create the IAM account alias for pretty login URLs and set the account password policy.
  2. terraform-aws-iam-user – Terraform Module to provision a basic IAM user suitable for humans. Supports automatic password encryption using Keybasepublic keys.
  3. terraform-null-smtp-mail – Terraform module to send transactional emails via an SMTP relay directly from within terraform. This is perfect for sending teams email notifications when infrastructure changes.


You can find all of the cloudposse terraform modules in the official terraform module registry.

Important Terraform Module Updates

  1. terraform-aws-rds-cluster – we've added support for Aurora Serverless as well as fixed some idempotency issues raised by the community.
  2. terraform-aws-cloudfront-s3-cdn – we've fixed support for regional S3 endpoints with the CloudFront CDN
  3. terraform-aws-elastic-beanstalk-environment – we've received a handful of PRs to extend the module capabilities with better support for autoscaling, nodejs, ELB security groups, and cloudwatch logs.
  4. terraform-aws-dynamodb – we've added support for local secondary indexes

Many thanks to @johncblandii, @br0nhy, @bober2000, @pabardina, @rverma-nikiai, @aknysh, @jamisonhyatt and the many others who took the time to open issues, submit pull requests and review code.


GitOps with Atlantis and Terraform


We recently held a meetup during #connectweek in Pasadena (CA) where we gave a live demo using Atlantis with Terraform to provision AWS user accounts using only Pull Requests. Atlantis is the secret for enabling teams to collaborate on Terraform. We have our own fork of atlantis that we're maintaining until the essential security features we introduced get upstreamed.


Slides from the presentation are available on our blog.


Interesting Links & Projects

Here are some interesting links that circulated this month in our slack team.

  1. Very cool Open Source SIEM security and compliance dashboard for surfacing events.
  2. Interesting workaround to achieve Tillerless Helm today by running tiller on localhost.
  3. HashiCorp, the company behind Terraform, has raised an additional $100M
  4. 10 Habits DevOps practitioners must break
  5. Monitoring dashboard for Kubernetes Jobs that makes it easy to see which are running and if their latest status was “succeeded” or “failed”.
  6. Two Objects not Namespaced by the Linux Kernel and therefore shared by linux containers.
  7. Malicious Life Podcast – The True stories behind the world of cybercrime

For more links, subscribe to our @cloudposse twitter feed.

Follow us on Twitter @cloudposse

New Alpine Package Repository


As part of Geodesic, our framework for provisioning and automating infrastructure, we needed a better way to distribute our toolchain (aws-vault,   chamber, kops, gomplate, etc) that was fast and reliable that made it easy to version pin tools for individual customers. Previously, we shipped all tools with the geodesic docker base image pinned to a specific release, but this was bad because it forced a customer to upgrade their entire toolchain when they just wanted one upgraded package.


The fix was to distribute all of our tools as versioned alpine packages. Our alpine repository is available at apk.cloudposse.com. More instructions for configuring this repository can be found in the github repository where we define all packages.




What does this mean if you use the make based package installer? Not much. We'll continue to support Makefile based package installations because we need a way to install these packages natively on OSX/Linux/Windows/etc that is not alpine specific. In the future, we might distribute the packages for Debian and RPM-based distros as well.


Terragrunt with Geodesic


Terragrunt is a popular tool for automating terraform deployments. It makes it easy to reuse modules, initialize terraform state, and orchestrate complex multi-stage terraform build-outs.


For a demo we recently did on using Atlantis with Terraform, we put together an example of using Terragrunt on Geodesic. Long and short of it is that it's easy, and there's not much to it. For an example, refer to our reference architectures. Here's an example of adding a user using terraform and terragrunt in combination with our terraform-root-modules.


Slack Community

Over the past month, we've seen a sharp uptick in the number of daily conversations especially in the #terraform, #release-engineering, and #kubernetes channels. We're grateful for everyone helping out to answer questions and sharing interesting articles. If you haven't already, sign up for the SweetOps slack team today.

Join Slack Community

Reviews & Testimonials

We've set up a place for our community members to leave us testimonials. If our modules or slack community have helped you, we would love to know. A few words from you would totally make our day and help us reach others.

Please leave us a testimonial, if you've found some of our open source repos helpful.


All the best,


Erik Osterman

CEO / Founder, Cloud Posse, LLC



How to use Terraform with Teams using Atlantis (#GitOps)

adminMeetupLeave a Comment

GitOps is where everything, including infrastructure, is maintained in Git and controlled via a combination of Pull Requests and CI/CD pipelines. Reduce the learning curve for new devs by providing a familiar, repeatable process. Use Code Reviews to catch bugs and increase operational competency. Provide transparency to the rest of the team with Pull Requests. This presentation had a live demo of using Atlantis with Terraform that showed how to easily add and remove users from AWS IAM safely & securely using simply GitHub Pull Requests.

Erik Osterman is the founder of Cloud Posse, a DevOps professional services company that specializes in cloud migrations and release engineering. Previously he was the Director of Cloud Architecture, for CBS Interactive where he led cloud strategy across the organization.


Effortless Blue/Green Deployments on Kubernetes with Helm

adminMeetupLeave a Comment

Last night was our first ever Pasadena “DevOps Mastermind” meetup.

First speaker up was Dan Garfield. He talked about how to achieve Blue/Green deployments. Blue/Green has been around for a long time but what are the “best practices” when using Kubernetes? How does it change when using Helm? Last night we learned from Dan the differences as he demonstrated how to pull it off effectively with repeatability using Codefresh. When using Helm, the picture changes slightly, keeping a history so rollbacks work properly is critical and requires structuring your Helm Chart accordingly. Check out the slides!

Dan Garfield is a Google Developer Expert, Chief Evangelist of Codefresh, and Kubernetes, Helm, Istio, and Docker meetup organizer. His talks have been featured at Kubecon, Swampup, DeveloperWeek, and many other places. He focuses on DevOps, and Deployment Strategies in a micro-service world.

Effortless Helm Chart Deployments (Video & Slides)

adminDevOps, Meetup, Release Engineering & CI/CDLeave a Comment

Learn how to deploy complex service-oriented architectures easily using Helmfiles. Forget umbrella charts and manual helm deployments. Helmfile is the missing piece of the puzzle. Helmfiles are the declarative way to deploy Helm charts in a 12-factor compatible way. They're great for deploying all your kubernetes services and even for Codefresh continuous delivery to Kubernetes. We'll show you exactly how we do it with a live demo, including public repos for all our helmfiles.