57 messages
Discussion related to Amazon Web Services (AWS)
Archive: https://archive.sweetops.com/aws/
Shankar Kumar Chaudhary over 5 years ago
Has anyone successfully updated EKS from 1.14 using Terraform/Terragrunt, using terraform-root-modules?
kalyan M over 5 years ago
How can we restrict AWS IAM users from generating their own access keys or secret keys by themselves?
Erik Osterman (Cloud Posse) over 5 years ago
uselessuseofcat over 5 years ago
Hi! Is there any way to increase security groups per network interface other than through Service Quotas? The maximum number is 16; is there any way to have it set to, let's say, 30 or 50? Should I contact AWS Support? Thanks!
btai over 5 years ago (edited)
I have a CloudWatch alarm for read IOPS where I want to set the alarm threshold at a certain number (e.g. 5000), but every night at 2am we run some sync jobs that are read-intensive and spike higher than that number for a short period of time (e.g. 7000). Is there a way to configure the alarm threshold to be higher for that short period of time?
Andreas P over 5 years ago
Hey all, is there a way to create multiple databases in an RDS instance as part of Terraform provisioning?
Matt Gowie over 5 years ago
Anyone know any tooling to keep AWS Config files (+ Kube config files as well) up-to-date across an org? I’m considering writing a script around a gomplate template for this but before I do I figured I should check that this isn’t already a thing.
RB over 5 years ago
Requesting upvotes https://github.com/aws/containers-roadmap/issues/256 (for ecs automatic asg draining)
Mr.Devops over 5 years ago
Can anyone tell me if it's possible to decrease an FSx once it has been increased?
kalyan M over 5 years ago
Is there any software that can restrict users to just viewing the code, instead of modifying or downloading it? Even copy/paste?
RB over 5 years ago
If you can view the code, couldn't you also copy and paste it?
Issif over 5 years ago
screenshot and paste the image 🧌
Alex Jurkiewicz over 5 years ago
The most suitable software is a contract making them pay you lots of money if they copy the code, I think.
Ryan Smith over 5 years ago
Does anyone have any experience around Aurora Failures in Prod?
(We're going through planning on migrating to Aurora, but just curious of pitfalls to be aware of.. like.. "too many writes will knock Aurora over" or something based on past experience, instead of hypothetical: 'it should be great!')
Stephen Bennett over 5 years ago
Hi, for the cloudposse/elasticache-redis/aws module there is no mention of tags. Anyone able to tell me how to?
RB over 5 years ago
So what kind of problems are you folks trying to or have successfully solved recently?
Maarten van der Hoef over 5 years ago
Has anyone played with https://github.com/aws-samples/aws-secure-environment-accelerator/ before ? It's massive.
uselessuseofcat over 5 years ago
Hi, one noob question: what about ALB outbound traffic? When a client makes a request on port 443, for example, to some application, the request will go through the ALB to that EC2 instance and then the response will go through the ALB again (on high-numbered unprivileged ports), so I was wondering, if I restrict egress traffic on my EC2 instances' SG, should I also do the same for the ALB? Is there a reason to restrict egress traffic on the ALB? Thanks!
EvanG over 5 years ago
Does anyone here use a framework for testing CIS Benchmark foundations in AWS? I've seen things like: https://github.com/mberger/aws-cis-security-benchmark#description, but I'm wondering if they're worth the risk.
Francesco Ciocchetti over 5 years ago
Hi everyone. I just started experimenting with IRSA on EKS and it is working great.
I just have one question about the projected volume with the JWT token from AWS:
volumes:
- name: aws-iam-token
  projected:
    defaultMode: 420
    sources:
    - serviceAccountToken:
        audience: sts.amazonaws.com
        expirationSeconds: 86400
        path: token
What happens when the expirationSeconds expire? I know from the k8s documentation (so the one where the audience is not external) that it will renew at 80%... is it the same in this case?
Maarten van der Hoef over 5 years ago
Shreyank Sharma over 5 years ago
I'm trying a cluster migration in AWS; both k8s clusters are in the same region.
Cluster 1: Deployed 2 applications with PV reclaim policy, one as Delete and another as Retain, and annotated so it will take a Restic backup.
Cluster 2: Restored those 2 applications, worked fine.
Again:
Cluster 1: Deployed the same 2 applications with reclaim policy as Delete and Retain but not annotated, so it took a snapshot when I backed up.
Cluster 2: Restore did not work as the PV volume failed to attach with the following:
Warning FailedAttachVolume pod/<pod-name> AttachVolume.Attach failed for volume "pvc-<id>" : Error attaching EBS volume "vol-<id>" to instance "i-<instance-id>": "UnauthorizedOperation: You are not authorized to perform this operation.
So, will the snapshot restore feature work in the same AWS region, or am I the only one getting this error?
Jason F over 5 years ago
Planning out a future website structure and wondering if I can have a single CloudFront distro
with two S3 bucket origins
cloudfront distro: sample.cloudfront.net
CNAME/Alias that points foo.com to sample.cloudfront.net
S3 bucketA contains:
foo.com
foo.com/foo/*
foo.com/bar/*
S3 bucketB contains:
foo.com/bat/*
foo.com/biz/*
seems like I cannot do this at the cloudfront origin level even with using a custom behavior and a pattern match
can I:
put redirects in bucket A to redirect foo.com/bat/* and foo.com/biz* to bucket B ?
if I do that ^ should I put another cloudfront distro in front of bucket B (bucketB.cloudfront.net) and point the redirects at that ?
so that:
foo.com/*-> alias for sample.cloudfront.net -> bucketA
foo.com/foo/* -> alias for sample.cloudfront.net -> bucketA
foo.com/bar/* -> alias for sample.cloudfront.net -> bucketA
foo.com/bat/* -> alias for sample.cloudfront.net -> bucketA -> bucketA redirect to bucketB.cloudfront.net -> bucketB
foo.com/biz/* -> alias for sample.cloudfront.net -> bucketA -> bucketA redirect to bucketB.cloudfront.net -> bucketB
any other options ?
some top level router thing that points paths to cloudfront distros ?
PePe Amengual over 5 years ago
I don't know if CloudFront supports multiple origins, but I have done this with CloudFront and an nginx proxy and many buckets with different routes.
Jason F over 5 years ago
So I have a distribution working with 2x origins, but having trouble getting the /bat/, /biz/* routes to flow to bucketB in the example above ^
Jason F over 5 years ago
404 Not Found
Code: NoSuchKey
Message: The specified key does not exist.
Key: bat/index.html
Jason F over 5 years ago
So all content needs to be in the /bat/ directory on the target origin ^
Alex Jurkiewicz over 5 years ago
yep
Tomek over 5 years ago
hey all, was going to cross post here as it sounds like this is a better channel for these types of questions https://sweetops.slack.com/archives/CB6GHNLG0/p1605655766298600
Darren Cunningham over 5 years ago (edited)
I'm annoyed by the AWS Support feedback experience. I selected Good rather than Excellent and I got an email from the support engineer's reporting manager asking why I gave the engineer a "low" grade. I can't stop thinking about how awful that is, and now every time I go to fill out the AWS Support feedback form a little part of me dies. I felt that it was necessary to try and do something about it. http://chng.it/gmtG8xqF
uselessuseofcat about 5 years ago
Has anyone restricted outgoing traffic from EC2 instances via security groups with success? I've enabled a lot of VPC endpoints, but I still see a lot of outbound traffic towards AWS subnets for which I cannot identify the service they belong to.
curious deviant about 5 years ago (edited)
Hello
My company has a domain purchased, say mydomain.com, with GoDaddy, and it is today mapped to servers running on prem. We are migrating to AWS and have our Route 53 DNS and public hosted zone set up as ourcoolcloud.com (say). We want to set up the DNS routing such that when our clients hit mydomain.com it actually gets proxied to ourcoolcloud.com. We do not want ourcoolcloud.com to appear in the client browser, and we may drop mydomain.com at some point and purchase a cooler name. We do not want to keep changing our AWS HZs. Is there some DNS voodoo we can do to make this routing happen from mydomain.com -> ourcoolcloud.com without the client seeing this in the browser?
Alex Jurkiewicz about 5 years ago
https://github.com/awsdocs/aws-cloudformation-user-guide/pull/438
A >1 year old trivial doc change finally getting attention, but they require YOU to rebase it. Contributing to AWS docs in a nutshell.
Riak about 5 years ago
Hello all,
How are you today?
I'm looking for a CloudFormation stack to deploy the Traefik reverse proxy on ECS.
uselessuseofcat about 5 years ago
Hi, I have a domain, for example test.com and I want to delegate delegate.test.com to another AWS account. I was able to do that but I can only create A records for a.delegate.test.com and b.delegate.test.com for example but I need to create A record for delegate.test.com. Can I do that from the account to which I delegated the zone to? Thanks!
Stephen Bennett about 5 years ago
Using https://github.com/cloudposse/terraform-aws-efs, is it possible to turn off the creation of a security group and pass one to it instead?
Shreyank Sharma about 5 years ago
Hi all,
We have an application in Lambda; is there any way we can back it up for disaster recovery?
Or how does Amazon do this for us?
Thank you.
uselessuseofcat about 5 years ago
Help, is there any way to list all services that I'm using on my AWS account?
RB about 5 years ago
my attempt at lifecycle hook niche awesome list https://github.com/nitrocode/awesome-aws-lifecycle-hooks
PePe Amengual about 5 years ago
and this is why I tell people DO NOT DEPLOY in us-east-1
voidSurfr about 5 years ago (edited)
Hey guys, just dipping my toe in with https://registry.terraform.io/modules/cloudposse/tfstate-backend/aws/latest
and I can't get it to create the bucket, lol
Initializing the backend...
Successfully configured the backend "s3"!
...
Error: Failed to get existing workspaces: S3 bucket does not exist. <--
The referenced S3 bucket must have been previously created. If the S3 bucket <-- uhhh, what?
was created within the last minute, please wait for a minute or two and try
again.
Error: NoSuchBucket: The specified bucket does not exist
status code: 404, request id: 08C447AD410DF430, host id: a6btOtHixZYbFcNJ8E+gpLoFP9vw4MIvFfibWxHrtQwB+tf2HSDJ9bbMvmGRBDt9BmqW/XoZUzY=
voidSurfr about 5 years ago
Can someone help me to understand this?
Joan Porta about 5 years ago
Hi guys! QQ: we are in AWS, and we are looking for some global cron scheduler to run tasks. I know Rundeck, but something more SaaS? Something so that dev teams do not depend on IT operations to create things in Terraform like Lambdas triggered by cloud events, or ECS tasks that run based on events... Need something easy and fast for devs. Thx!!!!!
Vlad Ionescu (he/him) about 5 years ago
AWS Kinesis incident details: https://aws.amazon.com/message/11201/
RB about 5 years ago
Is there a simple explanation of minimum security group configuration for an internal load balancer, target groups, and ec2 instances ? I'm a bit confused
RB about 5 years ago
Anyone know if a) ASG instance refresh or b) manual termination invokes the lifecycle hooks?
Steve Wade (swade1987) about 5 years ago
is anyone able to help me understand VPC peering, I have created a terraform module and applied it but am struggling to understand one thing ....
I want to peer the private subnets from account X with the database subnets from account Y
Where do I need to enable dns resolution to allow the instances in the private subnet to use internal hosted zones in account Y ?
bazbremner about 5 years ago (edited)
Anyone using ACM private CA (PCA) with root CA and subordinate CAs in separate accounts (as recommended by the best practice section of the PCA docs)? I'm bashing my head against the wall trying to work out how to have the root CA sign the subordinate's certificate and import the certificate to get it into an active state.
bazbremner about 5 years ago
If I try a RAM share of the subordinate into the root CA's account (which uses the RAM-managed permissions), trying to sign the subordinate from the root account fails with
1 validation error detected: Value at 'csr' failed to satisfy constraint: Member must satisfy regular expression pattern: -----BEGIN CERTIFICATE REQUEST-----...
which makes me suspect that the root CA/account can't read the CSR for the subordinate, but of course I can't change the permissions since RAM manages them. I can't see what the alternative workflow would look like; I don't see anything in the docs.
bazbremner about 5 years ago
Oh and yes, trying to view the CSR of the subordinate as shared by RAM in the root CA account just beachballs, which is another hint on the permissions side of things.
bazbremner about 5 years ago
Going the other way, and sharing the root CA into the account with the subordinate, doesn't work with the "Import CA" -> "ACM private CA" flow in the console, as the root isn't presented as an option.
...And Terraform doesn't support most of the PCA operations.
Rob Williams about 5 years ago
Hey folks,
What's the recommended way to partition environments and related infra?
I want to keep the prod env as isolated as possible, but still want to ensure pace of development. We are a relatively new startup, ~6 eng, so I am just setting things and process up.
Vlad Ionescu (he/him) about 5 years ago
re:Invent gets extended: https://twitter.com/txase/status/1333559564998828032