28 messages
Discussion related to Amazon Web Services (AWS)
Archive: https://archive.sweetops.com/aws/
Johan about 4 years ago
Is updating a security group with lambda really the only way to protect endpoints behind Cloudfront from other traffic?
Jeremy (UnderGrid Network Services) about 4 years ago
Okay so multi-account AWS question for CI setup... I have SSO setup and access via federated credentials myself both through console and CLIv2 fine. Trying to figure how best to accomplish the same for CI/CD process as move it from single account to multi. Do I just do it outside of SSO and setup IAM or can it be made to work within SSO federation
Almondovar about 4 years ago
Hi colleagues, we have a gitlab pipeline running and it already checks terraform init if it fails and then pipeline stops running. I want to build upon this and set up a terraform drift check, where the pipeline will fail if it detects something else than the usual no changes detected. Any ideas that can point me to the proper direction please?
DevOpsGuy about 4 years ago (edited)
I have mysql database A (Outside the AWS, db server is On-premises) on windows On-premises. How can I take a snapshot and create an ec2 in AWS. Please help.
Ramon de la Cruz Ariza about 4 years ago
Hi all, we are using the module --> github.com/cloudposse/terraform-aws-vpc-peering-multi-account.git?ref=0.17.1
Right now, when we try to create the peering between 2 cross accounts and running the module i see:
data.aws_vpc.accepter[0]: Refreshing state...
data.aws_region.accepter[0]: Refreshing state...
data.aws_caller_identity.accepter[0]: Refreshing state...
data.aws_region.requester[0]: Refreshing state...
data.aws_vpc.requester[0]: Refreshing state...
data.aws_caller_identity.requester[0]: Refreshing state...
data.aws_subnet_ids.accepter[0]: Refreshing state...
data.aws_subnet_ids.requester[0]: Refreshing state...
data.aws_route_table.requester[7]: Refreshing state...
data.aws_route_table.requester[5]: Refreshing state...
data.aws_route_table.requester[1]: Refreshing state...
data.aws_route_table.requester[2]: Refreshing state...
data.aws_route_table.requester[4]: Refreshing state...
data.aws_route_table.requester[0]: Refreshing state...
data.aws_route_table.requester[3]: Refreshing state...
data.aws_route_table.requester[6]: Refreshing state...
data.aws_route_table.accepter[11]: Refreshing state...
data.aws_route_table.accepter[19]: Refreshing state...
data.aws_route_table.accepter[25]: Refreshing state...
data.aws_route_table.accepter[5]: Refreshing state...
data.aws_route_table.accepter[24]: Refreshing state...
data.aws_route_table.accepter[18]: Refreshing state...
data.aws_route_table.accepter[4]: Refreshing state...
data.aws_route_table.accepter[9]: Refreshing state...
data.aws_route_table.accepter[8]: Refreshing state...
data.aws_route_table.accepter[6]: Refreshing state...
data.aws_route_table.accepter[14]: Refreshing state...
data.aws_route_table.accepter[27]: Refreshing state...
data.aws_route_table.accepter[20]: Refreshing state...
data.aws_route_table.accepter[15]: Refreshing state...
data.aws_route_table.accepter[16]: Refreshing state...
data.aws_route_table.accepter[13]: Refreshing state...
data.aws_route_table.accepter[10]: Refreshing state...
data.aws_route_table.accepter[26]: Refreshing state...
data.aws_route_table.accepter[17]: Refreshing state...
data.aws_route_table.accepter[23]: Refreshing state...
data.aws_route_table.accepter[3]: Refreshing state...
data.aws_route_table.accepter[2]: Refreshing state...
data.aws_route_table.accepter[12]: Refreshing state...
data.aws_route_table.accepter[22]: Refreshing state...
data.aws_route_table.accepter[21]: Refreshing state...
data.aws_route_table.accepter[1]: Refreshing state...
data.aws_route_table.accepter[0]: Refreshing state...
data.aws_route_table.accepter[28]: Refreshing state...
data.aws_route_table.accepter[7]: Refreshing state...
but then i receive the error:
Error: query returned no results. Please change your search criteria and try again
on accepter.tf line 67, in data "aws_route_table" "accepter":
67: data "aws_route_table" "accepter" {
Releasing state lock. This may take a few moments...
[terragrunt] 2022/01/13 13:56:46 Hit multiple errors:
exit status 1
Ramon de la Cruz Ariza about 4 years ago
Could someone from Cloud Posse help?
Mr.Devops about 4 years ago
has anyone run into this error in EKS
Cannot enforce AppArmor: AppArmor is not enabled on the host
we’re using aws linux 2 ami. I’ve read that appArmor (by default) is supported in ubuntu and not RHEL distribution. This is causing pods to fail with status blocked
bradym about 4 years ago
We're sending events to a firehose delivery stream using the aws javascript sdk. Recently we started getting this error:
Error [UnknownError]: Not Found
code: 'UnknownError',
statusCode: 404,
time: 2022-01-14T23:05:38.457Z,
requestId: 'UUID_HERE',
retryable: false,
retryDelay: 73.07054542342854
Anyone have tips on how to troubleshoot this? Is there some way to get more info using the uuid in the requestId field?
Mohammed Yahya about 4 years ago
Does anyone know how to contact the AWS SSO Team? There is a long-awaited feature about creating users and groups in Identity store, using API or CLI or CDK, I would love to forward this concern to them
Lot of people are waiting for this
Michael about 4 years ago
Hi there 👋 Has anyone here experience with Site-to-Site VPN?
One of my clients set up the VPN with BGP (dynamic routing). The Management Console reports both tunnels as "IPSEC IS UP" but the tunnels' statuses remain "DOWN". When I initiate traffic from inside the VPC to an on-premise server, the connection times out. We assume that something is wrong with the dynamic routing at the AWS end but can't figure out what needs to be adjusted. Any suggestions are welcome 🙂
Dave Hill about 4 years ago
Sorry to bother you guys. Has anyone seen this before. My AWS Global Accelerator disabled itself, and now i cannot re-enable it, or create a new one. I have a single accelerator, but when i attempt to make a new one to try to replace it, i now get an error saying I'm maxing out my accelerator licensing (which should be 20 by default) https://imgur.com/lidRFkt
Dave Hill about 4 years ago
In fact deleting the one that existed....still has the license issue even after i try to create a new one lol https://i.imgur.com/5mfyHrv.png
Nick Kocharhook about 4 years ago (edited)
I’m getting a 404 while trying to use the ecs-codepipeline module. The PAT I have set in GITHUB_TOKEN has repo, admin:repo_hook, and admin:org_hook permissions. But I’m still getting this error when applying in Terraform Cloud:
Error: POST https://api.github.com/repos/my-org/my-repo/hooks: 404 Not Found []
with module.project_module.module.ecs_codepipeline.module.github_webhooks.github_repository_webhook.default[0]
on .terraform/modules/project_module.ecs_codepipeline.github_webhooks/main.tf line 7, in resource "github_repository_webhook" "default":
resource "github_repository_webhook" "default" {
And indeed, when I check that URL with curl in Terminal, it’s 404. I found this bug in the github_repository_webhook provider module repo, but none of the suggestions solved my issue. One other person in October seems to have reported the same problem in here, but unfortunately there were no replies. 😞 Would love some other ideas, because I’m out of them…
DaniC (he/him) about 4 years ago
not sure which channel is appropriate to ask so will do here:
anyone is using cdkk8s in prod? if so what was the driver factor for adopting it instead of s'thing more "common" used for a while in K8s community?
Nikolai Momot about 4 years ago
Has anyone encountered an issue with AWS Orgs where Consolidated Billing does not activate properly?
When I log into the child accounts, either with root or SSO, and click on a service I get redirected to a page saying "Your service sign-up is almost complete".
Mind you the management account has already existed for years and has payment methods assigned.
Robert about 4 years ago
Hello, can someone point me to the best documentation for installing the AWS ALB Loadbalancer for EKS via CloudPosse? I have successfully installed my EKS cluster with https://github.com/cloudposse/terraform-aws-eks-cluster/blob/master/examples/complete/main.tf, but I'm finding the ALB/ingress piece somewhat confusing as far as locating the correct modules to load. I am finding this: https://github.com/cloudposse/terraform-aws-alb-ingress, but my question is, is this the actual "AWS Load Balancer Controller" that is referenced here https://docs.aws.amazon.com/eks/latest/userguide/aws-load-balancer-controller.html? According to that AWS doc, I did kubectl get deployment -n kube-system aws-load-balancer-controller after my cloudposse eks cluster was up, and the load-balancer controller was not installed. I am assuming I need to incorporate this into my Terraform https://github.com/cloudposse/terraform-aws-alb-ingress? Thanks in advance!
RB about 4 years ago
@Robert see thread
Dan Garland about 4 years ago
Hi everyone, some of the CloudPosse crew might remember me from our time at Checkatrade... hope all's well!
I'm currently involved in a project that is seeking to migrate some of its infrastructure onto the AWS China region and wondered whether anyone had any experience with that or knew any good resources to look for gotchas....
One decision we're looking to make is whether it is realistic to have one Terraform for both global/Chinese AWS, or whether they are too divergent.... any thoughts appreciated!
Mike Crowe about 4 years ago (edited)
Hey folks, we have 2 users making infrastructure changes (shared state remote in gitlab in this case). Both of us are Federated user: AWSReservedSSO_AWSAdministratorAccess level (for this subaccount). I'm trying to rebuild a VPC, and I'm seeing: eni-xxx - API error: "You do not have permission to access the specified resource." -- If this was created by TF by one user, why wouldn't another admin user be able to remove it? Am I missing something?
Dương Quang Thọ about 4 years ago
Hi everyone, I have problem to import "pyodbc" into Lambda function. I published lambda layer from this link: https://github.com/alexanderluiscampino/lambda-layers. Then attach this lambda layer to my lambda function. When I try to list the "opt" directory when lambda function running, I see the lambda layer is unzipped (attach screenshot) but I got the error when I import pyodbc:
[ERROR] Runtime.ImportModuleError: Unable to import moodule 'app': No module name 'pyodbc'
Does anyone have exp about this case?
Nick Kocharhook about 4 years ago
I’m trying to transition an EC2 setup to CloudPosse so I can use it with ecs-codepipeline. I’m attempting to mostly follow the ecs-web-app example, but I can’t make sense of the ecs_alb_service_task.ecs_load_balancers attribute. Specifically, the container_name and container_port elements of the object you need to pass.
What is the container associated with a load balancer? I have an alb already created, and I see listeners, security groups, a VPC… but nothing about a container. The containers (ultimately 3 of them) which I’m associating with the load balancer are wrapped several layers deep inside the alb-service-task, so it’s not clear to me what is being requested here. And will the port be 80/443? The documentation pointed to about this load_balancer object doesn’t help at all:
Name of the container to associate with the load balancer (as it appears in a container definition).
😕 Anybody able to shed some light on this?
Zach about 4 years ago
ooo Firehose can now deliver directly to Honeycomb
Nick Kocharhook about 4 years ago (edited)
When I create an ssh key-pair with generate_ssh_key=true, how do I save the key so I can use it later? I’m using Terraform Cloud.
Nick Kocharhook about 4 years ago
I’m looking at aws-named-subnets and trying to figure out how it works. It takes a CIDR subnet specifier, and then an array of subnet names. What IPs or CIDR blocks will it put in which subnets? If it’s passed a CIDR block of say 192.168.0.0/24 (254 available addresses) and 3 subnet names, what will be the IP ranges (or CIDR subnets) of the 3 generated subnets? Will it just partition the given CIDR block as evenly as possible? Does it follow the calculation laid out in aws-dynamic-subnets?
azec about 4 years ago
Does anyone know if this would be a good module to use for S3 events notifications pushed to SNS topic and further routed to subscribed SQS queues: https://github.com/cloudposse/terraform-aws-sns-topic/tree/0.18.0#input_allowed_aws_services_for_sns_published
Or is there a better fit from the pool of Cloudposse TF modules?
azec about 4 years ago
We are also using https://github.com/cloudposse/terraform-aws-s3-bucket/tree/0.43.0 for S3 buckets …
azec about 4 years ago
Ok, I see, it seems like none of the modules handles creation of the glue resource https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_notification