23 messages
Discussion related to Amazon Web Services (AWS)
Archive: https://archive.sweetops.com/aws/
jonjitsu, almost 4 years ago
Years ago when I was using ECS on EC2 I used the ASG TERMINATING lifecycle hook to set up a "graceful" termination operation which would drain the EC2 container instance of containers before terminating it. Is this still required with ECS on EC2 in 2022? Or is there more integration between ECS and ASG now?
managedkaos, almost 4 years ago
TLDR:
How do you achieve static IPs for a Root Domain hosted behind CloudFront without using Route53 Aliases?
Details:
I am working with a client that started with a website running on a single EC2 instance. An Elastic IP (EIP) was associated with the instance. The IP was used to create A records in a third-party DNS for routing the root and the “www” endpoints to the instance.
root.com, www.root.com → 3rd-party DNS (A) → EIP → EC2
After much refactoring, the site is now running behind CloudFront and an ALB. The CloudFront endpoint is published as a CNAME for the “www” endpoint and works great. The root, however, is still using the old EIP as an A record because you can’t use CNAMEs with the root.
www.root.com → 3rd-party DNS (CNAME) → CloudFront → ALB
root.com → 3rd-party DNS (A) → EIP → EC2 (Redir to www with NGINX)
Of course, the “easiest” (!) way to get the root domain pointed at CloudFront is to create an ALIAS record in Route53. Ha! I say “easiest” because moving the zone from the third-party DNS hosting into Route53 would take far too much effort for this one little redirect. For example, retraining people to use AWS instead of the DNS tool they have been using for years, among many, many other potential snares and time sinks.
So I’ve looked at a couple of solutions.
The current one works but I don’t want to have to run/manage an NGINX server for redirects. It’s also not highly available; if the server goes offline then redirects will fail. So use an ALB, right?
Since the IPs for ALBs change, but NLBs can have an EIP assigned to them, I tried assigning an EIP to a Network Load Balancer backed by an ALB that listens on ports 80 and 443. The listeners have a rule that redirects the request to “www”. I should add, content doesn’t need to be served from the root domain; it should all come from “www”.
root.com → 3rd-party DNS (A) → EIP -> NLB -> ALB -> Redirect to WWW
This works for the most part but I feel like an NLB and an ALB for redirecting a request is overkill. I figure there has to be a better, cheaper solution. (This one is about $30/month not including traffic, which should be pretty minimal.)
So I looked at AWS Global Accelerator. This provides static IPs that can be pointed at a few different AWS resources; ALBs are there but sadly not CloudFront (AFAICT).
root.com → 3rd-party DNS (A) → Global Accelerator -> ALB (live site!)
In my early exploration of this, it’s only working for HTTP requests… not for HTTPS requests. So if someone enters “https://root.com”, the redirect won’t ever happen. Bummer! This one is about $18/month not including traffic.
So before I settle on the EIP->NLB->ALB approach, I ask the question: How do you achieve static IPs for a Root Domain hosted behind CloudFront without using Route53 Aliases?
idan levi, almost 4 years ago
Hi all!
I'm trying to create self-managed node groups on EKS using the Terraform eks module and terragrunt. I want to add tolerations, taints and labels to each node group, so I tried to use
bootstrap_extra_args = "--node-labels=node.kubernetes.io/lifecycle=spot,node/role=os-client"
and
bootstrap_extra_args = <<-EOT
[settings.kubernetes.node-labels]
ingress = "allowed"
EOT
but none of them create the node group with the labels/taint.
Does someone know what is the right way to do it?
Thanks!!
Nikolai Momot, almost 4 years ago
Having a strange issue with AWS SSM where I am unable to copy-paste into their RDP client - CTRL-V, CTRL-SHIFT-V, and right-clicking don't seem to work.
Has anyone encountered this issue before?
For reference, I'm using PopOS 21.10 and the instance is running Windows Server 2022
PePe Amengual, almost 4 years ago
Has anyone seen this before:
CannotPullContainerError: ref pull has been retried 5 time(s): failed to copy: httpReadSeeker: failed open: failed to do request: Get https://prod-us-east-1-starport-layer-bucket.s3.us-east-1.amazonaws.com/
Isaac, almost 4 years ago
How do you authenticate your CI/CD if you have MFA enforcement for all access, including the CLI?
Tim Birkett, almost 4 years ago
Hi 👋 - Is anyone making use of MQ triggers for Lambda in a private VPC?
Santiago Campuzano, almost 4 years ago
Hello everyone! We've been facing an issue with some latency-sensitive services that we deployed to EKS and are being exposed using Nginx Ingress Controller. The issue is related to the Conntrack table (used by iptables) filling up, after which it starts dropping packets. The solution to this problem is simply increasing the Kernel parameter net.ipv4.netfilter.ip_conntrack_max to a higher value, piece of cake. As we are using the EKS/AWS maintained AMI for the worker nodes, this value comes predefined with a relatively small value (our services/apps handle several thousands of reqs per sec). We've been exploring different ways of properly setting this value, and the most preferred way would be modifying the kube-proxy-config Config Map, which contains Conntrack specific config:
conntrack:
  maxPerCore: 32768
  min: 131072
  tcpCloseWaitTimeout: 1h0m0s
  tcpEstablishedTimeout: 24h0m0s
The problem is that kube-proxy is being managed as an EKS add-on, so, if we modify this config, by, let's say, Terraform, it will be overridden by the EKS add-on. But we don't want to self-manage Kube Proxy, as that would slow down our fully automatic EKS upgrades that we handle with Terraform.
Any ideas or suggestions?
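Added illustration (not part of the thread, and not from any participant): this Python mirrors the rule kube-proxy applies to the conntrack values in the message above. At startup kube-proxy writes net.netfilter.nf_conntrack_max = max(maxPerCore × node CPUs, min), and leaves the kernel value alone when maxPerCore is 0, so the effective limit depends on the instance size as well as the ConfigMap. The ConfigMap text is a constructed copy of the block quoted above; the CPU counts and the target value are assumptions.

```python
from typing import Dict, Optional

# Constructed copy of the conntrack block from the kube-proxy-config ConfigMap above.
CONNTRACK_BLOCK = """\
conntrack:
  maxPerCore: 32768
  min: 131072
  tcpCloseWaitTimeout: 1h0m0s
  tcpEstablishedTimeout: 24h0m0s
"""


def parse_conntrack_block(text: str) -> Dict[str, str]:
    """Minimal parser for the flat 'key: value' lines under 'conntrack:'.
    (Kept dependency-free; a real ConfigMap would be read with a YAML library.)"""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped == "conntrack:":
            continue
        key, _, value = stripped.partition(":")
        values[key.strip()] = value.strip()
    return values


def effective_conntrack_max(max_per_core: int, minimum: int, cpus: int) -> Optional[int]:
    """kube-proxy's rule: max(maxPerCore * cpus, min) when maxPerCore > 0,
    otherwise None (kube-proxy does not touch nf_conntrack_max at all)."""
    if max_per_core <= 0:
        return None
    return max(max_per_core * cpus, minimum)


def plan_for_node(cfg: Dict[str, str], cpus: int, wanted: int) -> Dict[str, object]:
    """Report what kube-proxy will set on a node with `cpus` vCPUs and whether
    that reaches the limit the operators want (`wanted` is an assumed target)."""
    limit = effective_conntrack_max(int(cfg["maxPerCore"]), int(cfg["min"]), cpus)
    return {"cpus": cpus, "kube_proxy_sets": limit,
            "meets_target": limit is not None and limit >= wanted}


if __name__ == "__main__":
    cfg = parse_conntrack_block(CONNTRACK_BLOCK)
    for cpus in (2, 4, 16):  # assumed instance sizes
        print(plan_for_node(cfg, cpus, wanted=524288))
```

With the quoted values, nodes with up to 4 vCPUs end up at the 131072 floor and only larger instances get more, which is worth checking before blaming the AMI default alone.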
Balazs Varga, almost 4 years ago
For SES servers: if I use the API to send email, can I get the servers' IP addresses? Or is it just this: https://docs.aws.amazon.com/general/latest/gr/ses.html ?
Jacob Davis-Hansson, almost 4 years ago
Hey! I have a question about the MWAA module. When I set it up with an S3 bucket, it seems it gets upset that the bucket doesn't have a requirements.txt file in it. It seems like a chicken-and-egg problem though, since the bucket is created alongside the MWAA module, so it's naturally empty at first..
error updating MWAA Environment (dev-jake): ValidationException: Unable to access version <blah> of dev-jake-dags/airflow/dags/requirements.txt
Is there a way to either have the S3 module create an empty requirements.txt file when it creates the bucket, or have the MWAA module accept that the bucket is empty to start with?
Lei Mao, almost 4 years ago
Hi folks, for aws dynamic subnet, I set public_subnets_enabled to false, but the module still creates a public subnet anyway. Here the count should have some conditional judgment I guess, like count = var.public_subnets_enabled ? local.subnet_az_count : 0 ?
Bart Coddens, almost 4 years ago
I want to know how many EBS snapshots I have over my full organization; can you query this somehow?
Bart Coddens, over 3 years ago
I am querying aws config and I get this json output:
Bart Coddens, over 3 years ago
[
"{\"COUNT(resourceId)\":7}"
]
Bart Coddens, over 3 years ago
I am looking for a query to just list the number
Bart Coddens, over 3 years ago
Any ideas?
Isaac, over 3 years ago
Anyone else try the AWS Single Sign-On for a delegated member account announced yet? I just tried it and I’m wondering if the bug I’m experiencing is only on my end. I can’t open the permission sets page as a user with AdministratorAccess in the delegated member account.
aimbotd, over 3 years ago
Hey friends. I've launched my cluster with https://github.com/cloudposse/terraform-aws-eks-cluster . It's running great. However, I'm trying to integrate the IAM roles for service accounts for a given deployment, to remove the dependency on the instance profiles. However, it seems to not be working. It looks like everything is done correctly in the link below but I'm not sure. The article mentions something like the Amazon EKS Pod Identity Webhook, but I'm not seeing anything here that might indicate that it's installed.
https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html
Has anyone set up SA roles in a new cluster with the CP modules? Did it work following their doc above? If not, what was required to get it working?
Erik Weber, over 3 years ago
We're testing out AWS AFT (Account factory for Terraform), is anyone else using it?
Steve Wade (swade1987), over 3 years ago
Does anyone know of a way (using a Lambda in account Y) to watch the CloudTrail event stream in other accounts to process them?
Dan Herrington, over 3 years ago
Hey all, was wondering if anyone had some good criteria for why you would create an event bus and not just use the default? Is it just for logically partitioning rules and events for easier identification?
As we deploy our CI/CD pipeline I'm leaning towards creating an event bus for EC2 state changes, but would be interested in how others are using event buses? Thanks.
Isaac, over 3 years ago
When using AWS Organizations, is it possible to delegate AWS Cost Management and Billing such that I can view the consolidated billing in a member account rather than in the management account?
Shivanshu, over 3 years ago
Does anyone have a good tutorial on how to add people to EKS clusters? https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html
This hasn't been very helpful for me. Currently I just add users manually to the configmap, but it's really not something I want to be doing long term.