24 messages
Discussion related to Amazon Web Services (AWS)
Archive: https://archive.sweetops.com/aws/
Balazs Varga, almost 3 years ago
hello all,
In Aurora Serverless, I see my CPUCreditBalance dropped to 0 after a recovery triggered by AWS.
Is it counted the same as for EC2 T instances? https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/unlimited-mode-examples.html
Paula, almost 3 years ago (edited)
Hi! I'm using this module https://registry.terraform.io/modules/cloudposse/ecs-alb-service-task/aws/0.68.0 in version 0.66.2. I'm trying to update to the latest version because every time I change an environment variable I have to delete the service and recreate it, because it doesn't take the latest task definition (generated by CodePipeline) to create the new one. I tried using redeploy_on_apply but I couldn't find any configuration which correctly takes the latest. My configuration looks like this:
module "ecs_alb_service_task" {
  source  = "cloudposse/ecs-alb-service-task/aws"
  version = "0.66.2"

  namespace  = var.cluster_name
  stage      = module.global_settings.environment
  name       = local.project_name
  attributes = []

  container_definition_json = module.container_definition.sensitive_json_map_encoded_list

  # Load Balancer
  alb_security_group = var.security_group_id
  ecs_load_balancers = local.ecs_load_balancer_internal_config

  # Capacity Provider Strategy
  capacity_provider_strategies = var.capacity_provider_strategies
  desired_count                = 1
  ignore_changes_desired_count = true
  launch_type                  = module.global_settings.default_ecs_launch_type

  # VPC
  vpc_id             = var.vpc_id
  subnet_ids         = var.subnet_ids
  assign_public_ip   = module.global_settings.default_assign_public_ip
  network_mode       = "awsvpc"
  ecs_cluster_arn    = var.cluster_arn
  security_group_ids = [var.security_group_id]

  ignore_changes_task_definition     = true
  force_new_deployment               = true
  health_check_grace_period_seconds  = 200
  deployment_minimum_healthy_percent = module.global_settings.default_deployment_minimum_healthy_percent
  deployment_maximum_percent         = module.global_settings.default_deployment_maximum_percent
  deployment_controller_type         = module.global_settings.default_deployment_controller_type

  task_memory                = local.task_memory
  task_cpu                   = local.task_cpu
  ordered_placement_strategy = local.ordered_placement_strategy

  label_order    = local.label_order
  labels_as_tags = local.labels_as_tags
  propagate_tags = local.propagate_tags
  tags           = merge(var.tags, local.tags)

  # ECS Service
  task_exec_role_arn = [module.task_excecution_role.task_excecution_role_arn]
  task_role_arn      = [module.task_excecution_role.task_excecution_role_arn]

  depends_on = [
    module.alb_ingress
  ]
}
any suggestions?
Bart Coddens, almost 3 years ago
I have a customer that has a huge Oracle database: 120 TB. The limit on RDS is 64 TB. Any suggestions?
Balazs Varga, almost 3 years ago
Is Aurora Serverless v1 HA compatible?
Curtis, almost 3 years ago
Hi there, I wrote a blog post that y'all may be interested in. It discusses how to manage cross-account AWS IAM permissions for different teams with an open-source Python tool called IAMbic. Would love feedback!
https://www.noq.dev/blog/aws-permission-bouncers-letting-loose-in-dev-keeping-it-tight-in-prod
Alex Atkinson, almost 3 years ago
For AWS Identity Center, is there a way to see which accounts a group has access to via the CLI? There's no way in the console afaict.
Matt Gowie, almost 3 years ago
Does anyone know of any tools that will scan a set of AWS accounts for best practices? Any that are recommended? My company has a list of 40+ best practices that we've identified and I'm looking for solutions to quickly check these best practices against a set of accounts or AWS organization.
venkata, almost 3 years ago
Just an FYI - if you plan to upgrade to the latest EBS addon for EKS (1.18.0.build1) you may want to wait: https://github.com/kubernetes-sigs/aws-ebs-csi-driver/issues/1591
We use kube-stack-prometheus and have a CPUThrottling alarm going off from our upgrade.
Balazs Varga, almost 3 years ago
We have clusters using spot instances and we use cluster autoscaler. Sometimes we see 504s. I found a few issues on the autoscaler GitHub page. How could I avoid 504s when the autoscaler scales down instances?
Vicente, almost 3 years ago
Hi all! Do MemoryDB for Redis patch updates cause any downtime?
Aadhesh, almost 3 years ago
Hey everyone. Curious to know if anyone is using Turbonomic as your cloud financial/cost management tool, and how is your experience when compared to CloudHealth or Cloudability?
Aadhesh, almost 3 years ago
Turbonomic says it has automated execution actions for rightsizing instances. But how does it manage (or sync) the state files if the instances are managed through Terraform?
Renesh reddy, almost 3 years ago
Hi all
Is there a way to add files (2 files) to ECS Fargate containers?
(We are using GitHub as the source code repository; we are not able to add them in GitHub due to security reasons.)
Matt Gowie, almost 3 years ago
Does anyone have strong opinions on how to do AWS Lambda while also managing the infrastructure via Terraform? There are a bunch of options out there, but I've never personally seen an implementation that I liked. My team and I are working on how to do this better and are evaluating Serverless framework (CloudFormation 😢), AWS SAM (has TF support, but doesn't look great), and classic "build our own".
Would love to hear someone who has implemented a solution that doesn't feel disjointed and has strong opinions from real experience!
Junior, almost 3 years ago
Hi All, I was wondering if anyone had experience with setting up Control Tower on an existing AWS account that's part of AWS Organizations. I want to separate our current environments into their own accounts and implement Terraform moving forward. I want to make sure I don't affect our current environment during this process. Any advice would be awesome. Thanks!
managedkaos, almost 3 years ago (edited)
The Control Tower question got me thinking about another thing I’ve been wondering about for some time:
For SMBs, how do you manage the root account credentials for a multi-account organization?
That is, given a single AWS account that will be used to spawn off sub accounts, how do you govern access to the root email address and the 2FA keys associated with the account?
I’m specifically looking at this from the perspective of a small business or sole proprietorship that needs to keep things secure but also ensure business continuity.
Brent G, almost 3 years ago
Anybody know how to purge-with-fire unattended-upgrades in cloud-init? Because that satan of a package is blocking cloud-init itself from installing packages. I tried throwing a systemctl stop/mask into a cloud-boothook section, but that just threw errors.
managedkaos, almost 3 years ago
Using cookup.ai to generate IAM policies…
Input: give permission to read from the ecr repo named container123456, and permission to start and stop ec2 instances in the us-east-1 region.
Result:
Here is the AWS IAM Policy that corresponds to the plaintext description you provided:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "ecr:DescribeImages",
        "ecr:BatchGetImage"
      ],
      "Resource": [
        "arn:aws:ecr:us-east-1:123456789012:repository/container123456"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"
    }
  ]
}
good response but I had to format the code myself… 🤷♂️🏾
Anup Dubey, almost 3 years ago
Hi All,
I wanted to initiate a discussion regarding our Kubernetes platform and how we handle services running on Kubernetes with 100% spot instances. Specifically, I would like to address a scenario where a service is running on Kubernetes with two pods in a production environment, each deployed on different spot nodes. In this situation, if one of the nodes experiences a spot interruption, resulting in the pod being rescheduled to another node, and that second node also gets interrupted at the same time, the other pod also reschedules onto another node in an initializing state, and we will encounter an outage as both pods end up in an "initialize" state.
Is anyone aware of how to take care of this when running 100% on spot???
Mark Lakewood, over 2 years ago (edited)
Hi all. I'm just starting to use the cloudposse module for EKS clusters. Really liking it so far. Currently I have a Bitbucket pipeline that uses OIDC to assume a role in AWS to run the Terraform. That role has the administrator policy. I've enabled the aws-auth configmap and put that role inside the config map, and attached it to the "cluster-admin" group, which I assume has full powers to update anything cluster wide. So my Terraform looks like this
map_additional_iam_roles = [
  {
    rolearn  = "arn:aws:iam::***:role/workers"
    username = "system:node:{{EC2PrivateDNSName}}"
    groups   = ["system:bootstrappers", "system:nodes"]
  },
  {
    rolearn  = data.aws_iam_role.AdminRole.arn
    username = "admin-user"
    groups   = ["cluster-admin"]
  },
  {
    rolearn  = aws_iam_role.infrastructure-management.arn
    username = "pipeline"
    groups   = ["cluster-admin"]
  }
]
Mark Lakewood, over 2 years ago
This works well when I use data.aws_iam_role.AdminRole.arn to log in from my command line. These are temporary creds generated through AWS SSO. However, when I use aws_iam_role.infrastructure-management.arn it fails
Mark Lakewood, over 2 years ago
Planning failed. Terraform encountered an error while generating this plan.
╷
│ Error: configmaps "aws-auth" is forbidden: User "pipeline" cannot get resource "configmaps" in API group "" in the namespace "kube-system"
│
│ with module.workload_1.kubernetes_config_map.aws_auth[0],
│ on .terraform/modules/workload_1/auth.tf line 138, in resource "kubernetes_config_map" "aws_auth":
│ 138: resource "kubernetes_config_map" "aws_auth" {
│
╵
Mark Lakewood, over 2 years ago
Ahh, I think I worked it out. I need to use "system:masters" as the group, because cluster-admin is a clusterrolebinding but not a group. The issue is I don't know how I work out what groups there actually are?
Vicente, over 2 years ago
Hi! I am having issues enrolling an AWS Account under Control Tower. I am receiving an error saying:
AWS Control Tower cannot enroll the account. There's an error in the provisioned product in AWS Service Catalog: ProvisionedProduct with Name: null and Id: *********** doesn't exist
Is there any way to reconcile Control Tower and Service Catalog to create a new product when trying to enroll the account?