5 messages
Discussion related to Amazon Web Services (AWS)
Archive: https://archive.sweetops.com/aws/
Sean Nguyen, 2 months ago
Hey all, our org has recently grown quite a bit. We have new engineers who are making large contributions to our Terraform codebase (yay!).
That being said, I’ve been seeing some quite poor IAM policies for application IRSAs come through (copying policies from AWS docs w/ blanket Allows).
There are some cultural/review process issues which can help address this, but I was wondering if anyone had any useful resources for automatically catching quality issues with IAM policies defined via Terraform?
I’m thinking along the lines of Spacelift REGO policies or linters which we can run as PR checks?
Harry Skinner, 2 months ago
Just dropped a quick write-up on using Karpenter to achieve "scale-to-zero" for dev clusters.
We managed to eliminate 100% of idle compute costs (vs running fixed ASGs). It’s a huge win for Dev environments that sit empty at night. Subscribe for more.....
Link to the full case study if you're interested: https://www.linkedin.com/pulse/burn-rate-alert-why-your-safety-buffer-servers-just-odpmc
Tech, 2 months ago
How do you optimize CloudWatch (Log Delivery) spend when sending VPC flow logs to S3?
Juan Pablo Lorier, about 2 months ago
hi, I use the msk-apache-kafka-cluster module version ~>2.5.0 to manage my clusters, and only for 1 cluster I get changes to the cluster with my plan but the plan shows no attribute changes.
If I try to apply, I get this error:
Error: updating MSK Cluster (arn:aws:kafka:us-east-1:xx:cluster/xxxxkafka/32a87522-10c3-40e2-8d44-2472cce4a1fd-14) security: operation error Kafka: UpdateSecurity, https response error StatusCode: 400, RequestID: 63c63899-ef76-4098-96df-169739e3aeea, BadRequestException: The request does not include any updates to the security setting of the cluster. Verify the request, then try again.
If I manually modify the cluster to generate a real change, the plan and apply work fine.
I've tried destroying the cluster and creating it again with terraform but it still gets this issue.
Wojciech Rybakiewicz, about 2 months ago
hey all 👋
wanted to share something small I built recently and get your thoughts.
in my day job I kept running into CloudWatch alarms that technically existed,
but in practice didn’t really protect anything - no actions, disabled actions,
or alarms stuck in ALARM / INSUFFICIENT_DATA for a long time that everyone just kind of accepted.
I ended up writing a tiny, read-only CLI to audit alarms across regions in one place and surface those cases:
https://github.com/wrybakiewicz/cw-alarm-audit
honestly just curious - is this something you’ve seen as well? or do you handle this problem in a different way?
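As an added illustration of the three "alarm exists but protects nothing" cases described above (example code written here, not code from the cw-alarm-audit project), a read-only classifier over records shaped like the MetricAlarms entries that boto3's describe_alarms() returns; the sample alarms, the account id, the reference time and the 7-day "stuck" threshold are constructed for the example:

```python
from datetime import datetime, timedelta, timezone

# Constructed reference time and sample records. Each dict carries only the
# describe_alarms() fields the audit needs (ActionsEnabled, AlarmActions,
# StateValue, StateUpdatedTimestamp); the account id is a placeholder.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
PAGER = "arn:aws:sns:us-east-1:111122223333:pagers"
SAMPLE_ALARMS = [
    {"AlarmName": "api-5xx", "ActionsEnabled": True, "AlarmActions": [PAGER],
     "StateValue": "OK", "StateUpdatedTimestamp": NOW - timedelta(hours=2)},
    {"AlarmName": "db-cpu", "ActionsEnabled": True, "AlarmActions": [],
     "StateValue": "OK", "StateUpdatedTimestamp": NOW - timedelta(days=1)},
    {"AlarmName": "queue-depth", "ActionsEnabled": False, "AlarmActions": [PAGER],
     "StateValue": "OK", "StateUpdatedTimestamp": NOW - timedelta(days=3)},
    {"AlarmName": "old-lambda-errors", "ActionsEnabled": True, "AlarmActions": [PAGER],
     "StateValue": "INSUFFICIENT_DATA",
     "StateUpdatedTimestamp": NOW - timedelta(days=40)},
]


def audit_alarm(alarm, now=NOW, stuck_after=timedelta(days=7)):
    """Return the reasons this alarm would not actually page anyone."""
    findings = []
    # Case 1: nothing is wired to the ALARM transition, so it can only be observed.
    if not alarm.get("AlarmActions"):
        findings.append("no ALARM actions")
    # Case 2: actions exist but were disabled (e.g. during an incident) and never re-enabled.
    if not alarm.get("ActionsEnabled", True):
        findings.append("actions disabled")
    # Case 3: parked in ALARM or INSUFFICIENT_DATA long enough that it is just noise.
    state = alarm.get("StateValue")
    if state in ("ALARM", "INSUFFICIENT_DATA"):
        age = now - alarm["StateUpdatedTimestamp"]
        if age >= stuck_after:
            findings.append(f"stuck in {state} for {age.days} days")
    return findings


def audit_alarms(alarms, now=NOW, stuck_after=timedelta(days=7)):
    """Map alarm name -> findings, keeping only alarms with at least one finding."""
    report = {}
    for alarm in alarms:
        findings = audit_alarm(alarm, now, stuck_after)
        if findings:
            report[alarm["AlarmName"]] = findings
    return report


if __name__ == "__main__":
    # With real data, feed the MetricAlarms list from describe_alarms() per region.
    for name, reasons in audit_alarms(SAMPLE_ALARMS).items():
        print(f"{name}: {', '.join(reasons)}")
```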