19 messages
Discussions related to https://github.com/cloudposse/geodesic
Archive: https://archive.sweetops.com/geodesic/
Stan M over 5 years ago
what’s the place to start with geodesic? example repos like root.cloudposse.co haven’t been updated for a while. is reference-architectures repo the latest example to follow?
Joe Niland over 5 years ago
A while ago it was mentioned that geodesic will move to being based on Debian.
At least I’m pretty sure I remember that!
Is there a timeline for this yet?
Erik Osterman (Cloud Posse) over 5 years ago
No timeline, but a big step to being able to support that was migrating our repos to Cloudsmith which is done ✅️
Erik Osterman (Cloud Posse) over 5 years ago
It is something we may need to do for one of our current customers, because some things (e.g. teleport shell tsh) no longer run on alpine
Joe Niland over 5 years ago
Thanks Erik!
Joe Niland over 5 years ago
I'd be happy to test it, if you need testers.
Erik Osterman (Cloud Posse) over 5 years ago
ok! follow along in #cloudsmith - we'll be transparent in the process there for adopting deb
chris over 5 years ago
I am trying to use Geodesic and following the cold start documentation (https://docs.cloudposse.com/reference-architectures/cold-start/)
Things were going ok until I got to the PROVISION IAM PROJECT TO CREATE ROOT IAM ROLE section. I believe that maybe the cd command here is supposed to be cd root-iam because the module identified is not used in the iam directory and the plan identifies nothing to perform.
So I moved over to the root-iam directory and performed the same steps but when I try to apply I only get 403 errors.
* module.organization_access_group_root.aws_iam_group.readonly: 1 error(s) occurred:
* aws_iam_group.readonly: Error creating IAM Group instinct-root-readonly: InvalidClientTokenId: The security token included in the request is invalid
status code: 403, request id: b06f7a1d-bd11-49d9-9fd9-b0b69dfebd02
....
....
Does anyone have ideas what might be going on here? I have tried all combinations of using the actual root AWS account, the admin account setup at the top of that page, and have disabled MFA in case it was getting in the way.
I have been stuck for way too long on this step and can’t seem to find anything in the archives (though I could be missing something)
Erik Osterman (Cloud Posse) over 5 years ago
Sorry! that documentation is out of date. We have a new reference arch coming out by the end of the year that is revamped for 0.13+ (we've used this for the past year with our customers but haven't open sourced it yet)
erik over 5 years ago
chris over 5 years ago
Yes, I did see the notice at the top so I did expect to bump into some issues due to outdated docs. After getting stuck with Geodesic I also tried using the reference-architecture repo and got stuck trying to run make root.
I am very excited to hear about a new release coming out, but unfortunately I am unable to wait to set up this architecture. I am committed to using your tooling as I believe in your design and approach to dev ops and the amazing infrastructure you produce for your clients.
Is there a path forward at this point?
Nathan Margaglio over 5 years ago
We're in a similar boat as chris. We've used the reference-architecture repo in the past with success, but we are now in the process of setting up a new project and want to be prepared to transition to the new arch when it's made available.
Do you have any tips, @Erik Osterman (Cloud Posse), in terms of setting up a new project so that transitioning into the new architecture is as painless as possible? We're prepared to refactor things when the time comes, but are hesitant to follow the current/previous approach since it would seem the new approach is going to differ significantly.
Erik Osterman (Cloud Posse) over 5 years ago (edited)
🙇 i'm sorry - I really wish we could release the new ref arch faster. it leverages entirely new root modules (plus all of our public modules), uses yaml based configuration, runs in geodesic, works with terraform cloud... but unfortunately, we just don't have the available hands right now. I started working with a community member (@Matt Gowie) to release it faster, but realized there's too much tacit knowledge required to setup. we are starting a new engagement in the next few weeks. as part of this, we will be taking this opportunity to publish more of the reference architecture.
Erik Osterman (Cloud Posse) over 5 years ago
strategically, this is very important for us - it's definitely happening - but is a large initiative
Nathan Margaglio over 5 years ago
thanks for the update!
chris over 5 years ago
@Nathan Margaglio I tried to use reference-architecture but got stuck there… if you have notes that you could share it would be much appreciated.
I am currently working on figuring out the next steps on moving from setting up the accounts to setting up services (e.g. EKS) and the correct way to structure the repo… lots more reading to do.
chris over 5 years ago
I am really at a crossroads of determining what is the best way to get started at this point and get something working that also has some path forward.
Joe Niland over 5 years ago (edited)
FWIW, I set up one client using the reference-architecture last year. It’s going well, but there are a few limitations with using the full terraform featureset (due to the -from-module approach.)
For all clients since then I’ve simplified things and have been using Terragrunt and Terraform natively. To be fair, all of these clients are on Mac/Linux or I am managing it all for them (on Mac.) None of them need CI/CD with Terraform. So the simple approach is working well.
For authentication, I’m using aws-vault with my AWS account assuming roles in the clients’ and the awscli’s credential_process option.
That said, I am really looking forward to seeing what the Cloudposse team have been working on for their updated reference architecture!
This Terragrunt reference architecture could help some of you in the meantime. It’s not exactly how I’m using it, but pretty close.
chris over 5 years ago
Thanks for the information. I will look at that as well.
I have pushed through and it appears I have got everything set up using the reference-architecture repo. I am going to make a gist of my notes and where I bumped into issues for anyone else that is trying to use it at this time.