refarch (archived)
Cloud Posse Reference Architecture
erik, 10 months ago
archived the channel
Erik Osterman (Cloud Posse), 10 months ago
Hi everyone — to reduce confusion and provide more focused support for our commercial reference architecture, we’ll be closing this channel. For future questions or requests, please visit cloudposse.com/support. Thanks for your understanding!
Cristian, 10 months ago (edited)
Hi guys,
We are deploying eks clusters following https://docs.cloudposse.com/layers/eks/deploy-clusters/
We are finding issues when running
atmos workflow vendor -f eks
The error message is:
INFO Vendoring from 'vendor.yaml'
Error
the flag '--component' is passed, but the component is not defined in any of the 'sources' in the vendor config file and the imports component 'iam-service-linked-roles', file 'vendor.yaml'
Error
Step 'step1' failed!
To resume the workflow from this step, run:
atmos workflow vendor -f eks --from-step step1
I can see that the tarball included:
• components/terraform/eks
• stacks/catalog/eks
• workflows/eks
I think there are missing parameters on vendor.yaml, but I couldn't find the right terraform module in cloudposse repo for this.
Should we use aws-eks-cluster instead? Or should we configure the vendor to read local files and not pull anything?
Cristian, 10 months ago
Hi guys,
We managed to get ssosync up and running, and we also finished with the networking layer
We are now looking into adding GitHub integration (OIDC + managed runners using runs-on.com as you suggested)
While deploying github-oidc-provider, I got this warning:
│ The root module does not declare a variable named "enabled" but a value was found in file
│ "plat-gbl-dev-github-oidc-provider.terraform.tfvars.json". If you meant to use this value, add a "variable" block to
│ the configuration.
This plan has no changes:
No changes. Your infrastructure matches the configuration.
This happens for both commands:
• atmos terraform plan github-oidc-provider --stack core-gbl-identity
• atmos terraform plan github-oidc-provider --stack plat-gbl-dev
I tried several ways to ensure that variable is present, from adding enabled=true on several places under catalog/github-oidc-provider.yaml to adding them into components/terraform/aws-github-oidc-provider/variables.tf and even hardcoding components/terraform/aws-github-oidc-provider/main.tf. None of those attempts worked.
I also added the vars for Superadmin = true, but I am still getting the same outcome: no changes to be made.
Could you please point us in the right direction?
TIA
cc @Cyrus Dukart
Cyrus Dukart, 10 months ago
we are on
atmos workflow vendor -f network
Looks like we need to add all of these vendor files to vendor.yaml?
Question:
Should we pull components with multiversion approach? or just single version?
I.e.
MULTIVERSION
- component: "tgw/hub"
  source: "github.com/cloudposse/terraform-aws-components.git//modules/tgw/hub?ref={{.Version}}"
  version: "1.536.0"
  targets:
    - "components/terraform/{{.Component}}/{{.Version}}"
SINGLEVERSION
- component: "tgw/hub"
  source: "github.com/cloudposse/terraform-aws-components.git//modules/tgw/hub?ref={{.Version}}"
  version: "1.536.0"
  targets:
    - "components/terraform/{{.Component}}"
RB, 10 months ago
How come the atlantis atmos config workflow doesn't use atmos to do the plan and instead uses raw terraform commands in the docs?
Cristian, 10 months ago
Hi guys,
Just a quick question regarding deploying AWS-SSOSYNC.
I have enabled the vendor and I can see that the component (ssosync) was downloaded after atmos vendor pull.
I also put my ssoconfig under stacks/catalog. However, atmos doesn't see it.
How do I deploy this component?
Cyrus Dukart, 10 months ago
Hi Folks, @Cristian Marquez Russo and I are just getting started creating our base setup here. Alas we are stuck on Deploy Accounts
atmos workflow deploy/organization -f accounts
Error:
│ Error: creating Organizations Organization: operation error Organizations: CreateOrganization, https response error StatusCode: 400, RequestID: c19fa06d-bfd3-4098-8a05-3e5a3ca707ac, AlreadyInOrganizationException: The AWS account is already a member of an organization.
│
│ with aws_organizations_organization.this[0],
│ on main.tf line 107, in resource "aws_organizations_organization" "this":
│ 107: resource "aws_organizations_organization" "this" {
We are certain the error is we already have a management account set up in an organization. The challenge is we already set up SSO sync with google as our IDP. We would love to be able to use the existing organization as our root organization. Is there any easy way to bypass this .. or are we stuck having to remove the mgmt account from the org and maybe starting over with SSO?
Igor M, 11 months ago
I am starting on a new project and contemplating using:
name_pattern: "{tenant}-{stage}-{environment}"
instead of the more common:
name_pattern: "{tenant}-{environment}-{stage}"
This "feels" better as folder-structure goes {tenant}/{stage}/{environment}.yaml and typically we think of the aws accounts as {tenant}-{stage}.
Any reason for me to not do this and stick with the default?
Brian, 12 months ago
Not sure where to post this GH issue, but I want to bring to your attention that the 0.20.0 release (released less than an hour ago) of cloudposse's awsutils provider is crashing.
https://github.com/cloudposse/terraform-provider-awsutils/issues/82
Christopher Mayora, about 1 year ago
hey team, we are trying to deploy a website project which is using yarn but during the deployment steps we saw that the github-action-deploy-argocd is trying to run npm install git-url-parse@14.0.0 and this is having like a conflict issue with the website repository
Run npm install git-url-parse@14.0.0
npm error code ERESOLVE
npm error ERESOLVE unable to resolve dependency tree
npm error
npm error While resolving: nextjs-typescript-tailwind-capacitor-starter@0.1.0
npm error Found: @capacitor/core@7.0.1
npm error node_modules/@capacitor/core
npm error @capacitor/core@"^7.0.0" from the root project
npm error
npm error Could not resolve dependency:
npm error peer @capacitor/core@"^6.0.0" from @capacitor/browser@6.0.5
npm error node_modules/@capacitor/browser
npm error @capacitor/browser@"^6.0.4" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry
npm error this command with --force or --legacy-peer-deps
npm error to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /home/runner/.npm/_logs/2025-02-12T15_30_49_016Z-eresolve-report.txt
npm error A complete log of this run can be found in: /home/runner/.npm/_logs/2025-02-12T15_30_49_016Z-debug-0.log
maybe we need to structure the website project in a different way?
erik, about 1 year ago
Where in the refarch docs do we say to replace these placeholders?
Marat Bakeev, about 1 year ago
If I want to deploy an ec2 instance based VPN solution for remote access, under the reference architecture - does it go to the core-network account, or core-auto? Or core-corp?
Christopher Mayora, about 1 year ago
hey team, i forked this repo https://github.com/cloudposse-examples/app-on-eks-with-argocd but the actions on my org are not running. does anyone know what can be happening? there is no message or anything that i can see on github
j4zzcat, about 1 year ago
'lo all
Does it make sense to create a deeper org hierarchy? and is it well supported by the terraform modules?
Erik Osterman (Cloud Posse), about 1 year ago
Ismael PR, about 1 year ago (edited)
Hello everyone (again), I'm having another issue with the spacelift+atmos components to bootstrap the spaces/admin-stacks... basically I've followed the docs here
After some workarounds, I have my admin-stacks and spaces created (running atmos locally, as described in the docs), and then if I push the changes to the repo it fails (see screenshot) because it seems it can not find the executables defined as before_* hooks here ... so I'm not sure what I'm doing wrong...
I've pushed all the code I'm using for the POC here; in the readme you can find other issues I faced and "the workarounds" I applied to solve those... not sure if I have something else wrong that is causing all these problems...
any help is really appreciated! thanks in advance
Ismael PR, about 1 year ago (edited)
reposting here to see if someone can give me some light on this 🙂
https://sweetops.slack.com/archives/C031919U8A0/p1736954657089969
it seems it is looking for the stacks in the components folder instead of in the parent folder 😕 any idea?
Georgi Angelov, about 1 year ago
Reposting this here :)
Christopher Mayora, about 1 year ago
hey folks,
im trying to install a helm chart. is there a way to upgrade the argocd? because it comes v2.5.9+e5f1194 out of the box. i tried to upgrade it but the dex connection was not working so login fails after upgrading to latest
Christopher Mayora, about 1 year ago
Hey Team, im trying to get the efs and storage class running on k8s using but im getting this timeout error. when i do telnet to that addr it is reached so connection is good, maybe it is auth? do i need to have the cluster config in my .kube?
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the
following symbols:
  + create

Terraform planned the following actions, but then encountered a problem:

  # kubernetes_storage_class_v1.ebs["gp3"] will be created
  + resource "kubernetes_storage_class_v1" "ebs" {
      + allow_volume_expansion = true
      + id                     = (known after apply)
      + parameters             = {
          + "csi.storage.k8s.io/fstype" = "ext4"
          + "encrypted"                 = "true"
          + "tagSpecification_1"        = "Environment=use1"
          + "tagSpecification_2"        = "Name=inno-core-use1-auto-eks-cluster"
          + "tagSpecification_3"        = "Namespace=inno"
          + "tagSpecification_4"        = "Stage=auto"
          + "tagSpecification_5"        = "Tenant=core"
          + "type"                      = "gp3"
        }
      + reclaim_policy         = "Delete"
      + storage_provisioner    = "ebs.csi.aws.com"
      + volume_binding_mode    = "WaitForFirstConsumer"

      + metadata {
          + annotations      = {
              + "storageclass.kubernetes.io/is-default-class" = "true"
            }
          + generation       = (known after apply)
          + name             = "gp3"
          + resource_version = (known after apply)
          + uid              = (known after apply)
        }
    }

  # kubernetes_storage_class_v1.ebs["io2"] will be created
  + resource "kubernetes_storage_class_v1" "ebs" {
      + allow_volume_expansion = true
      + id                     = (known after apply)
      + parameters             = {
          + "csi.storage.k8s.io/fstype" = "ext4"
          + "encrypted"                 = "true"
          + "iopsPerGB"                 = "10"
          + "tagSpecification_1"        = "Environment=use1"
          + "tagSpecification_2"        = "Name=inno-core-use1-auto-eks-cluster"
          + "tagSpecification_3"        = "Namespace=inno"
          + "tagSpecification_4"        = "Stage=auto"
          + "tagSpecification_5"        = "Tenant=core"
          + "type"                      = "io2"
        }
      + reclaim_policy         = "Delete"
      + storage_provisioner    = "ebs.csi.aws.com"
      + volume_binding_mode    = "WaitForFirstConsumer"

      + metadata {
          + annotations      = {
              + "storageclass.kubernetes.io/is-default-class" = "false"
            }
          + generation       = (known after apply)
          + name             = "io2"
          + resource_version = (known after apply)
          + uid              = (known after apply)
        }
    }

  # kubernetes_storage_class_v1.efs["efs"] will be created
  + resource "kubernetes_storage_class_v1" "efs" {
      + allow_volume_expansion = true
      + id                     = (known after apply)
      + parameters             = {
          + "basePath"         = "/efs_controller"
          + "directoryPerms"   = "700"
          + "fileSystemId"     = "fs-067c7e065d9487d35"
          + "provisioningMode" = "efs-ap"
        }
      + reclaim_policy         = "Delete"
      + storage_provisioner    = "efs.csi.aws.com"
      + volume_binding_mode    = "Immediate"

      + metadata {
          + annotations      = {
              + "storageclass.kubernetes.io/is-default-class" = "false"
            }
          + generation       = (known after apply)
          + name             = "efs"
          + resource_version = (known after apply)
          + uid              = (known after apply)
        }
    }

Plan: 3 to add, 0 to change, 0 to destroy.
╷
│ Error: Get "https://0652A3BDF1CD1452BD5E6A105A4FC989.gr7.us-east-1.eks.amazonaws.com/apis/storage.k8s.io/v1/storageclasses/gp2": net/http: TLS handshake timeout
Christopher Mayora, about 1 year ago
Hey folks. we are trying to deploy an ec2 instance and have access to it but it needs a key-pair. using this module https://github.com/cloudposse/terraform-aws-components/tree/main/modules/ec2-instance
i don't see the option or a variable to do it. does this have to be done separately?
Matthew Clark, about 1 year ago (edited)
Hi folks. We're trying to swap transit gateway with vpc peering.
We pulled the vpc-peering component -
github.com/cloudposse/terraform-aws-components.git//modules/vpc-peering
We're getting this error:
╷
│ Error: Cannot assume IAM Role
│
│ with module.vpc_peering.provider["registry.terraform.io/hashicorp/aws"].accepter,
│ on .terraform/modules/vpc_peering/accepter.tf line 2, in provider "aws":
│ 2: provider "aws" {
│
│ IAM Role (arn:aws:iam::216989127967:role/inno-plat-gbl-dev-terraform) cannot be assumed.
│
│ There are a number of possible causes of this - the most common are:
│ * The credentials used in order to assume the role are invalid
│ * The credentials do not have appropriate permission to assume the role
│ * The role ARN is not valid
│
│ Error: operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: 896f3d54-01de-48e6-9abb-5181b3fa6cd7, api error AccessDenied: User:
│ arn:aws:iam::182399693862:user/SuperAdmin is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::216989127967:role/inno-plat-gbl-dev-terraform
216989127967 refers to a plat account. The role in question exists, but only records core-identity as a trusted entity while this VPC peering request is coming from core-network. I'm struggling 1) to understand if this would be considered bad practice to enable this additional trusted entity between two non-identity accounts, and 2) the best way to handle this specifically for cross account vpc peering (as a TGW alternative). It appears we need to explicitly create new roles in each of the requester/accepter accounts (seems that's not abstracted)
RB, about 1 year ago (edited)
Ref https://aws.amazon.com/ru/blogs/networking-and-content-delivery/vpc-block-public-access/
Today, the AWS Well-Architected Framework describes a single account with a single VPC as an anti-pattern.
I recall that the refarch only required a single vpc per region per account. I know technically it's possible in atmos to create more than 1 vpc but is one vpc per region per account still the standard or is it better to create multiple vpcs per region per account now? If so, how do you recommend segmenting the vpcs?
Erik Osterman (Cloud Posse), over 1 year ago
Taimur Gibson, over 1 year ago
hi @Dan Miller (Cloud Posse) - I'd like to use the alb component to set up a 301 redirect. ex: test.example.com should redirect to app.example.com
I can do this in the console, but I can't figure out the syntax using the ALB component (https://github.com/cloudposse/terraform-aws-components/tree/main/modules/alb )
Is this possible to do with the current reference architecture?
Shirisha Sudhakar Rao, over 1 year ago
@Andriy Knysh (Cloud Posse)
I have used the reference architecture to setup a transit gateway to connect 2 VPCs in different accounts.
However, I am having trouble understanding how the transit gateway offers a connection to the internet. Is that not a part of the reference architecture and is something we should setup separately on our own?
If so, how can this be achieved?
There is a line in the reference architecture VPC section that states this
# Use PrivateLink in private-only VPCs at least until we have
# a connection to the internet via Transit Gateway.
So ideally, transit gateway setup should provide connection to the internet right?
Igor M, over 1 year ago (edited)
Do you recommend using Helmfile via ArgoCD for app deployments to EKS? Are there advantages to this approach rather than using Kustomize? (Is it that it's easier to spin up preview environments via Helmfile?)
Erik Osterman (Cloud Posse), over 1 year ago
@RB @Hans D @Jonathan Eunice any of you have an ECR pull thru cache component?
RB, over 1 year ago
Is there an adr available for deciding on opentofu vs terraform?
erik, over 1 year ago
New docs are live! https://docs.cloudposse.com/
You can now access all the docs without registration.
Taimur Gibson, over 1 year ago
Is there a way in the refarch to set up S3 event notifications to go to SNS/SQS? Can't find anything in the documentation about it
Erik Osterman (Cloud Posse), over 1 year ago
@Marat Bakeev was this fully answered? https://github.com/orgs/cloudposse/discussions/12 anything we can mark as the answer?
Marat Bakeev, over 1 year ago
Do you guys have plans to update ArgoCD version? I think the one you have enabled (2.5.9) has a security issue, plus later versions add support for ApplicationSet Progressive Syncs.
Dan Miller (Cloud Posse), over 1 year ago
@Marat Bakeev following up from office hours today 🧵
Taimur Gibson, over 1 year ago
Hi, how would I use assume_role_conditions in the iam-role module to set a condition to require an STS external ID for role assumption? https://github.com/cloudposse/terraform-aws-components/tree/main/modules/iam-role#input_assume_role_conditions
Erik Osterman (Cloud Posse), over 1 year ago
@U079VSXEQ5D
Erik Osterman (Cloud Posse), over 1 year ago (edited)
(optional) @Marat Bakeev @Amir Jakoby workshop starting now!
Evgenii Vasilenko, over 1 year ago
Hi team, can someone explain to me how to get access to Cloud Posse Reference Architecture?
I found this link on this page https://github.com/cloudposse/terraform-aws-components/tree/main/modules/eks/cluster but it's leading to https://docs.cloudposse.com/reference-architecture/ and after that I got redirected to https://docs.cloudposse.com/account/confirmation/
where I see
Your registration must be approved by an administrator.
Taimur Gibson, over 1 year ago
Hello, can I get some advice on how I can set a Lambda function to run on a daily schedule? It looks like it can use an SNS topic or Eventbridge Schedule, but I don't see how to format that in TF. Thanks!
Marat Bakeev, over 1 year ago
Hey everyone, what would be the implications of disabling the SCP for DenyEC2InstancesWithoutEncryptionInTransit?
The way I understand AWS docs for this, is that it's some sort of additional encryption on certain Nitro-based instances. The wording in the SCP document kinda sounds like there is no encryption in transit at all, unless one of the instances is used.
Am I wrong?
Marat Bakeev, over 1 year ago
Not sure if #refarch or #kubernetes question... https://docs.cloudposse.com/components/library/aws/eks/cluster/ example says that running addons on fargate is not recommended, and a managed node group is preferred.
What's wrong with fargate?
Taimur Gibson, over 1 year ago
Hi, I'd like to use the
custom_bastion_hostname:
vanity_domain:
outlined in the readme for the bastion component, but it doesn't appear that those are valid inputs/variables when I go to deploy it. Am I missing something?
https://github.com/cloudposse/terraform-aws-components/tree/main/modules/bastion