archived the channel

Hi everyone — to reduce confusion and provide more focused support for our commercial reference architecture, we’ll be closing this channel. For future questions or requests, please visit cloudposse.com/support. Thanks for your understanding!

Hi guys,

We are deploying eks clusters following https://docs.cloudposse.com/layers/eks/deploy-clusters/
We are finding issues when running

atmos workflow vendor -f eks

The error message is:

INFO Vendoring from 'vendor.yaml'
 Error 

the flag '--component' is passed, but the component is not defined in any of the 'sources' in the vendor config file and the imports component 'iam-service-linked-roles', file 'vendor.yaml'
 Error 

Step 'step1' failed!
To resume the workflow from this step, run:
atmos workflow vendor -f eks --from-step step1

I can see that the tarball included:
• components/terraform/eks
• stacks/catalog/eks
• workflows/eks
I think there are missing parameters on vendor.yaml, but I couldnt find the right terraform module in cloudposse repo for this.

Should be use aws-eks-cluster instead? Or should we configure the vendor to read local files and not pull anything?

Hi guys,
We managed to get ssosync up and running, and we also finished with the networking layer

We are now looking into adding GitHub integration (OIDC + managed runners using runs-on.com as you suggested)

While deploying github-oidc-provider, I got this warning:

 The root module does not declare a variable named "enabled" but a value was found in file
│ "plat-gbl-dev-github-oidc-provider.terraform.tfvars.json". If you meant to use this value, add a "variable" block to
│ the configuration.

This plan has no changes:

No changes. Your infrastructure matches the configuration.

This happens for both commands:
• atmos terraform plan github-oidc-provider --stack core-gbl-identity
• atmos terraform plan github-oidc-provider --stack plat-gbl-dev
I tried several ways to ensure that variable is present, from adding enabled=true on several places under catalog/github-oidc-provider.yaml to adding them into components/terraform/aws-github-oidc-provider/variables.tfand even hardcoding components/terraform/aws-github-oidc-provider/main.tf None of those attempts worked.

I also added the vars for Superadmin = true, but I am still getting the same outcome: no changes to be made.

Could you please point us on the right direction?

TIA

cc @Cyrus Dukart

we are on atmos workflow vendor -f network

Looks like we need to add all of these vendor files to vendor.yaml?

Question:
Should we pull components with multiversion approach? or just single version?

I.e.

MULTIVERSION

    - component: "tgw/hub"
      source: "<http://github.com/cloudposse/terraform-aws-components.git//modules/tgw/hub?ref={{.Version}}|github.com/cloudposse/terraform-aws-components.git//modules/tgw/hub?ref={{.Version}}>"
      version: "1.536.0"
      targets:
        - "components/terraform/{{.Component}}/{{.Version}}"

SINGLEVERSION

I.e.
    - component: "tgw/hub"
      source: "<http://github.com/cloudposse/terraform-aws-components.git//modules/tgw/hub?ref={{.Version}}|github.com/cloudposse/terraform-aws-components.git//modules/tgw/hub?ref={{.Version}}>"
      version: "1.536.0"
      targets:
        - "components/terraform/{{.Component}}"

This message was deleted.

How come the atlantis atmos config workflow doesnt use atmos to do the plan and instead uses raw terraform commands in the docs ?

Hi guys,
Just a quick question regarding deploying AWS-SSOSYNC.
I have enabled the vendor and I can see that the component (ssosync) was downloaded after atmos vendor pull.
I also put my ssoconfig under stacks/catalog. However, atmos doesnt see it.
How do I deploy this component?

Hi Folks @Cristian Marquez Russo and I are just getting started creating our base setup here. Alas we are stuck on Deploy Accounts

atmos workflow deploy/organization -f accounts

Error:

│ Error: creating Organizations Organization: operation error Organizations: CreateOrganization, https response error StatusCode: 400, RequestID: c19fa06d-bfd3-4098-8a05-3e5a3ca707ac, AlreadyInOrganizationException: The AWS account is already a member of an organization.
│ 
│   with aws_organizations_organization.this[0],
│   on main.tf line 107, in resource "aws_organizations_organization" "this":
│  107: resource "aws_organizations_organization" "this" {

We are certain the errors is we already have a management account set up in an organization. The challenge is we already set up SSO sync with google as our IDP. We would love to be able to use the existing organization as our root organization. Is there any easy way to bypass this .. or are we stuck having to remove the mgmt account from the org and maybe starting over with SSO?

I am starting on a new project and contemplating using:

name_pattern: "{tenant}-{stage}-{environment}"

instead of the more common:

name_pattern: "{tenant}-{environment}-{stage}"

This "feels" better as folder-structure goes {tentant}/{stage}/{environment}.yaml and typically we think of the aws accounts as {tenant}-{stage}.
Any reason for me to not do this and stick with the default?

Not sure where to post this GH issue, but I want to bring to your attention that 0.20.0 release (released less than hour ago) of cloudposses's awsutils provider is crashing.

https://github.com/cloudposse/terraform-provider-awsutils/issues/82

hey team, we are trying to deploy a website project which is using yarn but during the deployment steps we saw that on the github-action-deploy-argocd is trying to run

npm install git-url-parse@14.0.0

and this is having like a conflict issue with the website repositorie

Run npm install git-url-parse@14.0.0
297
npm error code ERESOLVE
298
npm error ERESOLVE unable to resolve dependency tree
299
npm error
300
npm error While resolving: nextjs-typescript-tailwind-capacitor-starter@0.1.0
301
npm error Found: @capacitor/core@7.0.1
302
npm error node_modules/@capacitor/core
303
npm error   @capacitor/core@"^7.0.0" from the root project
304
npm error
305
npm error Could not resolve dependency:
306
npm error peer @capacitor/core@"^6.0.0" from @capacitor/browser@6.0.5
307
npm error node_modules/@capacitor/browser
308
npm error   @capacitor/browser@"^6.0.4" from the root project
309
npm error
310
npm error Fix the upstream dependency conflict, or retry
311
npm error this command with --force or --legacy-peer-deps
312
npm error to accept an incorrect (and potentially broken) dependency resolution.
313
npm error
314
npm error
315
npm error For a full report see:
316
npm error /home/runner/.npm/_logs/2025-02-12T15_30_49_016Z-eresolve-report.txt
317
npm error A complete log of this run can be found in: /home/runner/.npm/_logs/2025-02-12T15_30_49_016Z-debug-0.log

maybe we need to structure the website project in a different way?

Where in the refarch docs do we say to replace these placeholders?

This message was deleted.

If I want to deploy a ec2 instance based VPN solution for remote access, under the reference architecture - it goes to core-network account, or core-auto? Or core-corp?

hey team, i forked this repo https://github.com/cloudposse-examples/app-on-eks-with-argocd but the actions on my org are not running anyone knows what can be happening no message or something that i can see on github

'lo all
Does it make sense to create a deeper org hierarchy? and is it well supported by the terraform modules?

Hello everyone (again), I'm having other issue with the spacelift+atmos components to bootstrap the spaces/admin-stacks... basically I've followed the docs here

After some workarounds, I've my admin-stacks and spaces created (running atmos locally, as described in the docs), and then if I push the changes to the repo it fails (see screenshot) because seems it can not find the executables defined as before_* hooks here ... so I'm not sure what I'm doing wrong...

I've pushed all the code I'm using for the POC here in the readme you can find other issues I faced and "the workarounds" I applied to solve those... not sure if I have something else wrong that is causing all these problems...

any help is really appreciate! thanks in advance

reposting here to see if someone can give me some light on this 🙂
https://sweetops.slack.com/archives/C031919U8A0/p1736954657089969

seems is looking for the stacks in the components folder instead in the parent folder 😕 any idea?

Reposting this here :)

hey folks,

im trying to install a helm chart there is a way to upgrade the argocd because it comes v2.5.9+e5f1194 out of the box, i tried to upgrade it but the dex connection was not working so login fails after upgrading to latest

Hey Team, im trying to get running the efs and storage class on k8s using but im getting, this timeout error but when i do telnet to that addr is reached so connection is good, maybe is auth? do i need to have the cluster config on my .kube
?

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the
following symbols:
  + create

Terraform planned the following actions, but then encountered a problem:

  # kubernetes_storage_class_v1.ebs["gp3"] will be created
  + resource "kubernetes_storage_class_v1" "ebs" {
      + allow_volume_expansion = true
      + id                     = (known after apply)
      + parameters             = {
          + "<http://csi.storage.k8s.io/fstype|csi.storage.k8s.io/fstype>" = "ext4"
          + "encrypted"                 = "true"
          + "tagSpecification_1"        = "Environment=use1"
          + "tagSpecification_2"        = "Name=inno-core-use1-auto-eks-cluster"
          + "tagSpecification_3"        = "Namespace=inno"
          + "tagSpecification_4"        = "Stage=auto"
          + "tagSpecification_5"        = "Tenant=core"
          + "type"                      = "gp3"
        }
      + reclaim_policy         = "Delete"
      + storage_provisioner    = "<http://ebs.csi.aws.com|ebs.csi.aws.com>"
      + volume_binding_mode    = "WaitForFirstConsumer"

      + metadata {
          + annotations      = {
              + "<http://storageclass.kubernetes.io/is-default-class|storageclass.kubernetes.io/is-default-class>" = "true"
            }
          + generation       = (known after apply)
          + name             = "gp3"
          + resource_version = (known after apply)
          + uid              = (known after apply)
        }
    }

  # kubernetes_storage_class_v1.ebs["io2"] will be created
  + resource "kubernetes_storage_class_v1" "ebs" {
      + allow_volume_expansion = true
      + id                     = (known after apply)
      + parameters             = {
          + "<http://csi.storage.k8s.io/fstype|csi.storage.k8s.io/fstype>" = "ext4"
          + "encrypted"                 = "true"
          + "iopsPerGB"                 = "10"
          + "tagSpecification_1"        = "Environment=use1"
          + "tagSpecification_2"        = "Name=inno-core-use1-auto-eks-cluster"
          + "tagSpecification_3"        = "Namespace=inno"
          + "tagSpecification_4"        = "Stage=auto"
          + "tagSpecification_5"        = "Tenant=core"
          + "type"                      = "io2"
        }
      + reclaim_policy         = "Delete"
      + storage_provisioner    = "<http://ebs.csi.aws.com|ebs.csi.aws.com>"
      + volume_binding_mode    = "WaitForFirstConsumer"

      + metadata {
          + annotations      = {
              + "<http://storageclass.kubernetes.io/is-default-class|storageclass.kubernetes.io/is-default-class>" = "false"
            }
          + generation       = (known after apply)
          + name             = "io2"
          + resource_version = (known after apply)
          + uid              = (known after apply)
        }
    }

  # kubernetes_storage_class_v1.efs["efs"] will be created
  + resource "kubernetes_storage_class_v1" "efs" {
      + allow_volume_expansion = true
      + id                     = (known after apply)
      + parameters             = {
          + "basePath"         = "/efs_controller"
          + "directoryPerms"   = "700"
          + "fileSystemId"     = "fs-067c7e065d9487d35"
          + "provisioningMode" = "efs-ap"
        }
      + reclaim_policy         = "Delete"
      + storage_provisioner    = "<http://efs.csi.aws.com|efs.csi.aws.com>"
      + volume_binding_mode    = "Immediate"

      + metadata {
          + annotations      = {
              + "<http://storageclass.kubernetes.io/is-default-class|storageclass.kubernetes.io/is-default-class>" = "false"
            }
          + generation       = (known after apply)
          + name             = "efs"
          + resource_version = (known after apply)
          + uid              = (known after apply)
        }
    }

Plan: 3 to add, 0 to change, 0 to destroy.
╷
│ Error: Get "<https://0652A3BDF1CD1452BD5E6A105A4FC989.gr7.us-east-1.eks.amazonaws.com/apis/storage.k8s.io/v1/storageclasses/gp2>": net/http: TLS handshake timeout

Hey folks. we are trying to deploy an ec2 instance and have access to it but needs a key-pair using this module https://github.com/cloudposse/terraform-aws-components/tree/main/modules/ec2-instance

but i don't see the option or a variable to do it, this have to be done separately?

Hi folks. We're trying to swap transit gateway with vpc peering.

We pulled the vpc-peering component - <http://github.com/cloudposse/terraform-aws-components.git//modules/vpc-peering|github.com/cloudposse/terraform-aws-components.git//modules/vpc-peering>

We're getting this error:

╷
│ Error: Cannot assume IAM Role
│ 
│   with module.vpc_peering.provider["registry.terraform.io/hashicorp/aws"].accepter,
│   on .terraform/modules/vpc_peering/accepter.tf line 2, in provider "aws":
│    2: provider "aws" {
│ 
│ IAM Role (arn:aws:iam::216989127967:role/inno-plat-gbl-dev-terraform) cannot be assumed.
│ 
│ There are a number of possible causes of this - the most common are:
│   * The credentials used in order to assume the role are invalid
│   * The credentials do not have appropriate permission to assume the role
│   * The role ARN is not valid
│ 
│ Error: operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: 896f3d54-01de-48e6-9abb-5181b3fa6cd7, api error AccessDenied: User:
│ arn:aws:iam::182399693862:user/SuperAdmin is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::216989127967:role/inno-plat-gbl-dev-terraform

216989127967 refers to a plat account. The role exists in question exists, but only records core-identity as a trusted entity while this VPC peering request is coming from core-network. I'm struggling 1) to understand if this would be considered bad practice to enable this additional trusted entity between two non-identity accounts, and 2) the best way to handle this specifically for cross account vpc peering (as a TGW alternative). It appears we need to explicitly create new roles in each of the requester/accepter accounts (seems that's not abstracted)

Ref https://aws.amazon.com/ru/blogs/networking-and-content-delivery/vpc-block-public-access/

Today, the AWS Well-Architected Framework describes a single account with a single VPC as an anti-pattern.

I recall that the refarch only required a single vpc per region per account. I know technically it's possible in atmos to create more than 1 vpc but is one vpc per region account still the standard or is it better to create multiple vpcs per region per account now ? If so, how do you recommend segmenting the vpcs?

hi @Dan Miller (Cloud Posse) - I'd like to use the alb component to set up a 301 redirect. ex:
<http://test.example.com|test.example.com> should redirect to <http://app.example.com|app.example.com>
I can do this in the console, but I can't figure out the syntax using the ALB component (https://github.com/cloudposse/terraform-aws-components/tree/main/modules/alb )

Is this possible to do with the current reference architecture?

@Andriy Knysh (Cloud Posse)

I have used the reference architecture to setup a transit gateway to connect 2 VPCs in different accounts.
However, I am having trouble understanding how the transit gateway offers a connection to the internet. Is that not a part of the reference architecture and is something we should setup separately on our own?
If so, how can this be achieved?

There is a line in the reference architecture VPC section that states this

# Use PrivateLink in private-only VPCs at least until we have
# a connection to the internet via Transit Gateway.

So ideally, transit gateway setup should provide connection to the internet right?

Do you recommend using Helmfile via ArgoCD for app deployments to EKS? Are there advantages to this approach rather than using Kustomize? (It it that it's easier to spin up preview environments via Helmfile?)

@RB @Hans D @Jonathan Eunice any of you have an ECR pull thru cache component?

Is there an adr available for deciding on opentofu vs terraform ?

New docs are live! https://docs.cloudposse.com/

You can now access all the docs without registration.

Is there a way in the refarch to set up S3 event notifications to go to SNS/SQS? Can't find anything in the documentation about it

This channel will receive notifications from cloudposse/community for: discussions

/github unsubscribe cloudposse/community pulls commits releases deployments issues

✅️ Subscribed to cloudposse/community. This channel will receive notifications for issues, pulls, commits, releases, deployments, discussions

/github subscribe cloudposse/community discussions

@Marat Bakeev was this fully answered? https://github.com/orgs/cloudposse/discussions/12 any thing we can mark as the answer?

Do you guys have plans to update ArgoCD version? I think the one you have enabled (2.5.9) has a security issue, plus later versions add support for ApplicationSet Progressive Syncs.

@Marat Bakeev following up from office hours today 🧵

Hi, how would I use assume_role_conditions in the iam-role module to set a condition to require an STS external ID for role assumption? https://github.com/cloudposse/terraform-aws-components/tree/main/modules/iam-role#input_assume_role_conditions

(optional) @Marat Bakeev @Amir Jakoby workshop starting now!

Hi team, can someone explain me how to get an access to Cloud Posse Reference Architecture?
I found this link on this page https://github.com/cloudposse/terraform-aws-components/tree/main/modules/eks/cluster but it's leading to https://docs.cloudposse.com/reference-architecture/ and after that I got redirected to https://docs.cloudposse.com/account/confirmation/
where I see Your registration must be approved by an administrator.

Hello, can I get some advice on how I can set a Lambda function to run on a daily schedule? It looks like it can use an SNS topic or Eventbridge Schedule, but I don't see how to format that in TF. Thanks!

Hey everyone, what would be the implications of disabling the SCP for DenyEC2InstancesWithoutEncryptionInTransit?

The way I understand AWS docs for this, is that it's some sort of additional encryption on certain Nitro-based instances. The wording in the SCP document kinda sounds like there is no encryption in transit at all, unless one of the instances is used.
Am I wrong?

Not sure if #refarch or #kubernetes question... https://docs.cloudposse.com/components/library/aws/eks/cluster/ example says that running addons on fargate is not recommended, and a managed node group is preferred.
What's wrong with fargate?

Hi, I'd like to use the

custom_bastion_hostname:
vanity_domain:

outlined in the readme for the bastion component, but it doesn't appear that those are valid inputs/variables when I go to deploy it. Am I missing something?

https://github.com/cloudposse/terraform-aws-components/tree/main/modules/bastion