With AWS SSO in place, I started using aws-vault locally for #terraform and AWS CLI. I learned about this tool at work. No IAM access keys with inline IAM policies! SSO + assume role for administrator access! #security #win
As of last night, all hyperbo.la AWS infrastructure is torn down. https://github.com/hyperbola/hyperbola/pull/111 #aws #terraform #devops #hypstatic
hyperbola is deployed to GitHub Pages now! Executed via DNS cutover with terraform. Now to destroy the old infrastructure in AWS. #github #hypstatic #aws #terraform #hypstatic
The terraform config for this project is on 0.12 and I have no desire to update it to 0.13. #fail #terraform #automation #hypstatic
Add in some manual #terraform state edits and deleting things in the #aws console and we're recovered #fail #win
Undeployable manifested as healthz returning 502 when adding a new instance to the ALB, marking it as unhealthy and timing out #terraform
I added code block and syntax highlighting to my new #blog. Planning on using it for an upcoming post about #terraform.
That was easy! hyperbola running on t3s now. #aws #terraform #win
for www.frklft.tires, I stopped using #terraform for managing the static content of the site. It now lives outside of my terraform code in a public directory, published explicitly with a make target #win
welp that didn't last long. CloudFlare only queries a subset of NS records to check for liveness and has determined that I no longer use CloudFlare. Working on purging them from #terraform and registrar now #fail
Even more cost savings: dynamically provisioned bastion cloudformation stack #terraform #aws
#terraform is now a package manager. Great. #fail. For some reason plugin downloads hang if the download gets an IPV6 edge node in their CDN.
thinking of removing dependency on #cloudflare. currently only used for hyperbo.la DNS. Email records are the scary part. #terraform makes this mostly easy
4. problem: https is hard. solution: ACM + #terraform + ALB + CloudFront
my #terraform life became much easier by using name_prefix instead of name. name and name_prefix parameters were never interpolated. Instead, use interpolation in tags. In practice this means config can change without rebuilding the world #win
I initially went with the unclustered variants of elasticache and rds. Once I wrapped my head around the topology, #redis cluster mode and #aurora were much easier to work with in #terraform
buliding the #aws infra took about 30 commits, two #terraform destroys, and two terraform code rewrites. some fun bits in the following posts
Converted wiki from ELB to ALB this morning ... took a couple of hours. modified #terraform config and updated #ansible ... also converted from Let's Encrypt to ACM. https://github.com/hyperbola/hyperbola-tools/commit/23fb9a7 #win
Migrated terraform state from a private github repo to a private, encrypted S3 bucket. State infra is bulkheaded from main app and protected with prevent_destroy lifecycle #win #terraform #aws
bastion is now in an ASG with an automatically bound (with user data) elastic IP. Yay fault-tolerant infra! #win #aws #terraform