Search results

Dealing with multiple AWS accounts with one Keycloak client for Single-Sign On

This article assumes that the user backend for Keycloak is FreeIPA. Regardless of that the instructions will apply to any other setup with minor modifications. Here we use two different AWS accounts renamed to 123412341234 and 567856785678 to protect the personal information of the innocent. The Keycloak staging cluster on which this integration was done […]

Enabling AWS EC2 instance automatic recovery with Terraform

AWS EC2 instances are subject to two types of status checks (AWS docs): System status check (issues with the underlying hardware/networking: "the AWS side") Instance status check (issues with the OS, e.g. OOM, file system corruption, broken networking, etc: "our side") The official AWS EC2 instance recovery documentation claims that automatically recovering from an EC2 […]

Creating Puppet Bolt groups based on AWS tags

The Using tags in Puppet Bolt aws_inventory target_mapping showed how to use AWS "Name" tag as the target name for Puppet Bolt. Use of tags can be extended to creating Bolt target groups: All you need to do is add a "filter" section with one filter. The "name" parameter tells Bolt that the filter is […]

To containerize in AWS or not: the cost perspective

I recently checked the pricing model for Amazon Fargate to see if migrating a fair number of EC2 instance-based workloads to containers would save money. In theory this should have been the case, as a container has less "fat" compared to a full virtual machine. In this case the workload itself was perfectly suited for […]

Using tags in Puppet Bolt aws_inventory target_mapping

We're migrating away from Ansible to Puppet Bolt and the fact that Ansible updates broke the old inventory script expedited that process. While that inventory script was quite rudimentary, it was able to automatically add human-readable names to the EC2 instance names. So, for example, you could target a node using "server_example_org" if the […]

Delegating external parties access to AWS

This blog post shows how to grant access to an AWS account for some external party. For simplicity we will call this external party a "contractor". If you want to do the same for Microsoft Azure look at this blog post instead. This method requires the contractor to have its own AWS account, but it […]

Terraform stalls when recreating security groups

Sometimes Terraform stalls when trying to remove AWS EC2 security groups and Terraform does no give any hint as to what is wrong. The problem is caused by that security group being attached to an EC2 instance or network interface. Interestingly Terraform messes up the order of the AWS API calls even when it (attempts […]

AWS to Azure resource translation table

We use Terraform for managing our Cloud infrastructure. Our customers typically use AWS and that's what we're most familiar with. Each public Cloud has its own terminology, so this page is a translation table between Terraform resource names in the AWS and Azure providers: AWS Azure aws_instance azurerm_linux_virtual_machine aws_network_interface azurerm_network_interface aws_security_group azurerm_network_security_group aws_security_group_rule azurerm_network_security_rule aws_vpc […]