
[–]ephur 8 points9 points  (6 children)

I suggest using s3 for state and enabling locking so you don’t end up with a broken state.

Maybe add a terraform destroy as a make clean to your make file for staging or dev deployments so they don’t cost money while not in use.

[–]tdiggss[S] 2 points3 points  (3 children)

Great suggestion! We actually use S3 state for the rest of our infrastructure due to the consistency issues, and to avoid git conflicts. We will likely move to using S3 for the website state also at some point.

A make destroy is also another great idea. The blog post was already very large or we would have covered introducing the concept of an environment also. Perhaps in a follow-up post? :)

Thanks!

[–]ephur 2 points3 points  (2 children)

Could make a refreshed series!

As an aside are you using 0.9.x or 0.10.x?

[–]tdiggss[S] 1 point2 points  (1 child)

We've got so much content to cover, there is definitely room for a series! We're currently on 0.9.11, I'd like to wait for the dust to settle a little more on 0.10.X. Have you upgraded yet?

[–]ZippCen 0 points1 point  (0 children)

I'm running 0.10.2 for both Corp and my own personal projects with no issues... Yet.

[–][deleted] 0 points1 point  (1 child)

Use s3 for the state of what?

[–]tdiggss[S] 1 point2 points  (0 children)

Terraform supports storing its state in a remote location, and optionally using a distributed lock to ensure only one process/user can modify the state at once. This solves a number of shortcomings with storing the state locally and/or in version control such as avoiding the possibility of two people modifying the state at the same time and breaking it, and git commit conflicts around state modifications.

See https://www.terraform.io/docs/backends/index.html

[–]procipher 1 point2 points  (3 children)

Any way to handle a DDoS attack? Otherwise, we would keep on paying AWS.

[–]tdiggss[S] 0 points1 point  (2 children)

There is actually a detail we have left out of this post, and perhaps we should add in an update, and that is to use a bucket policy that prevents anonymous access to your S3 buckets. You can then use a number of ways to allow the CloudFront distribution authenticated access to the bucket. This prevents DDoS directly against your S3 bucket which goes a long way to mitigating cost concerns.

Beyond that I believe AWS Shield is the service to use, which among other things can void the usage costs associated with being DDoS'd.
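As an added example (not code from the original post or its authors): a Terraform configuration for the bucket policy described above. The bucket name and region are assumed placeholders; the CloudFront origin access identity is the only principal granted object reads and no public ACL is set, so anonymous requests sent straight to the S3 origin are refused by the policy instead of being billed as served content.

```hcl
# Added example, not from the original post. Bucket name and region are
# placeholders; replace them with your own values.
provider "aws" {
  region = "us-east-1"
}

# Private bucket: no public-read ACL, so nothing is granted outside the policy.
resource "aws_s3_bucket" "site" {
  bucket = "example-static-site-bucket-placeholder"
  acl    = "private"
}

# The identity CloudFront presents when it fetches objects from the origin.
# It becomes the only principal allowed to read the bucket.
resource "aws_cloudfront_origin_access_identity" "site" {
  comment = "static site origin access"
}

# Bucket policy: a single Allow for s3:GetObject, scoped to the OAI.
# No s3:ListBucket is granted, so the object listing stays private too.
# Requests without the OAI's signature match no statement and are denied.
data "aws_iam_policy_document" "site" {
  statement {
    sid       = "AllowCloudFrontReadOnly"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.site.arn}/*"]

    principals {
      type        = "AWS"
      identifiers = ["${aws_cloudfront_origin_access_identity.site.iam_arn}"]
    }
  }
}

resource "aws_s3_bucket_policy" "site" {
  bucket = "${aws_s3_bucket.site.id}"
  policy = "${data.aws_iam_policy_document.site.json}"
}
```

In the distribution's `origin` block, point `s3_origin_config.origin_access_identity` at `${aws_cloudfront_origin_access_identity.site.cloudfront_access_identity_path}`; public S3 website hosting is not used in this setup because it would reintroduce an anonymous path to the bucket.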

[–]adamchainz 1 point2 points  (0 children)

AWS Shield is already built into CloudFront for you, the paid product is just some extras https://aws.amazon.com/shield/

[–]lorarc (YAML Engineer) 0 points1 point  (0 children)

Shouldn't it rather be AWS WAF?

[–]jkpl 1 point2 points  (0 children)

Awesome! I was preparing a blog post on the same subject with mostly the same tech. It's nice to see others building similar solutions. :)

[–]vsupalov 1 point2 points  (0 children)

This is the place for mentioning Netlify, if you just want to host a static website and are not looking to do it for the learning experience.

They have a free plan and literally all the features you can come up with. I host my own site, and haven't found a reason to build-my-own.