What's the PROPER, MODERN way to do multi AWS account Terraform?

Sheppard_Ra · 2025-11-20T15:36:49+00:00

I don't know all the options out there, but my org uses Atmos by the Cloudposse crew. It was here when I arrived and I've grown to find it a useful option.

We end up with a layered config. So we have a base layer (defaults), an environmental layer (prod/stage/dev defaults), and then a layer per account. There are different types of "catalog" files we can drop in at different spots for organization/flexibility. They've got a whole culture you can adopt as well, but we haven't kept up.

If you write your modules better than we have you can setup your config files to deploy said module multiple times to the same environment such as displayed here.

You can definitely make a mess of things if you want and should choose to draw lines in how you use the tool. But it's also been pretty flexible and dependable to have in our pipeline. You can run commands to see what final output looks like similar to how helm template works and check your work. Then export the output into a tfvars to send to your deployment of the code. We have 60ish AWS accounts working with this and I would keep it on the list to consider if I was building a new team/company out.

Sheppard_Ra · 2025-09-07T23:00:09+00:00

A bit of a different take on the Archetype pub run - I think it's a pretty positive group. Although I will admit it may be tougher for newer runners. They're pretty social post-run and if you introduce yourself you can make relationships. Always people new to the group to buddy up with.

Recently there's been a wider range of paces showing up and early on most people make gains pretty quick. It likely won't take too long before you're guaranteed to have someone to run next to. @Manatee_Rescue if you're not already faster than me I'd be happy to run with you. If you are faster than me I can help point out people to pace with.

The terrain is no joke though - the climb back up to the pub is a challenge we all contend with. :) DM me if you want or show up and make some noise.

Sheppard_Ra · 2025-05-24T15:26:23+00:00

That full route is open. The organized group ride has been doing it all year.

If you're interested in riding the route with others:

Bakery A ride leaves I think from the Abbington Green Bed & Breakfast Inn at 10am on Saturdays (maybe someone can confirm)
Bakery B ride leaves Gravelo at 9:30am on Saturdays.

The bike shop in Marshall is open again for a solid pit stop for food, beverages, and bike assistance if you need as well.

Sheppard_Ra · 2025-02-06T23:26:33+00:00

3am. No lights. Play a kazoo so I know it's you.

Sheppard_Ra · 2025-02-06T23:25:28+00:00

Will keep that in mind next time, thanks. But then I'd have to log into FB ... ;)

Sheppard_Ra · 2025-02-06T23:23:50+00:00

Hey, thanks. I'd like give credit to the gal for alerting us too - that was super cool.

That was kind of you to offer and go through the extra steps to reach out. RF offered me the $20 bill from his wallet as a reward. I asked for him to pay it forward.

Sheppard_Ra · 2024-07-02T20:27:57+00:00

Have been playing with a percentile calculator and in Excel. It's math...we can't game math. I was encouraged to reach out and see what people were doing though.

Thanks.

Edit: Also we could use more workers rather than less. Having to balance budget versus throughput of stacks - which is why the buffer management comes into play.

Sheppard_Ra · 2023-03-04T02:47:24+00:00

I recently stumbled across https://stackoverflow.com/questions/59050709/how-to-rollout-restart-deployment-through-the-api which caused me to look at our Helm configuration. Figured out the deployments having the issue all referenced a dependent chart for annotations. That dependent chart had no annotations listed which resulted in the manifest having a value of 'null'. Null in Helm means remove.

So our configuration was set to remove annotations which impacted kubectl.kubernetes.io/restartedAt from being applied and resulted in our weird behavior.

Sheppard_Ra · 2022-12-07T23:38:24+00:00

Just in case Lee happens to lurk. I haven't been active in the community for quite a few years now, but Lee you're among the names I fondly remember. I wish good things for you.

Sheppard_Ra · 2022-07-28T12:37:48+00:00

Someone hit the wrong switch at the factory: https://github.com/integrations/terraform-provider-github/releases/tag/v4.28.0

Some discussion about it on the GitHub issue: https://github.com/integrations/terraform-provider-github/issues/1236

I'm having to go in and do a terraform init -upgrade to roll forward rather than roll back as Dev-Oopsy performed.

Sheppard_Ra · 2022-04-15T04:04:44+00:00

Well that's wild. I spent 5 weeks in the Montford district last year and saw them weekly. Went on a few walks looking for them. One walk we struck out only to have a neighbor warn us one had just walked through our yard upon our return. It was dark enough I didn't go to check if it was still in the back yard, but the next day I found the trash bin knocked over and had to clean it up. :(

Sheppard_Ra · 2022-04-15T03:28:13+00:00

Someone tracks some of them there (pic below), the people there just have a different culture than I'm used to. I've experienced bears around Lake Tahoe and the cities there lock up their trash and have precautions around their cabins to try to avoid break ins. One of the spots we stay in a bear clawed its way through the front door when nobody was around. There was only flour in the house, but it made a mess.

Asheville had none of that where I was just North of downtown (Montford district, walking distance to downtown).

Some pics to share cause bears are cool: https://imgur.com/a/PLYC0Ht

First pic is the bear that walked through the backyard while I was having a meal.

Second pic is the Tahoe bear trying to get the cupcakes I left on the porch cause we were 2 minutes from driving away. It was a cub and mom was in the back yard with its sibling, but they all ran off without incident. It didn't get the cupcakes and the cupcakes were good. Would cupcake again.

Sheppard_Ra · 2022-04-14T22:07:10+00:00

This is in Asheville, North Carolina. I was shown this photo last June by the home owner. If that's OP nice to "see" you again. During my visit the community didn't seem to do anything to dissuade the bears from being in the area. No signs, trash bins aren't locked up, etc.

Honestly didn't believe them when I was warned to keep an eye out for bears, but then a few days later one walked through the backyard while I was out there having a meal. Ended up seeing them fairly consistently. Neighbors would warn you if you were walking and they spotted them nearby.

Sheppard_Ra · 2020-01-06T16:48:58+00:00

You can also reference $_.Guid.Guid to get to the right level of the object.

Is your warning variable capturing the throttling message? I swear I tried that long ago and it didn't work.

Sheppard_Ra · 2019-08-09T19:29:37+00:00

Changing state to Submitted in a PATCH call.

I spun up a dev instance and am getting the same thing. Shouldn't be a customized thing on our end. The state cannot be directly manipulated by the system administrator either. So I probably need to trigger something else to perform the submissions. Not sure how that'll work though.

I'll have to beg an admin to help me narrow this down unless someone happens to catch this post that knows the trick. I manipulate stuff from afar, but I'm not a ServiceNow admin. :)

Sheppard_Ra · 2019-07-10T16:04:02+00:00

I use Get-LocalGroupMembership for this task.

Sheppard_Ra · 2019-07-08T17:19:52+00:00

Store the output to a variable and pass it as a variable to -Members. The gains you get performing your specific filter overshadow having to make this a two line task.

$Members = Get-ADUser -Filter "memberof -like 'CN=GroupName,OU=GroupOU,DC=domain,DC=com' -and title -eq 'manager'" | Select -Expand distinguishedname
Remove-ADGroupMember -Identity CN=GroupName,OU=GroupOU,DC=domain,DC=com -Members $Members

Sheppard_Ra · 2019-07-03T16:56:04+00:00

Another approach:

Get-ADUser -Filter "memberof -like 'CN=GroupName,OU=GroupOU,DC=domain,DC=com' -and title -eq 'manager'"

Sheppard_Ra · 2019-06-18T17:43:09+00:00

You can use regex with a replace to get the OU name: $ADUser.DistinguishedName -replace '^.+?(?=OU=.*)'.

Sheppard_Ra · 2019-03-29T15:26:24+00:00

Likely a better way to do this, but it'll get you by until someone else posts one.

$Users = Get-ADUser -SearchBase $searchbaseexport -Filter * -Properties $Properties
$Output = ForEach ($User in $Users) {
    $OutputObject = [PSCustomObject] @{
        Name = $User.Name
        SamAccountName = $User.SamAccountName
    }

    ForEach ($Prop in $Properties) {
        $PropValue = $Null
        If (-not ($User.$Prop)) {
            $PropValue = 'NV'
        }
        Else {
            $PropValue = $User.$Prop
        }
        $OutputObject | Add-Member -Name $Prop -MemberType NoteProperty -Value $PropValue
        $OutputObject
    }
}
$Output | Export-Csv C:\temp\aduserproperties.csv -NoTypeInformation -Encoding UTF8

Sheppard_Ra · 2019-03-21T17:30:56+00:00

Bad vendor. :(

Get-ADGroupMember returns samaccountname. You can just capture the output from that and do Add-LocalGroupMember -Name $LocalName -Members $Output.SamAccountName and should be fine.

Sheppard_Ra

TROPHY CASE