Add migration guide for CIS AWS 1.3.0 #386
Deploy preview for keen-clarke-470db9 ready! Built with commit 8ada2d5
Having the version number in the title makes the guide not appear in the list of guides - I guess this is a bug.
bwhaley
left a comment
Great start! Left a few comments for your consideration on grammar/use of wording. Looking forward to doing a complete review!
Yes, this is a known issue. I think something in the code struggles with non alphanumeric characters (e.g., decimal points)? @eak12913 @oredavids Any chance of getting this fixed, as it's hard to publish a guide for CIS v1.3.0 without using decimal points 😁
brikis98
left a comment
Thanks for putting this together!
Having seen this, I think the right thing to do is to update the Acme CIS repos too, so customers have a concrete upgrade example to look at. We need to add that to the Jira epic.
Thanks for making a start on this @infraredgirl 🙂 I'm having a look to add bits about IAM access analyzer now
Would this be a blocker for you folks? If at all possible - I'd prefer to not switch context right now but I am worried that this will hold y'all up. The last time I looked at the code it was somewhat of a tangled mess of wires with some amount of assumptions baked in about what Jekyll will do too (in addition to whatever our mess of logic is doing). In order to dive into that - I'd have to page out what I'm working on now.
This will need to be updated once we've updated the ACME repos for the Ref Arch.
I think the guide needs to have "1.2" and "1.3" in the title. If there's some workaround way to get that without forcing you to context switch, we're happy to use that... But otherwise, this won't have the right title, or the right SEO benefits, and changing it later would change the URL, which would require redirects, which we'd prob forget, leading to 404s... So, yea, I think we need some way to have the proper title on this guide.
I was curious to have a play around with this bug, and I have to say it's very annoying and unfortunately my lack of experience with Jekyll and playing around didn't really help! Anyway, I thought I'd share a few things I looked into, and hopefully it could be a very simple fix when combined with more knowledgeable people in how this works! https://jekyllrb.com/docs/liquid/filters/ Basically, as far as I could gather, none of the
Thanks for taking a look @ina-stoyanova! - I will just finish up a few things and can try to take a look as well. If memory serves me correctly from last time, the problem is somewhere in the interplay between the following things:
There's interplay between these things and the last time I looked - I was able to figure out Jim's issue - but it still didn't solve this one. If you'd like - we can pair code? I'm no Jekyll expert and only have cursory exposure to this code from the troubleshooting I did on it last time. Otherwise I'll take it up either later today (probably too late for you) or Monday depending on how today's other tasks go.
Yeah - I'd love to pair code if it's on Monday. Although, it's not my domain - it would certainly be useful to pair code with you! Either way - thanks for filling in my gaps :) I knew there must be more to it, as simple fixes obviously didn't work 😜 Loads to learn as always! Feel free to pick it up whenever's convenient for you - but if Monday, I'll make time to work with you :)
Just trying to understand what's still left on this PR? Is the following correct? [x] Fix title bug (not showing '1.3' in the guide title) N.B.: This PR could be reviewed, but not merged until this is also done: https://gruntwork.atlassian.net/browse/IAC-1683
Do we need to have dedicated section for the items that were just upgrades to the existing modules? I understand the need for dedicated sections for new modules, but I'm not sure that e.g. the S3 bucket upgrades (which are just refactors to use a different modules under the hood) need a section each?
…n like: period, comma, semicolon (etc...)
@infraredgirl Could you please try to change your title to what you originally wanted it to be and double check. @ina-stoyanova and I have fixed the issue and we believe that it should no longer be a problem.
This reverts commit 3aba818.
Works now! Thanks so much for the fix!
I was originally dreading this one because I thought it was going to be a can of worms. It ended up being pretty straightforward and to correct my earlier assumption, had nothing to do with ScrollSpy or the search logic. The issue was with the
Yes! We should make these a first-class part of the guide: "See the Acme CIS examples to see what the code changes may look like."
Added in e80a4ee. I've linked directly to the update PRs - if there's a better location to link to please LMK!
I think we can open this up for reviews!
brikis98
left a comment
Getting super close!
| allow_administrative_remote_access_cidrs_private_app_subnets = { app_vpc_cidrs = module.app_vpc.vpc_cidr_block } | ||
| allow_administrative_remote_access_cidrs_private_persistence_subnets = { app_vpc_cidrs = module.app_vpc.vpc_cidr_block } | ||
| } | ||
| ---- |
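Review bot: Both `allow_administrative_remote_access_cidrs_private_app_subnets` and `allow_administrative_remote_access_cidrs_private_persistence_subnets` are set to the whole app VPC CIDR (`module.app_vpc.vpc_cidr_block`), so the example permits administrative remote access to the persistence subnets from every address in that VPC. If that breadth is intentional for the sample, say so in the text next to the snippet; otherwise suggest that readers pass only the CIDRs of the hosts that actually administer these subnets.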
If you're switching from vpc-app-network-acls in module-vpc to this new one, you'll also need to run state mv commands! As all the original resources are now nested one module deeper.
Yup, that's what I meant!
…On Tue, Jan 26, 2021 at 3:04 PM Ana Krivokapić ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In _posts/2021-01-06-how-to-update-to-cis-13.adoc
<#386 (comment)>
:
> +Please follow the steps below to upgrade from the version 1.2.0 to 1.3.0 of the Benchmark. To see the actual relevant code
+changes, please refer to the Acme CIS examples gruntwork-io/cis-infrastructure-modules-acme#6[here]
+and gruntwork-io/cis-infrastructure-live-acme#8[here].
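Review bot: Both links in the added sentence are labelled "here", so a reader cannot tell which one goes to cis-infrastructure-modules-acme and which to cis-infrastructure-live-acme. Suggest labelling each link with the repo it points to, and dropping the article in "from the version 1.2.0" so it reads "from version 1.2.0 to 1.3.0 of the Benchmark".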
By call-out, do you mean a NOTE block? If so, I've updated it in 801a743
<801a743>.
LMK if you meant something else!
Co-authored-by: Ina Stoyanova <ina@gruntwork.io>
Hey @marinalimeira @infraredgirl I believe with the last few comments, this is ready to go?
brikis98
left a comment
This is also good to go after a few minor wording / typo tweaks!
Co-authored-by: Yevgeniy Brikman <brikis98@users.noreply.github.com>
Woohoo! Many thanks to everyone who contributed to this PR, both in terms of content and reviews! Merging now!

https://gruntwork.atlassian.net/browse/IAC-1641
Remaining work:
ebs-encryption-multi-region deploy instructions