WEBVTT

1
00:00:19.360 --> 00:00:20.040
<v Matt Godbolt>Hey Ben.

2
00:00:20.040 --> 00:00:21.340
<v Ben Rady>Hey Matt.

3
00:00:21.340 --> 00:01:04.080
<v Matt Godbolt>So we were looking at the problem with our SSL certificate for uh, twoscompliment.org. In other words, you know, we wanted to be able to like host from just twoscompliment.org, not www.twoscompliment.org, which sounds straightforward. And through the miracle of podcasting, we recorded that many weeks ago. Our, our sort of, uh, attempts to fix it, but we never quite got there. And so I figure we should probably finish the job, try and get it so that our website's actually working, and, uh, everyone can laugh at how much we've forgotten between what may be back to back episodes as far as our listener is concerned. But what, for us, a month has passed.

4
00:01:04.080 --> 00:01:09.380
<v Ben Rady>Mm-hmm. <affirmative>, the fact that you think we're gonna get this fixed today is very ambitious. And I like that. I like that attitude.

5
00:01:09.380 --> 00:01:12.440
<v Matt Godbolt><laugh> Well, we've got half an hour or so. Let's give it a go.

6
00:01:12.440 --> 00:01:14.440
<v Ben Rady>Let's see how far we can get at least.

7
00:01:14.440 --> 00:01:17.340
<v Matt Godbolt>So we had a whole bunch of Terraform-y stuff was how we left

8
00:01:17.340 --> 00:01:42.540
<v Ben Rady>It. Yeah. So I have, so right now, if I remember this correctly, our plan was to create an AWS Route 53 domain. And then change the domain to use, uh, like the wild card certificates?

9
00:01:42.540 --> 00:02:06.620
<v Matt Godbolt>I think so, yeah. We could use a Wild Cert. Wild Card cert, or at least a cert that has multiple hosts listed, one of which could be a wild card, but it could just have dub dub dub and the no domain, which I believe is what Compiler Explorer does. But I can't remember, I think, I think actually Compiler Explorer has like empty and star dot godbolt org or whatever.

10
00:02:06.620 --> 00:02:48.310
<v Ben Rady>So I have right now, so looking at this, so we had kind of terraformed some of this up before. Um, and right now there is a certificate that we have for www.twocomplement.org. And there's a little TODO here that should be, it says should be just twocompliment.org. And then I have another little TODO here that says Subject alternative names equals, and then square brackets quote star dot twoscompliment.org.

11
00:02:48.310 --> 00:02:50.400
<v Matt Godbolt>Right.

12
00:02:50.400 --> 00:03:15.410
<v Ben Rady>Um, and I have a little bit of four each magic in the Route 53 record that I think attempts to create a record for each of the things that it sees in the certificate. And I have this, I think because I have done this once before, and gotten this to work, and I copy pasta-ed some of that in here, but now I have zero memory of how it

13
00:03:15.410 --> 00:03:16.960
<v Matt Godbolt>Will all fitted into together

14
00:03:16.960 --> 00:03:24.740
<v Ben Rady>how we even got here, let alone how it works. So this is what happens when you put things down for a month and then,

15
00:03:24.740 --> 00:03:27.220
<v Matt Godbolt>And then don't pick him up again. Right,

16
00:03:27.220 --> 00:03:36.860
<v Ben Rady>Right. Uh, let me go check. I have a project on my GitHub that I think this maybe came from. So let me go see if that is even remotely true.

17
00:03:36.860 --> 00:03:39.660
<v Matt Godbolt>And if so, we can crib from that.

18
00:03:39.660 --> 00:03:59.520
<v Ben Rady>Yeah. And I guess I should try tastypenny.com. And that does work. And it is secure. So I have done this on that site. Yeah. My recipe tracking website called tastypenny. I have <laugh>, I have done this

19
00:03:59.520 --> 00:04:01.060
<v Matt Godbolt>Tasty Penny?

20
00:04:01.060 --> 00:04:09.870
<v Ben Rady>Tasty Penny. Yeah. I don't even know where is that thing. Yeah. You know, it's like all recipe websites are terrible

21
00:04:09.870 --> 00:04:10.520
<v Matt Godbolt>Because

22
00:04:10.520 --> 00:04:11.320
<v Ben Rady>It's all like,

23
00:04:11.320 --> 00:04:19.600
<v Matt Godbolt>They're not really recipes said websites. They're advertising websites that were trying to put as many adverts between the obvious thing you want, which is the damn recipe.

24
00:04:19.600 --> 00:04:35.820
<v Ben Rady>Right. And try to, you know, get enough SEO from the text that they're putting on there about like, oh, I traveled to Paris three years ago and I had this wonderful, you know, whatever. Yeah. But yeah, I can't even find, am I like not logged in? Oh, I'm logged in as, yeah. Okay. That's what's going on there. I'm not,

25
00:04:35.820 --> 00:04:36.480
<v Matt Godbolt>Oh, you on, I can't see

26
00:04:36.480 --> 00:04:38.640
<v Ben Rady>My right now, repositories. Oh, no,

27
00:04:38.640 --> 00:04:39.720
<v Matt Godbolt>I see you're logged to GitHub.

28
00:04:39.720 --> 00:04:46.400
<v Ben Rady>Right. I'm trying to find where this stuff came from. So I'm going to GitHub, but I'm logged in as a different user, so I can't see my press.

29
00:04:46.400 --> 00:04:48.400
<v Matt Godbolt>Whoa. You have more than one user.

30
00:04:48.400 --> 00:04:52.340
<v Ben Rady>I do. I have an aquatic user for my official Aquatic things, and I

31
00:04:52.340 --> 00:04:52.880
<v Matt Godbolt>Have Oh, I see. Oh, I,

32
00:04:52.880 --> 00:04:56.420
<v Ben Rady>Me, which is less official.

33
00:04:56.420 --> 00:04:58.700
<v Matt Godbolt>You're less official. I you're not the official Ben Rady.

34
00:04:58.700 --> 00:05:03.120
<v Ben Rady>I am not the official Ben Rady. I am the, I'm just the casual Ben Rady.

35
00:05:03.120 --> 00:05:05.480
<v Matt Godbolt>I see

36
00:05:05.480 --> 00:05:21.880
<v Ben Rady><laugh>. Um, okay. So yes. Tastypenny. Uh, here's some Terraform. It says site. And Yes, I think that is exactly where that came from because that looks very similar except some commented out stuff.

37
00:05:21.880 --> 00:05:27.200
<v Matt Godbolt>Uh, before we get too excited, if I go to Tastypenny, or if I could type Tastypenny dot org? com?

38
00:05:27.200 --> 00:05:27.360
<v Ben Rady>Com.

39
00:05:27.360 --> 00:06:06.760
<v Matt Godbolt>Com. No dub dub dub. It is working. No ads, no junk, just Tasty apparently is the uh is the little, uh, byline for this and. Connection is secure, it says, and certificate is valid. And the co common name is tasty penny.com. And there you go. And looking at the, yeah, you just got a certificate and it only mentions tastypenny.com in this certificate. Now I'm gonna go to www dot tasty penny.com and connection is Secure Cookies, all the things. Maybe it redirected me then

40
00:06:06.760 --> 00:06:08.140
<v Ben Rady>It might have.

41
00:06:08.140 --> 00:06:14.640
<v Matt Godbolt>I see. But obviously in the interim, it, it was, it served up something which did not upset my browser. Yeah. In terms

42
00:06:14.640 --> 00:06:17.240
<v Ben Rady>Of you could curl it if you wanted to know for sure.

43
00:06:17.240 --> 00:06:37.320
<v Matt Godbolt>I certainly could, but yeah. That's awesome. Alright, so this is going to be a good thing to crib from because it works. That's what I'm checking is like, before we get all excited and changing it, let's just see that like we're heading the right way. Uh-huh, and I will curl it actually.

44
00:06:37.320 --> 00:06:49.580
<v Ben Rady>While we're going. Yeah. So yeah, when I do a curl dash v I see server certificate, subject, CN on Tastypenny, start date, expire date, which is uh, in May. Okay. We'll keep that in mind. <laugh>. Uh, and then, uh,

45
00:06:49.580 --> 00:06:51.080
<v Matt Godbolt>Picking up rocks

46
00:06:51.080 --> 00:06:57.540
<v Ben Rady>Subject alt name host www tasty penny.com max. I see certs star tasty penny.com.

47
00:06:57.540 --> 00:06:59.120
<v Matt Godbolt>Perfect. Okay. So that's a good

48
00:06:59.120 --> 00:07:00.120
<v Ben Rady>Sure. Amazon

49
00:07:00.120 --> 00:07:05.260
<v Matt Godbolt>Analog then of that. And we know what to look for when we, when we do it for twos compliment.

50
00:07:05.260 --> 00:07:27.140
<v Ben Rady>Yeah. So, you know, the question with this is how do you fix the airplane while it's in the middle of the air? And, uh, I would hate to, uh, you know, apply some terraform change here that all of a sudden makes our podcast disappear for, you know, 24 hours or however long the DNS is poisoned or whatever it might be. You know,

51
00:07:27.140 --> 00:07:50.320
<v Matt Godbolt>So how about this? Can we make a change straight away to change the TTL of the DNS down to like two days and just apply exactly as is, but with a really low ttl, which means that already, or like two hours, which means that we're starting to promote the idea that we're gonna screw this up and we wanna be able to undo it. Right. You know? Exactly. Yes. A good friend of mine once told me that if you can't test it properly, then at least make it cheap to roll back.

52
00:07:50.320 --> 00:08:15.700
<v Ben Rady>Oh, yeah. Okay. That sounds like that guy was making **** up as he went along. <laugh>. Uh, okay. Um, let's see here. So right now the Route 53 record is set to 60, which is in seconds, right? Oh,

53
00:08:15.700 --> 00:08:23.480
<v Matt Godbolt>Right. I think so. Right. So we might be, uh, I mean DNS is it's own mysteries

54
00:08:23.480 --> 00:08:33.340
<v Ben Rady>The question is, I don't think that currently AWS is the name server for twos compliment. I'm using the other provider.

55
00:08:33.340 --> 00:08:44.040
<v Matt Godbolt>That means that we can make all the changes we like here and just use NS lookup with the server being, or host or dig or whatever the cool kids use these days, um, and test that it's doing the right thing.

56
00:08:44.040 --> 00:08:44.660
<v Ben Rady>Right.

57
00:08:44.660 --> 00:08:45.900
<v Matt Godbolt>So right now, I, how

58
00:08:45.900 --> 00:08:48.380
<v Ben Rady>Would we, how would we confirm that that is true?

59
00:08:48.380 --> 00:09:05.000
<v Matt Godbolt>I'm gonna do NS lookup and I'm gonna do set type equals any and I'm gonna do twos and sorry for my offensively loud keyboard twoscompliment.org. And it tells me non authoritative answer name server is ns2.hover.com and then,

60
00:09:05.000 --> 00:09:05.380
<v Ben Rady>Yeah,

61
00:09:05.380 --> 00:09:21.940
<v Matt Godbolt>That's blah, blah, blah, blah. And then address is 2 16, 40, 34, 41, whatever. Yeah. Okay. Yeah. Now, beautiful. If I were to set the server to be, do have you have, do you happen to have a a, a AWS DNS IP there?

62
00:09:21.940 --> 00:09:28.340
<v Ben Rady>Uh, let me go see if I can do that. One moment please.

63
00:09:28.340 --> 00:09:34.300
<v Matt Godbolt>And meanwhile, I'm looking at the Tasty Penny website going, this looks great. <laugh>,

64
00:09:34.300 --> 00:10:01.200
<v Ben Rady>I wanna, I, I, I have some updates I wanna make to it. Uh, I want to make it a little bit more tablet friendly, cuz it's not right now, but it, you know, it has some good recipes on it. Uh, yeah, I wanna sign into the console. I don't know if you've got this thing recently where I've finally had to separate my amazon.com, you know, ordering

65
00:10:01.200 --> 00:10:01.580
<v Matt Godbolt>Oh shopping,

66
00:10:01.580 --> 00:10:09.120
<v Ben Rady>Shopping, shopping password and my AWS password. Yeah. Through a reminder of like, it used to be that Amazon was a bookstore.

67
00:10:09.120 --> 00:10:42.480
<v Matt Godbolt>Yeah, that's right. Yeah, it is pretty bonkers. At one stage, actually, I had a problem where, um, I enabled two factor authentication on one or other of the two and it affected the other, even though they were supposedly independent. I think there's still some link between the two. They're different account names now. And I, that was the one and only time I ever spoke to an, an Amazon person on the phone while they were trying to reset it out. Oh, this is an interesting problem. I'm like, yes, yes it is. I can't log into either. And this is kind of panicking me right now. <laugh>.

68
00:10:42.480 --> 00:10:43.540
<v Ben Rady>Hmm. Uh, okay,

69
00:10:43.540 --> 00:10:46.660
<v Matt Godbolt>Well this padding. Yeah. Has that allowed you to find the IP address of

70
00:10:46.660 --> 00:10:52.480
<v Ben Rady>Yes, yes, yes. So I have the twos compliment name servers.

71
00:10:52.480 --> 00:10:53.020
<v Matt Godbolt>Yep.

72
00:10:53.020 --> 00:10:54.460
<v Ben Rady>There's four of them.

73
00:10:54.460 --> 00:10:55.900
<v Matt Godbolt>Anyone will do,

74
00:10:55.900 --> 00:11:05.050
<v Ben Rady>Let's go NS dash 60 eight.aws dns dash zero eight.com.

75
00:11:05.050 --> 00:11:41.480
<v Matt Godbolt>Wow. That's a beautiful thing. Oh, the, so it has an IPv6 address. There you are. That's crazy. Okay, so now I've just said server that, and I'm typing twoscompliment.org again. And now it tells me, uh, the name servers are, now I can see the other DNS uh, servers at Amazon, which are like NS 1, 1 50 and one 1600, all this kind of crazy things. And apparently it has an address of 202.251.192.68 is what it's resolving to, which is that the alias to the load balancer?

76
00:11:41.480 --> 00:11:44.180
<v Ben Rady>Yeah, it's a cloud front distribution.

77
00:11:44.180 --> 00:11:52.410
<v Matt Godbolt>Yeah. Okay. So I'm gonna, I, what I'm gonna do is I'm gonna look up, no, yeah, it doesn't, oh wait, it's refusing me. I want me do this on another one

78
00:11:52.410 --> 00:11:54.660
<v Matt Godbolt>1, 2 0 5, uh,

79
00:11:54.660 --> 00:11:57.350
<v Matt Godbolt>2 51 1 2 2 68.

80
00:11:57.350 --> 00:11:57.800
<v Ben Rady>Uh

81
00:11:57.800 --> 00:12:57.000
<v Matt Godbolt>Oh. That says NS 68 aws D n I mean, it could be the same IP addresses for all I know. So yeah, we need to look up what the cloud front, um, distribution is set to, just to see if just, I mean obviously this is just us testing the water here, like this should, should all work out. But while you do that, um, what this means is, yeah. CloudFront is essentially a caching proxy in front of all of the, um, aws, uh, infrastructure. And, um, when one creates one, one tells it where to get the information from that it's gonna be proxying and, and edge caching and it gives you a sort of a unique, uh, distribution name and then that maps to an IP address or a DNS that you then use to point your web services at. And then whatever you land on knows how to serve up from CloudFront, your web server, your web traffic, your web, whatever.

82
00:12:57.000 --> 00:13:02.000
<v Ben Rady>So I have arn, I have a distribution name, but I'm having a hard time finding,

83
00:13:02.000 --> 00:13:02.800
<v Matt Godbolt>What is the distribution?

84
00:13:02.800 --> 00:13:05.800
<v Ben Rady>An address? Oh, wait, no, maybe this is, maybe,

85
00:13:05.800 --> 00:13:09.620
<v Matt Godbolt>I think it is and I I think it might actually be a full FQDN

86
00:13:09.620 --> 00:13:17.900
<v Ben Rady>D n I mean the distribution name is a Okay. Yeah, I think I do. Yeah. Okay. Uh, this is, this is gonna be a little painful. You ready for this?

87
00:13:17.900 --> 00:13:21.560
<v Matt Godbolt>Okay, then. Alright. Right. Well maybe, yeah, go on. Is it as something or other?

88
00:13:21.560 --> 00:13:27.220
<v Ben Rady>It's, no, it's, it's a big long stream string of care characters.cloudfront.net.

89
00:13:27.220 --> 00:13:44.440
<v Matt Godbolt>Okay. So why, if you've got that in your console, why don't you copy that and just do host space that and see if you get an IP address that looks like this one and then that will sort of con confirm while you do that. I'm another copy, www.twoscompliment.org

90
00:13:44.440 --> 00:13:57.620
<v Ben Rady>Uh, I see 54 2 30 18 99. Okay. 54, 2 30 18 49, 54, 2 30 18, 82 54, 2 30, 18 69.

91
00:13:57.620 --> 00:14:16.220
<v Matt Godbolt>Got it. None of those matched because I've just realized that NS lookup was giving me a bad answer. It tried to connect and it got time out. And then what it's doing is it's just telling me all about the domain. There is no, i, there is no, uh, a, uh, record associated with twocomplement.org. So that's what we need to fix.

92
00:14:16.220 --> 00:14:17.320
<v Ben Rady>Okay.

93
00:14:17.320 --> 00:14:22.560
<v Matt Godbolt>There's also no a, there's no a record associated with dub dub dub dot two complement do org. Right.

94
00:14:22.560 --> 00:14:32.600
<v Ben Rady>Cuz isn't there not going to be, isn't it gonna be this like different kind? Oh, what are the, what is the name of that type of DNS record that's like, it's not specific to Amazon, but it's like,

95
00:14:32.600 --> 00:15:19.420
<v Matt Godbolt>Well, it, it's called sort of alias around. So like the, the, the underlying problem here is that there is no such thing really, as much as people would love there to be, there is no such thing in DNS as an, uh, a c name, which is what we really want for. The, um, uh, the, the naked domain. Like, so what you might want mm-hmm. <affirmative> is do dub dub do whatever to be the address of a machine. And then if someone puts in the thing without the dub dub dub, you say, Hey, this is the same as dub dub dub dot. Which is a c name, a kind of a symbolic link if you like at the DNS level. But unfortunately you can't have a C name record for a naked domain itself. You have to have an A record. And the problem with that is that the, the C name actually needs to point at the cloud front distribution because Amazon wanna move it around. They wanna change it. Yeah.

96
00:15:19.420 --> 00:15:19.980
<v Ben Rady>Yeah.

97
00:15:19.980 --> 00:15:51.540
<v Matt Godbolt>And so what typically happens is that DNS providers will have a product where they track the DNS entry for the cloud front end that you've got and they'll just keep periodically changing your A record. But Amazon natively supports this, so we should just be able to configure it. So I think we're just missing the configuration in the Terraform and an app, an application should just make this work here without affecting the real twoscompliment.org, 'cause it is still being served up by hover.com.

98
00:15:51.540 --> 00:16:21.280
<v Ben Rady>Right, right, right. So I'm actually looking at this now, and this, this makes sense to me, which is I've actually got some commented out stuff in this Terraform that does, I think exactly that. And that is what my Tastypenny Terraform does. And looking at my Tastypenny configuration in Route 53, I can see an a record there. Um, that is a very strange looking a record because the value of it is that big long list of characters cloudfront.net. Right? Well, not the same

99
00:16:21.280 --> 00:16:22.900
<v Matt Godbolt>One. Oh, that's interesting. Yeah.

100
00:16:22.900 --> 00:16:30.360
<v Ben Rady>Um, uh, and that is for, uh, the www one and for the sort of bare domain. Yeah,

101
00:16:30.360 --> 00:16:30.620
<v Matt Godbolt>That sounds,

102
00:16:30.620 --> 00:16:36.180
<v Ben Rady>So that to me seems like Amazon, you know, doing an a record, you know, trick.

103
00:16:36.180 --> 00:17:49.120
<v Matt Godbolt>Trick behind the scenes. Let me, I'm gonna have a very quick look at how I did this for some other website that I'm, I'm involved in, uh, Route 53 tf, where the hell is all this stuff? Uh oh. Yeah. I actually have modules for this because it's, uh, so awful that I have so many stupid things. Main tf uh, okay. I set a CName and the records are the, yeah. Something like Route 53 address a FQDN. So it's kind of looking up somewhere else. I'm trying, this is obviously makes for great radio, um, uh, zone the alias name. Yeah. Okay. It looks like it's an alias that I'm setting. So I do, for both the, the A record and the AAAA record, I have, um, an alias stanza inside of the Terraform itself. So it's not an address record, even though it could be. And it has a name, a zone ID and some other bits and pieces in it. And I dunno if that corresponds to the thing that you are looking at now.

104
00:17:49.120 --> 00:17:51.880
<v Ben Rady>Yeah, I think that is, I think we're looking at the same thing here.

105
00:17:51.880 --> 00:18:22.780
<v Matt Godbolt>So I've got, yeah, alias name equals, and then I've got a variable which holds the CloudFront distribution domain name, and then another thing that's CloudFront distribution dot hosted zone id. And that essentially configures the A and the AAAA for the top level name, which is, in my case, you know, godbolt.org or godbo.lt or compiler explorer.com for all the times it's instantiated, which is like the four each that you've got. But I think we only need one of these. So you could probably just write it out longhand right now.

106
00:18:22.780 --> 00:18:40.440
<v Ben Rady>Yeah. Well I, I think this would actually just work if the certificate was the, if I switched, so kind of parsing through this now and having some vague memory of what we did here. Yeah. Um, I think the, this will all work if we can just,

107
00:18:40.440 --> 00:18:40.440
<v Matt Godbolt>"just"

108
00:18:40.440 --> 00:18:53.900
<v Ben Rady>change this certificate to be a wild card certificate. So if I were to change that in the Terraform and then try to run it. What would it just replace the existing certificate with a wildcard certificate?

109
00:18:53.900 --> 00:18:59.660
<v Matt Godbolt>I think so. I think so. I, I have some magic to do that too if needs be. So why don't we try, try that.

110
00:18:59.660 --> 00:19:01.040
<v Ben Rady>Let's give that a try. Okay.

111
00:19:01.040 --> 00:19:03.620
<v Matt Godbolt>What could go wrong? We could, I mean, right.

112
00:19:03.620 --> 00:19:10.660
<v Ben Rady>Well, in theory people could start getting certificate errors going to, to twoscompliment because I do think that this is the real certificate. This

113
00:19:10.660 --> 00:19:19.320
<v Matt Godbolt>One will be the real certificate. Yes. Right. The DNS can do whatever it likes, but we're about to tell CloudFront to use a different certificate when it's pretending to be us.

114
00:19:19.320 --> 00:19:22.860
<v Ben Rady>Yes. Which is probably why I stopped here. <laugh>,

115
00:19:22.860 --> 00:19:25.340
<v Matt Godbolt>I mean, Yolo.

116
00:19:25.340 --> 00:19:26.740
<v Ben Rady>Let's do it.

117
00:19:26.740 --> 00:19:30.020
<v Matt Godbolt>Did you make a new certificate? Actually, you already made a certificate.

118
00:19:30.020 --> 00:19:41.920
<v Ben Rady>Well, I, I was gonna, I mean, can Okay, wait a second. Stop. If I change this Terraform, it's not going to make a new certificate. I have to go and do it manually?

119
00:19:41.920 --> 00:19:51.600
<v Matt Godbolt>Uh, I don't remember if you, I mean you can absolutely have certificates created in Terraform two. I don't know if Did, did we do that last time?

120
00:19:51.600 --> 00:19:56.700
<v Ben Rady>Okay, well let's do this, let's start by making the change in the Terraform and doing a terraform plan and seeing what Terraform says.

121
00:19:56.700 --> 00:19:58.380
<v Matt Godbolt>What the heck it thinks.

122
00:19:58.380 --> 00:20:08.800
<v Matt Godbolt>Yes. Always, always a good start. Where are we now? Is what am I, is what I have on my computer an accurate representation of what the cloud provider thinks I've got.

123
00:20:08.800 --> 00:20:30.780
<v Ben Rady>Right. Right. Well, I mean, so I did this once and it said it was up to date, but I'm gonna change it. And now we're gonna do a plan again, and then we're gonna see what Terraform says about what it feels like it wants to change. And I'm gonna make this look very much like the existing one that I have for my recipe project. Right.

124
00:20:30.780 --> 00:20:38.300
<v Matt Godbolt>Okay. And I found the certificate stanza that I have for my site so we can steal from if needs be.

125
00:20:38.300 --> 00:20:42.220
<v Ben Rady>Okay. So I'm gonna do Terraform plan.

126
00:20:42.220 --> 00:20:44.560
<v Matt Godbolt>Yep. What is it saying? Does it say refreshing?

127
00:20:44.560 --> 00:20:59.420
<v Ben Rady>It says three to add, one to change, two to destroy. And so it is going to Yeah, say AWS acm certificate twos compliment.org must be replaced.

128
00:20:59.420 --> 00:21:04.580
<v Matt Godbolt>Awesome. Okay. Cuz you've changed the subject alternative names in there, right? Uh, I

129
00:21:04.580 --> 00:21:13.020
<v Ben Rady>Think it's, uh, I changed the subject alternative names and I also changed the domain name from www.twoscomplement.org to twoscomplement.org.

130
00:21:13.020 --> 00:21:14.920
<v Matt Godbolt>Perfect. Perfect.

131
00:21:14.920 --> 00:21:36.800
<v Ben Rady>Uh, and then it says AWS CloudFront distribution. S3 distribution will be updated in place. And then it says, uh, AWS route 53 twoscompliment.org bracket star twoscompliment.org will be created. And then another aw, uh, route 53 record for twos compliment.org will be

132
00:21:36.800 --> 00:21:40.300
<v Matt Godbolt>Created. That sounds good to me. Let's do it.

133
00:21:40.300 --> 00:21:43.420
<v Matt Godbolt>What could go wrong? Well, let's get a list.

134
00:21:43.420 --> 00:21:46.040
<v Ben Rady>Many things,

135
00:21:46.040 --> 00:21:46.920
<v Matt Godbolt><laugh>. All right.

136
00:21:46.920 --> 00:21:52.860
<v Ben Rady>All right. So do I have an applied, do I have a, oh, I do have a Terraform apply. All right. Firing the rockets.

137
00:21:52.860 --> 00:21:56.440
<v Matt Godbolt>Firing the rockets

138
00:21:56.440 --> 00:22:07.440
<v Ben Rady>Rockets. Um, if we wanted to troll our audience, we should cut off the audio in the middle of this apply <laugh>. It's like, wait a second. That, how does that that doesn't,

139
00:22:07.440 --> 00:22:11.180
<v Matt Godbolt>Yeah.

140
00:22:11.180 --> 00:22:14.480
<v Ben Rady>Doesn't work like that.

141
00:22:14.480 --> 00:22:23.740
<v Matt Godbolt>Well, ironically, you're stitched then for me, so I'm like, oh, he's joking about the connection going down, and then I'm like, you froze on my screen.

142
00:22:23.740 --> 00:22:25.580
<v Ben Rady>Oh, man. Which was

143
00:22:25.580 --> 00:22:27.460
<v Matt Godbolt>Epic trolling in its own right.

144
00:22:27.460 --> 00:22:30.500
<v Ben Rady>All right. It says destroying still destroying, still destroying. Still

145
00:22:30.500 --> 00:22:31.780
<v Matt Godbolt>Destroying. It's destroying

146
00:22:31.780 --> 00:22:34.240
<v Ben Rady>Everything. Oh. And we got an error.

147
00:22:34.240 --> 00:22:37.120
<v Matt Godbolt>All right. Is there some create before destroy thing that I've, I've got in mind?

148
00:22:37.120 --> 00:22:57.980
<v Ben Rady>No, this is a, uh, what does it say? Access denied not authorized to perform ACM request certificate. So this is where we go into the IAM console and we give this service user that we're running as has a whole bunch of permissions that shouldn't probably have, and then we dial 'em back later.

149
00:22:57.980 --> 00:22:58.340
<v Matt Godbolt>Far too clever. I just

150
00:22:58.340 --> 00:23:02.880
<v Ben Rady>Have, cause I don't, I don't actually myself manage the, I, no, I don't know. I don't manage the IAM

151
00:23:02.880 --> 00:23:04.460
<v Matt Godbolt>Here.

152
00:23:04.460 --> 00:23:40.880
<v Ben Rady>Okay. So where is this user? Tastypenny. And, uh, yeah, we're gonna attach a permission and this is gonna be, um, what is the name of this service? Certificate? Something AWS certificate. I think it's this one. I don't even know. Who knows? AWS Certificate Manager Private.

153
00:23:40.880 --> 00:23:46.820
<v Matt Godbolt>Yeah. You, this is outside of my purview of understanding. Well, that's not even the right word.

154
00:23:46.820 --> 00:23:55.480
<v Ben Rady>We'll try this one. Yeah. And see what happens. And if this doesn't work, then we'll remove that. We'll take that out. You know, if it ain't fixed, don't break it.

155
00:23:55.480 --> 00:23:58.560
<v Matt Godbolt>If it, yeah, if it don't, don't leave it broken. More broken.

156
00:23:58.560 --> 00:23:59.060
<v Ben Rady>Yeah. That's

157
00:23:59.060 --> 00:24:04.340
<v Matt Godbolt>Like's, yeah. The programming by coincidence thing. I think we've talked, have we talked about that before?

158
00:24:04.340 --> 00:24:07.360
<v Ben Rady>Um, maybe, maybe not.

159
00:24:07.360 --> 00:24:08.700
<v Matt Godbolt>Yeah, maybe not. Maybe

160
00:24:08.700 --> 00:24:31.340
<v Ben Rady>We have not. Yeah, so that didn't do it. So I'm removing the policy because that did not fix the problem, so I don't want to create a whole other problem by putting something in there that wasn't in there before. Uh, but I AWS certificate, so this guy should have this already. ACM.

161
00:24:31.340 --> 00:24:38.480
<v Matt Godbolt>Association of Computer Machinists. Yeah. No, not that. What,

162
00:24:38.480 --> 00:24:46.300
<v Ben Rady>What? Oh, I guess I can go and look at this actually and see what it's, yeah. This, this user. I th I thought

163
00:24:46.300 --> 00:24:47.920
<v Matt Godbolt>Are, are you the right user though? Is that,

164
00:24:47.920 --> 00:24:52.520
<v Ben Rady>Oh, it's a different user. I'm an idiot. I'm looking at the Tastypenny user, which

165
00:24:52.520 --> 00:24:53.880
<v Matt Godbolt>Clearly does work, which

166
00:24:53.880 --> 00:25:15.760
<v Ben Rady>Already works. Yeah. Like this. I did this already. This is the one that works. I guess I should have thought of that before. It's like you have a user that does this. Go look at what they do. I'm a doofus. I think I was maybe thrown off by the, uh, fact that, uh, our, the user that I have for this has the original podcast name. Can we talk about the original podcast?

167
00:25:15.760 --> 00:25:22.660
<v Matt Godbolt>I don't think we talked about, oh my golly. This is all these things. Yeah. Programming by. We, I should be taking notes.

168
00:25:22.660 --> 00:25:23.920
<v Ben Rady><laugh>, uh, all right. Certificate.

169
00:25:23.920 --> 00:25:28.880
<v Matt Godbolt>All right. Certificate. Give me all your certificates

170
00:25:28.880 --> 00:25:31.740
<v Matt Godbolt>Are belong to us. Oh, I've just gotten

171
00:25:31.740 --> 00:25:33.360
<v Ben Rady>Certificate manager.

172
00:25:33.360 --> 00:25:48.080
<v Matt Godbolt>I dunno if this is, this is certainly completely off topic, but I've just been given the okay to push an update to Compiler Explorer, which I will do in the background of this. So the continued tapping noises will be me pushing a kind of cool thing to Compiler Explorer.

173
00:25:48.080 --> 00:25:50.840
<v Ben Rady>Okay. We're creating, we're creating a certificate. Alright.

174
00:25:50.840 --> 00:25:51.840
<v Matt Godbolt>Oh, uh,

175
00:25:51.840 --> 00:25:55.460
<v Ben Rady>That's, that's a good sign.

176
00:25:55.460 --> 00:26:12.020
<v Matt Godbolt>I'm pushing Compiler Explorer 6 7 25 2 production from the staging environment, unrelated to this podcast. But, you know, we're all tap, we're both tapping away our keyboards if we've got a filter to the air with talking or some description.

177
00:26:12.020 --> 00:26:26.560
<v Ben Rady>So, yeah. So it's interesting to talk about how we would do this if this were not just our hobby podcast. Right. So cuz right now we are literally testing this in production, right. <laugh>. Um, which, which I've heard is a bad idea.

178
00:26:26.560 --> 00:26:36.040
<v Matt Godbolt>I've seen, we've all seen the meme, the, the most interesting man in the world meme, you know, with him, with his little beer going, you know, I don't often do testing, but when I do, I do it in production.

179
00:26:36.040 --> 00:26:36.960
<v Ben Rady>I do it, I do it in production. And that

180
00:26:36.960 --> 00:26:49.900
<v Matt Godbolt>That's not our, that's not our, our our mo in our day job. So if anyone's thinking that this is the kind of cowboy activity that we would do, if it was anything other than you and me chatting <laugh>. No. So what, how would we, Ben, how would we do this?

181
00:26:49.900 --> 00:27:05.380
<v Ben Rady>How, how would we do this if it was, well, so obviously you want to have a separate environment for testing this out, but the trick with creating that separate environment is how do you know that your separate environment is a copy of the state of the environment that you want to change for real.

182
00:27:05.380 --> 00:27:06.520
<v Matt Godbolt>Right. Right.

183
00:27:06.520 --> 00:28:14.760
<v Ben Rady>Um, which has the additional problem of it is it's gonna take you some time to make these changes and in a large enough organization or in a large enough project, that means that the environment, the production environment may change while you are working on making the changes, right? Yes. So you might be able to make a copy of your production environment as it stands right now. And then make some changes to it, test those changes out. And while you're doing that work, someone else might be doing the same thing and making other infrastructure changes to the main environment. So when you finish that, you need a mechanism for basically reapplying the changes that you made on top. It's almost like a, like a fast forward in git, right? Yeah. Where it's like, yeah, yeah, yeah. You need to reapply the changes that you made on top of the environment as it exists now, not as it existed when you started working on the, on the new thing that you wanted to add. Yeah, yeah, yeah. Right. Yeah. Um, so I feel like the only way to even have a hope of being able to do this is to just automate everything. Infrastructure as code style with Terraform. Like, I, I feel like,

184
00:28:14.760 --> 00:28:43.600
<v Matt Godbolt>And have the only thing that pushes any of this stuff to be the main branch of your GitHub repo so that you've kind of post hoc, already merged everything in at the point of where things are applied. Um, you kinda get a merge commit queue at that point, right? The only thing that's really making changes to your production deployment is the, the, the, the head of the line where all of the, the intermediate branches have to definitionally have been merged in. Otherwise it goes, oh, I'm rejecting you because you know, you're not at the latest, you know, oh, I have to get it again or whatever. That kind of feel or are you Yeah,

185
00:28:43.600 --> 00:29:56.840
<v Ben Rady>No. Yeah. I, I think it, I think it is that and, and then being able to sort of rebuild your test environments based on changes that are, have been actually deployed. So being able to either tear them down and build them again. And reapply the new things that you did or merge a change in, in a way that's realistic. Like, like, you know, it's, it's probably like the order of operations, uh, potentially can result in this in the same environment where it's like I had some environment and then I applied someone else's change and then I applied my own change. Uh, that is probably, that is representative of what is gonna happen in the main environment when you merge your change. Flipping them might not, right? Like if you apply yours first and then there's, like, you might get the same thing hopefully if Terraform works the way that it says on the tin. Uh, but you might not, right? Yeah. So you have to like, think about like how that's all gonna get applied. Uh, so speaking of Terraform, that doesn't work. Uh, <laugh> it said error updating CloudFront distribution, right? The specified SSL certificate doesn't exist, isn't in the US East one region isn't valid or doesn't include a valid certificate chain.

186
00:29:56.840 --> 00:29:58.240
<v Matt Godbolt>Okay. Well,

187
00:29:58.240 --> 00:30:03.080
<v Ben Rady>So I don't know if we destroy our other certificate and made a new one or what just happened

188
00:30:03.080 --> 00:30:09.910
<v Matt Godbolt>To here. I think you do up arrow return and see what it does the second time because some of these things have disgusting. Like, oh, it takes a while at the back end of,

189
00:30:09.910 --> 00:30:09.980
<v Ben Rady>Of,

190
00:30:09.980 --> 00:30:13.540
<v Matt Godbolt>Of, um, which is not ideal.

191
00:30:13.540 --> 00:30:17.580
<v Ben Rady>Especially a certificate, right? Yeah. Um, all right. I'm gonna go look at the CloudFront distribution.

192
00:30:17.580 --> 00:30:19.520
<v Matt Godbolt>Yeah, that's a good idea. Um,

193
00:30:19.520 --> 00:30:26.560
<v Ben Rady>And see what state it's in right now. Uh, it says it's enabled, uh, can you curl the site real fast and just see if it returns anything?

194
00:30:26.560 --> 00:30:28.580
<v Matt Godbolt>I can certainly curl it

195
00:30:28.580 --> 00:30:31.340
<v Ben Rady>If it gives you some sort of weird certificate error.

196
00:30:31.340 --> 00:30:34.280
<v Matt Godbolt>Um,

197
00:30:34.280 --> 00:30:40.220
<v Matt Godbolt>Oh, hang on a second. Dub dub, dub dub twoscomplement.org importantly. Cause that's exactly what we're trying to fix, <laugh>,

198
00:30:40.220 --> 00:30:41.240
<v Ben Rady>Right?

199
00:30:41.240 --> 00:30:48.720
<v Matt Godbolt>You see, this is why it's a problem for me. This is why we have to fix it. Cause I I'm too lazy to type dub dub dumb or even say it properly. Yeah, no, it's working fine still.

200
00:30:48.720 --> 00:30:54.780
<v Ben Rady>Okay. Whatever it is. Yeah, it probably created the new certificate and was trying to flip the, uh,

201
00:30:54.780 --> 00:30:55.640
<v Matt Godbolt>The, the, the cloud front to it

202
00:30:55.640 --> 00:30:57.500
<v Ben Rady>Over. It was like, no,

203
00:30:57.500 --> 00:31:04.040
<v Matt Godbolt>I, you've got the console open too, so you can actually have a look in the ACM certificate thingamajig and see if it's there or not, or

204
00:31:04.040 --> 00:31:05.320
<v Ben Rady>Oh yeah. Good call.

205
00:31:05.320 --> 00:31:16.440
<v Matt Godbolt>I know. So we've deliberately not shared screen so that I have to ask Ben what he's seeing so that, that you dear listener can actually sort of hopefully follow along. I dunno how much anyone will be able to follow on what we're

206
00:31:16.440 --> 00:31:45.080
<v Ben Rady>Doing here. Yeah, I see. Okay. So, um, yes. So I see four certificates in here. Uh, two of them are twos compliment ones, one is the www one that is, uh, issued and in use and eligible for renewal. And another one is, uh, without the www its status is pending validation. Ah.

207
00:31:45.080 --> 00:31:45.840
<v Matt Godbolt>So,

208
00:31:45.840 --> 00:31:48.100
<v Ben Rady>So we may have to wait. Uh,

209
00:31:48.100 --> 00:32:01.420
<v Matt Godbolt>There's usually a DNS validation. That's how these things. Did you have, what type validation did you have? Is it, I mean, this is, it could be that it's, you might have an email right now because it's like, Hey, are you really sure this is your certificate?

210
00:32:01.420 --> 00:32:02.680
<v Ben Rady>Oh, interesting.

211
00:32:02.680 --> 00:32:28.560
<v Matt Godbolt>Uh, mine set up for DNS, which I think because Route 50, whatever monkey, uh, uh, is in cahoots with itself, it can basically set its own DNS records and reque. Right? Oh. But there's the problem. Now we've got two, now we have two problems. We can't, we won't be able to use DNS validation because you honestly haven't flipped the flag yet for the real DNS provider to be Amazon.

212
00:32:28.560 --> 00:32:31.140
<v Ben Rady>Yeah. I could copy those things over into the other one though. Right?

213
00:32:31.140 --> 00:32:36.460
<v Matt Godbolt>You certainly could. If it tells you what the, uh, challenge is that it's put in the DNS, then you can put them

214
00:32:36.460 --> 00:32:43.600
<v Ben Rady>In. I mean, I could go if it, if it added it automatically, I could go look. Right. Go look in Route 53 and be like, what did you add to this thing?

215
00:32:43.600 --> 00:32:44.260
<v Matt Godbolt>Yeah, yeah, that's

216
00:32:44.260 --> 00:32:51.700
<v Ben Rady>True. And just copy those over. Uh, but yes, I agree with your assessment of the situation here.

217
00:32:51.700 --> 00:33:02.340
<v Matt Godbolt>Yeah. Which may have been, I, this rings a bell from the last time we did this and like, hey, yeah, this thing might take a while <laugh>, which won't be good, won't be good radio of like, yeah. We just have to wait two days.

218
00:33:02.340 --> 00:33:07.780
<v Ben Rady>Yeah, yeah, yeah. Um, so I don't see any new records.

219
00:33:07.780 --> 00:33:17.260
<v Matt Godbolt>Maybe it's not set up to do it that way. So I mean, if you look at the ACM, it's the certificate. Does it say why or how to au to do that thingamajig?

220
00:33:17.260 --> 00:33:26.460
<v Ben Rady>Um, it says pending validation, renewal status, number of additional names.

221
00:33:26.460 --> 00:33:32.060
<v Matt Godbolt>And you don't have an email or something. I can't remember how this works if it's not set that way.

222
00:33:32.060 --> 00:33:33.290
<v Ben Rady>Not that I see.

223
00:33:33.290 --> 00:33:39.960
<v Matt Godbolt>Just checking my email. Cause some of those addresses you put a little forwarder on. I don't know that it's

224
00:33:39.960 --> 00:33:43.020
<v Ben Rady>Yeah. Nothing in my, uh

225
00:33:43.020 --> 00:33:43.800
<v Matt Godbolt>Oh, right.

226
00:33:43.800 --> 00:33:45.160
<v Ben Rady>Spam folder real fast, just to make sure.

227
00:33:45.160 --> 00:33:50.980
<v Matt Godbolt>Yeah, I can't help. I'm gonna go and find my, my certificates

228
00:33:50.980 --> 00:33:52.600
<v Ben Rady>No

229
00:33:52.600 --> 00:33:56.120
<v Matt Godbolt>Certificate manager. Oh, of course. I need to log back in again.

230
00:33:56.120 --> 00:33:57.920
<v Ben Rady>How did I do this for,

231
00:33:57.920 --> 00:33:59.560
<v Matt Godbolt>For your magic penny.

232
00:33:59.560 --> 00:34:00.900
<v Ben Rady>Yeah.

233
00:34:00.900 --> 00:34:35.360
<v Matt Godbolt>This, I'm just looking at mine and I can see Yeah. In use, yes. Renewal eligibility. Right. Okay. Um, so I can see, oh no, that's, yeah, I can see that if I, I've gone to one of my certificates and I can see that it has in the sort of more information inside the console itself, under the ACM, uh, it's got a list of domains and it tells me status and renewal. It's just type and then it's got CNAME name and CNAME value. And those are the two things that need to be put into the Route 53 thing. Oh. And there's even a button that says create records in Route 53, but you can click

234
00:34:35.360 --> 00:34:36.120
<v Ben Rady>Oh,

235
00:34:36.120 --> 00:34:39.940
<v Matt Godbolt>Well, but obviously you don't wanna do that because we don't necessarily

236
00:34:39.940 --> 00:35:02.200
<v Ben Rady>Yeah, yeah. Right. Okay. Let's, I'm gonna go into my other registrar, dudad, right. And I'm gonna go to twoscompliment.org. Why is there oh one <laugh>? I've got two domain names for twoscompliment.org. One of them is the misspelling.

237
00:35:02.200 --> 00:35:04.760
<v Matt Godbolt><laugh> be very careful. Very careful.

238
00:35:04.760 --> 00:35:09.180
<v Ben Rady>Yes. But I gotta make sure I, I mean, it's not gonna hurt anything if I do the wrong one, but like what

239
00:35:09.180 --> 00:35:10.160
<v Matt Godbolt>Fewer things

240
00:35:10.160 --> 00:35:16.920
<v Ben Rady>If that, uh, so DNS, and then we're gonna add a record and it's gonna be a CNAME record,

241
00:35:16.920 --> 00:35:21.060
<v Matt Godbolt>Which you can copy paste from, thankfully from the other thing.

242
00:35:21.060 --> 00:35:21.280
<v Ben Rady>Yep. Yep. And then that's

243
00:35:21.280 --> 00:35:27.960
<v Matt Godbolt>Gonna be how, honestly, how much of software engineering or administration is goes through the clipboard. I mean, it's just,

244
00:35:27.960 --> 00:35:35.100
<v Ben Rady>Oh my God. So much. So very much. And I'm gonna set the TTL to five minutes.

245
00:35:35.100 --> 00:35:36.020
<v Matt Godbolt>Wonderful.

246
00:35:36.020 --> 00:35:44.520
<v Ben Rady>Gonna. Add this record, and then I'm gonna do this same thing again for the wild card. Yep.

247
00:35:44.520 --> 00:35:47.600
<v Matt Godbolt>Yeah, you've got the two I, I can see for each of my domains, I've got two

248
00:35:47.600 --> 00:35:47.600
<v Ben Rady>Mm-hmm. <affirmative>

249
00:35:47.600 --> 00:35:49.110
<v Matt Godbolt>Thingies.

250
00:35:49.110 --> 00:35:51.120
<v Ben Rady>And then,

251
00:35:51.120 --> 00:35:56.050
<v Matt Godbolt>And then of course we have to hope that it notices this within.

252
00:35:56.050 --> 00:36:09.880
<v Ben Rady>Yeah. All right. So yeah, I've got set two of them set here. Um, and it's, it's probably a good sign that I ha actually had another one for the www certificate. Yeah. That is in here. I can see it.

253
00:36:09.880 --> 00:36:11.240
<v Matt Godbolt>Right. Okay. So,

254
00:36:11.240 --> 00:36:14.200
<v Ben Rady>So now there's actually three, right? Right.

255
00:36:14.200 --> 00:37:13.370
<v Matt Godbolt>But these are all like, interim. So like, just to sort of recap in case that we're, we're, we are trying to prove to Amazon that we own that domain name. And one of the many ways that we can prove that is to make a change to the DNS records with some magical things that they've given us. These are the CNAME records that, that we've just been talking about. Mm-hmm. <affirmative>. Um, this allows Amazon to say, we believe you own that domain and therefore we will issue you a certificate for that domain that says you own the domain and we signed the traffic and all that kind of stuff. Now, this is an interim step because eventually Amazon themselves will be the people that are serving up the domain name, and therefore they can, it, it just, they just know we own it because we've transferred it to them in some capacity. But we're not there right now. So as an intermediate step where we wanna just be able to test it by getting ourselves a new certificate, we are going to issue the certificate, uh, use your existing DNS to prove that we own it, and then apply the certificate and then finally we can move things over if we're happy. The certificate looks good.

256
00:37:13.370 --> 00:37:13.730
<v Ben Rady>Mm-hmm.

257
00:37:13.730 --> 00:37:14.080
<v Matt Godbolt><affirmative>.

258
00:37:14.080 --> 00:37:21.080
<v Ben Rady>Okay. Exactly. Is there a way to poke the AWS certificate manager and say, Hey, can you,

259
00:37:21.080 --> 00:37:22.180
<v Matt Godbolt>Can you take another look

260
00:37:22.180 --> 00:37:24.820
<v Ben Rady>Now? Range to target one ping only, please. Yeah,

261
00:37:24.820 --> 00:37:29.050
<v Matt Godbolt>Yeah, yeah. Come on. One ping only. That's a good,

262
00:37:29.050 --> 00:37:29.740
<v Ben Rady>Uh,

263
00:37:29.740 --> 00:37:31.420
<v Matt Godbolt>That's amazing.

264
00:37:31.420 --> 00:37:38.040
<v Ben Rady>I don't know if there is, maybe, maybe I can do this here. I can delete it. I don't think I want to do that. Uh, request.

265
00:37:38.040 --> 00:37:39.880
<v Matt Godbolt>Yeah. Does that maybe gonna make a

266
00:37:39.880 --> 00:37:48.040
<v Ben Rady>New one? I can say that's probably gonna make it, well, this is where we manage x free events. Yeah. This might be we just wait, you know, 10 minutes

267
00:37:48.040 --> 00:37:48.640
<v Matt Godbolt>For, so

268
00:37:48.640 --> 00:37:49.160
<v Ben Rady>We just wait.

269
00:37:49.160 --> 00:37:53.740
<v Matt Godbolt>Well, compiler explorer is 67% through doing an update very excitingly in another window. All

270
00:37:53.740 --> 00:37:53.740
<v Ben Rady>Right. <laugh>

271
00:37:53.740 --> 00:37:56.550
<v Matt Godbolt>Mm-hmm. <affirmative> behind you.

272
00:37:56.550 --> 00:37:58.280
<v Ben Rady>Mm-hmm. <affirmative>.

273
00:37:58.280 --> 00:37:59.380
<v Matt Godbolt>So that's,

274
00:37:59.380 --> 00:38:00.700
<v Ben Rady>Uh, oh man.

275
00:38:00.700 --> 00:38:25.940
<v Matt Godbolt>So then we were talking, right, two things. We talked about one, obviously we just, we, we sort of briefly mentioned was the idea that in our day job, the way that we do this is that the CI build in main applies the production configuration. And so it's been through all the testing and there's not like the two people fighting over two independent things, uh, changes along the way because you always are seeing the union of whatever has been merged into trunk

276
00:38:25.940 --> 00:38:26.820
<v Ben Rady>Mm-hmm. <affirmative>, correct. Yeah.

277
00:38:26.820 --> 00:39:14.940
<v Matt Godbolt>Then how do you test it? How do you test a separate like thing? How would we, um, so in Compiler Explorer, I have some very hard coded staging and beta, or beta just to con uh, de confuse people. Honestly, I've had this conversation so many times with Americans, they're like, what beta? And they're like, thinking like egg beaters or like uhhuh, <affirmative>, like pub, uh, boxes. No, not that kind of beta, no. Um, beta. And so, um, those are very special case for me. And they share kind of a lot of infrastructure as well, because at one stage I was trying to save money, uh, <laugh>. Nowadays, I think actually I probably, this is a false economy, but there are better ways of doing it, or at least there are different ways of doing it. Um, rather than having just some very special hardcoded things that we've sort of pushed things through, uh. And I know you've been involved in a lot of those recently. So do you wanna talk a little bit about, like, some ideas that you've had about how it should be done?

278
00:39:14.940 --> 00:39:35.600
<v Ben Rady>Yeah. I, I don't remember if we've talked about this on the podcast or not, but we lately have been doing a thing, uh, with a, a data warehouse project that I'm working on where the branch in GitHub represents an environment. So we don't have a production environment. We have a main environment because we have a main branch,

279
00:39:35.600 --> 00:39:39.080
<v Matt Godbolt>Because the main branch is that Right? It's not special case in any way.

280
00:39:39.080 --> 00:39:44.500
<v Ben Rady>It's not special case. It's, there's like a couple of additional protections for deleting things.

281
00:39:44.500 --> 00:39:45.080
<v Matt Godbolt>Got it.

282
00:39:45.080 --> 00:39:45.880
<v Ben Rady>And that's it.

283
00:39:45.880 --> 00:39:47.320
<v Matt Godbolt>But other than that

284
00:39:47.320 --> 00:40:18.460
<v Ben Rady>That, you have to, other than that, it's identical to every other branch and identical to every other environment. And so when you create a new branch, it, you know, says, oh, this environment doesn't exist. I guess I need to apply this Terraform, I apply the Terraform every time. So Terraform just has more, more work to do this time. Uh, and it, you know, spins up all of the infrastructure that this project requires, and it's doing that obviously from a fork of the Terraform file that was just in the main branch.

285
00:40:18.460 --> 00:40:19.040
<v Matt Godbolt>Got it.

286
00:40:19.040 --> 00:40:45.460
<v Ben Rady>And is therefore a copy of the infrastructure that is running in the main and environment. So you wind up making an exact copy of whatever the environment was at that time. Right? Right. Um, and so that will all get created. It will then automatically deploy, uh, to that environment. And now you have a completely separate running copy of that system.

287
00:40:45.460 --> 00:41:35.340
<v Ben Rady>There's a different URL that you can go to that's got your branch name in it. And you can Yeah. Uh, and you can play around with it. You can test things out, uh, and then as you push changes to that branch, it goes through the exact same process. It applies any terraform changes. If you have them, it deploys the new version of the software that you built. Uh, and then you can sort of iterate and continue on working in that. And then when you have something that you're confident is correct, you know, all the tests are passing and maybe you've done some exploratory testing, um, I think this is especially important with the sort of cloud-based services that you use on some of these projects because it's very difficult to test them, obviously, like from your, you know, your workstation, your laptop. So the only real way that you have to test them, uh, in any sort of exploratory sense is, um, by using them for real

288
00:41:35.340 --> 00:41:41.860
<v Matt Godbolt>Exactly. As we, or at least been doing right now, except that because we don't have this set up, we are experimenting directly in prod. Right?

289
00:41:41.860 --> 00:42:22.460
<v Ben Rady>Exactly right. Exactly right. And so once you are confident that your changes work and that all your software works with any other infrastructure changes that you have made, you can at automatically merge those things back into the main branch. So your infrastructure changes and your software changes that may be interdependent on each other, all get merged into the main environment at the same time, uh, the same sort of Terraform application process that you used in your branch then gets applied to the main branch, your new software version gets deployed, and if everything goes according to plan, uh, now you've updated your environment while, while doing so in a way that gave you high confidence that the changes that you were making were actually going to work before you tried to do them for real.

290
00:42:22.460 --> 00:42:47.520
<v Matt Godbolt>Right. Right. And presumably, like we've discussed before, if it, if it doesn't at that moment in time, the hope is you could just revert that commit to main and it goes back to everything before. As long as Terraform does it, its job. And as you know, if anyone from HashiCorp is listening, never, I don't distrust it in any way. Uh, it, it's pretty reliable. So you can almost bet the farm on, on it doing the right thing most of the time.

291
00:42:47.520 --> 00:43:43.280
<v Ben Rady>Yeah. Yeah. There are gonna be some situations in which you can't figure out some path to go from wherever you were, wherever you are. But really, I would say 99 times out of a hundred, uh, it does exactly what you, it would expect it to do. Right. So if you revert that change in the, in the main environment, it's gonna then have a different Terraform configuration and then Terraforms gonna try to change that configuration. Um, you obviously have to be careful of things, and this is why we have a few individual protections in place. If you were to say add a, um, an S3 bucket or add a data store, add some other thing, roll that into production, write some data to that data store, and then realize that you had another unrelated problem, if you were to roll that back, it might, it's going to delete your data store. Right. By default. Yeah. And so you want some additional protections in there to say like, Hey, if you ever try to do this, just don't <laugh>. Right. Right. Um,

292
00:43:43.280 --> 00:44:44.860
<v Matt Godbolt>Sounds awesome. Uh, from my own personal experience, the trickiest part of this is when you start doing refactoring in Terraform and you wanna like say, well, I do have 10 running EC2 instances, but they've got terrible names in the Terraform. And I wanna rename them in Terraform, which means I have to do this unfortunate two-stage thing where I change the name and I don't wanna delete them and recreate them. I want them to be this. And there's ways and means inside Terraform of like using state to actually say, okay, I'm renaming this thing in the actual, uh, state. And if you go full automated, you, you don't have the little breathing room to do that. Where I'm like, I have to kind of literally call around people and say, okay, I'm doing some like surgery on Terraform, I'm gonna rename this thing, which means I have to rename it in the backing store, which is a Terraform command, and then I'm gonna change the text file, and then I'm gonna do Terraform plan. Then it should say no changes needed. I'm like, good, because I didn't really change anything. Right. So I dunno if you've had any, uh, experiences with that stuff yet, or do you just say, I

293
00:44:44.860 --> 00:45:03.120
<v Ben Rady>Haven't had to go through that process yet. Um, right. Part of it is because, and, and I think this also is sort of related to another, uh, potential trade off with this approach that I'm talking about, is that your branches can get very expensive. Yeah. Right? Like if you have lots of infrastructure that has like a per hour cost to it,

294
00:45:03.120 --> 00:45:06.340
<v Matt Godbolt>Right. Load balancers, for example. Exactly.

295
00:45:06.340 --> 00:45:26.840
<v Ben Rady>Uh, then, you know, running a branch can be, can be very expensive. Right. And so one sort of side effect that, that I have kind of seen or felt working on this project is that it leans, it, it, it, it leans me toward using more like serverless things and things that can basically scale from zero.

296
00:45:26.840 --> 00:45:35.220
<v Matt Godbolt>Scale to zero. Right. So Yeah. Yeah. If you have like auto scaling groups, you say, well, they start out zero and the first request that comes in, unfortunately it's gonna be delayed, but that's fine for this.

297
00:45:35.220 --> 00:45:36.560
<v Ben Rady>Right. Yeah, exactly.

298
00:45:36.560 --> 00:45:38.840
<v Matt Godbolt>Or, or as you say, lambda type things or Yeah,

299
00:45:38.840 --> 00:46:08.600
<v Ben Rady>Yeah. Lambda type thing. I mean, there's lots of them out there. Right. But it sort of has, has me using those things more because I know that, you know, we're gonna be creating a lot of these branches and we wanna be able to iterate and it's like, yeah, if you use them, you want to scale up to be able to test them. But you know, if you're not using some particular functionality in a branch because you're testing something else, you don't wanna pay for it. Yeah. Um, so, you know, for better or worse, it's, it's sort of like the architectural direction of this project has headed in, in that way. Um, just for cost reasons.

300
00:46:08.600 --> 00:46:47.660
<v Matt Godbolt>That's really interesting. As I say, like, well on the extreme end of like what compiler explorer does, I'm like deliberately sharing a whole bunch of things so that I don't pay the cost for the low balancers and the storage or whatever. And the other thing that we deliberately don't bifurcate is the storage of a whole bunch of stuff because we have, you know, three terabytes of crap and you know, there's no way I'm gonna keep deploying that to a new environment every time one gets spun up. And similarly, I wanna be able to create a short link in one domain and test that it still works on the old version or the new version and stuff like that. And that's sharing that tables behind the scenes. So there's some sort of edge cases with that. But I would also like to be able to say, no, I just want a whole new copy of the whole thing somewhere else so I can make a wholesale test.

301
00:46:47.660 --> 00:46:55.440
<v Ben Rady>Mm-hmm. <affirmative> mm-hmm. <affirmative> and I have the advantage on this project of, it's a data warehouse, so one of the things that it is supposed to be really good at is copying data around.

302
00:46:55.440 --> 00:46:56.060
<v Matt Godbolt>I suppose so.

303
00:46:56.060 --> 00:47:02.300
<v Ben Rady>And so what I want to copy data from one environment into another. Turns out we have a lot of great tools for that. Um, you already,

304
00:47:02.300 --> 00:47:04.060
<v Matt Godbolt>That's part of your mo Yeah,

305
00:47:04.060 --> 00:47:14.820
<v Ben Rady>Yeah. Yeah. So we sort of lucked into that, but otherwise it would be kind of painful. Like you'd either have to have a thing where you have, you know, like maybe read permissions into the main environment for many of the branch environments so that you can sort of test things out.

306
00:47:14.820 --> 00:47:21.750
<v Matt Godbolt>Right. And every time you do it, you're sort slightly eroding the nice guarantees that you had before about like the isolation of things and whatever. Right.

307
00:47:21.750 --> 00:47:22.020
<v Ben Rady>Exactly.

308
00:47:22.020 --> 00:47:29.780
<v Matt Godbolt>Sometimes you just, this is what I mean, this is what makes it engineering and not science or art. Right. It's like Right. There are trade offs all the way through this.

309
00:47:29.780 --> 00:48:31.060
<v Ben Rady>Right, right, right. And we have had one situation thus far on this project. It's been going for about six-ish months now, something like that. We've had a one situation where a change in a branch environment leaked over into the main environment. Oh. And this was because of this thing. We had some data in the main environment, uh, that was being reused for testing in the branch environment. And additionally we had a permission that was set incorrectly. Right. And what had happened was basically the, uh, system running in the test environment saw this main environment data and said, oh, I need to go disable this object, this thing, this resource. But it was the main resource. Right. Um, and it went in and it disabled it in the middle of the day. Right. Um, and so it shouldn't have had the permissions to do that, but, you know, permissions in, in AWS and in Terraform can be a little tricky to get Correct

310
00:48:31.060 --> 00:48:35.900
<v Matt Godbolt>As, as discussed today, you know. Exactly. It's not necessarily the easiest thing to get. Right.

311
00:48:35.900 --> 00:48:40.480
<v Ben Rady>Yeah. Yeah. It's not like you can write tests for those kinds of things, so you just have to sort of like, I

312
00:48:40.480 --> 00:48:42.040
<v Matt Godbolt>Don't know if they mean I know they,

313
00:48:42.040 --> 00:48:44.740
<v Ben Rady>Cause if there's a testing framework for AWS permissions? That would be kinda amazing.

314
00:48:44.740 --> 00:48:55.580
<v Matt Godbolt>AWS has a built in, um, permissions thing where you can run what if scenarios, but it's a very much as a service. It would be cool if there was a standalone thing. Oh yeah. I've

315
00:48:55.580 --> 00:48:55.580
<v Ben Rady>Seen that,

316
00:48:55.580 --> 00:49:09.280
<v Matt Godbolt>That allowed you to sort of write these things where assert like given this environment and this mm-hmm. User assert that they would not succeed in deleting this file. That would be pretty Right. Pretty cool. Right. Maybe something exists.

317
00:49:09.280 --> 00:49:33.340
<v Ben Rady>I guess you could, you could maybe do a thing where you like decorate parts of the AWS SDK and you say, run as if I had this policy. Right. And then you could like, try to do operations against a, basically like an, a non-existent environment and say like, you know, you don't have to give me the result, but just tell me what I would've been would I have been permissioned to perform this action

318
00:49:33.340 --> 00:49:38.780
<v Matt Godbolt>Order? The the real trick though is that it's so incredibly complicated. It's not like there is a policy.

319
00:49:38.780 --> 00:49:39.360
<v Ben Rady>Well, that's true.

320
00:49:39.360 --> 00:49:58.440
<v Matt Godbolt>You know, the user, the IAM role has a policy, the user has a policy, the machine you're running on has a policy. The then on the receiving end, like, oh, the, the bucket has a policy that grants anyone with like a name who's, you know, ends in a queue, they're fine. They can write to me. You can do literally anything Right. As well as the other way around. So, I mean, who knows?

321
00:49:58.440 --> 00:49:58.780
<v Ben Rady>Yeah, yeah.

322
00:49:58.780 --> 00:50:01.380
<v Matt Godbolt>Yeah. How is our certificate doing?

323
00:50:01.380 --> 00:50:02.700
<v Ben Rady>Uh, let's give it

324
00:50:02.700 --> 00:50:12.960
<v Matt Godbolt>One more check. Let's give it a go. Cause we're running out of time here and we might, this might be a, a, a rambly third part coming where we actually get it to work for reals.

325
00:50:12.960 --> 00:50:18.460
<v Ben Rady>Yep. Yep, yep, yep. Okay. Drum roll, uh, certificates. It says it's issued. Oh, let's try running the Terraform then. Terraform

326
00:50:18.460 --> 00:50:27.780
<v Matt Godbolt>That would, this, what a wonderful way to end if we actually... well, I say end, we've still got more work to do, right? Because we always have more work to do.

327
00:50:27.780 --> 00:50:37.320
<v Ben Rady>Uhhuh <affirmative> Yeah. Issued, in use: No. So hopefully that will turn to Yes here in a second when we modify our CloudFront distribution, which says it's modifying.

328
00:50:37.320 --> 00:50:38.600
<v Matt Godbolt>Okay.

329
00:50:38.600 --> 00:50:39.740
<v Ben Rady>So that's cool.

330
00:50:39.740 --> 00:50:51.280
<v Matt Godbolt>And then, has it made the DNS change? 'Cause that's something I've still got open in the terminal: I've still got DNS looking up twoscompliment.org to sort of see if there're... Oh, I guess once the CloudFront... Yeah. It has to be after the CloudFront, um,

331
00:50:51.280 --> 00:51:05.000
<v Ben Rady>Stuff. 'Cause, yeah, so I would expect the CloudFront distribution would use the new certificate, but I don't know. I'm trying to remember.

332
00:51:05.000 --> 00:51:09.940
<v Matt Godbolt>But you haven't put the alias into the DNS.

333
00:51:09.940 --> 00:51:17.560
<v Ben Rady>Yeah. And even if you, yeah, let's see here. Actually no, I think it might. I think it might. Okay. Let me go take a look here.

334
00:51:17.560 --> 00:51:26.200
<v Matt Godbolt>So I'm still not getting it on that, and I'm talking directly to it, to the DNS that should be serving up these requests. Yeah. There's no caching going on, so I dub up.

335
00:51:26.200 --> 00:51:31.720
<v Ben Rady>I don't, I don't see it in the console. I'm hopeful that when this Terraform applies that it will actually

336
00:51:31.720 --> 00:51:56.680
<v Matt Godbolt>Got it. So at the moment it's modifying the CloudFront, uh, um, thing. And presumably yes, because in the, um, in the new DNS records, you use a var that comes from the CloudFront domain that is its unique name. It probably depends upon it. So it's waiting for that to be applied before it does it, even though we know that it would be kind of okay. So, all right. Well, CloudFront takes a while.

337
00:51:56.680 --> 00:51:59.070
<v Ben Rady>Oh crap. No, that's still commented out. Okay, well

338
00:51:59.070 --> 00:52:01.450
<v Matt Godbolt>That's quick to apply though. So we can probably,

339
00:52:01.450 --> 00:52:04.900
<v Ben Rady>Yeah, I'm gonna have to, I'm gonna have to add that in there.

340
00:52:04.900 --> 00:52:09.410
<v Matt Godbolt>Yeah, that's all good. And Compiler Explorer is rolled out, which, uh, is other good news. Um,

341
00:52:09.410 --> 00:52:17.100
<v Ben Rady>Okay. And then yeah, so that's applying.

342
00:52:17.100 --> 00:52:22.180
<v Matt Godbolt>Yeah. CloudFront takes a while as it has to kind of get permission, uh, the okay, from all of its geographically diverse, uh, regions before it says alles gut.

343
00:52:22.180 --> 00:52:26.380
<v Ben Rady>My guess is that I'm also gonna have to add in a couple of these guys

344
00:52:26.380 --> 00:52:42.400
<v Matt Godbolt>Here. We're so close. We're so close. I'm actually gonna say to the people who I'm supposed to be meeting now that I'm not going to be there. Most of whom have said they can't make it anyway, so this is fine. <laugh> Apparently we have a day job as well.

345
00:52:42.400 --> 00:52:43.420
<v Ben Rady>There is that

346
00:52:43.420 --> 00:53:05.500
<v Matt Godbolt>Should probably check on the other computer that I'm not being hassled or harangued. Long silence will be cut from the podcast during the edit.

347
00:53:05.500 --> 00:53:06.840
<v Ben Rady>Yeah, we can, as we wait, we can do that.

348
00:53:06.840 --> 00:53:07.880
<v Matt Godbolt>We can, the magic will.

349
00:53:07.880 --> 00:53:18.820
<v Ben Rady>Okay. So that applied. So I'm gonna do one more plan for these other Route 53 changes and then I think,

350
00:53:18.820 --> 00:53:19.960
<v Matt Godbolt>I think we're at it and then

351
00:53:19.960 --> 00:53:34.740
<v Ben Rady>Getting close. No, I have an undeclared resource, probably 'cause I spelled twoscompliment wrong, would be my guess. <laugh>

352
00:53:34.740 --> 00:53:38.400
<v Matt Godbolt>I do that all the time.

353
00:53:38.400 --> 00:53:44.560
<v Ben Rady>Yeah. Uh, well, I put a .com instead of a .org. That'll do it. That'll do it.

354
00:53:44.560 --> 00:53:48.140
<v Matt Godbolt>That's not really a misspelling, is it? I mean, strictly speaking,

355
00:53:48.140 --> 00:53:53.140
<v Ben Rady><laugh>. No, it's just wrong. <laugh>. All right, let's do this plan.

356
00:53:53.140 --> 00:54:10.480
<v Matt Godbolt>Okay. What does the plan say? So, good. The story so far: the CloudFront domain is using the new certificate, and now we are about to apply the DNS changes that will still not be used by the internet at large, but will be used by my console that is set up to use Amazon directly.

357
00:54:10.480 --> 00:54:22.500
<v Ben Rady>So yeah, we're, we're creating two, we're removing a, uh, a Route 53 entry and adding two more. Oh. Um, oh, because one of them, God love it.

358
00:54:22.500 --> 00:54:24.260
<v Matt Godbolt>Oh, What happened?

359
00:54:24.260 --> 00:54:26.160
<v Ben Rady>I think I did a .com somewhere.

360
00:54:26.160 --> 00:54:27.940
<v Matt Godbolt>Oh, really?

361
00:54:27.940 --> 00:54:34.800
<v Ben Rady>Maybe it doesn't, hopefully after this runs, I just, I just named something .com. It wasn't actually, like, a domain name.

362
00:54:34.800 --> 00:54:42.160
<v Matt Godbolt>Oh, okay. Right. It was just resource name "com". Like a variable name, effectively, in, in, yeah. All right. Yes.

363
00:54:42.160 --> 00:54:43.800
<v Ben Rady>Okay. Well, so still running, but

364
00:54:43.800 --> 00:54:50.000
<v Matt Godbolt>Look really cool in the, in the edit because it'll just work first time. Mm-hmm. Every time. Mm-hmm.

365
00:54:50.000 --> 00:54:53.160
<v Ben Rady><affirmative>. Yep. 60% of the time

366
00:54:53.160 --> 00:54:55.600
<v Matt Godbolt><laugh> works a hundred percent of the time. <laugh>

367
00:54:55.600 --> 00:54:56.140
<v Ben Rady>Uhhuh.

368
00:54:56.140 --> 00:55:01.500
<v Matt Godbolt>All right. So we're ways in an application, uh,

369
00:55:01.500 --> 00:55:06.120
<v Ben Rady>Try to create record set, A record, but it already exists.

370
00:55:06.120 --> 00:55:14.680
<v Matt Godbolt>Oh, did you manually make one before? Or, or have you duplicated it accidentally in the Terraform and Terraform hasn't noticed this mistake, which is

371
00:55:14.680 --> 00:55:16.360
<v Ben Rady>I think that is exactly what I did. Yeah,

372
00:55:16.360 --> 00:55:28.190
<v Matt Godbolt>That's, that's my Emma. Because, like, Terraform will go, this looks valid to me, and it'll do the plan, and it said, this is what I'm gonna do. And then Amazon turns around and says, no, no, those are the same thing, you fool, you already got one of those.

373
00:55:28.190 --> 00:55:29.660
<v Ben Rady>Mm-hmm. <affirmative>.

374
00:55:29.660 --> 00:55:31.460
<v Matt Godbolt>I told them we already got one

375
00:55:31.460 --> 00:55:48.900
<v Ben Rady>Two <inaudible> that I already declared in main.tf. Oh, yeah. Is that what this is? Oh yeah. Okay. So we, I do have, in this thing, the, yes, the verification records.

376
00:55:48.900 --> 00:56:06.300
<v Matt Godbolt>Oh, I just went to just the naked twoscompliment.org, and that has applied. I can see that it has lots of A records for all of the various different servers. So that is excitesightful. We just need dub dub dub to be the same, which you are working on, presumably.

377
00:56:06.300 --> 00:56:07.260
<v Ben Rady>Yes.

378
00:56:07.260 --> 00:56:23.820
<v Matt Godbolt>And see, this is one of those examples, incidentally: if you've already created one of those, um, things in the console, and you've got it in Terraform as well, then that's one of those things where you adopt an existing, you know, terraform import, and that's harder to do in an automated environment, unfortunately. Mm-hmm. <affirmative>. But then, you know,

379
00:56:23.820 --> 00:56:29.660
<v Ben Rady>Yeah. I really feel like you gotta be all Terraform or no Terraform, you know what I mean? Yeah. Like, living in the middle ground is just

380
00:56:29.660 --> 00:56:55.640
<v Matt Godbolt>That's true. But, like, you know, you have legacy projects, for example, of course, where you need a lot of adopting of what's there. And my, my usual trick is to, um, write a skeleton of my best guess as to what I think a, a resource that I already have looks like, and then import it. Mm-hmm. <affirmative> And then go plan, and then basically copy the inverse of everything it says it's gonna do back into the Terraform. It's like, oh, I'm gonna delete that. Oh yeah, add that. All right. What does it say? What does our survey say?

381
00:56:55.640 --> 00:57:00.500
<v Ben Rady>Uh, it's saying try to create resource set twoscomplement.org A record, but it already exists.

382
00:57:00.500 --> 00:57:18.600
<v Matt Godbolt>That's because it does already exist. Now I can see dub dub dub twoscompliment.org is also those addresses. So that's good. Good from a, it's working. Yeah. But not necessarily good from, it's, uh, it's gonna work each time we apply, 'cause it thinks there's something there that is,

383
00:57:18.600 --> 00:57:27.760
<v Ben Rady>This is almost certainly something that I'm just like copying wrong here. What in the great googly moogly <laugh>.

384
00:57:27.760 --> 00:57:39.800
<v Matt Godbolt>Sometimes when we say stupid things like this, it makes me worry. Uh, not worry. It makes me feel sad for you when you have to do the transcription of these, because the automatic stuff has got no hope with a lot of these words. <laugh>.

385
00:57:39.800 --> 00:57:47.780
<v Ben Rady>Yeah. True facts. Uh, so those two records look right,

386
00:57:47.780 --> 00:57:50.820
<v Matt Godbolt>And yet it thinks,

387
00:57:50.820 --> 00:57:52.760
<v Ben Rady>And yet

388
00:57:52.760 --> 00:58:04.700
<v Matt Godbolt>Did you switch from having one that was managed by, oh, it should be deleted then. No, I was gonna say, um, did you move from a for_each, or to a for_each from not a for_each, or stuff like that? Is that potentially

389
00:58:04.700 --> 00:58:04.700
<v Ben Rady>No.

390
00:58:04.700 --> 00:58:18.500
<v Matt Godbolt>The problem? I don't, no. I've had that before, where it's tried to, like, create something before it destroyed the old version, and they happened to have the same name, and it didn't realize that they were gonna stomp over each other. But that doesn't sound like this.

391
00:58:18.500 --> 00:58:31.400
<v Ben Rady>DVO record's resource name, value and type. Uh, you know, the other thing I'm gonna do is I'm gonna open this up in, uh, some JetBrains tools so that I can get the Terraform plugin to tell me if I've done anything consciously stupid.

392
00:58:31.400 --> 00:58:52.440
<v Matt Godbolt>But the thing is, Terraform would tell you itself, right. You know, terraform validate, and terraform plan itself, will do at least its side. Usually the problems come when it tries, when the rubber hits the road and it doesn't know, it doesn't properly model what the provider is going to do when it actually applies these things. Mm-hmm. <affirmative>. So it has no idea that those things already exist.

393
00:58:52.440 --> 00:59:06.660
<v Ben Rady>All right. Here's what I'm gonna do. Yep. I'm gonna comment out the verification. No, I, the two ones that we need are the, the, the top-level domain and the dub dub dub. So I'm gonna comment out the record for the verification, 'cause we did that manually once already. Yeah.

394
00:59:06.660 --> 00:59:16.760
<v Matt Godbolt>And we can always just blast those all the way in both the console and here or whatever. Yeah. Let's apply this. Let's try and get the closure of knowing that it applies cleanly, and then I think we're pretty much done here.

395
00:59:16.760 --> 00:59:19.900
<v Ben Rady>Yeah, yeah, yeah. Yeah.

396
00:59:19.900 --> 00:59:23.220
<v Matt Godbolt>Did that apply cleanly now? Is that, will that... It's gone. Ah, it's going.

397
00:59:23.220 --> 00:59:31.050
<v Ben Rady>I mean, we'll see. We'll see. But it's, it's trying to, it's trying to do it. 20 seconds elapsed, stay on target,

398
00:59:31.050 --> 00:59:31.260
<v Matt Godbolt><laugh>.

399
00:59:31.260 --> 00:59:41.000
<v Ben Rady>Oh, console's looking good though. I got two records, both pointing to the CloudFormation

400
00:59:41.000 --> 00:59:45.100
<v Matt Godbolt>That's what we wanted to see. I mean, I'm seeing that on my side as well here. So I think we're, we're

401
00:59:45.100 --> 00:59:49.720
<v Ben Rady>There. Yep. Yep. And yes, Terraform apply complete.

402
00:59:49.720 --> 01:00:32.120
<v Matt Godbolt>Complete. Okay. Then I think, awesome, I think we can declare almost complete victory at this point. We don't fully understand why those, those other records were either there or not there or whatever. Maybe Amazon's putting them in automatically as well as you trying to put them in manually, or something like that. That would be my guess now, because it's, it's managed by them already. Um, so you just, just leave them out, and then Terraform never needs to know they exist. Right. And it'll just work. So final work for this, then, is to, uh, double check the certificate looks good, which I think it probably must do. And then point the top-level domain registrar at AWS. Change the domain, the DNS records, um, DNS servers, sorry, to be Amazon's ones, and/or move the whole thing. It's up to you how you own them.

403
01:00:32.120 --> 01:00:32.700
<v Ben Rady>Yep. No, and then that should,

404
01:00:32.700 --> 01:00:48.110
<v Matt Godbolt>And then finally we should bump the TTL back up to something kind to, uh, everybody. That's the other last thing that, no, everyone forgets, myself included, is that, like, well, if you don't need it to be 60 seconds, then it might as... I mean, who knows, who's to say anyone pays attention to these TTLs properly anyway.

405
01:00:48.110 --> 01:00:50.140
<v Ben Rady><laugh>. Right, right. Cool. Cool,

406
01:00:50.140 --> 01:00:53.450
<v Matt Godbolt>Cool. Well, there we go. We got success. We did it.

407
01:00:53.450 --> 01:00:53.840
<v Ben Rady>We got success.

408
01:00:53.840 --> 01:01:01.640
<v Matt Godbolt>Hopefully by the time this airs, people will actually be able to go to https://twoscompliment.org and it will just work.

409
01:01:01.640 --> 01:01:04.100
<v Ben Rady>It'll just work. Fabulous. Awesome.

410
01:01:04.100 --> 01:01:06.860
<v Matt Godbolt>Okay, my friend. Until next time.

411
01:01:06.860 --> 01:01:09.860
<v Ben Rady>Until next time.

