# aws

akhan4u

03/19/2025, 4:57 PM
Question: Hi there 👋, I wanted to know a graceful way to delete an `aws_vpc_endpoint` resource in Terraform. I wasn't able to do it with `terraform destroy` for a stack where I'd created an S3 gateway endpoint. It required me to log in and delete the `vpc_endpoint` from the console. Can you guys provide some inputs?

Andy Wortman

03/20/2025, 3:55 PM
Looking at the Cloudposse terraform-aws-documentdb-cluster, I'm not finding an option to provision an elastic cluster. Is that in a separate module, or perhaps doesn't exist (yet)?

Erik Osterman (Cloud Posse)

03/21/2025, 3:42 PM
set the channel topic: aws Discussion related to Amazon Web Services (AWS). Please use #CB6GHNLG0 for Terraform questions.

SA

04/09/2025, 6:30 PM
Hi everyone, I'm working on a data restoration process involving large batches of archived files stored in S3 Glacier Deep Archive. The recent data we store is tarred into single files for efficiency, but the older data we're trying to restore consists of thousands of individual files per batch, which is making the restoration process challenging. S3 doesn't support folder restores and requires files to be restored individually. As you can imagine, trying to restore such a large number of individual files using bash scripts is causing timeouts and issues with tracking the progress. Has anyone experienced a similar issue with restoring large numbers of individual files from S3 Glacier? We're considering S3 Batch Operations, but I'd love to hear if anyone has other strategies or best practices for efficiently handling this kind of large-scale restore, especially when dealing with a massive number of files. TIA

Gitmoxi

04/29/2025, 2:58 AM
Hey Folks!! I'm currently exploring a startup idea at the intersection of DevOps and Generative AI. As someone with hands-on experience in DevOps, I'd love to hear your perspective on the current challenges practitioners face and where you think GenAI could meaningfully help. If you're open to it, I'd really appreciate a quick 30-minute chat. Would love to learn from your experience — and happy to share more about what I'm thinking too! Please like or comment on this message and I can reach out to you directly. Thanks so much for considering, and hope to connect! 🙏 🙏

SA

05/02/2025, 5:37 PM
Question on Detaching and Re-enrolling Accounts in AWS Control Tower via Account Factory: I'm working on updating the AWS alias, root email, and account name and need some clarification regarding the detachment and re-enrollment of accounts in AWS Control Tower.

1. The accounts are provisioned via AWS Control Tower using Account Factory, where each account is specified in the .yaml template.
2. Detaching from Control Tower for Updates: To update account aliases, root email addresses, and account names, do I need to detach the account from Control Tower by removing the corresponding `AWS::ServiceCatalog::CloudFormationProvisionedProduct` resource in the .yaml template? And once the updates are done, should I re-enroll the account back into Control Tower by adding the account back to the template and redeploying? I couldn't find much, or it's a bit unclear for me from the AWS docs. Can someone shed some light on whether I am thinking about the process correctly or not?

Resource Block (to remove for detachment):

```yaml
AccountName:
  Type: AWS::ServiceCatalog::CloudFormationProvisionedProduct
  Properties:
    ProductId: !Ref pProvisionedProductId
    PathId: !Ref pPathId
    ProvisioningArtifactId: !Ref pProvisioningArtifactId
    ProvisionedProductName: !Ref pAccountName
    ProvisioningParameters:
      - Key: AccountEmail
        Value: !Ref pAccountEmail
      - Key: AccountName
        Value: !Ref pAccountName
      - Key: ManagedOrganizationalUnit
        Value: !Sub "dev (${pDevOuId})"
      - Key: SSOUserEmail
        Value: aws-mgmt+usw2-controltower@.com
      - Key: SSOUserFirstName
        Value: AWS Control Tower
      - Key: SSOUserLastName
        Value: Admin
```

Parameter Block (to ensure re-enrollment):

```yaml
pAccountName:
  Type: String
  Default: account-name
```

TL;DR: To update the alias, root email, and account name, do we need to detach the account from Control Tower by removing the `AWS::ServiceCatalog::CloudFormationProvisionedProduct` resource and its associated parameters in the YAML? Once the updates are complete, should we re-enroll the account by adding the resource and parameter blocks back to the YAML and redeploying? Any insight is much appreciated. TI

Michael

05/03/2025, 7:18 PM
AWS news: Lambda billing will now charge for cold starts https://aws.amazon.com/blogs/compute/aws-lambda-standardizes-billing-for-init-phase/

Zing

05/14/2025, 12:11 PM
I've been thinking about switching to ElastiCache Serverless for Redis (we're currently using non-clustered with a replication group) and noticing that you can't create a user/pass with the Terraform resource… How are people adding that additional layer without using replication group nodes? Is it just not needed as a general rule? (rely on security groups + TLS)

Aarushi

05/15/2025, 9:08 AM
Hey folks— quick pulse check: is anyone else seeing AWS costs creep up again this year? We've been digging into 400+ AWS environments and spotting some recurring patterns — things even seasoned teams miss. We're putting together a free tactical webinar: 2025 Cloud Fitness: 5 Pro-tips for Healthier AWS Infrastructure No fluff — just 5 expert-backed fixes to cut waste and boost performance this year. • Focused on actionable steps • Backed by real-world infra data • 30 minutes + live Q&A Grab your seat here: https://www.cloudkeeper.com/cloud-fitness-healthier-aws-infrastructure-webinar-2025?utm_source=Slack&utm_medium=slack_webinar&utm_campaign=cfc

joey

05/19/2025, 8:09 PM
Does anyone have strong opinions on EKS network flow monitoring (e.g. cross-AZ) for people that aren't using a CNI that provides things like Hubble? I've found AWS Network Flow Monitoring to be... not good, kubecost to be inaccurate (and not good), most open source solutions to not work, VPC flow logs to be painful, and the class of Datadog, Splunk, etc. to be expensive.

Mubarak J

05/20/2025, 12:00 AM
It looks like Terraform will add enhanced region support as part of the AWS provider v6. I'm curious how this will work in root and child modules.

akhan4u

05/20/2025, 5:34 PM
Hi Team, I've a question around integration of AWS Lake Formation & IAM Identity Center. I'd like to grant external users (AD users/SAML users) access to AWS Lake Formation resources, i.e. S3, Redshift, etc., and classify access using tags (aka more fine-grained permissions). It'd be great if someone could provide me general guidance, or something like a rough flowchart for this use case.

PePe Amengual

05/29/2025, 7:28 PM
Who uses shared VPCs? Do they work now? How is your experience?

Robindeva

06/04/2025, 10:20 AM
https://medium.com/@robindeva.rj/aws-transform-for-net-the-ai-revolution-thats-finally-solving-the-legacy-code-nightmare-91294efc20b1

Robindeva

06/06/2025, 7:55 AM
https://medium.com/@robindeva.rj/bulletproof-your-web-applications-the-complete-aws-waf-security-guide-part-1-b1fda84c24be

Jan Costandius

06/18/2025, 7:31 PM
Has anyone been using diagrams as code on a larger scale? Which frameworks have you been using?

Shivam s

06/23/2025, 3:14 PM
I found a few automations using shell scripting https://github.com but I want to put it on action if anyone is aware

Pierre Humberdroz

07/08/2025, 3:22 PM
I feel like people would have an idea on how to solve this.. I am in need to let some cloud managed tools connect into my AWS VPC via an SSH bastion. Currently we have an EC2 instance set up which kinda works, but I am wondering if we can host the SSH server within our EKS cluster and enable external access like this. Has anyone here done something like that before?

Sudip Chhatui

08/05/2025, 8:14 AM
#CCT1E7JJY https://zop.dev/resources/blogs/dev-test-stage-environments-are-quiet-at-night-so-why-is-your-cloud-bill-loud

Erik Osterman (Cloud Posse)

08/18/2025, 6:02 PM
https://www.theregister.com/2025/08/18/aws_updated_kiro_pricing/

Mubarak J

09/05/2025, 8:31 PM
Does anyone know what will happen to Bitnami images hosted on public ECR? We reference these images, and I was curious if these will move to something like https://gallery.ecr.aws/bitnami-legacy/

Ivan Pinatti

09/17/2025, 5:02 PM
👋🏼 Curious how others are handling S3 Access Logs when facing requirements like:

1. CMK (customer managed keys) for encryption
2. WORM (write once read many) compliance policies with deletion blocked
3. MFA delete required/enabled
4. Alerts when manual deletions happen (not lifecycle rules)

According to AWS docs, you can't have 1 and 2 for a logging destination bucket. And it seems 3 is unsupported on Atmos/Terraform.

Hamza Nasir

09/23/2025, 3:54 PM
Hello guys

Hamza Nasir

09/23/2025, 3:57 PM
Need help with some AWS thing. This is maybe dumb, but I think I am wasting too much time on this and thought to get help from the community. I am getting this error. I am able to access this instance using a connect endpoint via another role; I assigned the same perms to the second role but am getting this error. I tried editing the inbound rule for its SG by allowing all traffic from 10.0.0.0/8, which includes all my VPC CIDRs. Not sure what I should do now. Has someone faced this before?

paulm

10/03/2025, 3:30 PM
I thought I'd share IaC source for creating "shareable" AWS Lambda test events…

Background: aws.amazon.com/about-aws/whats-new/2022/03/aws-lambda-console-test-events

• Introduced in 2022, this way of distributing sample events so that multiple developers can test Lambda functions realistically, not locally, hasn't received much attention. The documentation covers manual creation, not IaC.

Sample: github.com/sqlxpert/stay-stopped-aws-rds-aurora/blob/b9c2457/stay_stopped_aws_rds_aurora.yaml#L883-L970

• I like CloudFormation. The Terraform resources are `aws_schemas_registry` and `aws_schemas_schema`.
• The `lambda-testevent-schemas` registry serves every Lambda function in an AWS account and region, so you've got to be able to create it conditionally, and it has to survive the deletion of your project. Consider a removed block with `destroy = false`.
• Test events for internal projects will be more specific than mine, and won't need editing. Test execution can be automated, but extra keys with instructions for humans might be useful nevertheless.

I hope this will be helpful to someone!

Igor Rodionov

10/06/2025, 10:33 AM
Hey SweetOps community 👋 I'm looking to learn how other teams are handling ECS deployments — specifically how they're structuring and automating the process of deploying applications on ECS. We're reviewing and refreshing our ECS deployment strategy and patterns, and we'd love to hear from others in the community who are running workloads on ECS. If you or your team are deploying apps to ECS, I'd love to know:

• How do you typically deploy? (e.g., GitHub Actions, CodePipeline, Terraform, custom tooling, etc.)
• What deployment patterns or architectures are you using? (e.g., blue/green, rolling updates, canary, etc.)
• How do you decouple application and infrastructure related configs?
• What have you found works best (or doesn't)?
• Are there any lessons learned or gotchas you'd share?

The goal is to gather insights into common practices and trade-offs teams are making so we can align our approach with the broader DevOps community and current best practices. If you're open to sharing your experience or discussing this further, please drop a comment or DM me — we'd really appreciate your input! Thanks in advance!

shannon agarwal

10/07/2025, 5:29 PM
Hello SweetOps people, I have a new project to build a Windows Server in AWS, but it looks like there are currently no Windows AMIs created. What is the best way to go about this? I have the requirements.

Mubarak J

10/16/2025, 9:10 PM
Many AWS services are moving to maintenance mode. I was once interested in CodeCatalyst and Proton... glad we didn't end up using them. https://aws.amazon.com/about-aws/whats-new/2025/10/aws-service-availability/