MightyBigMinus
Jan 26, 2020

anyone have strong opinions on semgrep or a preferred alternative?


Hadlock
Nov 9, 2004

Vulture Culture posted:

Once you have people looking to solve problems by injecting behaviors into each and every thing in the business, even something as small as a tag on a bunch of AWS resources, legacy configuration-as-code approaches slow you down at least as much as they speed you up

I call this "too much magic" and yeah it looks great on your "accomplishments" part of your annual review/salary increase but holy poo poo more than like, two of these things in the whole stack and you end up with a bunch of unintended consequences and the new tribal knowledge is "how to modify the IaC without blowing up production"

In other news, speaking of "too much magic": cloudflare turns on "DNS proxy" by default when creating new records, even when you use their API

Apparently I enabled it manually at some point :negative:

Hadlock fucked around with this message at 08:27 on Dec 21, 2023

Bhodi
Dec 9, 2007

Oh, it's just a cat.
Pillbug
if you want me to adopt a new tool, offer something that doesn’t require me to switch my entire infra into a new managed source of truth that won’t interoperate with anything else and is so brittle that you have to go into disaster recovery if its internal model doesn’t match reality down to the decimal place.

every single new tool is always “this is amazing if you greenfield it from the ground up in a controlled environment”. yeah? when’s the last time you worked in a place that was willing to throw away / transition out of decades of developed business process?

I don’t need another finely tuned precision wondertool that jealously guards its domain, I need some contraption that runs on bunker oil and grit that brings modest benefit and runs everywhere with an eye to interoperation.

it’s rare that any dept can dictate the whole stack that a tool manages in anything but tiny companies, and there is rarely consideration of this from the tool’s design perspective beyond “i guess we will allow it to ignore tags that have changed”

SSH being a ubiquitous channel into every server and ansible not requiring server agents are the two keys to its wide success compared to other, similar tools. It can be dropped into virtually any workplace and be immediately useful without onboarding agents or management servers.

Stop asking my hosts to register and be managed, no one wants hosts to be registered and managed by yet another system because there’s already a half-dozen separate agents brawling over /var/log file locks keeping systems “secure” and our performance team just changed the iops value on the database drives to prevent it from melting down while generating quarterly reports

Bhodi fucked around with this message at 13:56 on Dec 21, 2023

TheBlackVegetable
Oct 29, 2006

Hadlock posted:

Then you have to manage a key per repo, and you have to manually go generate a new one every time a repo is created/re-created

:suicide:

Fast forward 3 months from now:

Developer: hey I'm getting access denied when I try and setup this declarative ci/cd thing for < greenfield >
Me: oh yeah you need to go into the GitHub UI and generate a deploy key, then save it in the shared secrets manager, then use it wherever you need to
Developer: oh but this is going to get automated? How do I login to the shared secrets thing again
Me: no you'll need to do this every time
Developer: is there documentation? This seems needlessly repetitive
Me: no just Google it
Developer + their manager: what the gently caress do we pay you for

Or with dedicated GitHub user:

Developer: I setup my thing today using the stored credential
Me: yay IaC
Developer: let me buy you a beer
Me: :guinness:

The GitHub Terraform provider has a github_repository_deploy_key resource

Vulture Culture
Jul 14, 2003

I was never enjoying it. I only eat it for the nutrients.

Hadlock posted:

I call this "too much magic" and yeah it looks great on your "accomplishments" part of your annual review/salary increase but holy poo poo more than like, two of these things in the whole stack and you end up with a bunch of unintended consequences and the new tribal knowledge is "how to modify the IaC without blowing up production"

In other news, speaking of "too much magic": cloudflare turns on "DNS proxy" by default when creating new records, even when you use their API

Apparently I enabled it manually at some point :negative:

It's only magic at all because the APIs suck and the standards suck and the tools suck. They're legitimately separate business concerns and the fact that dominant engineering practices have a hard time dealing with them independently is, frankly, startling

Major cloud platforms are all built on this central conceit of "let's make the cloud environment itself a schemaless, ungoverned key-value store with no reference standards anywhere, and insist that people use it as a source of truth for operations, finance, and security" and just, what the gently caress were we all thinking?

Vulture Culture fucked around with this message at 16:01 on Dec 21, 2023

Hadlock
Nov 9, 2004

TheBlackVegetable posted:

The GitHub Terraform provider has a github_repository_deploy_key resource

After my coworker deleted the monolith repo in GitHub that ran a publicly listed company (along with 50+ other repos) and I had to get on a conference call with the CTO and together we (as the only two GitHub account owners near a computer at that time) restored all the deleted repos, manually, I have since decided that GitHub repos are something that should not be managed by terraform

Yeah that really happened. At like noon on a Tuesday. Somebody decided to hit "apply" without looking at the terraform output after a bad merge

Bhodi
Dec 9, 2007

Oh, it's just a cat.
Pillbug
That’s hilarious. The terraform plan report is a masterclass of how not to relay useful / critical information. The apply claims another victim!

The Fool
Oct 16, 2003


Additionally I have been dealing with an issue where terraform makes changes to a resource without actually surfacing it in the plan!

12 rats tied together
Sep 7, 2006

yeah, plan is absolutely made up, it just happens to be true most of the time.

even things like "update" are not always true even on the big providers like, for example, aws security groups used to fully delete every rule and recreate them on change.

which works fine until you introduce a conflicting rule which makes the apply bomb halfway through a security group update and leaves the group with a random slice of its desired state.

plan showing a change just means "I'm gonna run some api calls with the credentials you gave me. No I won't tell you what the calls are". It doesn't even guarantee that the resources that will change are the ones in the plan, unless you exclusively generate saved plans and run only them

Hadlock
Nov 9, 2004

12 rats tied together posted:

which works fine until you introduce a conflicting rule which makes the apply bomb halfway through a security group update and leaves the group with a random slice of its desired state.

:glomp:

When stuff like this happens I know I'm gonna have a great day :thumbsup:

TheBlackVegetable
Oct 29, 2006

Hadlock posted:

After my coworker deleted the monolith repo in GitHub that ran a publicly listed company (along with 50+ other repos) and I had to get on a conference call with the CTO and together we (as the only two GitHub account owners near a computer at that time) restored all the deleted repos, manually, I have since decided that GitHub repos are something that should not be managed by terraform

Yeah that really happened. At like noon on a Tuesday. Somebody decided to hit "apply" without looking at the terraform output after a bad merge

Yes, don't make Resources things that should be just Data Sources is a good rule, but I wouldn't throw the baby out with the bathwater - I would still use Terraform for the repo key.
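An added example (not code from anyone in the thread) of the split TheBlackVegetable describes: the repository stays a data source, only the deploy key is a Terraform resource, and the key material is generated by Terraform instead of by hand in the GitHub UI. The org/repo name and key title are placeholders.

```hcl
terraform {
  required_providers {
    github = { source = "integrations/github" }
    tls    = { source = "hashicorp/tls" }
  }
}

# The repository is read, never owned: a bad merge followed by an
# "apply" cannot plan a destroy against a data source.
data "github_repository" "app" {
  full_name = "example-org/example-app"   # placeholder
}

# Key pair generated by Terraform. The private half ends up in state,
# so the state backend needs the same access controls as a secrets store.
resource "tls_private_key" "deploy" {
  algorithm = "ED25519"
}

# Created on every repo create/re-create by the same plan, so nobody has
# to remember the manual "generate a deploy key" step.
resource "github_repository_deploy_key" "ci" {
  repository = data.github_repository.app.name
  title      = "ci-deploy-key"           # placeholder
  key        = tls_private_key.deploy.public_key_openssh
  read_only  = true   # CI only clones; no push rights from this key
}

# Marked sensitive so it is redacted from plan/apply output. Push it into
# the shared secrets manager from a separate step rather than printing it.
output "deploy_private_key" {
  value     = tls_private_key.deploy.private_key_openssh
  sensitive = true
}
```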

The Fool
Oct 16, 2003


if terraform can do it there's an API endpoint that you can hit and do it yourself

Bhodi
Dec 9, 2007

Oh, it's just a cat.
Pillbug
I’m 99% sure our policy of aggressively setting deletion protection flags has saved our infrastructure from rogue TF applies a number of times in the last year.

The Fool
Oct 16, 2003


yeah, we do that with all production storage

love to get a support ticket asking why a run failed with "could not delete due to lock"
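Added example, not from either poster, of the two layers of delete protection the last few posts rely on: a Terraform-side prevent_destroy that fails the plan, and the provider-side deletion_protection flag that makes the API itself refuse the delete (the "could not delete due to lock" failure). Identifier, instance class and variable names are assumptions.

```hcl
variable "db_username" {
  type = string
}

resource "aws_db_instance" "primary" {
  identifier                  = "prod-primary"   # placeholder
  engine                      = "postgres"
  instance_class              = "db.r6g.large"
  allocated_storage           = 100
  username                    = var.db_username
  manage_master_user_password = true   # password lives in Secrets Manager, not in state
  final_snapshot_identifier   = "prod-primary-final"
  skip_final_snapshot         = false

  # Layer 2, enforced by AWS: the DeleteDBInstance call is rejected until
  # this flag is turned off in a separate, deliberate apply. This is what
  # turns a rogue apply into a failed run instead of a lost database.
  deletion_protection = true

  # Layer 1, enforced by Terraform: while this block is still in the
  # config, any plan that would destroy or replace the instance errors
  # out before a single API call is made.
  lifecycle {
    prevent_destroy = true
  }
}
```

prevent_destroy only covers a resource whose block is still present in the configuration; removing the block removes the guard, which is why the API-side flag is the one that catches a bad merge.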

drunk mutt
Jul 5, 2011

I just think they're neat

Hadlock posted:

What happened that your environments are so different, genuinely curious.

We are a staff aug account and have consultants roll off every year or two. Our group was put together a few years back from a mixture of talent with the idea that the complex tech stack would be suited to having knowledge transfer over time. It was just a perfect storm that had a bunch of devs define architecture in a piecemeal way instead of looking at the solutions we offer in a more holistic way. So there are a bunch of Rube Goldberg machines held together by toothpicks and duct tape and our "customers" have continued demand that is better suited to "just write some other code".

Hadlock
Nov 9, 2004

We had a separate tech fiefdom that ran our warehouse and fulfillment operations, it was a bunch of elastic beanstalk bullshit. As soon as they poo poo canned that entire engineering org we containerized everything in production inside a week and moved them to our tooling in two more weeks. Just totally absorbed the ops workflow for 30 engineers in less than two man months. We're pretty ruthless about standardizing everything on the ops side. There's almost nothing you can't stuff into a helm chart and deploy standardized these days

drunk mutt posted:

and our "customers" have continued demand that is better suited to "just write some other code".

Product rules engineering and the VP of eng is really just a vassal to the house of product, tell me something I don't know :rolleye:

SeaborneClink
Aug 27, 2010

MAWP... MAWP!

Hadlock posted:

Product rules engineering and the VP of eng is really just a vassal to the house of product, tell me something I don't know :rolleye:

I've seen this episode. Would you like a side of JSON?

Junkiebev
Jan 18, 2002


Feel the progress.

Does Azure have an "official" document (ideally JSON) that's consumable listing their regions, the display name, and their agreed-upon short names? What informs this? https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/blob/main/modules/connectivity/locals.geo_codes.tf.json

Ideally it would be hittable without needing auth

Junkiebev fucked around with this message at 00:25 on Dec 27, 2023

Junkiebev
Jan 18, 2002


Feel the progress.

Junkiebev posted:

Does Azure have an "official" document (ideally JSON) that's consumable listing their regions, the display name, and their agreed-upon short names? What informs this? https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/blob/main/modules/connectivity/locals.geo_codes.tf.json

Ideally it would be hittable without needing auth

The problem I am trying to solve is the construction of resource names. I have the ability to consume "East US 2" from the dictionary I'm using to create the objects, but I can't determine a good way to construct "East US 2" means the eTLA for that region should be "eus2"

vanity slug
Jul 20, 2010

stop thinking there's logic behind it, a random pm is assigned short naming duty and they just make it up

NihilCredo
Jun 6, 2011

Suppress anger in every possible way:
that one fault will defame you more than many virtues will commend you

Junkiebev posted:

Does Azure have an "official" document (ideally JSON) that's consumable listing their regions, the display name, and their agreed-upon short names? What informs this? https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/blob/main/modules/connectivity/locals.geo_codes.tf.json

Ideally it would be hittable without needing auth

PowerShell has a Get-AzLocation command, and you should be able to pipe that to ConvertTo-Json.

Hadlock
Nov 9, 2004

Junkiebev posted:

The problem I am trying to solve is the construction of resource names. I have the ability to consume "East US 2" from the dictionary I'm using to create the objects, but I can't determine a good way to construct "East US 2" means the eTLA for that region should be "eus2"

Seems like regex and/or a lookup table ought to solve your problem. I'd create/populate a cloud k:v resource and then reference that
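An added example (not Junkiebev's or Hadlock's code) of the lookup-table approach in Terraform: display names resolve to geo codes through a table that is populated deliberately, and name construction fails the plan instead of guessing when the table has no entry. The table entries, variables and naming pattern are illustrative, not Azure's official list.

```hcl
variable "location" {
  type = string   # display name as received, e.g. "East US 2"
}
variable "workload"            { type = string }
variable "env"                 { type = string }
variable "resource_group_name" { type = string }

locals {
  # Authoritative table keyed on the display name the caller already has.
  # Entries are illustrative: fill this from the CAF geo_codes file rather
  # than deriving codes from the display name ("West Europe" is not "we").
  geo_codes = {
    "East US"      = "eus"
    "East US 2"    = "eus2"
    "West Europe"  = "weu"
    "North Europe" = "neu"
  }
  geo_code = lookup(local.geo_codes, var.location, null)

  # Storage account names are 3-24 lowercase alphanumerics, so the parts
  # are lowercased and joined without separators: st<workload><env><geo>01
  storage_name = lower("st${var.workload}${var.env}${coalesce(local.geo_code, "unknown")}01")
}

resource "azurerm_storage_account" "app" {
  name                     = local.storage_name
  resource_group_name      = var.resource_group_name
  location                 = var.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  lifecycle {
    # Unknown region: stop at plan time rather than ship a name built on a guess.
    precondition {
      condition     = local.geo_code != null
      error_message = "No geo code registered for location '${var.location}'; add it to local.geo_codes."
    }
  }
}
```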

The Fool
Oct 16, 2003


NihilCredo posted:

PowerShell has a Get-AzLocation command, and you should be able to pipe that to ConvertTo-Json.

az cli also does this and outputs json already

Junkiebev
Jan 18, 2002


Feel the progress.

Nothing emits the “official” (optionally-extended) three-letter-acronym that I can find.

Is it a thing?

Junkiebev
Jan 18, 2002


Feel the progress.

vanity slug posted:

stop thinking there's logic behind it, a random pm is assigned short naming duty and they just make it up

I fear this to be the case, but this is also too horrible to entertain given that there are “official” conventions which take it as an input…

Is the CAF repo the closest thing out there?

NihilCredo
Jun 6, 2011

Suppress anger in every possible way:
that one fault will defame you more than many virtues will commend you

Junkiebev posted:

I fear this to be the case, but this is also too horrible to entertain given that there are “official” conventions which take it as an input…

Is the CAF repo the closest thing out there?

Maybe check the azure NuGet libraries for an enum?

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
I had a chat with a recruiter yesterday about a contract to hire position where the organization has apparently purchased Terraform but hasn't started using it because nobody knows how (why did they purchase it then???). I have a little bit of TF experience but I've told the recruiter I don't think I'm the right person to lead a rollout of TF. But apparently the recruiter can't find anybody with any terraform experience beyond using it with a small simple project? That seems shocking to me, you'd think the talent pool would be a bit deeper out there.

Hadlock
Nov 9, 2004

Depends on the salary band.

I've started getting recruiter emails pretty much daily again (thanks jpow/fed!) but they're lowballing me on salary by about 10-25% so that's a hard no

In my experience they're generally looking for someone with 3-4 years minimum with terraform to lead an initial deployment of the technology. Most of those guys have offers from other places for more than management is willing to pay because it's pretty high in demand

Hadlock
Nov 9, 2004

Seems like aws-load-balancer-controller has the ability to assign specific security groups to load balancers

As far as I can tell, ingress-nginx can modify open ports on the lb sg based on the ports listed on the service, but there's no other mechanism to control the security group directly

There's a requirement to do site to site security via IP whitelist (instead of VPN, because reasons)

Right now looks like migrating away from ingress-nginx to the AWS one for better control. I'll create the whitelist security group via terraform then apply/specify it using helm values, I guess

Hadlock
Nov 9, 2004

Number of times I had the correct solution, but got an error and started over because I didn't wait for the load balancer to finish provisioning: somewhere around 6

:smithicide:

Vulture Culture
Jul 14, 2003

I was never enjoying it. I only eat it for the nutrients.

Hadlock posted:

Number of times I had the correct solution, but got an error and started over because I didn't wait for the load balancer to finish provisioning: somewhere around 6

:smithicide:

Rule #1 of Kubernetes controllers: read logs

Hadlock
Nov 9, 2004

Yeah but it's a blind call. Something like "load balancer: provisioned!" in a big blob of text, sent before the lb is online and starts looking for traffic. Whether or not the load balancer finds a healthy endpoint and starts delivering live traffic is outside the responsibility of the controller. There are actually two additional conditions that don't surface in the logs but it's too early to type up an essay about it right now. It's explained in the documentation but the docs are pretty opaque about how the security groups are created and maintained

The Fool
Oct 16, 2003


my proposal to do a session for hashitalks was accepted

I'm assuming they accept anyone that submits

LochNessMonster
Feb 3, 2005

I need about three fitty


The Fool posted:

my proposal to do a session for hashitalks was accepted

I'm assuming they accept anyone that submits

Congrats! Care to share what it’s going to be about?

The Fool
Oct 16, 2003


going to do a thing on using the tfc/tfe api with a real world example of managing ephemeral workspaces

drunk mutt
Jul 5, 2011

I just think they're neat

The Fool posted:

going to do a thing on using the tfc/tfe api with a real world example of managing ephemeral workspaces

This sounds very cool, would this be including practical/sensible approaches to the solves? Could see this helping my team stop doing the stupid on just duplicating repositories to isolate state management.

drunk mutt
Jul 5, 2011

I just think they're neat
Which after posting that, had me actually realize y'all would be a good group of folks to ask this question to;

We are a team that builds capabilities and offerings for consuming teams, which means we own many products within various contexts. How the gently caress do you build awareness on "path to production" throughout the variances? Like, devs will just prefer a singular unified lifecycle and make life hard because of this; when there is no sensible approach to unify, what are some good methods of getting dev buy in kind of poo poo.

Hadlock
Nov 9, 2004

I have an "example-application" repo that's a python flask app that has a metrics endpoint and a corresponding helm chart in a different repo. It returns a "hello world" on / and a Prometheus metrics endpoint on /metrics + /healthz. Very easy to absorb for even the greenest developer. I think not including the .github folder and .gitignore the whole repo might be 200 LOC. Any new CI/CD functionality is added to that first.

If a developer wants to consume the tooling they can either start from scratch and use that as a model, or copy-paste it wholesale and make their changes

This gets most developers 99% of the way to success, IMO

drunk mutt
Jul 5, 2011

I just think they're neat

Hadlock posted:

I have an "example-application" repo that's a python flask app that has a metrics endpoint and a corresponding helm chart in a different repo. It returns a "hello world" on / and a Prometheus metrics endpoint on /metrics + /healthz. Very easy to absorb for even the greenest developer. I think not including the .github folder and .gitignore the whole repo might be 200 LOC. Any new CI/CD functionality is added to that first.

If a developer wants to consume the tooling they can either start from scratch and use that as a model, or copy-paste it wholesale and make their changes

This gets most developers 99% of the way to success, IMO

The "starter kit" pattern works for direct context relation, and really is great for the more narrow scoped variances (e.g, k8s, lambda, containerized apps in general). But your response does make me realize I am approaching the solve in a wrong manner; so thank you for that! =)

ETA: The realization is that instead of trying to design a unified pattern across the team, have a formalized pattern per-product that is clearly defined which might have overlap but that's a different problem to solve (e.g, sensible defaults)

drunk mutt fucked around with this message at 03:56 on Jan 5, 2024


Hadlock
Nov 9, 2004

drunk mutt posted:

How the gently caress do you build awareness on "path to production" throughout the variances? Like, devs will just prefer a singular unified lifecycle and make life hard because of this; when there is no sensible approach to unify, what are some good methods of getting dev buy in kind of poo poo.

Kind of sounds like eng as a whole needs the eye roll kind of training? Talk to your boss about scheduling a series of (mandatory) 3 or 4 x 20 minute training sessions over the course of a month and then offer an open question session for the following 40 minutes. Note down any grievances aired and either correct them or better document that stuff where necessary

TL;DR do more brown bag sessions
