Discussions related to ansible configuration management
do you all bake amis with config secrets too? we’ve been deploying quasi-immutable machines that pull config from ssm param store via confd
Confd is a nice approach
Gomplate also supports SSM.
Or you can just have your ansible scripts use environment variables and call ansible with chamber
All options support headless operation
Definitely discourage baking secrets into images as rotation is painfully slow and keeping an immutable “log” of secrets is not advisable
(Also, goes without saying, all suggestions assume use of IAM instance profiles to obtain STS access credentials)
what’s the draw of gomplate over confd?
one issue we’ve had with this quasi-immutable amis + confd approach is dependency order: an ssm value gets changed, but the instance isn’t rebooted (or the service on it restarted)
I would strongly caution against automatic restarts of services as one wrong value and you nuke your cluster
That’s why Kubernetes, for example, takes a rolling restart approach. Changes to ConfigMaps are not immediate. Pods need to be explicitly restarted.
…Yeah. I haven’t touched Ansible in ages.