#office-hours (2021-07)

No worries! It happens to everybody!

#hugops

no issue, although I’m glad because I missed it

Thanks guys

For my largest terraform project (couple dozen root modules), we utilize develop , master , and release branches to add some release process around promoting changes. This works well in some regards, but it’s also difficult in that upgrading our automation to tf v1.0 for example requires that we roll everything forward as fast as possible because that change isn’t held in isolation on the branch.

Anyway, looking to refresh on this topic. And particularly hear about how CloudPosse handles it.

My company was using branches the same way when I arrived and I got us off it as fast as I could for those same reasons and moved to directory separation. It was an exhausting process managing promotion of changes across branches.

the most asked question, I would move away from branches and use folder separation, we also used dev,qa, and prod branches before, it was a nightmare. suggest to only use features short-life branches and PRs for review the code added. everyone is talking about mono-repo mono-branch as single source of truth, with daily PRs.

now the magic happen in your CICD, it should be smart to know which folder to apply in which order, you can control releasing by promoting changes through environments, with simple testing at the end of the delivery to make a perfect deployment.

I like the idea to apply git-flow into Terraform, but I guess only small part of it could be helpful in IaC

it was a nightmare heavy emphasis on this

Yeah interesting that both of you have this position. I hear ya… though I don’t exactly know how I would make that fit into the SweetOps methodology. Will be a good topic for discussion.

you forgot Varnish

which was built as a reverse proxy

https://hub.docker.com/r/jwilder/nginx-proxy

If I remember correctly it had trouble with path based, but host based works great

https://github.com/nginx-proxy?type=source

thanks, yes I’m looking for path based

RE: aws-controllers-k8s - IAM is not supported, this was the biggest bummer for us and we gave up, moved all to terraform

https://github.com/aws-controllers-k8s/community/issues/222

also if you read the thread - there’s really no way to implement it securely. You will end up giving a controller iam:* which is a huge hole

I think this is the main showstopper there

A team i work with has been using crossplane.io with some success.

wow, pretty useless without the ability to create IAM. In the end, we’re back to using something like terraform.

@Matt Gowie order up^

Also found out about clairvoyance the other day but I haven’t personally been able to test run it myself.

https://github.com/reulan/clairvoyance

Via corresponding hashicorp talk here: https://www.youtube.com/watch?v=zlwhw3YGlUc

@oskar my team is using spacelift which has native drift detection. there is also an interesting connection between increasing drift and lack of environmental progression automation; in other words: the less automation between deployments from environment-to-environment…the more drift!

thanks for chipping in jonas i’ve heard good things about spacelift, thanks for recommending it. very much agree on the automation side - yet some contexts / apis / providers can at least run into some “transition time” and in some cases do simply provide better ux through their respective native gui interface in some maybe (?) rarer cases (specific example would be setting up an alert in newrelic or datadog). yet again i agree - eg a “gitops” cicd workflow definitely should best practice and a default (i.e. atlantis). by that there should - as a strong guideline - very seldom be any outside-of-terraform manipulation of infrastructure.

i’m just asking to be looking at it from this “exceptional” perspective. maybe the alert example would be a good one to talk about!

@oskar you lost me lol. what now?

tl;dr there (unfortunately) are scenarios where even over a longer time we can regularly expect drift - e.g. setting something up through a very user friendly web interface for a specific resource comes to mind (e.g. complex alert plus rule in datadog). how do people in the community handle those kind of cases?

that is literally what spacelift does.

well that’s one feature.

that’s awesome. will definitely look further into it for sure

right now we’re working on altering when drift_time > x.

ok what does that mean exactly? are you talking about “auto-syncing” things after a while?

(or semi-auto)

it is not configuration management or eventually consistent: no.

i see, will look into it thanks for the rec again

So if you had the time you could get a yaml –> atmos(terraform) –> waypoint workflow going on. pretty sure.

ack

heh, well, this is the enigma of waypoint, it’s different things to different people

IMO, it’s honestly flat-out a CI/CD platform. It’s self hosted. It offers some “providers” (e.g. jenkins plugins). It handles build. It handles deploy. It handles release.

So in otherwords, waypoint would be used to build, deploy, and release serverless apps, k8s apps, etc.

it presents a clean HCL DSL for defining it (as opposed to the YAML approach favored by circle, github actions, gitlab ci, etc)

It’s really interesting!! I’m definitely giving it a try, hopefully will be able to use it for production

Yes, but at the same rate, it’s kind of awkward that we’re using terraform for IaC and yet the statebucket is not controlled by terraform

modifying that state bucket (e.g for compliance) in Terragrunt requires a PR to terragrunt, vs managing it in terraform https://github.com/cloudposse/terraform-aws-tfstate-backend

Don’t put secrets in TF :)

More specifically, move to using other mechanisms for secrets, such as AWS’s Secrets Manager.

addendum for people who haven’t read about it yet. it’s very much centred around k8s - relying on cortex and loki. blog articles have a strong docker ~2013-ish vibe so beware - could be too good (marketing) for their own sake (yet).

https://github.com/opstrace/opstrace https://opstrace.com/blog/cloud-provider-integrations https://opstrace.com/blog/a-giant-leap-for-alerts

this looks like a whole grafana.com backend stack assembled in one project

yeah it would be awesome if only for helping run and maintain prometheus/grafana stacks but apparently can be much more and manageable (at least that seems to be the promise). pulling in cloud level events etc.

we’ve been doing cortex in-house for 1 year. A ton of efforts but it pays off. Grafana pricing for us was 10k+ month, while we packed it in under 1k

I’d love to see if that thing really gives a working opinionated setup

same same. very excited to learn about this project (again don’t know if it really is as good as it looks at first sight!)

reminds me the most: https://www.kubernetic.com/

used for a long time - positive feedback

probably not as extensible as this open source chatbot framework though - have not put much time into it myself yet and i’m biased as a clojure fan. still: https://github.com/yetibot/yetibot

wow… yeti looks amazing

yeah it totally is. if you are only a little into lisp you should check it out. and if you are into babashka (https://github.com/babashka/babashka) definitely check it out!

I was raised on Lisp …but that was a very long time ago.

haha it’s like riding the bicycle - never forget it really

there is not much to forget actually ;D

looks sane to me. anything specific that bugs you there? if you look for other perspectives, i’m in the same mindspace unfortunately.

very good question thanks for sharing. i really also like the “dynamic” view @marc slayton has on this as well. and to paraphrase maybe what you got at for the “static” approach you painted here jonas - not too many layers with the parametrization as @Erik Osterman (Cloud Posse) put it. and maybe also disregarding some of those differences to even simplify further as @roth.andy has said. hope i got this right. either way, thanks again very interesting topic to me as well.

sound like good rules of thumb for the “static” view on this kind of “o11y” (charity majors probably disagrees indeed btw ).

ha, yeah.

sorry to hijack this thread again but @marc slayton somebody was asking about which APM solution you are using before the zoom closed. i’m also curious

Any chance to have a global multiplier for an environment? Maybe a set of multipliers, say one for timeouts, another for RPMs. They you’d customize only multipliers. Of course you still should have a bypass to override a single value, when needed.

I missed the office hours yesterday so didn’t see this until I was watching the recording but this is actually exactly the rabbit hole I started down just yesterday for AWS Cloudwatch Alarms. I’m approaching this using the CloudPosse YAML Config module and the built in Parameters variable.

The only thing I haven’t figured a solution out for yet is setting default parameter values if not set in var.parameters

This is what my YAML File looks like:

ConsumedReadCapacityUnits:
  metric_name: "ConsumedReadCapacityUnits"
  metric_namespace: "AWS/DynamoDB"
  treat_missing_data: "ignore"
  comparison_operator: ${ConsumedReadCapacityUnits_comparison_operator}
  description: ${ConsumedReadCapacityUnits_description}
  metric_value: ${ConsumedReadCapacityUnits_metric_value}
  evaluation_periods: ${ConsumedReadCapacityUnits_evaluation_periods}
  period: ${ConsumedReadCapacityUnits_period}
  statistic: ${ConsumedReadCapacityUnits_statistic}
  threshold: ${ConsumedReadCapacityUnits_threshold}
  dimensions: 
    TableName: ${ConsumedReadCapacityUnits_TableName}

And I pass this into the YAML Config module:

  parameters = {
    ConsumedReadCapacityUnits_TableName           = "terraform-registry-touching-gorilla"
    ConsumedReadCapacityUnits_threshold           = "1"
    ConsumedReadCapacityUnits_period              = "300"
    ConsumedReadCapacityUnits_evaluation_periods  = "1"
    ConsumedReadCapacityUnits_metric_value        = "1"
    ConsumedReadCapacityUnits_description         = "Alarms when ."
    ConsumedReadCapacityUnits_statistic           = "Average"
    ConsumedReadCapacityUnits_comparison_operator = "GreaterThanOrEqualToThreshold"
  }

if you remove the cross-platform requirement you seem to be having would you be able to unbiasedly recommend it over make still? even if you / your team knows make well?

thanks for sharing btw. i didn’t know taskfile.dev

Personally I think Make is the default simply because it’s always been there. I don’t see any advantage in it. Wasn’t intended as a devops task runner tool, was meant for C development, so lots of clunky work arounds for devops usage.

Imo, a single curl bootstrap of task means it’s super easy to get going and if I had to pick it would be a no brainer for me

got it, so to paraphrase to you a more modern take. i would agree.

You get basic templating too and cross platform support can’t be discounted even if no one uses it yet, cause you never know!

version: '3'

includes:
  build: ./Taskfile_{{OS}}.yml

You can use templating and fingerprint work for incremental builds. https://taskfile.dev/#/usage?id=by-fingerprinting-locally-generated-files-and-their-sources

The CI jobs in 3 seoncs bootstrap with snap install –classic task or whatever it is and you are good.

that is nice. thanks, will check it out.

Give this a shot as a starter sometime.

It’s NOT perfect. If you have Python devs then use a python task runner, Go use mage, etc.. If you need something instead of Make though, it’s fantastic.

I did a starter write up (have more in the ci-configuration repo i linked in main room), but as I started I tried to note some of the nice base configurations I setup. I plan on improving too with vars.yml instead of embedding the color formatting into the main taskfile.

https://www.sheldonhull.com/docs/task/

Cheers

very nice - coming up on my reading list - thanks for sharing again