#office-hours (2023-08)

“Office Hours” are every Wednesday at 11:30 PST via Zoom. It’s open to everyone. Ask questions related to DevOps & Cloud and get answers! https://cloudposse.com/office-hours

Public “Office Hours” are held every Wednesday at 11:30 PST via Zoom. It’s open to everyone. Ask questions related to DevOps & Cloud and get answers!

https://cpco.io/slack-office-hours

Meeting password: sweetops

2023-08-01

managedkaos avatar
managedkaos

Might be old news but first i’m seeing it: Replit is getting into app deployment/hosting. makes sense to me!

1
venkata.mutyala avatar
venkata.mutyala

Pretty slick.

1
managedkaos avatar
managedkaos
Deploymentsattachment image

Deploy and host any project on Replit

2023-08-02

managedkaos avatar
managedkaos

This one is also interesting… Digital twins of all parts of the system along with integrated plans and applies… https://www.youtube.com/watch?v=zyEOYl23pd8

jose.amengual avatar
jose.amengual

we talked about this a few office hours ago

1
managedkaos avatar
managedkaos

cool. might have missed that one.

managedkaos avatar
managedkaos
Terraform Writer

Online AI Terraform Writer is a tool that helps programmersto compose complete Terraform modules to use instantly to provision their infrastructure.

managedkaos avatar
managedkaos

and the follow on is the CI/CD writer… https://codepal.ai/cicd-pipeline-writer#

CI/CD Pipeline Writer

Generate CI/CD pipelines for any CI/CD platform with our AI-powered tool.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Thanks for the links!

johncblandii avatar
johncblandii

this is kinda crazy

1
1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Wow!!

managedkaos avatar
managedkaos

I would take this to mean the LLM has internet capabilities to look up modules

managedkaos avatar
managedkaos

Or maybe the module has been around long enough to be used as a parameter to the LLM

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
1
Matthew James avatar
Matthew James

i had pretty good results with chatGPT but say to always use null-label in that new (know something about me) section which seems to make it more useful. It’d be super nice if it the openAI model got trained on stuff like code documentation more frequently.. but alas

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

In ChatGPT, I wish I could have multiple “about me” because the prompts need to be different, as I wear multiple hats.

Matthew James avatar
Matthew James

It also isn’t smart enough to like figure out when not to use those hints, it seems to wanna jam that knowledge into everything even if it only loosely relates

this1
Tyrone Meijn avatar
Tyrone Meijn

I will not be able to join, but found this an interesting article: https://blog.sicuranext.com/aws-waf-bypass/. I therefore also had a couple of questions, hopefully you can represent the topic:

• What is the general opinion of AWS WAF? Do y’all think it’s a mature product?

• Do you implement AWS WAF for your services or do you think there is a better product for it?

• If you implement AWS WAF, do you implement a lot of custom rules or only (mostly) the AWS Managed Rules?

AWS WAF Bypass: invalid JSON object and unicode escape sequencesattachment image

In recent times, the security community has been witnessing an increasing number of reports from researchers highlighting various bypass techniques targeting AWS Web Application Firewall¹. These bypasses have brought to light not only the absence of certain critical features but also the reliance on default configurations commonly used with both

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
06:00:41 PM

@here office hours is starting in 30 minutes! Remember to post your questions here.

SweetOps avatar
SweetOps
09:28:28 PM
venkata.mutyala avatar
venkata.mutyala

I ended up trying your suggestion and WAF -> ALB -> NLB (ALB is pointed to the private IPs of the NLB) and it seems to be working as expected. I’m unclear on what the benefit of doing WAF -> NLB -> ALB -> NLB achieves but regardless, I have a working path. Thanks for the help @Matt Calhoun!!

1
venkata.mutyala avatar
venkata.mutyala

@BATeller Thanks for the idea. I successfully tested WAF -> CloudFront -> NLB

2023-08-03

managedkaos avatar
managedkaos
Rethinking infrastructure as code from scratchattachment image

Recently I’ve been thinking a lot about infrastructure complexity, and the current state of infrastructure as code. This is problem space that many talented people are tackling.

1
Jim Park avatar
Jim Park

I think it’s definitely a good idea. Marry this to a sophisticated model for deploying and maintaining the state of infrastructure as code (infrastructure has this annoying tendency to change over time!), then I think we’ll be cooking!

Rethinking infrastructure as code from scratchattachment image

Recently I’ve been thinking a lot about infrastructure complexity, and the current state of infrastructure as code. This is problem space that many talented people are tackling.

kallan.gerard avatar
kallan.gerard

I agree with the parts, about Infrastructure under IaC will only get more complex, generic modular abstractions over IaC being unmaintainable and that IaC could learn alot from modern CSS ecosystem. I don’t agree with the solution being typescript based.

kallan.gerard avatar
kallan.gerard

I’m curious if Cuelang could provide a good-enough attribute based intermediary to raw TF and k8s manifests without the drawbacks of modules and helm etc

Mike Shade avatar
Mike Shade

the model that System Initiative is cooking up looks really cool.

2023-08-04

2023-08-07

managedkaos avatar
managedkaos
Bram Moolenaar, Author of the Open Source Vim Code Editor, Has Diedattachment image

Vim is one of the most popular programming editors of all time, a simple text editor that still survives in the age of Visual Studio, Emacs and other, fancier, code editors.

2023-08-08

2023-08-09

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
06:00:38 PM

@here office hours is starting in 30 minutes! Remember to post your questions here.

Alanis Swanepoel avatar
Alanis Swanepoel

if you have time (this could become quite deep) how do you protect against downfall and ras poisoning when working with multi-tenant environments (some cloud providers might be more prone to this than others, due to bad architechture)

1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

What does “ras” refer to?

Jonathan Eunice avatar
Jonathan Eunice

Thoughts about using AWS WAF and/or (Advanced) Shield for rate-limiting / DOS protection? WAF rate limiting seems valuable; Advanced Shield seems potentially $$.

Nenna avatar

Links from today’s office hours:

https://thenewstack.io/bram-moolenaar-author-of-the-open-source-vim-code-editor-has-died/ https://aws.amazon.com/blogs/aws/mountpoint-for-amazon-s3-generally-available-and-ready-for-production-workloads/ https://arstechnica.com/gadgets/2023/08/backblaze-probes-increased-annualized-failure-rate-for-its-240940-hdds/ https://www.warpstream.com/blog/kafka-is-dead-long-live-kafka https://opensourcewatch.beehiiv.com/p/mirantis-unveils-k0smotron-opensource-streamlined-kubernetes-management-project https://github.com/yonahd/kor https://github.com/danswer-ai/danswer https://github.com/28mm/blast-radius https://www.theverge.com/2023/8/9/23824562/slack-redesign-app-dms-activity-later https://venturebeat.com/programming-development/aws-unveils-build-a-new-accelerator-program-for-early-stage-startups-from-around-the-globe/ https://github.com/padok-team/burrito https://github.com/kubernetes/kubernetes https://github.com/Skarlso/crd-bootstrap https://www.humblebundle.com/books/devops-2023-oreilly-books?charity=12390931 https://github.com/Isawan/terrashine https://nrkbeta.no/2023/01/19/the-road-to-nrks-private-terraform-registry/ https://aws.amazon.com/about-aws/whats-new/2023/08/amazon-eks-configure-efs-shared-file-storage/ https://aws.amazon.com/blogs/aws/new-improve-amazon-s3-glacier-flexible-restore-time-by-up-to-85-using-standard-retrieval-tier-and-s3-batch-operations/ https://aws.amazon.com/about-aws/whats-new/2023/08/aws-datasync-copying-data-other-clouds/ https://downfall.page/ https://wired.me/technology/a-trippy-visualization-charts-the-internets-growth-since-1997/ https://aws.amazon.com/snowmobile/ https://www.wired.com/story/apple-new-password-manager-2fa-iphone-ipad/#intcid=_wired-bottom-recirc_ade29f42-cc7a-4779-bf6d-06662126039c_wired-content-attribution-evergreen https://docs.cloudposse.com/reference/best-practices/terraform-best-practices/#docusaurus_skipToContent_fallback https://docs.aws.amazon.com/whitepapers/latest/security-design-of-aws-nitro-system/the-ec2-approach-to-preventing-side-channels.html https://aws.amazon.com/security/security-bulletins/AWS-2023-005/ https://aws.amazon.com/security/security-bulletins/AWS-2023-006/ https://aws.amazon.com/security/security-bulletins/AWS-2023-007/ https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore https://buildbot.net/ https://zuul-ci.org/docs/zuul/3.5.0/index.html https://buck2.build https://medium.com/@taleodor/using-monorepo-do-not-rebuild-unchanged-components-in-ci-c386e7c03426 https://aws.amazon.com/blogs/security/three-most-important-aws-waf-rate-based-rules/

Vlad Ionescu (he/him) avatar
Vlad Ionescu (he/him)

Oh, also if you end up spending more than $3k on AWS WAF it is cheaper to just get Shield Advanced which covers the costs: https://blog.elva-group.com/how-to-save-thousands-of-dollars-on-aws-waf

Vlad Ionescu (he/him) avatar
Vlad Ionescu (he/him)


if you’re spending over $3000 per month on Web ACL and Rule fees, you can effectively cap those costs at $3000 and prevent them from spiraling further as your number of AWS accounts grows by subscribing to AWS Shield and enrolling your resources

Matthew James avatar
Matthew James

Just gonna throw a comment in here, that AWS staff have confirmed to me on calls that EC2 does share cores, that’s how we have stuff like burst unlimited etc (and as the commenter shared cpu steal). There is options to not share cores and have dedicated tenant hardware in EC2 (which sometimes can be a requirement for high security environments) see (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/dedicated-instance.html).

AWS Nitro however is an AWS developed hypervisor that has hardware based security offloading that’s designed to help keep tenants isolated from one another, and likely had optimisations of the cores itself to help reduce steal etc - it seems like they also some mitigations against this sidechannel style attacks in the nitro framework itself.

Dedicated Instances - Amazon Elastic Compute Cloud

Run an Amazon EC2 instance on single-tenant hardware that is physically isolated from other AWS instances and accounts.

2023-08-10

venkata.mutyala avatar
venkata.mutyala
1
venkata.mutyala avatar
venkata.mutyala

I wonder if spacelift will be impacted?

venkata.mutyala avatar
venkata.mutyala

It’s technically competing with Terraform cloud. But terraform cloud isn’t an OSS project. However the tool, terraform itself is.

Eamon Keane avatar
Eamon Keane

That’s pretty crazy. Maybe there’s enough engineers with env0, Spaceflit, infracost to fork Terraform?

Security patches only until December 2023. Providers still open source and will presumably have breaking changes so fork prob not viable, unless if maybe GCP, Oracle, AWS and Azure chip in a few million per year.

So I’d say they’ll be shutting down.

venkata.mutyala avatar
venkata.mutyala
diggerhq/open-terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. This is an open-source fork of Hashicorp’s Terraform that keeps the MPL license, following Hashicorp’s annoutcing change of license to BSL. The fork is created and maintained by Digger.dev, an open-source CI runner for IaC.

1
venkata.mutyala avatar
venkata.mutyala
What HashiCorp’s license change means for Spacelift customersattachment image

HashiCorp’s license change - what does it mean in practice and how does it impact us.

venkata.mutyala avatar
venkata.mutyala
What HashiCorp’s License Change Means for env0 Customers | env0attachment image

On August 10th, HashiCorp made an important announcement, signaling a shift in its product licensing strategy. Here’s what env0 customers need to know.

venkata.mutyala avatar
venkata.mutyala
Weaveworks statement for Terraform customers on Hashicorp license changesattachment image

Hashicorp recently announced licensing changes to many of their open source products, including Terraform. Learn how this may impact you and what it means for competing solutions.

venkata.mutyala avatar
venkata.mutyala

I *think* they updated their FAQ:

https://www.hashicorp.com/license-faq

cc: @Erik Osterman (Cloud Posse) @Vlad Ionescu (he/him)

1
venkata.mutyala avatar
venkata.mutyala
Spacelift latest statement on HashiCorp BSLattachment image

A more comprehensive update on the impact of the recent HashiCorp license change on Spacelift and our customers.

1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
OpenTF Foundation

The OpenTF Foundation. Supporting an impartial, open, and community-driven Terraform.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

2023-08-11

ashutoshsajan1213 avatar
ashutoshsajan1213

here I am getting this error when calling this action, and I am testing with act locally

- name: Tests
        uses: cloudposse/github-action-docker-compose-test-run@main
        with:
          file: ./docker-compose.yml
          service: my-app
          command: npm test

[Run test suits/build] Success - Main Start stack [Run test suits/build] Run Main Test [Run test suits/build] docker exec cmd=[bash –noprofile –norc -e -o pipefail /var/run/act/workflow/9-composite-3.sh] user= workdir= Creating my-app_run … done /bin/sh: 0: cannot open npm: No such file | ERROR: 2 [Run test suits/build] Failure - Main Test [Run test suits/build] exitcode ‘2’: failure [Run test suits/build] Run Main Stop stacks

2023-08-12

2023-08-14

2023-08-15

jose.amengual avatar
jose.amengual

https://github.com/ergomake/layerform

I do not know if we talked about this one before

ergomake/layerform

Layerform helps engineers create reusable environment stacks using plain .tf files. Ideal for multiple “staging” environments.

Matthew James avatar
Matthew James

saw this on HN looks interesting

ergomake/layerform

Layerform helps engineers create reusable environment stacks using plain .tf files. Ideal for multiple “staging” environments.

2023-08-16

Matthew James avatar
Matthew James

https://registry.terraform.io/providers/ansible/ansible/latest/docs not sure if this got covered previously but it seems like folks are having a crack at ansible provider for TF. This is kinda interesting to my team as we do a lot of local exec to run ansible to configure machines after creation esp for stuff that you don’t want/cant point in an asg.

kunalsingthakur avatar
kunalsingthakur

you need to put the ansible playbook inside terraform or use git provider to point to repos to fetch collection of playbook

kunalsingthakur avatar
kunalsingthakur

yes instead of local-exec this is also good way to use it

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
06:00:36 PM

@here office hours is starting in 30 minutes! Remember to post your questions here.

Zain Zahran avatar
Zain Zahran

Few questions on Atmos & Terraform

  1. What is the best way to handle global or shared variables across different Atmos components? How do you combat warnings about excess variables when some components only require a subset?
  2. When using the terraform s3 backend property, how come things are stored as component/stack and not stack/component? Is there ways to change that or is it an important design choice?
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Sorry all! will bring back up next wednesday

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@Zain Zahran feel free to post this question in atmos

Zain Zahran avatar
Zain Zahran

Sounds good - will do, thanks!

2023-08-17

2023-08-22

Alex Atkinson avatar
Alex Atkinson
venkata.mutyala avatar
venkata.mutyala

Yes Igor announced this in office hours. He said he was going behind opentf

Alex Atkinson avatar
Alex Atkinson

I missed the last one.

venkata.mutyala avatar
venkata.mutyala

No worries. He mentioned it once and I don’t think I ever saw a formal update outside of that office hours call.

Alex Atkinson avatar
Alex Atkinson

Ha

Alex Atkinson avatar
Alex Atkinson

Well, we need something to take the place of Hashicorps Terraform sooner than later.

1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

DiggerHQ is a contributor to the whole OpenTF initiative

1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

The open-terraform repo was a bit premature.

1
Vlad Ionescu (he/him) avatar
Vlad Ionescu (he/him)

I’d argue OpenTF is also going

3
Matt Gowie avatar
Matt Gowie

@Vlad Ionescu (he/him) you attending office hours today? Would be interested to hear what you mean.

Vlad Ionescu (he/him) avatar
Vlad Ionescu (he/him)

I will, but I don’t wanna expand too much on it because it’s… cold and mean.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
Kelsey Hightower on X

I believe OpenTF, a fork of HashiCorp’s Terraform project, will end up growing Terraform adoption in the long run.

Take HTTP for example, which has many implementations, the adoption is higher than ever. TF has just become the HTTP of configuration management.

kunalsingthakur avatar
kunalsingthakur

Why?

1
Alex Atkinson avatar
Alex Atkinson

I’m going to trademark “Open ClickOps”

4

2023-08-23

Max Lobur (Cloud Posse) avatar
Max Lobur (Cloud Posse)

Did opentf ever get any answer from hashicorp?

venkata.mutyala avatar
venkata.mutyala
CNCF Announces Graduation of Kubernetes Autoscaler KEDAattachment image

The project was started in 2019, accepted into the CNCF Sandbox in March 2020 and moved into the Incubator in August 2021. Today it is used in…

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
06:01:12 PM

@here office hours is starting in 30 minutes! Remember to post your questions here.

elvis lim avatar
elvis lim

Where to get the link to the office hours zoom session?

elvis lim avatar
elvis lim

never mind I see it in the annoucements

William Galloway avatar
William Galloway

I tried to sign up for the office hours but i get a generic web error “invalid meeting id”

Gabriela Campana (Cloud Posse) avatar
Gabriela Campana (Cloud Posse)

Hi @William Galloway Did you manage to join the office hours yesterday?

David Lozano avatar
David Lozano

Hello, maybe someone can give me some feedback on this question on today’s office hours.

Can atmos projects be managed/deployed by spacelift?

2023-08-24

managedkaos avatar
managedkaos

OK this one has me very, very interested. I’ve always thought of Excel as the perfect tool to bridge engineering and business tasks. This would make it that much more awesome.

2023-08-29

venkata.mutyala avatar
venkata.mutyala
OpenTF on Xattachment image

OpenTF fork preview

End-to-end encryption for state files!

This feature has been blocked since 2014.

It’s experimental for now; official RFC coming soon.

Share your feedback & join the discussion on GitHub.

https://t.co/K2iyYBivf2

4
fast_parrot1
party_parrot1
nyan_parrot1
fiesta_parrot1
cool-doge1
1
Sean avatar
Amazon VPC CNI now supports Kubernetes Network Policies | Amazon Web Servicesattachment image

Introduction Today, we’re excited to announce the native support for enforcing Kubernetes network policies with Amazon VPC Container Networking Interface (CNI) Plugin. You can now use Amazon VPC CNI to implement both pod networking and network policies to secure the traffic in your Kubernetes clusters. Native support for network policies has been one of the […]

2

2023-08-30

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
06:01:35 PM

@here office hours is starting in 30 minutes! Remember to post your questions here.

Matt Gowie avatar
Matt Gowie

Office hours topic for next week: What are folks using for using internal dev documentation / wikis? A client has their docs split across many areas and we’re looking to help them with this. I started to reach for GitHub’s Wiki, but quickly realized it is no where near as full featured as I would like. Would love to hear of the free + open source options that are easy to use and enable simple, private access for dev teams.

2
Alanis Swanepoel avatar
Alanis Swanepoel

Historically used wordpress, but ghost is alot lighter.

venkata.mutyala avatar
venkata.mutyala

We have started using docusarus for some of our public facing docs. I believe cloudposse is using the same toolchain. So far it seems pretty powerful/flexible. If you have someone on the team that knows javascript it would probably help especially if you use some of their plugins or build your own. It also looks like a major release is coming out with breaking changes so before you lift and shift, you may want to just wait for the latest version: https://github.com/facebook/docusaurus/releases

Build optimized websites quickly, focus on your content | Docusaurusattachment image

An optimized site generator in React. Docusaurus helps you to move fast and write content. Build documentation websites, blogs, marketing pages, and more.

Moshe Eshel avatar
Moshe Eshel

I’m curious about other ideas in this space, this issue has been trouble since I started thinking about internal docs (going back at least 10 years). Never found anything that was everything,

Used StackOverflow for Teams (enterprise product) - which we had to work hard for developers to adopt, and still not completely - getting people to write questions, to edit and to answer - isn’t easy Google Docs - it just becomes a hot mess, although it’s a great document editing tool, and the search is phenomenal Confluence - a bit better than GDocs IMO (it has a better feel IMO for documentation, and automating stuff is slightly easier for dev workflows), my personal method is drafts in Gdocs and then you can actually copy/paste into Confluence without losing any significant formatting. Github Issues/Wiki - personally I love markdown as a format, and this is a great way to document a project, but search sucks, and if you have 600+ repos you are f&%^d Wiki (generic) - this is ugly and not fun, very hard to work with and navigate, if anyone offers - just say no! This problem requires a product that someone thought about for the specific use-case not a general use utility. Slack - no as well, nice for communication, sucks for authoritative docs

My current thought (project in research really) is a portal maybe based around backstage (or similar) - in which we have the documentation (SDKs, articles, etc) along with the service info (production state, deployments and status) - but we didn’t yet start at all (we don’t have a backstage installation yet)

Curious to see what others are doing

2023-08-31

omerfsen avatar
omerfsen

Guys have a question for ArgoCD or actually how to install helm release on different variables for different environments. So I think for ArgoCD we can provide different values.yaml file for each env but..

  1. so configuration switches are ok so we can use different values.yml for each environment. (or there may be other things which i am not aware hence this message?)
  2. What about Secrets? How you make sure argocd installs secrets securely or how do you handle secrets on an ArgoCD managed k8s env and installing helm charts requires secrets
venkata.mutyala avatar
venkata.mutyala

I am using external-secrets operator with hashicorp vault. However it doesn’t work well until after you have your cluster up and running. So the developers use it but when I’m deploying argocd and other core cluster components I am managing my secrets outside of vault/external-secrets/kubernetes

1
Moshe Eshel avatar
Moshe Eshel

on AWS we use Secrets Manager, there is a nice K8S plugin that can inject secrets, probably also an ArgoCD integration - never checked that, but the store is pretty good (as is HashiCorp Vault which we also worked with). What we do is save the paths, and that is the pointer, you can assign different permissions on each “folder” which allowed us to give developers permissions on their secrets, but not the more secretive secrets controlled by SecOps - but managed in the same service (this is supported by both tools).

omerfsen avatar
omerfsen

For cm and secrets change i will Use reloader stakater

    keyboard_arrow_up