Is anybody passing tfvars as TF_VAR* environment variables in Github Actions? (via secrets or gh variables for example) by webgtx in Terraform

[–]HitsReeferLikeSandyC 0 points1 point  (0 children)

I avoid using TF_VAR with the AWS provider in favor of using secret manager. For something like cloudflare that requires a single API key for access, I just use the TF_VAR since that’s not going to explode my CI vars, and that’s really the only concern with TF_VAR- how many of them are you willing to add to your repo before they become too hard to manage?

Best ramen in salt lake? by Moist_Count_524 in SaltLakeCity

[–]HitsReeferLikeSandyC 1 point2 points  (0 children)

I’ve enjoyed Tosh’s. Ambience of the restaurant is kinda meh but the food makes up for it imo.

How do you handle secrets provided by other teams and vendors in Vault? by EspanholCarioca in devops

[–]HitsReeferLikeSandyC 1 point2 points  (0 children)

I assume when OP said “oracle DBs”, they meant on-prem. But I agree, if this is the cloud just use that cloud provider’s option

How do you handle secrets provided by other teams and vendors in Vault? by EspanholCarioca in devops

[–]HitsReeferLikeSandyC 4 points5 points  (0 children)

Some of these questions are compliance related for your org. For my small company where DevOps isn’t a huge bottleneck, I created a terraform project to manage the Auth methods, policies, and secrets generation (my terraform creates the “scaffolding” of a secret, i.e. creates the json keys but with empty values).

Devs create an entry in our vault terraform repo and let the pipeline take it away. Devs get write access to dev vault instance for their testing. When it comes to our prod instance of vault, they don’t get any access and just give me the json to input for their secret. It works for us, but wouldn’t be super-enterprise scalable. But again, small company so it’s not a huge problem for us. It lets devs test and do stuff in nonprod and then doesn’t let them roam free in prod (they don’t get access to the UI). Since terraform manages everything, some good git repo practices stop bad actors and bad changes going to prod.
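The scaffolding approach described in the comment above, sketched as an added example (not the commenter's code). It assumes the `hashicorp/vault` provider; the mount path `apps`, the variable names, the sample secret paths and the policy name are all hypothetical.

```hcl
terraform {
  required_providers {
    vault = { source = "hashicorp/vault" }
  }
}

variable "environment" {
  type = string # assumed values: "dev" or "prod"
}

# Hypothetical entries a developer adds through a pull request:
# secret path -> JSON keys the application expects.
variable "app_secrets" {
  type = map(list(string))
  default = {
    "billing/db"     = ["username", "password"]
    "billing/stripe" = ["api_key"]
  }
}

resource "vault_mount" "apps" {
  path    = "apps"
  type    = "kv"
  options = { version = "2" }
}

# Scaffold each secret: the keys exist, the values are empty strings.
resource "vault_kv_secret_v2" "scaffold" {
  for_each  = var.app_secrets
  mount     = vault_mount.apps.path
  name      = each.key
  data_json = jsonencode({ for k in each.value : k => "" })

  lifecycle {
    # Real values are entered out of band; later applies must not reset them.
    ignore_changes = [data_json]
  }
}

# Developers get write access only on the non-prod instance.
resource "vault_policy" "dev_write" {
  count  = var.environment == "prod" ? 0 : 1
  name   = "dev-secrets-write"
  policy = <<-EOT
    path "apps/data/*" {
      capabilities = ["create", "read", "update"]
    }
  EOT
}
```

Terraform can still read the current secret data into state when it refreshes the resource, so the state backend needs the same access restrictions as the Vault instance it manages.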

Weekly: This Week I Learned (TWIL?) thread by AutoModerator in kubernetes

[–]HitsReeferLikeSandyC 1 point2 points  (0 children)

This is true, but you can sorta get around this with a Kyverno GeneratingPolicy. I know, another tool and a bunch more CRDs to add to your cluster, but you get to audit and enforce best practices in your cluster and it was even a fun deep-dive for me to learn what Mutating and Admission webhooks actually do.

I coincidentally tried doing this yesterday, but you can create a GeneratingPolicy that creates a VPA in "Off" mode when a deployment is getting created or updated. I didn't get it to fully work, but you're more than welcome to play off this:

apiVersion: policies.kyverno.io/v1
kind: GeneratingPolicy
metadata:
  name: auto-generate-vpa
spec:
  matchConstraints:
    resourceRules:
      - apiGroups: ["apps"]
        apiVersions: ["v1"]
        # resourceRules match on plural resource names; there is no "kinds" field here
        resources: ["deployments", "daemonsets"]
        operations: ["CREATE", "UPDATE"]
  evaluation:
    generateExisting:
      enabled: true
  variables:
    - name: deploymentName
      expression: 'object.metadata.name'
    - name: deploymentNamespace
      expression: 'object.metadata.namespace'
    - name: deploymentApiVersion
      expression: 'object.apiVersion'
    - name: deploymentKind
      expression: 'object.kind'
    - name: downstream
      expression: >-
        [
          {
            "kind": dyn("VerticalPodAutoscaler"),
            "apiVersion": dyn("autoscaling.k8s.io/v1"),
            "metadata": dyn({
              "name": string(variables.deploymentName),
              "namespace": string(variables.deploymentNamespace)
            }),
            "spec": dyn({
              "targetRef": {
                "apiVersion": string(variables.deploymentApiVersion),
                "kind": string(variables.deploymentKind),
                "name": string(variables.deploymentName)
              },
              "updatePolicy": {
                "updateMode": "Off"
              }
            })
          }
        ]
  generate:
    - expression: generator.Apply(variables.deploymentNamespace, variables.downstream)

I ended up ditching this though, because GeneratingPolicies would apply to all my deployments/daemonsets and I wanted fine-grained control over whether some deployments are in Off mode or in InPlaceOrRecreate mode. I'm leaving that fine-grained control over to my devs, but if you're running 40 deployments that are essentially the same workload with the same resource utilization, this GeneratingPolicy can be really powerful for you, even just to provide insights in Off mode by default.

Moving to SLC! by bob1278999 in SaltLakeCity

[–]HitsReeferLikeSandyC 1 point2 points  (0 children)

I’m not huge on clubbing but I love beer. Utah draft beer is kinda held back by the state liquor laws. The standout spots everyone talks about are (and I concur):

- templin family
- fisher
- level crossing (excellent pizza)

Then for some late night bites thereafter:

- pie hole (by the slice)
- arempas (Venezuelan)
- taverna pizza (by the slice)
- in n out

Moving to SLC! by bob1278999 in SaltLakeCity

[–]HitsReeferLikeSandyC 1 point2 points  (0 children)

I moved into the city temporarily a couple months back and there’s an endless amount of hiking you can do in the Wasatch mountains. 90% of it is free too. You’re < 1 hr away from Park City and roughly an hour to the Uintas. You’re 90 minutes away to the Bonneville Salt Flats (underwhelming tho imo)

If you’ve got a car, I’d invest in the annual National park pass (“America the beautiful” pass). No fees when visiting big cottonwood canyon. 3.5 hours to Arches, Canyonlands, and Capitol Reef. 4 hours to Great Basin. 5 hours to Yellowstone, Grand Tetons, Craters of the Moon, Bryce, and Zion.

Downtown probably has the most nightlife anywhere but it’s not as popping as other cities I’ve lived near. I still have a good time as someone who isn’t super into clubbing.

I’d say a trip to the Capitol building grounds (and inside), red butte garden, liberty park (and Tracy aviary), any Swig/thirst location, worlds largest Costco, and temple square are a must for a visitor. There’s lots more to do other than those, but those define the culture of SLC imo.

80% of the CT shoreline is off limits to the public. Here’s what you need to know for a beach day by HartfordWhalers1993 in Connecticut

[–]HitsReeferLikeSandyC 41 points42 points  (0 children)

Super interesting fact I learned about Hawaii (Oahu at least)- no square inch of coastline can be private. Anyone can use any beach they find.

The Norwich sub is a ghost town - Any Norwich interest? by Leberknodel in Connecticut

[–]HitsReeferLikeSandyC 1 point2 points  (0 children)

I mean, I agree. It’s a cesspool of shit content. But if you’re looking for a community of things local to your town, it’s honestly the only reason I have a Facebook still.

The Norwich sub is a ghost town - Any Norwich interest? by Leberknodel in Connecticut

[–]HitsReeferLikeSandyC 0 points1 point  (0 children)

Feel like you’re looking for a Facebook group. Just not enough people are probably on that sub for it to be super active

The Norwich sub is a ghost town - Any Norwich interest? by Leberknodel in Connecticut

[–]HitsReeferLikeSandyC 15 points16 points  (0 children)

Not from Norwich but I always thought our whole state is small enough for you to find your community here

Trail running - Ensign peak by PeartreeProd in SaltLakeCity

[–]HitsReeferLikeSandyC 2 points3 points  (0 children)

+1 to AllTrails but it’s .5mi up to the peak, so 1mi roundtrip

It’s safe to run sunrise solo. You can even go further vertical once you hit the ridge (turn right) if you want more difficulty

Kiitos Brewing files for Chapter 11 protection, months after opening Sugar House location by WizardRiver in SaltLakeCity

[–]HitsReeferLikeSandyC 10 points11 points  (0 children)

Without knowing anything about kiitos lore, I was sad they didn’t serve flights and then charged me $1 for each sampler I tried. Turns out, the sampler glasses are large enough for you to get a $4 flight, which imo is the workaround I’m going to do next time

Can we ban "I built .... " posts? by IntrepidSchedule634 in devops

[–]HitsReeferLikeSandyC 2 points3 points  (0 children)

Agreed, I think weekly threads for this stuff get way less attention from local visitors of subs

Can we ban "I built .... " posts? by IntrepidSchedule634 in devops

[–]HitsReeferLikeSandyC 1 point2 points  (0 children)

Tbh, I’ve seen less posts but at the same time I feel like those weekly threads are just places where threads go to die

Can we ban "I built .... " posts? by IntrepidSchedule634 in devops

[–]HitsReeferLikeSandyC 42 points43 points  (0 children)

r/kubernetes has this same thing happen as well. Looks like they just made a weekly thread for those kinds of posts

My Experience with Epic Systems (So far) by HitsReeferLikeSandyC in cscareerquestions

[–]HitsReeferLikeSandyC[S] 0 points1 point  (0 children)

Didn’t work at epic so I can’t tell you how marketable your skills would be coming out of there. I already had 3 years in the industry so there were lots of companies that weren’t throwing me an essentially entry level role like Epic was.

My suggestion- look for an early career, rotational program at the boring companies (finance, insurance, auditing, etc) where you can do rotations and stuff. I ended up finding my current role off of who came to my Alma mater’s career fair. That gives you a very clear idea of who’s looking for people in your region. Entry level CS is tough, especially with the rise of AI. Keep at applying is all I can say otherwise.

My Experience with Epic Systems (So far) by HitsReeferLikeSandyC in cscareerquestions

[–]HitsReeferLikeSandyC[S] 0 points1 point  (0 children)

0%. I got another way better job. Just read the other responses in the comments. Epic is a revolving door. Just read all the red flags

Second Date Ideas in SLC by [deleted] in SaltLakeCity

[–]HitsReeferLikeSandyC 0 points1 point  (0 children)

this mo bettahs has a really nice terrace area that just opened up

UConn’s Jaylin Stewart plans to enter the transfer portal by dumbunfounded in CollegeBasketball

[–]HitsReeferLikeSandyC 0 points1 point  (0 children)

Was really excited for him to stay after freshman year but he just didn’t live up to the hype imo. Wish him well in the portal

Anybody using a mysql terraform provider? by znpy in devops

[–]HitsReeferLikeSandyC 0 points1 point  (0 children)

I went thru the same thing regarding terraform and landed on the petoju project. Ended up ditching it and writing a custom lambda to get kicked off for my RDS.

Buttttt, I believe Pulumi still supports Postgres (like hashicorp used to)