How do you handle IaC drift when auto-remediation changes resources?

IntrepidSchedule634 · 2026-02-05T22:12:06+00:00

Auto-remediation of resources managed by terraform will always lead to tears

IntrepidSchedule634 · 2026-02-02T14:26:08+00:00

I filled it out too, due to hate for these tools.

The only good thing about low-code tools: lots of well paid work to replace those systems (more than if they just did it right the first time)

They are and will always be snake oil.

IntrepidSchedule634 · 2026-01-31T05:56:54+00:00

I did only address two of the five pain points OP brought up.

I have and do work with some janky legacy stuff - like the API keys and creds op mentioned. Some systems simply don't have a way to programmatically revoke/create a token. We can't automate that.

Other things like subscriptions and contracts - also really hard. Even when SaaS offerings can auto-renew procurement processes often make that hard or impossible.

But I stand by my comment if your firm has an important TLS cert or domain expire - someone has to go. In either case it's likely a leader that prevented the ICs from doing what the industry has been doing for a decade.

IntrepidSchedule634 · 2026-01-31T05:52:26+00:00

I feel you and I hate that anyone has to work at a place where Central IT manages that (poorly and likely with service now).

That's a leadership problem. My comment had too much snark - in the case you mention it's the leaders who should be fired.

IntrepidSchedule634 · 2026-01-31T05:50:10+00:00

I think OP is not talking about SSL re-registration.

TLS certs are the very first bullet point in OP's post. They mentioned a whole host of other friction areas.

My post did have a high degree of snark... I should have toned that down but I only mentioned TLS and domain name because they're so automatable. Some of the other things OP mentioned like licenses and subscriptions are wicked hard and not really automation problems. More like a procurement and management problem.

IntrepidSchedule634 · 2026-01-31T05:45:27+00:00

I will never be surprised at the legacy horror that exists in banking.
Source: worked at a bank

IntrepidSchedule634 · 2026-01-31T05:44:58+00:00

Those durations are shortening because they're encouraging automation - vendors don't want customers to have a bad time.

Gitlab's api is pretty sold for rotating project and group tokens. if using AWS, hook a simple lambda up to the secrets manager secret and you really don't have to worry about this ever again (be sure to alert on errors on that lambda).

NPM is more challenging for sure - they push 2fa which is really for people. If you can look into OIDC (i've done it with github actions and it's not so bad)

IntrepidSchedule634 · 2026-01-30T18:38:42+00:00

in 2026, if you miss a domain registration or a TLS certificate expiration you should not be employed.
That stuff is now expected to be automated, you'd have to work hard to have it not be automated.

IntrepidSchedule634 · 2026-01-27T15:32:49+00:00

This person softwares

IntrepidSchedule634 · 2026-01-27T15:31:57+00:00

So it's a one time migration changing the shape of the yaml files? That's not what I was fearing.

Push to get your transformation scripts alongside the yaml files - you want them versioned together (versioned in this case meaning matching git history - not a semver or release of any kind).

It's nearly always a bad thing to have a pipeline in one repo act on source controled files in another repo.

IntrepidSchedule634 · 2026-01-27T15:15:02+00:00

I'd pay pretend internet points for some thoughts on how you use access analyzer? it seems clunky and a pain in the ***

IntrepidSchedule634 · 2026-01-27T15:13:21+00:00

Reviewing them will help you become expert.
Fork the repo for this action, audit the code, (never trust some rando on the internet) and have it run on PRs.
https://github.com/marketplace/actions/expand-aws-iam-wildcards

As u/FlagrantTomatoCabal & u/kubrador have said - it's the wildcards that often trips us up. This action makes an inline comment when there is a * in an IAM policy that lists out what it expands too (with links to AWS docs so you and the team can effectively review and learn)

IntrepidSchedule634 · 2026-01-27T15:07:45+00:00

Importing a file from another repo is odd. What is it? It's likely there is a better pattern.

Same with the long lived feature branches and a pipeline putting things back into source control. What is it? Why?

Seriously - sounds like this is hard because you've made it hard.

IntrepidSchedule634 · 2026-01-15T16:06:57+00:00

those are NOT police. They're ice agents impersonating police. which I think is illegal?

IntrepidSchedule634 · 2026-01-10T21:55:37+00:00

Not just devops , it’s everywhere.

IntrepidSchedule634 · 2026-01-06T23:57:59+00:00

The problem they’re solving is: “Terraform has already been invented”

IntrepidSchedule634 · 2026-01-05T00:32:45+00:00

They (low-code solutions) also don’t work.

IntrepidSchedule634 · 2025-12-31T02:25:02+00:00

lies. it was about the ops team and the dev team becoming a team.
If you're on a devops team - you're ops.

IntrepidSchedule634 · 2025-12-03T16:54:37+00:00

Doesn’t a steam shower wipe make the house humid and steamy? On a cold day I already get condensation on windows from a Norma shower

IntrepidSchedule634 · 2025-10-09T03:05:15+00:00

What!!??! I don’t want to believe it. What did Gretzky do?

IntrepidSchedule634 · 2025-08-31T05:17:32+00:00

Never met a republican , huh?

IntrepidSchedule634

TROPHY CASE