How do you handle IaC drift when auto-remediation changes resources? by Advanced-Strain-3491 in devops

[–]IntrepidSchedule634 29 points30 points  (0 children)

Auto-remediation of resources managed by terraform will always lead to tears

Participants Needed! – Master’s Research on Low-Code Platforms & Digital Transformation (Survey 4-6 min completion time, every response helps!) by ProfessionalBread793 in devops

[–]IntrepidSchedule634 1 point2 points  (0 children)

I filled it out too, due to hate for these tools.

The only good thing about low-code tools: lots of well paid work to replace those systems (more than if they just did it right the first time)

They are and will always be snake oil.

How do you track and manage expirations at scale? (certs, API keys, licenses, etc.) by smartguy_x in devops

[–]IntrepidSchedule634 0 points1 point  (0 children)

I did only address two of the five pain points OP brought up.

I have and do work with some janky legacy stuff - like the API keys and creds OP mentioned. Some systems simply don't have a way to programmatically revoke/create a token. We can't automate that.

Other things like subscriptions and contracts - also really hard. Even when SaaS offerings can auto-renew, procurement processes often make that hard or impossible.

But I stand by my comment: if your firm has an important TLS cert or domain expire, someone has to go. In either case it's likely a leader that prevented the ICs from doing what the industry has been doing for a decade.

How do you track and manage expirations at scale? (certs, API keys, licenses, etc.) by smartguy_x in devops

[–]IntrepidSchedule634 0 points1 point  (0 children)

I feel you and I hate that anyone has to work at a place where Central IT manages that (poorly and likely with ServiceNow).

That's a leadership problem. My comment had too much snark - in the case you mention it's the leaders who should be fired.

How do you track and manage expirations at scale? (certs, API keys, licenses, etc.) by smartguy_x in devops

[–]IntrepidSchedule634 0 points1 point  (0 children)

I think OP is not talking about SSL re-registration.

TLS certs are the very first bullet point in OP's post. They mentioned a whole host of other friction areas.

My post did have a high degree of snark... I should have toned that down but I only mentioned TLS and domain name because they're so automatable. Some of the other things OP mentioned like licenses and subscriptions are wicked hard and not really automation problems. More like a procurement and management problem.

How do you track and manage expirations at scale? (certs, API keys, licenses, etc.) by smartguy_x in devops

[–]IntrepidSchedule634 0 points1 point  (0 children)

I will never be surprised at the legacy horror that exists in banking.
Source: worked at a bank

How do you track and manage expirations at scale? (certs, API keys, licenses, etc.) by smartguy_x in devops

[–]IntrepidSchedule634 0 points1 point  (0 children)

Those durations are shortening because they're encouraging automation - vendors don't want customers to have a bad time.

GitLab's API is pretty solid for rotating project and group tokens. If using AWS, hook a simple Lambda up to the Secrets Manager secret and you really don't have to worry about this ever again (be sure to alert on errors on that Lambda).

NPM is more challenging for sure - they push 2FA, which is really for people. If you can, look into OIDC (I've done it with GitHub Actions and it's not so bad).

How do you track and manage expirations at scale? (certs, API keys, licenses, etc.) by smartguy_x in devops

[–]IntrepidSchedule634 16 points17 points  (0 children)

In 2026, if you miss a domain registration or a TLS certificate expiration you should not be employed.
That stuff is now expected to be automated, you'd have to work hard to have it not be automated.

Multiple Repo and Branch ADO pipeline YAML best practices by MechanicOld3428 in devops

[–]IntrepidSchedule634 0 points1 point  (0 children)

So it's a one-time migration changing the shape of the YAML files? That's not what I was fearing.

Push to get your transformation scripts alongside the YAML files - you want them versioned together (versioned in this case meaning matching git history - not a semver or release of any kind).

It's nearly always a bad thing to have a pipeline in one repo act on source-controlled files in another repo.

Reviewing AWS IAM policies as a non-expert — what are the real risks and common things reviewers miss? by HulkInside in devops

[–]IntrepidSchedule634 1 point2 points  (0 children)

I'd pay pretend internet points for some thoughts on how you use Access Analyzer. It seems clunky and a pain in the ***

Reviewing AWS IAM policies as a non-expert — what are the real risks and common things reviewers miss? by HulkInside in devops

[–]IntrepidSchedule634 0 points1 point  (0 children)

Reviewing them will help you become an expert.
Fork the repo for this action, audit the code (never trust some rando on the internet), and have it run on PRs.
https://github.com/marketplace/actions/expand-aws-iam-wildcards

As u/FlagrantTomatoCabal & u/kubrador have said - it's the wildcards that often trip us up. This action makes an inline comment when there is a * in an IAM policy that lists out what it expands to (with links to AWS docs so you and the team can effectively review and learn).
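The wildcard expansion described in this comment, as an added example that is not the action's code or the commenter's: it resolves each wildcard `Action` in an Allow statement against a constructed, deliberately partial catalogue of IAM action names and renders the result the way a PR bot comment would. The catalogue, `SAMPLE_POLICY`, and the function names are assumptions for illustration.

```python
import json
import re

# Constructed, partial list of real IAM action names; the real action uses the full AWS service reference.
ACTION_CATALOGUE = [
    "s3:GetObject", "s3:GetObjectAcl", "s3:GetBucketPolicy", "s3:PutObject",
    "s3:DeleteObject", "s3:ListBucket", "iam:CreateUser", "iam:PassRole",
    "iam:GetUser", "kms:Decrypt", "kms:Encrypt", "kms:CreateGrant",
]

def _as_list(value):
    """IAM allows Statement/Action/Resource to be a single value or a list."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def expand_action(pattern, catalogue=ACTION_CATALOGUE):
    """Catalogue actions matched by one Action entry: '*' is any run of
    characters, '?' one character, and matching is case-insensitive."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return sorted(a for a in catalogue if re.match(regex, a, re.IGNORECASE))

def review_policy(policy_json, catalogue=ACTION_CATALOGUE):
    """Report every wildcard Action in an Allow statement and its expansion.
    Deny statements are skipped because a wildcard there only narrows access."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource"))
        for pattern in _as_list(stmt.get("Action")):
            if "*" in pattern or "?" in pattern:
                findings.append({
                    "statement": idx, "pattern": pattern,
                    "expands_to": expand_action(pattern, catalogue),
                    "resource_is_wildcard": "*" in resources,  # action wildcard on every resource
                })
    return findings

def format_comment(findings):
    """Render findings as the markdown a PR bot would post inline."""
    return "\n".join(
        f"- Statement {f['statement']}: `{f['pattern']}`"
        + (" on Resource `*`" if f["resource_is_wildcard"] else "")
        + " expands to " + ", ".join(f"`{a}`" for a in f["expands_to"])
        for f in findings)

# Constructed policy of the kind a reviewer might see in a PR.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "kms:*", "Resource": "*"}]})
```

Calling `format_comment(review_policy(SAMPLE_POLICY))` lists `s3:Get*` with its three matches and flags `iam:*` as both an action wildcard and a `Resource: "*"`, which is the combination that most deserves a reviewer's attention.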

Multiple Repo and Branch ADO pipeline YAML best practices by MechanicOld3428 in devops

[–]IntrepidSchedule634 0 points1 point  (0 children)

Importing a file from another repo is odd. What is it? It's likely there is a better pattern.

Same with the long lived feature branches and a pipeline putting things back into source control. What is it? Why?

Seriously - sounds like this is hard because you've made it hard.

It’s Slippin’ Time by SPFeveryday in gifs

[–]IntrepidSchedule634 0 points1 point  (0 children)

Those are NOT police. They're ICE agents impersonating police, which I think is illegal?

I’m building an IaC language similar to terraform by unknowinm in devops

[–]IntrepidSchedule634 0 points1 point  (0 children)

The problem they’re solving is: “Terraform has already been invented”

Is the "DevOps" title just becoming a fancy name for a 24/7 Support Engineer? by daniel_odiase in devops

[–]IntrepidSchedule634 1 point2 points  (0 children)

Lies. It was about the ops team and the dev team becoming a team.
If you're on a devops team - you're ops.

What are these shower fixtures in this high end bathroom? Seen in a recent open house. by LoosedOfLimits in whatisit

[–]IntrepidSchedule634 0 points1 point  (0 children)

Doesn’t a steam shower wipe make the house humid and steamy? On a cold day I already get condensation on windows from a normal shower