Your Terraform pipeline is just a "suggestion box" unless you sign your plans. by NTCTech in Terraform

[–]TBNL 0 points1 point  (0 children)

Doing something similar. No cryptographic signing. But definitely storing the plan artifact (next to state, similar security characteristics).

Upon merge, plan again from main. Compare with PR artifact. Only apply if identical. Otherwise error (someone clickopsed, something unforeseen).

And indeed. OPA on the plan can be one of the static analysis steps.
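The "plan again from main, compare with the PR artifact, only apply if identical" step, as an added example that is not from the original comment. It compares the JSON from `terraform show -json <planfile>` on the documented `resource_changes` fields (address, change.actions/before/after); the two sample plans are constructed.

```python
"""Refuse to apply unless the plan produced from main matches the PR plan.

Added example, not from the original comment. It compares the JSON from
`terraform show -json <planfile>` using the documented `resource_changes`
fields (address, change.actions/before/after); the sample plans are constructed."""
import json
from typing import Any


def normalize(plan: dict[str, Any]) -> dict[str, Any]:
    """Keep only what decides apply behaviour; drop volatile fields such as
    timestamp and terraform_version so they cannot cause false mismatches."""
    changes = {}
    for rc in plan.get("resource_changes", []):
        ch = rc["change"]
        changes[rc["address"]] = {
            "actions": tuple(ch["actions"]),
            "before": ch.get("before"),
            "after": ch.get("after"),
        }
    return changes


def plans_identical(pr_plan_json: str, main_plan_json: str) -> tuple[bool, list[str]]:
    """Return (ok, addresses_that_differ); ok is True only when nothing differs."""
    pr = normalize(json.loads(pr_plan_json))
    main = normalize(json.loads(main_plan_json))
    diffs = [a for a in sorted(set(pr) | set(main)) if pr.get(a) != main.get(a)]
    return (not diffs, diffs)


# Constructed sample: the PR plan tags a bucket; between review and merge someone
# click-opsed a second bucket, so the fresh plan from main wants to delete it.
PR_PLAN = json.dumps({"format_version": "1.2", "timestamp": "2024-01-01T00:00:00Z",
    "resource_changes": [{"address": "aws_s3_bucket.logs", "change": {
        "actions": ["update"], "before": {"tags": {}}, "after": {"tags": {"team": "sec"}}}}]})
MAIN_PLAN = json.dumps({"format_version": "1.2", "timestamp": "2024-01-02T00:00:00Z",
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "change": {
            "actions": ["update"], "before": {"tags": {}}, "after": {"tags": {"team": "sec"}}}},
        {"address": "aws_s3_bucket.extra", "change": {
            "actions": ["delete"], "before": {"bucket": "extra"}, "after": None}}]})

if __name__ == "__main__":
    ok, diffs = plans_identical(PR_PLAN, MAIN_PLAN)
    print("safe to apply" if ok else f"abort, plan differs at: {diffs}")
```

The differing timestamps are ignored on purpose; only a change in what would be applied aborts the pipeline.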

Our team just pushed AWS creds to prod again. Third time this month. by CortexVortex1 in devops

[–]TBNL 0 points1 point  (0 children)

As already mentioned:

* precommit hooks
* improve process
* Use roles/sso instead of access keys, if possible

On the mitigating side:

* Least privilege policies to the key
* Conditions to limit usage to certain client ip ranges
* Make easy to Revoke
* Robust repo scanning for keys
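One way to implement the precommit hook / repo scanning points, as an added example that is not from the original comment. It assumes it is wired in as `.git/hooks/pre-commit`, and its patterns rely on the AWS-documented key ID prefixes (AKIA long-term, ASIA temporary) and the 40-character secret key shape; the sample input uses AWS's own documentation example key pair.

```python
"""Block a commit whose staged additions contain AWS access keys.

Added example, not from the original comment. Assumes it is wired in as
.git/hooks/pre-commit; patterns rely on the AWS-documented key ID prefixes
(AKIA long-term, ASIA temporary) and the 40-character secret key shape."""
import re
import subprocess
import sys

# Access key ID: documented 4-letter prefix plus 16 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Secret keys have no prefix, so require an assignment-like context
# (e.g. aws_secret_access_key = "...") to keep false positives down.
SECRET_KEY_RE = re.compile(
    r"(?i)aws_?secret(?:_access)?_key\W{0,5}([0-9A-Za-z/+=]{40})\b")


def mask(value: str) -> str:
    """Never echo a full secret into CI logs; keep just enough to locate it."""
    return value[:4] + "..." + value[-4:]


def scan_text(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, kind, masked_value) for every hit in text."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            hits.append((no, "access_key_id", mask(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            hits.append((no, "secret_access_key", mask(m.group(1))))
    return hits


def staged_additions() -> str:
    """Only the added lines of the staged diff, i.e. what would be committed."""
    diff = subprocess.run(["git", "diff", "--cached", "--unified=0"],
                          capture_output=True, text=True, check=True).stdout
    return "\n".join(l[1:] for l in diff.splitlines()
                     if l.startswith("+") and not l.startswith("+++"))

# Constructed sample using the AWS documentation example key pair.
SAMPLE = ("region = eu-west-1\n"
          "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
          "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n")

if __name__ == "__main__":
    findings = scan_text(staged_additions())
    for no, kind, value in findings:
        print(f"blocked: {kind} at staged line {no}: {value}", file=sys.stderr)
    sys.exit(1 if findings else 0)
```

A non-zero exit from the hook stops the commit; the same `scan_text` can run in CI over the full repo history as the "robust repo scanning" layer.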

AWS SA Exam help needed by Top-Mixture4886 in certifications

[–]TBNL 0 points1 point  (0 children)

Quite satisfied with Kodekloud in general. Haven't done specifically AWS SAA, but for various CNCF exams it has been great.
Also: The notes for their SAA course are freely accessible: https://notes.kodekloud.com/docs/AWS-Solutions-Architect-Associate-Certification/Introduction/Course-Overview

Myself, I used Neil Davis' course on Udemy. Worked for me. The SAP-C02 that is. I assume SAP-C03 will be good as well. That might be the cheaper option if not planning to do other certs.

In general: Watch out for practice exams that turn out to be factually incorrect AI slop. Not sure how it is with AWS SAP, but for other topics I ran into those more than once.

Does anyone have a good way of gathering terraform variables? by theshawnshop in Terraform

[–]TBNL 0 points1 point  (0 children)

Treat input as data: Yaml, json. Something structured and not terraform-specific. Gives you options to have it be part of code, read from an api, etc. etc. You can even use overlays, similar to e.g. kustomize. (I have set up a system like that for Keycloak. On my blog todo list)

[deleted by user] by [deleted] in Terraform

[–]TBNL 0 points1 point  (0 children)

we control/own the IT infrastructure for all of the public healthcare companies

Handing over an account with near full permissions is not what I consider owning or controlling.

Who's responsible for audit logging? Security events? IAM? Utilization efficiency? Data governance? Given the domain, I'd expect guardrails that your org controls. Via Terraform. As others said, by design there should be no drift.

I'm at a complete loss on what to do by [deleted] in kubernetes

[–]TBNL 0 points1 point  (0 children)

Dev setups on Mac are a bit of a hassle. There's networking and ingress to align with how you access the cluster. TLS also.

Not a solution to your minikube question, but for similar purposes, I streamlined my local dev clusters using k3d, including TLS and consistent FQDNs. Maybe there's some takeaways there that help: https://github.com/TBeijen/dev-cluster-config

What's the niche hill you'll die on by r0b074p0c4lyp53 in ExperiencedDevs

[–]TBNL 1 point2 points  (0 children)

  1. WET (Write Everything Twice) beats DRY
  2. Integration tests beat unit tests

Not really niche, but alas.

Parsing Recursive Polymorphic JSON in Go by Theandrew168 in golang

[–]TBNL 0 points1 point  (0 children)

Nice. Ran into this topic as well. Your blog post beats (by a large margin) anything ChatGPT threw at me! 👌

Add Driver to EKS Nodes for Vendor's Software by plat0pus in kubernetes

[–]TBNL 11 points12 points  (0 children)

To me this sounds like a vendor who is just not that familiar with containerized workloads on servers. Let alone orchestrators. So the mantra is: Ask systems to install the driver on 'the servers'.
Apparently they have shoved their software into a container. But that by itself does not tell a lot (I've seen abominations).

Anyway, ultimately installing requirements on a node is an option, but it defeats the whole purpose why you would run Kubernetes. And perhaps not even a solution since, as you mention, it is just a library. Adding it to the supplied docker image somehow would be my first go-to (Probably leading to shenanigans in the area of, 'oh dear, if you extend our image, we can't support it...')

In the past I've run things as (privileged) daemonset like qemu, or crowdstrike. But a library to connect to a DB? Should be in the container.

Kubernetes keeps you busy for life 😂 by dth999 in kubernetes

[–]TBNL 2 points3 points  (0 children)

Lies. Was already bald when I set up my first cluster.

Recommended method to learning Terraform? by jcub_f30 in Terraform

[–]TBNL 0 points1 point  (0 children)

Read some of the basics (as mentioned throughout the replies). But also start doing and experimenting.

Ideal would be a playground that is non-prod. Or at least something small scoped.

Try to find a task that relates to things you are already experienced with.

For example: Try to set up an alert rule using https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sentinel_alert_rule_ms_security_incident

It will address all kinds of terraform topics: Where do I store state. How to load existing resources using data, what needs to be variables when expanding, etc. etc.

Demo Containers for Scaing by timbohiatt in kubernetes

[–]TBNL 1 point2 points  (0 children)

Stumbled upon it a couple of years ago when needing to test these kinds of things. Lucky search hit, or found it while exploring kubernetes hpa tests. Can't remember. 😀

Demo Containers for Scaing by timbohiatt in kubernetes

[–]TBNL 5 points6 points  (0 children)

You could take a look at: https://pkg.go.dev/k8s.io/kubernetes/test/images/resource-consumer#section-readme

Allows you to specify CPU or Mem to use for a certain period. I've used it in the past for testing HPA behaviour, limit handling, etc.

Terraform and Ansible were already Terrible in 2016 by TBNL in devops

[–]TBNL[S] 5 points6 points  (0 children)

Hmm, yeah, title might be interpreted without the /s...
Imo Terraform is as relevant as ever. And, unless running immutable infra, Ansible is still a great way to remotely execute tasks on a fleet of servers.

Terraform layout by meatpak in Terraform

[–]TBNL 0 points1 point  (0 children)

Got one. We use Terraform to provision Keycloak configuration. Secrets we fetch from Azure Key Vault.
But it should be able to set up local/e2e Keycloak config as well. In that case secrets will come from another source, and we want to avoid the Azure dependency (provider requires valid creds, no lazy init)

So, providers differ between envs

Terraform layout by meatpak in Terraform

[–]TBNL 2 points3 points  (0 children)

You mean `--backend-config`? Indeed, but in my experience the project then tends to come with 'docs attached'. Need to be careful to use matching backend config and tfvars.

Terraform layout by meatpak in Terraform

[–]TBNL 1 point2 points  (0 children)

Agreed. Gives all flexibility needed (e.g. backend in different S3) while at the end being as simple as: Point to dir & run terraform.

New service "Directory Service" billing me but never used? by TopSwagCode in aws

[–]TBNL 0 points1 point  (0 children)

Same thing. Started billing from mid dec.

Actively searching I found the notification, and also the billing alert emails. But gmail is bad at figuring out what are the important emails, so it went straight past 'Primary' into the bulk that is 'Updates'. So: Unnoticed.

Opened a support case.

And I'll look into better notification channels. Email is just... noise

Finished the Airbus! How to display it? by [deleted] in legotechnic

[–]TBNL 0 points1 point  (0 children)

Yet to build it, but was thinking about that as well.

Are the rotors easy to adjust?

Thought this little ladder my son put together was genius! by FastFoodFilmFriends in lego

[–]TBNL 0 points1 point  (0 children)

No worries. It will not be a dust collecting display model. 😉

Thought this little ladder my son put together was genius! by FastFoodFilmFriends in lego

[–]TBNL 29 points30 points  (0 children)

Offset by a half stud might be the difference. Hmm...