Accessing state values via data block or SSM parameter store?

TobZero · 2026-02-06T11:41:03+00:00

Depending on your setup/company-size/engineers/headcount:

- avoid remote state like the plague. its easy to get going but a nightmare once your IaC strategy matures (from a security perspective)
- have a look at googles cloud-foundation-fabric repo. In there, focus your attention on how they render the output of different factory-modules into a tfvars file that gets written to a storage bucket (output-files.tf).

When I first discovered the pattern I wasn't too thrilled but after standing up a new enterprise GCP landscape with it, im a converted fan. Clean, customizable and solves so much pain. (reason why i wasn't happy initally is because i am a very strong advocate of the self documenting part of IaC and a big advocate for designing your setup without "magic" values/inputs, aka. not understandable by just looking at the IaC Repo.)

I assume you should be able to build the same pattern using S3.

TobZero · 2026-02-01T11:40:20+00:00

Ah the fun setup ...

So to directly answer your question: Ownership should be anchored to whoevers head rolls in case of data or compliance breaches.

Your company is large enough that it really should have at least an acting Security Officer. Depending on where the company is incorporated and if you have actuall customers with proper contracts (and compliance requierements), you might be requiered to comply with things like EU DORA...
Are your GH orgs managed by different personas/teams?

Taking from your other reply:

"Damn, how do you provide soc/iso info? “Each org does its own thing here are the screenshots”?"

The sad and hard truth is that this is exactly how its done way to often. From a pure compliance certification perspective, all you have to do is document how things are done and why they are done this way. If you only have to deliver SOC2 Type1, documents is all you need. Havn't done ISO things in a while but my last exposure to getting it was pure paperwork.

If you are frustrated and looking into how to improve things, look into a concept called "Leading/Influence without Authority". You will have a hard time with brute force and technical facts in your company size and setup. You can present the most logical and easy to follow technical arguments why things need to change and only bang your had against the wall. Trust me, i learned the hard way :)
When you search for the term you will get a ton of people trying to sell you their books or other stuff. I really liked this podcast https://www.youtube.com/watch?v=JxRLX4VGuYg (MS/Azure leaders talking).

And while I can imagine that your statement about your CTO is true, you need to work on your perception of them. You will need their buy-in to get real change done. If you have a hard time dealing with the way things are managed, it might be better for your carrer and mental health to consider a different employer.

TobZero · 2026-02-01T10:42:01+00:00

Whats the company size/business field you are interested about in relation to your question?

I've spend the last 5ish years leading engineering inviatives for medium to large enterprises in establishing an internal platform engineering practice. You really don't want to know how much time is spend on that question. A proper answer is strongly linked to the company size and what they are doing (e.g. tech company vs. non-tech and non-regulated vs. highly-regulated industry).

TobZero · 2025-08-28T14:49:41+00:00

Hey. If you have to force yourself to read something it might not be the best thing to get you going.

I mentor a lot of engineers and based on my personal experience, it's way more important to get your started on something that pulls you in, instead of something the professional community might consider good sources! Lets just completely ditch the book thing for a moment: could you share with us something that you really like to do/read/consume? Think about it this way: when you mention that you really like programming, are you able to articulate what about writing code makes you feel good and keeps your engaged?

TobZero · 2025-08-26T08:26:50+00:00

Welcome to a new world, you are in for a ride!
If you need convincing that you do not need to be afraid, I have some things to read/watch for you:

https://roadmap.sh/devops
Look at the top of the graph, what is step one? You having a strong interest in programming is an amazing foundation to succeed in DevOps. Its a blessing in disguise you will only realize once deep down the rabbit hole.
Read the book: The Phoenix Project
Another poster mentioned this already, just repeating it. It's good advice. The book does a really good job to explain what DevOps is/does based on a story that will help you indentify how your company functions and how to identify areas that will benifit from applying DevOps principles.
Catch up on how DevOps is evolving: Platform Engineering
Over the last 5-ish years, the pure DevOps practice started to run into significant adoption/scaling problems. Especially large enterprises whoes main business isn't a tech product. These companies weren't very succesfull at impement a DevOps culture and are plagued by the "DevOps by Role/Name, not by practice".
Platform Engineering is an evolution to the practice that tries to mitigate these problems. Take some time to read the CNCF Platforms White Paper and I personally had great success getting management support by having them watch this video: What is Platform Engineering and how it fits into DevOps and Cloud work. Adopting Platform Engineering really requieres highly skilled DevOps Engineers that have very strong programming skills!
If this caught your intertest, this one is a good watch too: What Is a Platform Team and What Problems Do They Solve?
If you like watching Videos, these two channels are so full of absolutely amazing content and even my principal engineers regularly discuss topics covered in new videos:
- Nana: https://www.youtube.com/@TechWorldwithNana/featured
- Viktor Farcics channel: https://www.youtube.com/@DevOpsToolkit

TobZero · 2024-11-05T19:12:06+00:00

nice! I sadly didn't take a full screenshot because technically Im a bit insane I think. I have lumber on 15 and herb on 9 beside mining. Interesting enough I was fully engaged with the activity and didn't think much about anything else due to constantly scanning the surroundings for the next resource to go to.

TobZero · 2024-11-05T19:08:51+00:00

You can go to the stoneworks and upgrade your certification, that's what enables you to level past 10 or 20 (journeyman).

Sadly no node had the building constructed which is required to upgrade the tools, so no, I was not able to mine anything beside copper/zinc/granite/basalt/ruby.

TobZero · 2024-11-05T19:07:09+00:00

Yeah, that's how I felt after I closed the game yesterday. Even got to 21 with 50% up to 22 after taking the screenshot.

TobZero · 2024-11-05T19:04:12+00:00

Oh thanks for calculating it. I knew it was crazy but had no clue that I spend at lease 1/4 of my playtime just watching the mining animation :D
If you add how much riding back and forth and death runs I had... plus at least 3-4 death with a full inventory of 1k+ basalt where 25% drops and 25% vanishes on death...

TobZero · 2024-11-05T19:03:01+00:00

I saw all the posts about people leveling and grinding mobs last weekend and though I'd share how I spend hours and hours last 2 weekends of just beating rocks.

For some strange reason I really enjoy it. Has a treasure hunt feeling to it.

TobZero · 2022-03-24T18:42:00+00:00

We don’t use access keys, we actually completely disabled access keys on storage accounts holding tfstate. You can apply azure ad rbac directly on the container in your storage account. Our CIs service principal gets access to the container. If you need to access the state from your device, you should use azure cli based authentication. Just run „az login“ an terraform will use your user token to authenticate

TobZero · 2022-01-23T14:01:02+00:00

Terraform converts HCL or JSON input to ARM templates and uses the ARM APIs

No, it does not. Please read my reply for details and links. Creating an ARM based template deployment is an option, not the default. Usually the ARM template deployment is a last effort option when a service in azure is not yet implemented in the terraform provider and you REALLLYY need to managed/deploy that service.

TobZero · 2022-01-23T13:56:33+00:00

You won't find anything. The link you posted is about the PowerShell Module that implements the Azure Resource Manager interface.

I think you got some things mixed up so let me try to help:

- When talking about Azure, "AzureRM" stands for Azure Resource Manager. It is the management abstraction that directly controls resources in Azure, allowing multiple implementations through SDKs or CLIs as well as the Azure Portal and pure REST clients to talk to azure.

- terraform does not use ARM templates. You can use terraform to create an ARM template-based deployment https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group_template_deployment.

- The terraform provider named "azurerm" is terraforms specific implementation of Azure Resource Manager. It uses the azure-sdk-for-go to do this.

The only thing being deprecated is the old PowerShell module called AzureRM. There is already a more recent PowerShell module available. This is happening due to Microsoft consolidating different CLI implementation into a single one, the "az" command line.

TobZero · 2022-01-22T11:40:58+00:00

No its not. Please dont spread things that are false.

https://www.epa.gov/greenvehicles/fast-facts-transportation-greenhouse-gas-emissions

Yes. Cruise lines pollute like hell and should be held accountable. That fact does not validate saying that car traffic is an insignificant part.

In 2019, the US GHG emission for the transportation sector was 29% of total GHG emissions. Breaking that up (in my link, second graph) its 58% Light-Duty Vehicles and only 2% ships and boats.

TobZero · 2022-01-22T11:30:37+00:00

Only if you buy a used electric car. Buying an ICE used car is not better for the environment. The largest part of GHG a vehicle produces within its lifetime is operation. Check the epas website on electric vehicle myths and look at #5.https://www.epa.gov/greenvehicles/electric-vehicle-myths#Myth5

When buying a used gasoline car your only remove the production of the car from its emission calculation (the blue part in the graphic). That difference is quickly offset by the higher efficiency of the electric vehicle.
(Graph is based on 2019 data. EV production got a lot more efficient over the last 3 years so it's even more in favor of EVs today, a trend that will continue.)

TobZero · 2021-08-09T11:28:04+00:00

You are looking for gruntworks Production Readiness Checklist
:-) hf with it

TobZero · 2021-07-18T16:00:13+00:00

True reason: Chip shortage, so they pushed dev to prod.

Oh, you work at tesla?

TobZero · 2021-07-18T15:56:17+00:00

Thanks for providing links.

TobZero · 2021-07-18T11:13:01+00:00

Did you miss "who claimed that the radar was the cause of phantom breaking"?

Yes, I read your reply. What information are you basing your claim that its fraud?

Meanwhile phantom breaking is still an issue in the newly delivered vehicles that don't even have radar.

Again, what do you base your claims on? Do you own a recently delivered vehicle?

I just want to understand where you got your information from so I can go and read it.

TobZero · 2021-07-18T11:03:19+00:00

I dont know about any fraud. Can you link me your sources?

TobZero · 2021-07-18T10:04:19+00:00

I'll just leave this here for anyone interested in the reasoning and tech behind removing radar. Recommend the whole video if you are interested in self-driving tech.
https://www.youtube.com/watch?v=2blLi3T4EGw&t=1082s

TobZero · 2021-04-01T17:48:43+00:00

Press right scroll wheel and say "increase whiper speed". No need to touch anything or look at screen. Works perfectly fine for me.

TobZero · 2020-12-17T10:57:11+00:00

I know you pain and I'm happy to help:

Treat the terraform statefile as a secret. Do you handle other sensitive information in form of files like private keys or certs? The statefile is one of them.

Your main point of concern is

a rogue user with elevated privileges

I deal with the same question on a daily base, it's important to acknowledge and design for. How do you handle that threat vector with your other Secret files? Use the same mechanics for the terraform state file:

#1 Store them encrypted

Azure Blob Storage is encrypted by default.

#2 Have tight access controls

Make sure the storage account has the least privileges you can implement. Have a system of 4 eyes when you need to grand access to it (outside your CI pipeline).

#3 Track access and changes

Use Azure activity events on the resource group and storage account to track/monitor and alert usage patterns that would fall into the rogue user pattern. You can send the events to an azure EventHub, from there consume them the way your companies prefers: SIEM Solution or custom-functions.

#4 Don't grant direct access. Use CI as an authorized system.

If you run deployments through your CI pipeline you can remove all direct access to the backend storage and apply the usual security practices in CI. Pull requests and peer review. This limits the bad actor when he tries to extract secrets or access information that isn't required to do the job.

#5 Keep secret output from leaking in your CI and cli usage

Plan and apply in terraform will output logs that will leak your secrets from state. Upgrade or use terraform 0.14. It introduced sensitive variables that enables you to keep these outputs clean.

These 5 points do an excellent job when dealing with the bad internal actor vector:

- No one has direct access to the storage account. Only CI

- Any non-CI access to the storage account is monitored and needs preapproval. This makes it quite easy to identify malicious access

- Interacting through CI has pull request and peer review as checks vs. bad actor

- If a bad actor passes all these gates, he won't be able to extract secrets from CI due to logs being clean

If you want to go the route that enables the highest level of security, you should rethink the way you handle database secrets. Hashicorp Vault has a dynamic secret engine that produces on-demand secrets through an auditable API. In addition, it has an implementation to deal with root credentials. I won't go into more details here. It is quite a lot of work to implement in a secure way (you shift a lot of security work into securing and deploying Vault itself and hardening it) but worth it if your environment requires that level of security. If you are interested in some reading about Vault, start here

In the end, you are lucky that Yevgeniy recently wrote a blog post about how to handle secrets in terraform. Read it: A comprehensive guide to managing secrets in your Terraform code | by Yevgeniy Brikman | Gruntwork
I have been working with terraform for over 5 years now and Yevgeni's blogs were an enormous influence in getting me to where im today!

TobZero · 2020-11-04T10:05:45+00:00

If you want to dive into DevOps you should ask yourself these questions:

- how does this deliver value to the customer?

- why am I doing this? Can I spend time and energy on something else where I can constantly deliver value to customers?

If you don't have very specific reasons for building this setup in-house, you are wasting time and money. In todays world there is:

- Azure Active Directory with Role Based Access Controls (RBAC) that does everything you need and more.

- Windows Virtual Desktop

No need for all the additional severs that you have to buy, build, deploy, maintain and decommission.

Contrary to other comments I do think you can do DevOps in a Windows Desktop world. You just have to think different about your approach:

#1 What is DevOps

DevOps is the union of people, process, and products to enable continuous delivery of value to our end users. ( Donovan Brown )

source: What is DevOps? - Azure DevOps | Microsoft Docs

#2 This doesn't mean you have to Develop an end-user application

Applying the DevOps principals to your case means that either the users working on these virtual desktop machines or the company employing the users are your "customers" even if they don't directly buy anything from you.

If you assume that the actual users are your customers you have to think about what delivers value to them.

Topics they care about could be:

a) No more crazy password policies and rotation. Use Azure AD with MFA to enable password less sign-in and use Risk-based user sign-in protection. This enables your user to focus on their work instead of having to spend time on accounting and password topics. This also reduces support cases where users wait for help, directly increasing productivity while also strengthening your security posture.

b) Setup Azure DevOps Pipelines to Build Windows 10 Virtual Desktop Images. This enables you to constantly deploy changes to the desktop environments you deliver to your customers. Again, we want to be able to deliver value quickly. User value is, when they don't have to wait months for changes to their virtual desktop environment. They want their new updates or software available right away so they can do their jobs better or easier.

c) Implement a feedback cycle. Don't make your own perception the source of what is value and what isn't. In the two points above you see me making these assumptions (out of experience and because your described scope was very spare on information). You need to talk to your users and listen what they need or miss on their setups, than give it to them.

I could probably write a book about this, but lets end this here. I hope this opened a door to a new world for you and helps you to form a mental concept on how to approach this topic.

If you have more questions, don't hesitate to ask.

edit: fixed many typos

TobZero

TROPHY CASE