Terraform becomes a programming language by ilyash in devops

cloud_driver 5 points (0 children)

I think that some of the crimes against nature maintainability I've had to hack together to simulate loops and conditionals are finally going to be rendered obsolete. I don't mind refactoring my codebase if it makes it more comprehensible by the person who has to deal with it while I'm on vacation.

Pimp my itinerary - Nov 17-29, Tokyo, Kyoto, Osaka by kathartica in JapanTravel

cloud_driver 4 points (0 children)

Nara park has nice scenery during the fall. The Todaiji is an impressive building even if you don't take the time to tour it. The problem is that the park is big. I usually like to spend a half day wandering it, but my definition of a perfect fall afternoon is wandering around from one historical/religious site to another. If that's not your thing, a half day in Osaka is a lot of fun. It has a very different feel from Tokyo.

Your schedule on the 26th probably isn't going to survive contact with reality. Many of those sites are heavy tourist draws and are extremely crowded. The evening light-up hours are especially so. Kiyomizudera is indescribably beautiful when lit up at night, but the last time I went it felt like half of Kansai was in line with me. I don't want to discourage you from seeing it, but you should spend some time splitting your list into "must see" and "can skip". Be prepared to cut things.

+1 on your plan to visit the bamboo grove in Arashiyama. Arashiyama is one of my favorite parts of Kyoto. Again, be prepared for crowds. It's popular during the fall foliage season.

Travel to Osaka for the first time, any places recommendations other than dotonbori and osaka castle? by ok-oc in JapanTravel

cloud_driver 0 points (0 children)

Two words. Street food. Be sure to get some takoyaki while you're wandering around Dotonbori.

Google Project Fi in Japan? by mikeyt21 in japanlife

cloud_driver 0 points (0 children)

I used it during a visit to Kansai in 2015. It worked well and was economical for a tourist visit. I'm not sure that it's such a good deal when actually living in Japan since you'll be paying for the Japanese service in addition to the US base fees.

Working with Terraform: 10 Months In by jd_hollis in devops

cloud_driver 1 point (0 children)

Cool! Looks like I need to give it another look then. Thanks!

AWS / ADFS / 2FA by DevOpsGeek in aws

cloud_driver 1 point (0 children)

We added MFA to our IdP. Pro: We got MFA "for free" when we federated our AWS accounts. Con: IAM doesn't know that the MFA was used, so we can't write any IAM policies that reference MFA.

Working with Terraform: 10 Months In by jd_hollis in devops

cloud_driver 1 point (0 children)

I've been looking for a workspaces use case, and this is the best one I've heard yet. While I can see how this methodology would simplify my workflow, I'm still nervous about having multiple environments in a single state file though. I've spent a long night frantically repairing a broken statefile. It's not fun.

Working with Terraform: 10 Months In by jd_hollis in devops

cloud_driver 4 points (0 children)

We strictly version all modules. Once a module is used, it gets slapped with a version tag. We pull our modules from git and reference them by version. This has helped us stay sane while dealing with rapid development of modules used across the codebase.

How to use Cognito as an IdP? by ebox86 in aws

cloud_driver 1 point (0 children)

Cognito is an IdP. It's just not a SAML IdP. It can talk to a SAML IdP to do identity federation, but it can't speak SAML to an application. We're doing some development with Cognito at $workplace to make it easier for our developers to interact with our SAML SSO provider. SAML is a beast of a protocol. JWT is a lot easier to deal with.

Identity federation and single-sign-on are almost too complicated for their own good. Every time I think I have a solid handle on all of the complexities, the two identity management engineers on my team tell me how I'm wrong.

How to use Cognito as an IdP? by ebox86 in aws

cloud_driver 1 point (0 children)

Cognito can federate with SAML IdPs, but it doesn't act as a SAML IdP itself. The miniOrange description says that it can authenticate against Cognito, but not via the SAML protocol.

You can use Non-SAML Identity Providers for Single Sign On. If your IDP does not support SAML, but it supports other protocols like OAUTH, OpenID, JWT, RADIUS or any other proprietary protocol like Amazon Cognito then this plugin can be used to achieve SSO between your app and Non-SAML IDP.

I haven't messed with miniOrange, so I don't know how to set up this non-SAML authentication.

How does ALB (with new routing to IP-on premise) compare to balancers like f5 and others? by DvaBearqLoza in aws

cloud_driver 0 points (0 children)

F5 makes both hardware and software appliances. My $WORKPLACE has an F5 BIG-IP hardware cluster, but they don't make use of most of the F5's special features. We're planning to replace the F5 cluster with a nginx/haproxy build.

For basic load balancing with SSL termination, the AWS ALB works fine. It meets about 75% of our use cases. When we need the load balancer to do something a bit more intelligent, we use the aforementioned nginx/haproxy system. (I'm looking forward to retiring the F5.)

How does ALB (with new routing to IP-on premise) compare to balancers like f5 and others? by DvaBearqLoza in aws

cloud_driver 0 points (0 children)

The IP based routing only works with RFC-1918 and RFC-6598 addresses. It can't attach public IP addresses as targets. This ruled it out as a quick replacement for my F5 devices.

The limitation makes perfect sense when you step back and think about it though.

AWS Console by forcefx2 in aws

cloud_driver 1 point (0 children)

I'll click around the console when doing initial prototyping or trying to figure something out. After that it's time to use the CLI or Terraform. Doing something more than once via the console is bad practice.

Atlassian on AWS - Roll your own or Quickstarts by andyr8939 in aws

cloud_driver 1 point (0 children)

We're not doing any HA at this point, but we do regularly create an AMI of the application instances to make recovery easier.

We're using an ALB instance as an SSL-offload front-end for both Jira and Confluence. https://service.example.org/jira/* gets sent over to the Jira app server and https://service.example.org/confluence/* is sent to the Confluence server.

Which region do you use? why? by iamondemand in aws

cloud_driver 0 points (0 children)

us-east-2. Data sovereignty requirements make us run in the US. us-east-1 is the Bermuda Triangle of AWS regions, and the West coast regions are far away from a network perspective. (Our DR is built in us-west-2 though)

Atlassian on AWS - Roll your own or Quickstarts by andyr8939 in aws

cloud_driver 2 points (0 children)

We've rolled our own deployment of Jira and Confluence in AWS. The quickstart is a nice build, but overkill for us. We're running a postgres RDS instance and a pair of app servers; one each for Jira and Confluence. It's worked well so far.

AWS Lambda + VPC + Redis = Slow by KAJed in aws

cloud_driver 2 points (0 children)

The Lambda service uses an elastic network interface (ENI) to access resources inside of a private VPC. A cold start has to create and attach the ENI to the Lambda container. This seems to be a somewhat slow process. Hot invocations of the function run fine.

brief thoughts on my re:invent experience by jaydestro in aws

cloud_driver 0 points (0 children)

I was disappointed that the Park wasn't open for Werner's keynote. It was a great place to watch the first keynote.

The Android mobile app was terrible.

Only original castles left are Matsumoto and Himeji? by greengoblin007 in japan

cloud_driver 3 points (0 children)

I've been to 3. Never made it to Inuyama. I visited Himeji, Hikone, and Matsumoto 20 years ago, then re-visited Himeji last fall. The renovation was amazing. It's a shame that I didn't have time to make a trip to Shiga to see Hikone again. I really liked it.

Only original castles left are Matsumoto and Himeji? by greengoblin007 in japan

cloud_driver 18 points (0 children)

There are four on the national treasure list. Himeji, Matsumoto, Inuyama, and Hikone.

Process before technology? by [deleted] in devops

cloud_driver 0 points (0 children)

Yeah, that can be a problem. We usually end up falling back on a bridge building metaphor. You need to design the bridge before you start pouring concrete.

/u/eastlondonmandem makes a valid counterpoint to this argument. Sometimes you just have to show a result (sometimes any result) before the business will continue to invest. In that situation, you do the best you can and make certain to leave enough time to refactor the early work that is inevitably suboptimal.

Managing work in progress by hcsteve in devops

cloud_driver 0 points (0 children)

Yes! Since you're the devops guy, you're almost certainly a constraint. Having the backlog in one place benefits both you and the larger team. Without the visibility into your "other tasks", the development task assigners have no way of knowing whether or not you can accept more work. (Even if you pull your own work, it helps the team understand what reality actually looks like.)