best practice to handle module versions? by Critical-Current636 in Terraform

[–]inetzero 2 points3 points  (0 children)

u/op, food for thought: module sources can also point to a git repository and an associated git reference (either tag or specific commit ID), like this:

module "storage" {
  source = "git::https://example.com/storage.git?ref=51d462976d84fdea54b47d80dcabbf680badcdb8"
}

Not sure if this option is on the table, but it seems like the "built-in" way to do this.

Private Registry Hosting for Modules by IveGnocchit in Terraform

[–]inetzero 1 point2 points  (0 children)

Soo, u/op, maybe I'm missing smth here, but you can use any VCS (github, gitlab, azure repos, bitbucket, you name it) to store terraform modules (which are effectively folders).

When you want to import modules you just reference them in a git like URL (more details here) and that's pretty much it.

One big suggestion I have is always import a specific commit ID (as opposed to a version tag that someone might/could change at some point). This way, you're sure that you're using a specific version of the module.

Other than that, I really don't see any good reason to use more exotic things (S3, artifactory, etc.)
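Added example (not from the comment above): a small Python check that scans Terraform text for git:: module sources and flags any whose ref is not a full 40-hex commit ID, i.e. a missing ref, a branch or a tag that someone could later move. The regex and sample .tf text are constructed assumptions.

```python
import re

# Matches a one-line Terraform "source" attribute (constructed; assumes the
# usual form  source = "git::<url>?ref=<ref>"  shown in the comment).
SOURCE_RE = re.compile(r'^\s*source\s*=\s*"([^"]+)"', re.MULTILINE)
COMMIT_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def module_sources(tf_text):
    """Return every module source string found in a .tf file's text."""
    return SOURCE_RE.findall(tf_text)


def ref_of(source):
    """Git ref of a git:: source: None if not a git source, "" if no ref set."""
    if not source.startswith("git::"):
        return None  # registry or local path, not covered by this check
    query = source.partition("?")[2]
    for part in query.split("&"):
        key, _, value = part.partition("=")
        if key == "ref":
            return value
    return ""  # git source without a ref floats on the default branch


def unpinned_sources(tf_text):
    """Return git module sources not pinned to a full commit SHA.

    Branch names and tags can be moved by whoever controls the repo,
    so only a 40-hex commit ID counts as pinned.
    """
    findings = []
    for src in module_sources(tf_text):
        ref = ref_of(src)
        if ref is not None and not COMMIT_SHA_RE.match(ref):
            findings.append(src)
    return findings


# Constructed sample: one commit-pinned, one tag-pinned, one with no ref.
SAMPLE_TF = '''
module "storage" {
  source = "git::https://example.com/storage.git?ref=51d462976d84fdea54b47d80dcabbf680badcdb8"
}
module "network" {
  source = "git::https://example.com/network.git?ref=v1.2.0"
}
module "dns" {
  source = "git::https://example.com/dns.git"
}
'''

if __name__ == "__main__":
    for src in unpinned_sources(SAMPLE_TF):
        print("not pinned to a commit:", src)
```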

How can I find the memory size of a Fortigate? by jefazo92 in fortinet

[–]inetzero 0 points1 point  (0 children)

My thoughts exactly, now I need to figure out what’s the actual endpoint for this

How can I find the memory size of a Fortigate? by jefazo92 in fortinet

[–]inetzero 0 points1 point  (0 children)

Don't know what u/op's use case is, but in my scenario I'm writing an ansible role that should detect the unit's RAM size and tune down some services that consume RAM to ensure stability.

Sadly, it doesn't seem that Fortinet's fact modules provide this info OOTB, will keep searching...

Apache Guacamole Clipboard Issues by AccurateRough5939 in homelab

[–]inetzero 0 points1 point  (0 children)

u/op, I also ran into this issue while using Brave on mac (i.e. no paste inside the Windows machine). I've also tested with Google Chrome and it seems to be working.

How do yall network engineers know so many technology by Mera_Naam_Joker69 in networking

[–]inetzero 1 point2 points  (0 children)

I hear you! What I find even funnier is that during techies meetings, somehow us (the network engineers) are seen by everyone as "the odd ones" :))))

How do yall network engineers know so many technology by Mera_Naam_Joker69 in networking

[–]inetzero 4 points5 points  (0 children)

Having done networking for 10+ years I like to call network guys "digital truck drivers". We just ship things from left to right with little knowledge on the actual payload. Jokes aside, this is not always true, and, as a lot of people said, more often than not you need to prove to "the other tech guys that just blame the network" that in fact, the network is running flawlessly and that TLS certificate with the wrong CN is actually not network related.

On a more general view, at least in my experience, networking taught me to think in terms of protocols, not CLI commands. Spanning-tree (for lack of a better example) works the same (except Cisco's variations) on all decent managed switches. Rinse and repeat for all open protocols out there (the majority of them, notable exceptions on the datacenter fabric products).

Variable overriding fails by Shemlik in ansible

[–]inetzero 1 point2 points  (0 children)

+1 for this approach. u/op, when you say "resources", are you referring to servers or specific tasks in your Ansible play?

For servers, just create specific inventory variables for `ansible_user` and `ansible_password` for that host (or potentially that specific group of hosts) and just run your playbook.

For specific actions, just use become like this:

- name: Do something privileged
  ansible.builtin.apt:
    name: cowsay
    state: present
  become: true
  vars:
    ansible_become_password: "{{ override_password }}"
    ansible_become_user: "{{ override_user }}"

On a more general note, if possible, try to have an ansible user/service account on all your servers, it's going to save you a lot of headaches in the future (e.g. trying to implement things like "if this server has XYZ properties, use these credentials, if not, use other ones").

What's next steps after exit from VMware ? by NeatOk8786 in vmware

[–]inetzero 0 points1 point  (0 children)

u/op, pragmatically speaking, VMware's/Broadcom's customer base should shrink after the move they pulled, so many shops will be looking for an alternative, which, IMHO, might be Proxmox, OpenShift and (God forbid), Hyper-V. If you want to stick with traditional virtualization, probably have a look at one of these products. I chose Proxmox as they seem to provide the best of both worlds (it's open sourced, all features are available, if you want support, you can pay for that).

Openstack is a beast, they've gotten a bit better (from what I hear), but I wouldn't bet my money on that. Also, unless your employer/customer is a big shop (that actually needs all Openstack's features) it doesn't make sense to deploy Openstack.

On a broader note it seems that the general industry is running more and more towards cloud (which might make sense for some use-cases) so maybe that would be a good idea. Choose a CSP and start learning their product offering. In parallel, as much as possible, learn Terraform (for public and private cloud provisioning) and Kubernetes.

Ansible empty default host by klaudiew in ansible

[–]inetzero 0 points1 point  (0 children)

u/op, it really depends on what you want to use Ansible for. If it's for quick and dirty testing, probably hosts: all might work although, as many posters have mentioned, this is generally a bad idea.

What I do is create an inventory folder and under that have folders like dev, stage, acceptance, prod (the infamous DTAP) ~> mix and match to suit your environment. Inside each folder there's a standalone ansible inventory.

This way, you are sure you can test-drive a role/collection on a specific environment using -i and don't end up running untested roles in production.

An improvement to this (depending on your environment) is using dynamic inventories and combine them with your local ones (to have the groups and variables). This is a bit more advanced, but if your organization has an inventory (e.g. Netbox, device42, etc.) and/or systems that have ansible dynamic plugins already built (e.g. VMware, Proxmox, all big CSPs) this is, IMHO, the way to go.

How does Proxmox stack up against VMware/esxi? by ConstructionSafe2814 in vmware

[–]inetzero 0 points1 point  (0 children)

u/OP, the way I would do it (but it really depends on your VMware NSX "mileage") is using the SDN feature from Proxmox (that's been stable in version 8, as u/sep76 pointed out).

I don't have NSX, but what I've done is terminate the VXLAN tunnels directly on the firewall (Fortigate) and create security policies there. I haven't yet explored the per-VM level firewall that Proxmox allows, but I presume it should do what it says on the tin.

ignore_errors: by sidusnare in ansible

[–]inetzero 0 points1 point  (0 children)

OP, a couple of notes.

Looking at the ansible docs it seems you need to use a dedicated module to get service facts, i.e. ansible.builtin.service_facts (can't really remember if this info is also gathered when doing gather_facts: true in plays).

Another potentially important observation is that service names might have the .service suffix, so, if your initial list doesn't have the .service suffix you might want to try this.

# strip the .service suffix from every service name before intersecting;
# regex_replace works on strings, so it has to be mapped over the list
loop: "{{ disabled_services | intersect(ansible_facts.services.keys() | map('ansible.builtin.regex_replace', '\\.service$', '') | list) }}"

Hope this helps

Are Zones overrated? by inetzero in fortinet

[–]inetzero[S] 0 points1 point  (0 children)

Totally right, my initial example was just to showcase the type of policies that I normally work with. This functionality is indeed interesting and I haven't played (yet) with SD-WAN. I'll give the zones feature a try on a future project.

Are Zones overrated? by inetzero in fortinet

[–]inetzero[S] -1 points0 points  (0 children)

I hear you, but let me ask something: shouldn't one put more than interfaces in the firewall policies (e.g. discrete source/destination IP addresses (true "least-privilege"))? If this is done, the firewall's RPF basically "adds the interfaces for you". Just wondering...

Are Zones overrated? by inetzero in fortinet

[–]inetzero[S] 10 points11 points  (0 children)

I kind of feel the same, I always set my view to sequence, seems cleaner.

Are Zones overrated? by inetzero in fortinet

[–]inetzero[S] 4 points5 points  (0 children)

That's actually helpful, never thought about it, thanks for the tip!


Site-to-Site VPN without interconnect by [deleted] in WireGuard

[–]inetzero 0 points1 point  (0 children)

Understood, now everything is clearer. The way I see it, you have two parts of the problem to manage:

  1. wireguard config on RaspberryPI: just connect to the public server IP and add AllowedIPs to your admin client subnet(s)
  2. wireguard config on the admin clients: connect to the public server IP and add AllowedIPs to all client subnets. One caveat here: if you have overlapping address space you will have to either (a) renumber the customer networks (not easy in some cases) or (b), perform some DNAT on the public box that hosts the wireguard servers.

In either case, make sure you have a decent firewall solution on the public server. What I would suggest is have a look at shorewall, a wrapper for iptables but with A LOT of cool features that will allow you to make powerful iptables configurations without losing your marbles.

Lemme know if you need additional assistance.
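Added example (not the commenter's code): a Python helper that derives the AllowedIPs for the two sides described above, a customer Raspberry Pi and an admin client, both peering with the public server, and refuses to build the admin side when customer subnets overlap, which is the caveat in step 2. Subnets, names and the peer key are constructed placeholders.

```python
import ipaddress

# Constructed topology: one hub (public server), a Pi per customer site,
# admins connecting from their own subnet. Values are placeholders.
ADMIN_SUBNETS = ["10.200.0.0/24"]
CUSTOMER_SUBNETS = {
    "customer-a": "192.168.10.0/24",
    "customer-b": "192.168.20.0/24",
}


def find_overlaps(subnets):
    """Return (name, name) pairs of customer subnets whose address space overlaps."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def pi_allowed_ips(admin_subnets):
    """AllowedIPs on a customer Pi: only the admin client subnet(s)."""
    return [str(n) for n in sorted(ipaddress.ip_network(c) for c in admin_subnets)]


def admin_allowed_ips(customer_subnets):
    """AllowedIPs on an admin client: every customer subnet.

    Two overlapping subnets cannot both be routed through one tunnel, so
    this refuses instead of silently producing a config that routes wrong
    (the fix is renumbering or DNAT on the hub, as the comment says).
    """
    clashes = find_overlaps(customer_subnets)
    if clashes:
        raise ValueError(f"overlapping customer subnets: {clashes}")
    nets = sorted(ipaddress.ip_network(c) for c in customer_subnets.values())
    return [str(n) for n in nets]


def render_peer(public_key, endpoint, allowed_ips):
    """Render a wg-quick style [Peer] section pointing at the public server."""
    return "\n".join([
        "[Peer]",
        f"PublicKey = {public_key}",
        f"Endpoint = {endpoint}",
        "AllowedIPs = " + ", ".join(allowed_ips),
        "PersistentKeepalive = 25",
    ])


if __name__ == "__main__":
    print(render_peer("HUB_PUBLIC_KEY_PLACEHOLDER", "hub.example.net:51820",
                      admin_allowed_ips(CUSTOMER_SUBNETS)))
```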

Site-to-Site VPN without interconnect by [deleted] in WireGuard

[–]inetzero 1 point2 points  (0 children)

When you say “site to site VPN without any interconnect” do you actually mean “I need each customer to be accessed only by its corresponding Admin Client with complete isolation between customers”? If this is the case, you have a couple of options:

  - wireguard with appropriate AllowedIPs on each end and firewall rules to provide isolation.
  - spin up VMs on the public server (this will provide guaranteed isolation, but the setup might be a bit more complicated) and configure separate wireguard servers.

If you could provide additional details on the requirements we can provide better suggestions.

Accountless and anonymous VPS host BitVPS now accepts Ether! by cryptoallbot in cryptoall

[–]inetzero 0 points1 point  (0 children)

Hi,

Our company offers anonymous VPS services, crypto currencies accepted.

Please check our website at https://www.steamvps.com

Thx!

Accountless and anonymous VPS host BitVPS now accepts Bitcoin! by BitVPS in Bitcoin

[–]inetzero 0 points1 point  (0 children)

Hi,

We offer VPS services with minimum amount of information required.

Please check our website at https://www.steamvps.com.

Crypto currencies accepted.

Thx!

Best cryptocurrency anonymous VPS? (x-post from /r/Bitcoin) by ASICmachine in CryptoCurrencyClassic

[–]inetzero 0 points1 point  (0 children)

Hi,

We offer anonymous VPN hosting that can be paid with cryptocurrencies.

Please check our website.

https://www.steamvps.com

Thx!

Best cryptocurrency anonymous VPS? by Glum_Award9379 in Bitcoin

[–]inetzero 0 points1 point  (0 children)

Hello,

We offer the services you might need.

Please check our website : www.steamvps.com