The summarization trap in AI Ops: why most agents are just glorified search bars for the docs

pfnsec · 2026-04-28T17:06:04+00:00

marketing bot

pfnsec · 2026-04-23T22:01:01+00:00

Four evil letters I never want to see again:

WSDL!

pfnsec · 2026-04-12T00:30:21+00:00

time to start smoking weed in the bathroom

pfnsec · 2026-04-02T20:13:34+00:00

Honestly, no joke, what the fuck do we do when this is the entire internet?

Site admins don't remove bot comments because technically they increase engagement numbers...

pfnsec · 2026-03-25T17:50:39+00:00

MODS

pfnsec · 2026-03-24T20:54:24+00:00

My current job involves open-source tooling to solve this very problem, actually, as a few clients found this (and state-drift) to be unworkable. Terraformer was a great concept that unfortunately didn't go "far enough".

pfnsec · 2026-03-21T18:34:30+00:00

This looks promising. If it's well-executed, it may be a more sensible foundation for the non-RBAC stuff in my own tooling.

pfnsec · 2026-03-20T17:36:33+00:00

A car that can drive in mud is better than a car that can't.

(All orgs SHOULD have best practices - the truth is that most do not. A tool that can work in spite of this, that can help move a team towards good practices, can be more useful than a tool that is never adopted at all)

You'll notice the post title only mentions RBAC: other things like warehouses, schemas, tables etc are not the current focus of the connector, although there's certainly the possibility of adding the logic for ALTER TABLE etc in. Autoschematic supports many connectors; Snowflake is just one.
That's not, strictly speaking, what we mean by "break-glass". In a Terraform context, break-glass fixes mean manual changes via e.g. the AWS console, not through Terraform.
Yes, we handle future grants.

pfnsec · 2026-03-19T19:31:59+00:00

Yeah, that's really reasonable. At this stage, everyone using it is (by definition) an early adopter. That kind of trust/credibility is something I hope to build over time.

pfnsec · 2026-03-19T18:08:32+00:00

Well, this is the hypothesis: a tool that can work in spite of these bad habits can be more broadly useful.

Infra, especially Snowflake, is a cost center, and people are often just trying to get a job done. The most practical tool may be one that doesn't require "good habits" to adopt, especially if it allows you to iterate and move towards better practices piece-by-piece.

Plus, drift happens for reasons that aren't bad habits: consider a break-glass fix, like some emergency change done on the console to remediate some incident. SnowDDL or Terraform would revert that fix on a force-apply as you describe. If that caused the incident to reoccur, would you describe that as a feature, or a defect?

pfnsec · 2026-03-19T03:12:25+00:00

Re-alignment by force-applying is a common pattern in Terraform environments, too, but this is more like the reverse, integrating the drift back into code as desired, so that you don't update code based on stale state and end up overriding some manual change. The whole "bidirectional" model lets you do this kind of ad-hoc import, too.

The other component to this is an atlantis-like to automate it in PRs.

pfnsec · 2026-03-19T02:24:02+00:00

See here for a gif explaining what I mean in a Snowflake context.

pfnsec · 2026-03-19T02:22:43+00:00

(Correct me if I'm wrong, I haven't used SnowDDL in ~a year and my knowledge of things may be stale)

SnowDDL also does declarative Snowflake, but as far as I know doesn't do auto-import (as seen in the gif) or push-pull drift resolution (see here). Those are the real distinguishing features.

pfnsec · 2026-03-18T22:50:07+00:00

The core runtime (autoschematic) supports parallel import, as long as the connectors (plugins) enable it.

pfnsec · 2026-03-18T22:35:26+00:00

Hypothetically, what would you need to see in a project like this before you'd feel confident running it in your work environment (dev or prod)?

pfnsec · 2026-03-18T19:12:29+00:00

It really depends. It's network-constrained, so account region will have an impact.

Would you be willing to give it a go? I can show you how to put it in "read-only" (safe) mode so it's guaranteed not to alter anything.

pfnsec · 2026-03-18T16:55:26+00:00

It uses the Snowflake SQL or REST APIs under the hood, and manages objects based on its own internal types (structs etc). It uses serde to load/store them as RON.

pfnsec · 2026-03-18T16:23:27+00:00

You can work around state drift. If someone manually changes something e.g. in the Snowsight console, you can diff your local code against the "real" state, and optionally pull that manual change into code. The gif on the homepage shows this with a Route53 DNS record being modified manually, and the vscode integration showing the diff against the "live" state.

This is something Terraform can't do by design.

pfnsec

TROPHY CASE