Open source IAM-as-code through IAMbic
Hello everyone!
We are working on an open-source IAM-as-code solution called IAMbic, and recently added AWS Service Control Policy support (AWS guardrails, typically used for compliance).
IAMbic represents your IAM in Git as YAML files (called iambic templates). An example repository of templates managed by IAMbic is here. The goal is that you can download IAMbic, and go from your cloud to code in ~10 minutes without needing to write any code. Any changes you make (via clicking in the cloud console, running `terraform apply`, etc.) are captured by IAMbic and updated in Git, so you have a running Git history of all IAM changes over time, and Git is an eventually consistent, reliable source of truth for permissions.
IAMbic templates are bi-directional, so when you want to start managing identities in IAMbic (like cookie-cutter engineering IAM roles or AWS SSO permission sets), you go through a GitOps workflow, get approval, and instruct IAMbic to apply the changes. We have some examples in our IAMOps Philosophy docs. If you want resources to be solely managed by IAMbic, you can instruct IAMbic to prevent drift on these resources.
You can also declaratively define temporary access or permissions in the format (Like: "I want userA to have access to the Salesforce app in Okta for 12 hours" or "I want to have S3 permissions to BucketA on the engineering role on the prod AWS account until DATE").
We're really looking for feedback because we want this to be a compelling solution. What are your thoughts? How can we make this better?
https://redd.it/13w4bb2
@r_devops
GitHub
GitHub - noqdev/iambic: IAMbic is Version-Control for IAM. It centralizes and simplifies cloud access and permissions. It maintains…
IAMbic is Version-Control for IAM. It centralizes and simplifies cloud access and permissions. It maintains an eventually consistent, human-readable, bi-directional representation of IAM in Git. - ...
Do you sometimes also feel like you're too slow?
Small rant.
2nd year in devops - working for a company built by devs for devs.
I had enough grit to learn to be able to build solutions in Python, Java and Go (or whatever other scripting language) in a decent manner.
You throw a problem at me and I fix it.
Have an idea? No problem - I'll make it happen.
Still. They make me feel like I'm too slow, like I'm not respected because of my ops background - but I think that in reality the tasks I get are novel enough to become slogs and need quite a bit of planning, experimentation and creativity to be finished. And more often than not some help from GPT to simplify and optimize code.
Every project is a context change for me and has more often than not never been done in our environment - most of the time using new technologies - and they still get angry that I'm just a tad faster than our junior devs (and I myself am a junior, find the error).
Next to that my focus is in stability - theirs is in getting it done yesterday.
Doesn't work as expected? Pff... just debug it 100 times till it works together with the devs.
Why do it right the first time?
The ones that actually think like me are my sysadmin friends. They understand me and my worries.
They know that we have to make blood sacrifices to the observability gods (as an example).
But for real now, what is going on?
I don't have a handful of techs I use for every single project because I'm specialized in doing one thing every day and because my solutions are routine.
I don't have any framework I can use as a crutch or any mentor to fall back on if the project is novel to everyone. Ok, no, even for the simplest stuff I don't have anyone to ask.
I don't even have a teammate and have to handle 30 devs.
I even do my own task planning and whatever else you need to do to keep the ball rolling in an efficient manner.
Is there someone else here in a similar situation?
Any thoughts?
https://redd.it/13vvnwg
@r_devops
Reddit
r/devops on Reddit: Do you sometimes also feel like you're too slow?
Posted by u/AemonQE - 4 votes and 6 comments
Rancher vs OpenShift opinions
I'm thinking of going with Rancher for cluster management and stuff. However, I'm aware there's also OpenShift. I'm wondering which of the two you guys recommend, and what are you basing this on? Seems to me Rancher is less opinionated and can manage any cluster, anywhere, while OpenShift seems more opinionated and likely more suited for workloads already on OpenShift. I might be wrong, just wanna hear your thoughts. I'm a noob to Kubernetes.
https://redd.it/13w5mz7
@r_devops
Reddit
r/devops on Reddit: Rancher vs OpenShift opinions
Posted by u/ncubez - No votes and 1 comment
Retriggering github workflow from github action
Hi,
I have a couple of different GitHub jobs that run when a PR is opened on my Terraform repo. The first job runs terraform format, and if there's a diff, it creates a commit and pushes it. This hasn't been an issue until recent updates to our GitHub Actions.
I recently added tflint and tfsec jobs with an integration to problem matcher so I can get annotations on the files that changed in the PR. The issue is, when terraform format does actually make a change, the follow-on jobs running tflint/tfsec put their annotations on the commit that triggered the action, not the commit that terraform format created. I've tried passing in the latest commit id, etc. and that doesn't seem to solve the annotations being on the previous commit instead of the latest commit.
Is there some way to basically re-trigger this workflow when terraform format creates a commit? I've tried doing a couple of things with passing in PATs vs the GitHub token but it seems like the GitHub Actions backend is still not firing the action. I feel like there is something obvious I'm not seeing but my rubber ducky isn't talking back lol.
Here's a little snippet of the github action file:
```yaml
name: Terraform Pipeline
on:
  pull_request:
    branches:
      - main
    paths:
      - terraform/**
permissions:
  id-token: write
  contents: write
  pull-requests: write
jobs:
  format:
    runs-on: ubuntu-latest
    steps:
      - name: checkout repo
        uses: actions/checkout@v2
        with:
          ref: ${{ github.event.pull_request.head.ref }}
      - name: Set up Terraform
        uses: hashicorp/[email protected]
      - name: Format Terraform code
        id: tf-fmt
        run: terraform fmt -recursive
        continue-on-error: false
      - name: Push changes to Pull Request
        run: |
          git config --global user.name "github-actions[bot]"
          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
          # --porcelain is stable and locale-independent, unlike grepping the human-readable status text
          if [ -z "$(git status --porcelain)" ]; then
            echo "Formatting ok, no changes made"
          else
            git commit -am "terraform fmt - PR #${{ github.event.pull_request.number }}"
            git push
          fi
  otherjobs:
    ...
```
https://redd.it/13w4kvy
@r_devops
Reddit
r/devops on Reddit: Retriggering github workflow from github action
Posted by u/bigbird0525 - 4 votes and 5 comments
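Two facts about the platform decide this. A push made with the workflow's own GITHUB_TOKEN deliberately does not start another workflow run (GitHub documents this to prevent recursive runs), so the check runs and their problem-matcher annotations stay attached to the commit that opened or synchronized the PR; a push made with a PAT or a GitHub App installation token does fire a new `pull_request` run for the new head. The least-privilege alternative is to not auto-commit at all: run `terraform fmt -check -recursive`, let the job fail with `contents: read`, and have the author push the formatted files. If the auto-commit stays, the step body below, an added example and not code from the post, commits only when the tree is really dirty and publishes the new SHA as a step output so later jobs can check out that exact commit (assumptions: git on PATH, user.name/user.email already configured, `PR_NUMBER` passed in from `github.event.pull_request.number`, and `GITHUB_OUTPUT` set by the runner):

```shell
#!/bin/sh
# Added example, not part of the original post. Step body for the "Push changes
# to Pull Request" step. Assumptions: git on PATH, commit identity configured,
# PR_NUMBER and GITHUB_OUTPUT provided by the workflow/runner (both optional here).
set -u

# tree_dirty: exit 0 when tracked files have uncommitted changes, 1 when clean.
# --porcelain is machine-readable and locale-independent, unlike grepping the
# human-readable "nothing to commit, working tree clean" text.
tree_dirty() {
  [ -n "$(git status --porcelain --untracked-files=no)" ]
}

# commit_if_dirty MESSAGE: commit all tracked changes and print the new HEAD SHA
# (return 0); print nothing and return 1 when there was nothing to commit.
commit_if_dirty() {
  tree_dirty || return 1
  git commit -q -am "$1" || return 2
  git rev-parse HEAD
}

# publish_sha SHA: expose the commit to downstream jobs as step output "sha"
# (read it as needs.format.outputs.sha after mapping it in the job's outputs).
publish_sha() {
  if [ -n "${GITHUB_OUTPUT:-}" ]; then
    echo "sha=$1" >> "$GITHUB_OUTPUT"
  else
    echo "sha=$1"
  fi
}

# format_step: the complete run: body.
format_step() {
  if sha=$(commit_if_dirty "terraform fmt - PR #${PR_NUMBER:-unknown}"); then
    publish_sha "$sha"
    git push
  else
    echo "Formatting ok, no changes made"
  fi
}
```

Downstream jobs then declare `needs: format` and pass `ref: ${{ needs.format.outputs.sha }}` to their checkout; that makes them lint the formatted tree, although annotations are still reported against the run's triggering commit unless the push came from a token that starts a new run.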
Creating ChangeLogs/Auto Tag Releases in mono-repo
I've been looking for a good system to automatically create ChangeLogs and tag commits for release. Seems like there are tons of options, but no consensus on what is widely used. Any advice/articles to point me in the right direction would be amazing.
Primarily use Azure Pipelines for work, but looking at gitea actions, GitHub actions, or gitlab for personal projects and would most likely self host.
Thanks in advance!
https://redd.it/13w7ir1
@r_devops
Reddit
r/devops on Reddit: Creating ChangeLogs/Auto Tag Releases in mono-repo
Posted by u/cuddebtj2 - No votes and no comments
Chef converge failing
My chef converge is failing at this resource
```ruby
execute 'import-rds-certs' do
  command "su - #{bamboo_user} -c \"#{bamboo_user_home_dir}/import-rds-certs.sh >> #{bamboo_user_home_dir}/import-rds-certs.log\""
  user 'root'
  not_if "su - #{bamboo_user} -c \"keytool -list -storepass changeit -noprompt -keystore #{bamboo_app_dir}/bamboo-jdk/#{bamboo_jdk}/jre/lib/security/cacerts | grep 'amazon rds us-east-2 #{aws_rds_cert_year}'\""
end
```
The script `#{bamboo_user_home_dir}/import-rds-certs.sh` is:
```sh
#!/usr/bin/env sh
OLDDIR="$PWD"
if [ -z "$CACERTS_FILE" ]; then
  # you should have JAVA_HOME configured to point to, for example, /usr/lib/jvm/default-java/jre/lib/security/cacerts
  CACERTS_FILE=$JAVA_HOME/jre/lib/security/cacerts
fi
mkdir /tmp/rds-ca && cd /tmp/rds-ca
echo "Downloading RDS certificates..."
curl https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem > rds-combined-ca-bundle.pem
csplit -sk rds-combined-ca-bundle.pem "/-BEGIN CERTIFICATE-/" "{$(grep -c 'BEGIN CERTIFICATE' rds-combined-ca-bundle.pem | awk '{print $1 - 2}')}"
for CERT in xx*; do
  # extract a human-readable alias from the cert
  ALIAS=$(openssl x509 -noout -text -in $CERT | perl -ne 'next unless /Subject:/; s/.*CN=//; print')
  echo "importing $ALIAS"
  # import the cert into the default java keystore
  keytool -import -keystore $CACERTS_FILE -storepass changeit -noprompt -alias "$ALIAS" -file $CERT
done
cd "$OLDDIR"
rm -r /tmp/rds-ca
```
However, I am getting an error that I could not execute this resource
================================================================================
Error executing action `run` on resource 'execute[import-rds-certs]'
================================================================================
Mixlib::ShellOut::ShellCommandFailed
------------------------------------
Expected process to exit with [0], but received '127'
---- Begin output of su - bamboo -c "/home/bamboo/import-rds-certs.sh >> /home/bamboo/import-rds-certs.log" ----
STDOUT: ':lc' .:ll;. .;llc'
cllll;. .;llll:. .,cllllc
lllllll:' .:lllllc. .,:lllllllc
lllc;clll:'. .:llllllc, .':llllc,,clll
lll;..,clllc,. .:lll:cl:'.';clllc;. .:llc
lll; .':lllc,. .:llc..'';clllc;'. .:llc
lll;. ':llll;. .:c,'',:llll:'. .:llc
lll; .;llll:. .',:llll:,'',. .:llc
llo; .;clll:'. .';clllc;. .;lll, .:llc
lll; .,clllc,. ..,;clllc;'. .:lll;. .:llc
lll; .':llc'..,clllll:,''. .;lll:. .:llc
lll; ..'',:lllll:,.';cc. ,lllc. .:llc
lll; .':llllc,''...:olc. 'clll, .:lll
lll; ..;clllc;'.,:cc:;cllc. .clll;.:lll
lll; .,cllll:'. .,clllllllc. .:lllclllc
lll; .,:llll:,. ..,cllloc. .;llllllc
llo; .':llllc,. .';;,. ,llllll
lll;. ..;clllc;. 'clll;
lll:';cllll;'. ....
llllllll:'.
lllll:,.
Environment = local
Hostname = <sensitive info>
Username = bamboo
IP Address = <sensitive info>
OS Version = Amazon Linux 2
Box Admin = <sensitive info>
################################################
STDERR: /home/bamboo/.bashrc: line 2: $'\r': command not found
/home/bamboo/.bashrc: line 9: syntax error: unexpected end of file
/home/bamboo/.bash_profile: line 21: rbenv: command not found
/home/bamboo/.profile: line 2: $'\r': command not found
: No such file or directory
---- End output of su - bamboo -c "/home/bamboo/import-rds-certs.sh >> /home/bamboo/import-rds-certs.log" ----
Ran su - bamboo -c "/home/bamboo/import-rds-certs.sh >> /home/bamboo/import-rds-certs.log" returned 127
I am just confused, what do
STDERR: /home/bamboo/.bashrc: line 2: $'\r': command not found
/home/bamboo/.bashrc: line 9: syntax error: unexpected end of file
/home/bamboo/.bash_profile: line 21: rbenv: command not found
/home/bamboo/.profile: line 2: $'\r': command not found
have to do with the `su - #{bamboo_user} -c "#{bamboo_user_home_dir}/import-rds-certs.sh"` command?
https://redd.it/13w60lw
@r_devops
Reddit
r/devops on Reddit: Chef converge failing
Posted by u/DevOps_Noob1 - No votes and 6 comments
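The STDERR lines are not noise from the Chef resource: `su - bamboo` starts a login shell, which sources /home/bamboo/.bash_profile, .bashrc and .profile before running the command, and `$'\r': command not found` is bash's way of saying those files have Windows (CRLF) line endings, so each command name carries a trailing carriage return. The `rbenv: command not found` line is a separate PATH problem inside .bash_profile. The exit status 127 with a bare `: No such file or directory` is most likely the script itself having the same line endings: `/usr/bin/env` then looks for an interpreter literally named `sh` plus a carriage return, prints that name (the CR swallows the start of the message when rendered) and exits 127. As an added example, not code from the post or the replies, the POSIX shell helpers below find files with CRLF endings and produce a cleaned copy; they are run here against constructed files in a temporary directory, not against a real home directory:

```shell
#!/bin/sh
# Added example, not part of the original post. Detects CRLF line endings in
# scripts and dotfiles and writes a cleaned copy next to the original.
set -u

CR=$(printf '\r')   # a single carriage-return character

# has_crlf FILE: exit 0 if FILE contains a carriage return, 1 otherwise.
has_crlf() {
  grep -q "$CR" "$1"
}

# crlf_report FILE...: print one line per file that has CRLF endings; the
# return status is the number of such files, so 0 means everything is clean.
crlf_report() {
  found=0
  for f in "$@"; do
    if [ -f "$f" ] && has_crlf "$f"; then
      printf '%s: CRLF line endings\n' "$f"
      found=$((found + 1))
    fi
  done
  return "$found"
}

# strip_cr FILE: write a copy with every CR removed to FILE.unix. Writing a
# copy instead of editing in place lets you diff it before replacing a login
# script that root-run tooling (like the Chef resource above) depends on.
strip_cr() {
  tr -d '\r' < "$1" > "$1.unix"
}

# Demo on constructed files in a temporary directory.
demo() {
  dir=$(mktemp -d)
  printf '#!/usr/bin/env sh\r\necho hello\r\n' > "$dir/crlf.sh"   # constructed: CRLF
  printf '#!/usr/bin/env sh\necho hello\n' > "$dir/lf.sh"         # constructed: LF
  crlf_report "$dir/crlf.sh" "$dir/lf.sh" || echo "files needing conversion: $?"
  strip_cr "$dir/crlf.sh"
  crlf_report "$dir/crlf.sh.unix" && echo "converted copy is clean"
  rm -rf "$dir"
}

demo
```

Run `crlf_report` over the user's dotfiles and the script before the converge; once they are clean, the login shell starts quietly and `su -c` reaches the script's real output.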
Should I have worked first as a developer before coming to a DevOps role?
I'm a career shifter from a non-technical industry. My first job was a technical support role, then I moved to a bank for a DevOps role after a year there. After 1 year of working here, I still feel like I'm missing out on a lot of how our services work with one another.
https://redd.it/13wc1d5
@r_devops
Reddit
r/devops on Reddit: Should I have worked first as a developer before coming to a DevOps role?
Posted by u/7456398521_ - No votes and no comments
Beginner DevOps Question
Hi, I am just starting to learn DevOps and received a practice assignment from my teacher.
1) I received a Java project and used Apache Maven to generate a .war file.
2) Now I am supposed to deploy the .war file to a WildFly server in a Docker container.
I am somewhat stuck on the second task since I fail to understand how a Dockerfile works. If anyone could help me make some progress in this exercise, I would appreciate it. I need help with creating a Dockerfile and understanding its part in the whole process.
Thanks for any help and sorry if I am posting in the wrong sub.
https://redd.it/13wchyl
@r_devops
Reddit
r/devops on Reddit: Beginner DevOps Question
Posted by u/DoctorGrey_Jr - No votes and 4 comments
What do most people do for environment deployments with Git?
I had a similar question before, but now I just want to see what everyone else does either at their companies or personally. Currently using dev and prod branches introduces merge conflicts as the commits get extremely messy after a few months.
How do you separate dev, pre-prod (my company calls it go), and prod in their repositories for deployments?
I want to find a method that's just smooth and almost automatic when someone updates the helm chart.
https://redd.it/13wdtjr
@r_devops
Reddit
r/devops on Reddit: What do most people do for environment deployments with Git?
Posted by u/XDPokeLOL - No votes and 1 comment
How do I become a DevOps engineer?
Currently, I am a Quality Engineer with a total experience of around 1.5 years, out of which for 1 year I have been on the bench not doing anything.
https://redd.it/13w1rna
@r_devops
Reddit
r/devops on Reddit: How do I become a DevOps engineer?
Posted by u/Shubkrg - No votes and 4 comments
'ekscli' vs. 'aws eks'
I see on https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html you can either use the GUI, ekscli, or aws cli to manage your cluster and interactions. ekscli looks neat, but I imagine I will also need to use the normal aws eks style due to other aws command line options (e.g. aws sts). What tool would you recommend getting familiar with and why?
https://redd.it/13vs5hd
@r_devops
Amazon
Get started with Amazon EKS - Amazon EKS
Learn about the tools needed for creating and working with an Amazon EKS cluster.
How to prepare for DevOps Engineer Technical Interview and scenario based questions?
I have 2 YOE (currently on a career gap). I am currently looking to get into DevOps. Started learning AWS, Docker, Kubernetes, Shell Scripting, but the technical interview seems to be more overwhelming and focused on troubleshooting scenarios. How to effectively prepare for those? What are the tools that one must know before entering the DevOps scene?
https://redd.it/13vsi3v
@r_devops
Reddit
r/devops on Reddit: How to prepare for DevOps Engineer Technical Interview and scenario based questions?
Posted by u/aditya_dhopade - No votes and 6 comments
What are some opinions and experiences when choosing between Elasticsearch and Loki?
Title says it all. Looks like Loki is a little better on resources, but curious to others' experiences with ES or Loki, choosing one or the other, for storing application and system logs.
https://redd.it/13wjs0p
@r_devops
Reddit
r/devops on Reddit: What are some opinions and experiences when choosing between Elasticsearch and Loki?
Posted by u/chillysurfer - No votes and 5 comments
Prevent access to .env on a shared VM (Guacamole)
I possess a VM that is shared among multiple users, and we all use the same Guacamole account with a shared username and password. My objective is to install a Node JS application on the server while ensuring that other users cannot access the .env variable. One potential solution could involve encrypting the .env variable to secure its contents.
Can this be done by Containerization? I believe the root user can access the docker secret variables
https://redd.it/13wka9v
@r_devops
Reddit
r/devops on Reddit: Prevent access to .env on a shared VM (Guacamole)
Posted by u/FranticActuality - 1 vote and 1 comment
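The shared Guacamole login is the real obstacle: everyone who holds it is the same Unix user, and file permissions cannot separate people who share one account. Root can also read any process's environment and any container's files, so encrypting .env only moves the question to where the decryption key lives. What permissions can do is keep the secret away from the other non-root users once the application runs under its own dedicated account. As an added example (not from the post or its replies), the POSIX shell helpers below audit a secrets file for group/other access and tighten it; they assume a dedicated service account (the name is whatever you create, passed in as an argument), and the demo uses a constructed file in a temporary directory:

```shell
#!/bin/sh
# Added example, not part of the original post. Audits and tightens the
# permissions of a secrets file such as .env. Assumes the app will run as a
# dedicated service user so that owner-only permissions exclude everyone else.
set -u

# file_exposed FILE: exit 0 if group or others have any permission bit set,
# 1 if the file is owner-only. Parses ls -l so it works with GNU and BSD tools.
file_exposed() {
  perms=$(ls -ld "$1" | cut -c5-10)
  case "$perms" in
    ------) return 1 ;;
    *)      return 0 ;;
  esac
}

# file_owner FILE: print the owning user name.
file_owner() {
  ls -ld "$1" | awk '{ print $3 }'
}

# lock_down FILE [USER]: make FILE owner-only and, when USER is given, hand
# ownership to that service account (needs root; the failure is reported).
lock_down() {
  chmod 600 "$1"
  if [ -n "${2:-}" ]; then
    chown "$2" "$1" 2>/dev/null || echo "chown to $2 failed; rerun this step as root"
  fi
}

# audit FILE: print a one-line verdict; return 0 only when the file is owner-only.
audit() {
  if file_exposed "$1"; then
    echo "$1: readable by group/others (owner $(file_owner "$1")); tighten with chmod 600"
    return 1
  fi
  echo "$1: owner-only (owner $(file_owner "$1"))"
}

# Demo on a constructed file; no real .env is touched.
demo() {
  dir=$(mktemp -d)
  env_file="$dir/.env"
  printf 'DB_PASSWORD=constructed-sample-value\n' > "$env_file"
  chmod 644 "$env_file"       # the usual default: world-readable
  audit "$env_file" || true
  lock_down "$env_file"
  audit "$env_file"
  rm -rf "$dir"
}

demo
```

Pair this with running the Node.js process under that service account (a systemd unit with `User=` set, or `su`/`sudo -u` for the start command), so the only identities that can read the file are the service account and root.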
What are my (AWS) options for running one single container reliably?
My team has just me doing "deployment stuff" and we're a tiny startup. I have one microservice/container with code that won't go into our monolith. I need to find somewhere to run it in production (on internal VPC's 10.10 network).
The ones I can think of:
- ssh & docker run with restart/service options
- nomad "cluster" -- seems heavy to me for one container?
- lambda -- my "microservice" is a nodejs script that listens on port 80, but probably convertible to the lambda runtime interface
Things I don't know anything about (yet):
- kubernetes -- also maybe too heavy for one container?
- rancher? -- What is this? can it help me?
https://redd.it/13woti9
@r_devops
Reddit
r/devops on Reddit: What are my (AWS) options for running one single container reliably?
Posted by u/pwab - No votes and 3 comments
Cloud Dependencies Need to Stop F—ing Us When They Go Down
https://thenewstack.io/cloud-dependencies-need-to-stop-f-ing-us-when-they-go-down/
https://redd.it/13wqex0
@r_devops
The New Stack
Cloud Dependencies Need to Stop F—ing Us When They Go Down
With each external cloud service you deploy, you introduce the amount of unreliability that product has into your own product’s reliability (even if it’s incredibly small).
Thoughts about my thoughts on performance / alerting metrics?
Curious for some feedback from folks, I was laid off a few weeks back and find myself dealing with the whole process of recruitment.
Something I consider a significant success that I like to talk about in interviews was writing a whole slew of "synthetic user transactions" as a method of gauging platform health.
That involved working with the app developers to plumb transaction time values for things like login, password reset, interaction X or Y as part of the API call responses. I came up with about 15 of them which fired every few minutes (or in some cases more regularly) as a much more effective way to gauge how the entire system was working as opposed to "CPU High 90% - call Pagerduty".
I was (I guess I still am) quite proud of that as a monitoring solution. They were just AWS lambda functions performing tasks and checking the response times - but in that particular case it made it so much easier to identify what was bottle-necking and or "crapped out".
Thing is, I've had some fairly frosty reception to that when explaining it to recruiters / hiring managers and I'm wondering if I've missed something?
My take has long been, if you're paying for an instance of <insert service here> it's fine for it to hit its peak CPU / memory / cache / whatever, you're paying for that - I'd care more about if the user experience has suddenly gone terrible?
I appreciate this is more of an SRE question.
https://redd.it/13ws7qv
@r_devops
Posted by u/nezbla - No votes and 2 comments
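The paging logic behind "synthetic user transactions", as an added example in Go (this is not u/nezbla's code; the check names, the latency budget and the scripted samples are constructed for the demo). It goes one step past the post: a single slow run is recorded but only a persistent breach (Need of the last Window samples over budget or failed) pages, which is what keeps a probe like this from waking people on one GC pause or one flaky probe host.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Sample is one probe result: how long the synthetic journey took and
// whether it failed outright.
type Sample struct {
	Latency time.Duration
	Err     error
}

// Check evaluates one synthetic transaction (login, password reset, ...)
// against a latency budget and only alerts when breaches persist: at least
// Need of the last Window samples must have breached.
type Check struct {
	Name    string
	Budget  time.Duration // latency budget for a single run
	Window  int           // recent samples kept
	Need    int           // breaches inside the window that trigger an alert
	samples []Sample
}

// Breached is true when the run failed or exceeded the budget.
func (c *Check) Breached(s Sample) bool {
	return s.Err != nil || s.Latency > c.Budget
}

// Record appends a sample and drops anything older than the window.
func (c *Check) Record(s Sample) {
	c.samples = append(c.samples, s)
	if len(c.samples) > c.Window {
		c.samples = c.samples[len(c.samples)-c.Window:]
	}
}

// Breaches counts breached samples currently in the window.
func (c *Check) Breaches() int {
	n := 0
	for _, s := range c.samples {
		if c.Breached(s) {
			n++
		}
	}
	return n
}

// ShouldAlert is the paging decision: Need-of-Window rather than "one slow
// sample", so a single hiccup does not page anyone.
func (c *Check) ShouldAlert() bool {
	return c.Breaches() >= c.Need
}

// Run executes the transaction once, as a scheduled probe (for example a
// Lambda on a timer) would, times it end to end, and records the sample.
func (c *Check) Run(tx func() error) Sample {
	start := time.Now()
	err := tx()
	s := Sample{Latency: time.Since(start), Err: err}
	c.Record(s)
	return s
}

func main() {
	// Constructed stand-in for a real login journey. A real probe signs in
	// with a dedicated, least-privilege synthetic account, never a real user.
	login := &Check{Name: "login", Budget: 800 * time.Millisecond, Window: 5, Need: 3}
	scripted := []Sample{
		{Latency: 120 * time.Millisecond},
		{Latency: 2 * time.Second},
		{Latency: 150 * time.Millisecond},
		{Latency: 3 * time.Second},
		{Err: errors.New("HTTP 502 from /login")},
	}
	for _, s := range scripted {
		login.Record(s)
		fmt.Printf("%s: %d/%d breached, alert=%v\n", login.Name, login.Breaches(), login.Window, login.ShouldAlert())
	}
}
```

Two things a reviewer would add to a probe like this: keep the synthetic account's credentials in a secrets store rather than in the function code, and tag its traffic so it is excluded from business metrics and from any rate limiting that would otherwise make the probe itself the outage.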
how to package on-prem solution?
I have a SaaS (AWS stack) and want to package it for on-prem offering.
I don't have experience with "enterprise software" but from what I've seen most projects charge an annual license + annual support built in.
If I go and replicate the AWS stack on their environment (using client user/pass and then they change it), I'm thinking that:
a. I'm giving away all the source code.
b. How do I ensure that they don't resell the solution? This would probably need a contract but I don't know what kind and I worry it will complicate things.
c. If I give away all the infrastructure and code, how can I get paid for the second year?
d. I could also charge based on their users, but how can I monitor this?
I would appreciate if anyone is aware of a structure/packaging that makes sense for this, or any thoughts on this matter.
https://redd.it/13wuj9a
@r_devops
Posted by u/archhelp1 - No votes and no comments
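Points c and d in the post (getting paid for year two, and enforcing a per-user price) have a standard technical half: a license file signed by the vendor that carries the term and the seat count, which the product verifies offline with the vendor's public key. Added example in Go, not u/archhelp1's code; the customer name, seat count and dates are constructed, and the JSON layout of the license file is this example's own choice.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// License is the payload the vendor signs. Only the vendor holds the private
// key; the on-prem install ships with just the public key, so the customer
// cannot mint a new license or extend the term, and expiry is enforced
// offline without any call home.
type License struct {
	Customer string    `json:"customer"`
	Seats    int       `json:"seats"`     // maximum licensed users
	NotAfter time.Time `json:"not_after"` // end of the paid term
}

// Bundle is the license file handed to the customer: payload plus detached
// signature over the exact payload bytes.
type Bundle struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

var (
	ErrBadSignature = errors.New("license: signature invalid")
	ErrExpired      = errors.New("license: term has ended")
	ErrSeats        = errors.New("license: seat limit exceeded")
)

// Issue runs on the vendor's side only.
func Issue(priv ed25519.PrivateKey, lic License) (Bundle, error) {
	payload, err := json.Marshal(lic)
	if err != nil {
		return Bundle{}, err
	}
	return Bundle{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify runs inside the product at startup and on a timer. The signature is
// checked before the payload is parsed, so an edited seat count or date
// fails as a bad signature rather than being honoured.
func Verify(pub ed25519.PublicKey, b Bundle, now time.Time, activeUsers int) (License, error) {
	if !ed25519.Verify(pub, b.Payload, b.Signature) {
		return License{}, ErrBadSignature
	}
	var lic License
	if err := json.Unmarshal(b.Payload, &lic); err != nil {
		return License{}, err
	}
	if now.After(lic.NotAfter) {
		return lic, ErrExpired
	}
	if activeUsers > lic.Seats {
		return lic, ErrSeats
	}
	return lic, nil
}

func main() {
	// Constructed demo: in reality the key pair is generated once and the
	// private half never leaves the vendor's signing host.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	term := time.Now().AddDate(1, 0, 0)
	b, _ := Issue(priv, License{Customer: "example-customer", Seats: 50, NotAfter: term})
	file, _ := json.Marshal(b) // what ships to the customer
	fmt.Printf("license file: %s\n", file)

	var loaded Bundle
	_ = json.Unmarshal(file, &loaded)
	_, err = Verify(pub, loaded, time.Now(), 10)
	fmt.Println("valid, 10 users:", err)
	_, err = Verify(pub, loaded, time.Now(), 51)
	fmt.Println("valid, 51 users:", err)
	_, err = Verify(pub, loaded, term.AddDate(0, 0, 1), 10)
	fmt.Println("day after term:", err)

	forged := loaded
	forged.Payload = []byte(`{"customer":"example-customer","seats":9999,"not_after":"2099-01-01T00:00:00Z"}`)
	_, err = Verify(pub, forged, time.Now(), 10)
	fmt.Println("edited seat count:", err)
}
```

The caveat that goes with this: the customer controls the host, its clock and the binary, so a signed license is a deterrent and a clean way to bill, not a control against an operator determined to bypass it. The contract the post mentions is still what actually stops resale; the license file just makes honest use easy and quiet circumvention deliberate rather than accidental.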
Architecture of OTT Platform
Totally noob in devops.
I was wondering if there's any way to understand how a typical flow or architecture works for an OTT platform.
https://redd.it/13ww6oc
@r_devops
Posted by u/d3xtr00 - No votes and no comments
Looking for advice on releasing my app while still incomplete
Hey everyone! I’m looking for advice on the most cost-effective way to release my app while there are still lots of things incomplete. Should I use a single server instance (AWS, GCP, Digital Ocean…) with all databases (mongo, postgres, redis), and codebases (node, golang, react, nextjs) of 3 different apps installed in ONE server; or use different cloud services for Database, Docker, Kubernetes etc.?
I need to release my MVP to show early users and get feedback. But it consists of 3 different loosely connected apps and I’m sure there are obvious insecurities. I would have to disable some authorization features in my MVP for the 3 apps to send API calls to each other, including from the client. I need to do so because I need users to test-use it and get their feedback to fix and improve ASAP (to get traction and raise investment). If I put them in a single server, I’m afraid a hacker can easily get access to root, users' data and confidential codebase (my startup is still in stealth mode).
Also, I need a server that is much more powerful than the free-tier server provided by AWS or GCP. I have a few thousand AWS credits but am not able to use them yet. What is the most cost-effective way to deploy my MVP? Any advice would be greatly appreciated!
What would you do if you were me?
PS: I have little experience with DevOps. Mainly backend > AI/ML > frontend. Therefore the questions.
https://redd.it/13wvg70
@r_devops
Posted by u/OlympiaStar - No votes and 1 comment
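The post plans to disable authorization so the three apps can call each other. A lighter alternative that keeps the calls authenticated without a full identity layer is shown below as an added Go example (not u/OlympiaStar's code): each server-side app signs its outbound requests with its own HMAC key and a timestamp, and the receiving app verifies the signature before the handler runs. The header names, key names, hostnames and request body are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strconv"
	"time"
)

var (
	ErrUnknownCaller = errors.New("s2s: unknown caller")
	ErrStale         = errors.New("s2s: timestamp outside allowed window")
	ErrBadSignature  = errors.New("s2s: signature mismatch")
)

// Verifier holds one key per calling service, so a compromised app can only
// speak as itself, and a freshness window that bounds replay of a captured request.
type Verifier struct {
	Keys   map[string][]byte
	MaxAge time.Duration
	Now    func() time.Time
}

// canonical binds the signature to method, path, timestamp and body hash.
func canonical(method, path, ts string, body []byte) string {
	return fmt.Sprintf("%s\n%s\n%s\n%x", method, path, ts, sha256.Sum256(body))
}

func mac(key []byte, msg string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return fmt.Sprintf("%x", m.Sum(nil))
}

// Sign is what the calling app does on an outbound request.
func Sign(req *http.Request, caller string, key, body []byte, now time.Time) {
	ts := strconv.FormatInt(now.Unix(), 10)
	req.Header.Set("X-Caller", caller)
	req.Header.Set("X-Timestamp", ts)
	req.Header.Set("X-Signature", mac(key, canonical(req.Method, req.URL.Path, ts, body)))
}

// Verify checks an inbound request whose body has already been read.
func (v *Verifier) Verify(req *http.Request, body []byte) (string, error) {
	caller := req.Header.Get("X-Caller")
	key, ok := v.Keys[caller]
	if !ok {
		return "", ErrUnknownCaller
	}
	ts := req.Header.Get("X-Timestamp")
	unix, err := strconv.ParseInt(ts, 10, 64)
	if err != nil {
		return "", ErrStale
	}
	if age := v.Now().Sub(time.Unix(unix, 0)); age > v.MaxAge || age < -v.MaxAge {
		return "", ErrStale
	}
	want := mac(key, canonical(req.Method, req.URL.Path, ts, body))
	if !hmac.Equal([]byte(want), []byte(req.Header.Get("X-Signature"))) { // constant-time compare
		return "", ErrBadSignature
	}
	return caller, nil
}

// Middleware rejects unsigned or stale calls before the handler runs and
// passes the verified caller name along in a header.
func (v *Verifier) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20))
		if err != nil {
			http.Error(w, "bad body", http.StatusBadRequest)
			return
		}
		caller, err := v.Verify(r, body)
		if err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		r.Body = io.NopCloser(bytes.NewReader(body))
		r.Header.Set("X-Verified-Caller", caller)
		next.ServeHTTP(w, r)
	})
}

func main() {
	keys := map[string][]byte{"app-a": []byte("constructed-key-for-app-a")} // constructed demo key
	v := &Verifier{Keys: keys, MaxAge: 5 * time.Minute, Now: time.Now}
	body := []byte(`{"user":"42"}`)
	req := httptest.NewRequest("POST", "http://app-b.internal/api/orders", bytes.NewReader(body))
	Sign(req, "app-a", keys["app-a"], body, time.Now())
	caller, err := v.Verify(req, body)
	fmt.Println("caller:", caller, "err:", err)
}
```

This covers only app-to-app calls. The browser client cannot hold a key, so calls from the client still need a real user session; and on a single box the keys belong in environment variables or a secret file readable only by each app's own service user, which is also the cheapest way to limit what one compromised app can reach.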