Getting error while allowing accounts and roles in Terraform for GCP



Hi All,

I am trying to allocate the roles to the user in the Terraform file in a GCP project, but I am getting the below error . Please let me know if you have a better way for doing this.

Error: Request "Create IAM Members roles/compute.networkAdmin user:[email protected] for \\"project \\\\\\"vibrant-mantis-296207\\\\\\"\\"" returned error: Batch request and retried single request "Create IAM Members roles/compute.networkAdmin user:[email protected] for \\"project \\\\\\"vibrant-mantis-296207\\\\\\"\\"" both failed. Final error: Error applying IAM policy for project "vibrant-mantis-296207": Error setting IAM policy for project "vibrant-mantis-296207": googleapi: Error 403: Policy update access denied., forbidden

I used the below piece of code :

module "projects_iam_bindings" {
source  = "terraform-google-modules/iam/google//modules/projects_iam"
version = "\~> 6.4"
projects = ["vibrant-mantis-296207"\]
bindings = {
"roles/storage.admin" = [
"user:[email protected]",
    \]
"roles/compute.networkAdmin" = [
"user:[email protected]",
    \]

https://redd.it/kuuw7y
@r_devops

Sock Shop alternatives ?

Hello everyone

I am looking for a sample cloud native applications (especially Spring boot - React) to practice my devops skills on.

I tried Sock Shop by weave but I found it a little bit overwhelming. Do you know any well coded apps to host on my machine and practice on ?

It does not have to contain infrastructure files, just the application is enough for me.

https://redd.it/kvno1w
@r_devops

AWS Lightsail now supports containers

Can something as simple as AWS Lightsail with containers fit anyone but teams working on small projects?

\>>> https://youtu.be/CWXrW2rgego

https://redd.it/kvsm9b
@r_devops

Does it make sense to create Test Plans for WIndows Updates and infrastructure testing?

I hope this doesn't sound ridiculous, I started as a SysAdmin and I'm trying to integrate more into our Dev team. We use Azure Dev Ops and I'm trying to see if it's worth while to have a Test Plan (I'm guessing this would be the best option for my idea) to check the following items:

If Windows updates were applied successfully
If Machines are reachable after reboot.
If services restarted correctly post reboot
If PowerShell Pester Tests passed
If Product related Tests pass
If Maintenance Window/Update Items are complete

While including time of items, and reaching back to Work Items.

It's a bit weird trying to add our Ops team into Azure DevOps, as our code and processes normally doesn't have a build/release, the closest thing to bugs would be errors in server configurations or server down issues, and when creating a Test Plan it's not like I can really run some of these tests. From what I see I could use this functionality more as a check list than an actual Test Case.

Am I wrong? Or does anyone have any input they'd like to share?

Thanks for your advice!

https://redd.it/kvu6rs
@r_devops

tracking infrastructure drift

Hi folks,being big users of terraform in our team, we've often been faced with infrastructure drift (when your infrastructure code doesn't match your actual resources). So we built this free and open source CLI with the goal of helping manage all kinds of drifts, and we'd love some feedback :) Here's why we built this tool :https://driftctl.com/2020/12/22/announcing-driftctl

https://redd.it/kvtqtl
@r_devops

What happened to Parler is a reminder to be cloud agnostic.

I'm not a user of Parler or follow politics, like many we have all our eggs in the AWS basket and what happened to Parler is a reminder that AWS can pull the plug on your account for whatever reason they seem fit, they hold the keys.

https://redd.it/kvtluf
@r_devops

Intrusion Detection/Prevention within Kubernetes?

Does any prior work exist to monitor the connections between pods, namespaces and or the Internet to characterize normal behavior and alert on abnormalities? For example, I'd like to know if pods that traditionally only talk to microservice X start suddenly chatting up microservice Y so I can check if that's expected new behavior. Similarly, if a pod suddenly decided it aught to start scanning ports I'd like this to be immediately seen and reflected.

https://redd.it/kv9gfp
@r_devops

Question

Hello guys I hope everyone is doing well. I have a question if any one can answer that would be great so I can’t catch up the concept of build code what does the build do for example if you are using Jenkins for CI/CD when they say build test etc. I don’t understand the term build does it gather the dependencies for the code to work on a environment or does it mean something else thanks in advance.

https://redd.it/kvd3l2
@r_devops

Dependency Tracking - Is there an wasy way?

Hi everyone. I hope this is the correct sub where to post.

I'm a junior developer, working on a project where the architect just quit, and to be honest, I have no clue whom to ask about this, so, I'm very sorry if I sound a bit naive.

I tried to google and skim through reddit posts, but to be honest, this time I don't even know what to look for.

Anyway, our project looks like a "revamped" monolith, that have been split through different maven projects, that get deployed on multiple wildfly instances.

Our problem, is that the number of modules are growing, and we're slowly losing track of all the dependencies between them.

Since I have no clue about who's supposed to take care of this aspect of the project (Management? Developers?) neither what are the best practices or tools available to avoid this kind of stuff, could you give me any hints?

Just for the sake of example, let's say we have the A1.war module.

B.war, C.war, and D.war, all uses A.war as dependency.So, everytime something changes on A's interfaces, I have to rebuild B, C and D.

It happened before, that we forgot to redeploy a module or two, and that's kinda sad. So, i'm looking for something that could...I don't really know, scan the POM and draw a dependency graph? Or some book that explain the concept of "how should thos kind of problems we avoided"?

Anything really. Any info or pointing in any direction is more than welcome.

Thanks everyone!

https://redd.it/kw0167
@r_devops

Migrating from Docker Swarm, looking for real rootless replacement

My first priority is to reduce the security holes that docker has with it default root configuration. So far its 2021 and Docker itself does not work with rootless mode under swarm that would need to scale (no overlay network for rootless daemon).

https://redd.it/kw1604
@r_devops

Solved a problem I was having with file sharing sites..

I had an annoying problem with a company project where everyone in the team and different departments was using a different file sharing site. Box, Dropbox, Google Drive, that kind of thing. Makes it really hard to have security policies for data across multiple platforms like that... especially with file sharing.

Thought I'd share the solution I found -- it securely federates and combines all the different file sharing sites together into _one_ manageable metasite without actually copying the data. Even has a google/edge extension so it's convenient.

Its called https://www.dokkio.com .. free for now it seems as they are in beta, and looks like they can handle individual and up to Enterprise.

https://redd.it/kv99j8
@r_devops

Icinga2 vs Instana for monitoring

What are your thoughts?
Instana is pretty great since it comes with easy out of the box everything.
Looking into ICinga2 I like how much power I have with Python Scripts but I been trying to set up the same ecosystem that Instana provides and I'm finding that to be much harder.

https://redd.it/kv7ujy
@r_devops

Kaholo feedback CI/CD

Has anyone here used kaholo for CI/CD?

Any feedback welcome!

https://redd.it/kv6xhr
@r_devops

Modern CI/CD pipeline for front end projects

Here is what we do in my company:

precommit and prepush \#git hooks are used to catch issues before they are pushed upstream.

`precommit` runs only on staged files (takes few seconds)
prepush runs eslint typescript and unit tests (takes up to 20 seconds)

Every time a commit is pushed:

1 ) We build a #docker image & bundle cypress and other development dependencies. This allows us to run all subsequent tasks using the same Docker image.

It is fast. Takes 2-4 minutes. 🏎

2 ) We run 5 tasks concurrently to validate our build.

ESLint
TypeScript
jest Unit tests
cypress Integration tests
Fetch, validate & compile GraphQL schema

2 ) For every commit, we deploy a review app.

Review app:

Allows anyone to preview what is being developed.
Allows anyone to preview our storybook.
Allows to leave visual reviews (WIP)

3 ) Before changes can be merged to the main branch, we use GitLab to mandate at least 1 review from the team.

In addition, we use GitLab review system to advise who is the best person to review the code based on which files have changed.

5 ) When changes are merged to the main branch, we automatically deploy to production.

We use argocd to implement gitops. This means that we have a detail log of everything that has been deployed, and in case of a critical error, reverting is as simple as "git revert" Receipt

6 ) Finally, we push changes regularly to the main branch. Small incremental updates, dozens of times a day.

This means that if things break, they are typically small things and easy to revert / patch.

We use feature flags to hide any WIP features. 🏳

Originally posted:

https://twitter.com/kuizinas/status/1349177926105792514

https://redd.it/kw6pn3
@r_devops

Grafana announces new free Grafana cloud tier with hosted Prometheus up to 10k series and 50gb of Loki logs

from their blog

Seems like a good thing for startups or people new to Loki or Prometheus that don’t need a ton of retention (limited to 14 days). small homelab projects you don’t want to deal with the extra overhead of self hosting would also be a good fit for this kind of thing

https://redd.it/kw09g1
@r_devops

CI/CD quick tip: Custom Slack deployment messages

To keep the dev team involved in production, and perhaps more importantly, share key dashboards and logs so they can quickly respond to issues, I've found custom Slack channel messages to be really useful. I made a very quick video that shows how to add a Slack app and send a custom deployment message in your CD pipeline:

https://youtu.be/UVeJINQ8MmY

How do you keep your dev team involved in production events?

https://redd.it/kw0tfg
@r_devops

Containerizing JBoss EAP with custom configuration

We have a lot of legacy apps on JBoss EAP in environments that are due for a refresh. I used to be fairly comfortable with EAP, but haven’t found much out there on modifying server configuration in the world of containers.

To be clear Red Hat’s documentation does cover clustering and some other aspects, but I hadn’t seen anything on managing arbitrary bits EAP configuration without having to manage all of the configuration XML.

After some experimentation I found it wasn’t too bad. I wrote it up at https://medium.com/@chethosey/configuring-eap-subsystems-with-galleon-9c824684a7bd in case it’s helpful to anyone else.

I also have some experience with configuring data source and injecting JDBC drivers via Galleon, which I could write up if anyone is interested.

https://redd.it/kw7jsq
@r_devops

PLEASE stop shoehorning devops where it doesn't belong OR WHERE YOU AREN'T READY FOR IT

Excuse my personal rant, but as a seasoned sysadmin, I'm pulling my hair out with this BS, and all these organizations that can't seem to grasp that what works for software development (Agile, scrum, devops etc) doesn't necessarily work for your infrastructure and operations teams the way it does for developer teams, yet you do your best time and time again to make us "cross functional" because it works so well for you.

Why? because you can't treat hardware, maintenance, compliance, and networking like software when it isn't. Listen. I get it. You read a book about all the cool things and infrastructure as code and software defined networking. Then you forgot that your infrastructure is aged and you have no budget or interest in adding what is necessary to make things redundant, high availability, or anything else. You don't know why ordering storage systems without dual controllers means that your entire stack has to go down to update the firmware.. which is why it hasn't been patched since it was purchased. You don't get why on-site servers aren't infinite resources like the cloud is, or why you can't "just use the cloud" to fix all of your problems. You don't understand that a network doesn't have limitless bandwidth and too many bright "decentralized" ideas clogs the pipes faster than eating at chipotle.
"What do you mean there's only so many IP's available" said the developer who automated the build out of containers that reserve their own IPs without checking IPAM because they've never heard of it.

I don't know when or why someone thought "empowering" developers meant to give them free reign on systems they don't understand in order to shit out "value" as fast as humanly possible, and then complain that trying to implement process and policy "slows things down". For the love of all that is holy this is purely unsustainable and this virus has apparently infected everyone.

I'm sure some of you in here can't relate because you're from competent strategic organizations that have implemented appropriate structure, but the rest of the industry is burning shit down underneath themselves. This helps to highlight why things like cybersecurity are a freaking pipe dream. It's all spit, lies, and bubblegum, and the world runs on it.. slow the F*** down!

https://redd.it/kvx9vh
@r_devops

How the heck do I solve the problem of maintainable template projects?

I'm running the CI show at my clients shop where we do pretty much greenfield development for 9 different building security devices like card readers and such. There are two base Linux platforms (a beefy one and a tiny one) and each device is built from one of the platforms as a base and then a set of services and configurations are added on top of that to make the final firmware for each device.

We have an internal tool that let's developers create services, this tool creates a git repo and does some ghetto templating work by copying over a hello world project and replaces a few magic strings in the template files depending on the command line args passed to the tool.

This all works fine, until a change in the template is required. At this point it's just a horror show to keep all the service repos synchronized. The Cmake files for each project is customized so you can't just copy the new file over but you have to open it in each repo and manually perform the change. It's very tedious.

The minimum functionality I'm after is having the CI yell at me if I change the template and one of the repos is out of sync when it's committed. The optimal solution would be some automation to update all of the repos.

Is there some templating framework that supports this out of the box?

https://redd.it/kw2k2r
@r_devops

CD for production env good idea?

We have had terrible experience, doing CD for well tested (what we thought) code. We always somehow end up with big failures, every time for some newly discovered reason. We are now doing updates in our production environments, manually, using simple scripts, doing updates one by one.

At this time, the only colleagues using CD's are frontend developers, only on testing environments, so they can see their code running inside a kubernetes environment instantly.

Where do other fellow devops use CD's? Anyone doing CD in production? If yes, what other tools are you using? If not, please share your update procedures.

https://redd.it/kw5rz8
@r_devops

Is it possible to have a Jenkins linked choice param?

The issue I am trying to solve is when a dev pushes code to dev branch in GIT Jenkins triggers with a hook. Currently in the hook and job config I have to specify choices for server a server b, config a config b, profile a or profiler b, etc. What I want is if its Server A then choose Config A and Profile A. My hook url is getting crazy trying to add each param in the url where it would be much easier to say Server=A in the url and Jenkins knows the rest of the build information based on the server chosen.

https://redd.it/kw0kt0
@r_devops