20200203 - CfgMgmtCamp 2020 - Autopilot, but never let go of the wheel, Simon McCartney

by Thierry de Pauw on


Autopilot, but never let go of the wheel, Simon McCartney

AXON: body cameras, medical stuff

In the beginning ...
wrapper script for Terraform
./tf.sh -c aws -e dev -a plan

Evolved to ...
- git checkout -b JIRA-001
- vi aws/foo.tf
- PR
- ...

which then resulted in ...

Lesson 1: pin the versions of your tools

a checkTerraformVersion function in the wrapper script
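One way to write that check, as an added example and not the talk's own tf.sh: the pinned version (1.5.7) and the exact-match policy are assumptions, and the parser takes the output of `terraform version` as an argument so it can be exercised without the binary.

```shell
#!/bin/sh
# Added example of a version pin for a Terraform wrapper script (tf.sh).
# Not the talk's code: the pinned version and the exact-match policy are
# assumptions; set REQUIRED_TERRAFORM_VERSION to what your team standardises on.
set -eu

REQUIRED_TERRAFORM_VERSION="${REQUIRED_TERRAFORM_VERSION:-1.5.7}"   # assumed pin

# Pull "X.Y.Z" out of `terraform version` output ("Terraform v1.5.7 ...").
# Takes the output as an argument so it can be exercised without the binary.
parseTerraformVersion() {
  printf '%s\n' "$1" | sed -n '1s/^Terraform v\([0-9][0-9.]*\).*$/\1/p'
}

# checkTerraformVersion OUTPUT REQUIRED
# Succeeds only when the installed version equals the pin; anything else
# (different version, unparsable output) fails so the wrapper stops early.
checkTerraformVersion() {
  installed="$(parseTerraformVersion "$1")"
  required="$2"
  if [ -z "$installed" ]; then
    echo "tf.sh: could not read a Terraform version from: $1" >&2
    return 1
  fi
  if [ "$installed" != "$required" ]; then
    echo "tf.sh: Terraform $required is pinned, but $installed is installed" >&2
    return 1
  fi
  return 0
}

# The wrapper's entry point: check the pin, then pass the arguments through.
runPinnedTerraform() {
  checkTerraformVersion "$(terraform version 2>/dev/null || true)" \
                        "$REQUIRED_TERRAFORM_VERSION"
  terraform "$@"
}
```

In a wrapper like `./tf.sh -c aws -e dev -a plan`, the bare `terraform "$@"` call at the end becomes `runPinnedTerraform "$@"`; a missing binary shows up as unparsable output and is rejected the same way as a wrong version.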

Lesson 2: understand why your wrapper exists

  • to make workflow easier
  • authentication ...
  • always run a command (e.g. terraform init) before the requested one

Lesson 3: Cloud authentication techniques

  • Hashicorp Packer Azure RM builder requires different parameters in the JSON depending on authentication type in use
  • use jq to filter out the part of the Packer template that doesn't apply to the authentication type in use

=> BONUS: Comments in Packer JSON!
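What that jq step can look like, as an added example rather than the wrapper from the talk: the template is constructed for this example, the option names (client_id, client_secret, use_azure_cli_auth) are the azure-arm builder's, and the "_comment" keys are the comment trick, which the same filter strips before the file reaches Packer.

```shell
#!/bin/sh
# Added example, not the talk's wrapper: pick the authentication parameters
# for a Packer azure-arm builder with jq. The template is constructed for
# this example; option names (client_id, client_secret, use_azure_cli_auth)
# are the builder's, the "_comment" keys are the comment trick the wrapper strips.
set -eu

PACKER_TEMPLATE='{
  "_comment": "constructed sample template; values are placeholders",
  "builders": [
    {
      "type": "azure-arm",
      "_comment": "auth keys below are filtered by the wrapper per auth mode",
      "subscription_id": "00000000-0000-0000-0000-000000000000",
      "tenant_id": "00000000-0000-0000-0000-000000000000",
      "client_id": "00000000-0000-0000-0000-000000000000",
      "client_secret": "PLACEHOLDER_FROM_VAULT",
      "use_azure_cli_auth": true,
      "os_type": "Linux",
      "image_publisher": "Canonical"
    }
  ]
}'

# packerAuthFilter MODE   (MODE is "sp" for a service principal or "cli"
# for credentials from az login). Reads the template on stdin, writes the
# trimmed template on stdout, and strips every "_comment" key on the way.
packerAuthFilter() {
  case "$1" in
    sp)  filter='del(.builders[] | .use_azure_cli_auth)' ;;
    cli) filter='del(.builders[] | .client_id, .client_secret)' ;;
    *)   echo "packerAuthFilter: unknown auth mode '$1'" >&2; return 1 ;;
  esac
  jq "$filter | del(.. | ._comment?)"
}
```

Usage from the wrapper: `printf '%s' "$PACKER_TEMPLATE" | packerAuthFilter cli > build.json && packer build build.json`. Keeping one source template and deriving the per-mode file means the service-principal secret never has to be present at all on a workstation that builds with CLI credentials.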

Lesson 4: enforce non-interactive modes

  • most people run terraform apply interactively and answer "yes" at the prompt
  • non-interactive: terraform plan -out=path, then terraform apply path; the automation tool needs to store and retrieve that plan file for approval workflows
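A wrapper-side plan/apply pair for that flow, added here as an example and not the talk's tf.sh (it also folds in lesson 2's "always run terraform init"): the plans/ directory, the checksum sidecar and the idea that the approver signs off on the checksum are assumptions about how an automation tool would hand the artifact from review to apply.

```shell
#!/bin/sh
# Added example, not the talk's tf.sh: a non-interactive plan/apply pair for a
# wrapper. The plans/ directory, the checksum sidecar and the "approve the
# checksum" step are assumptions about how an automation tool would hand the
# plan artifact from the review stage to the apply stage.
set -eu

PLAN_DIR="${PLAN_DIR:-./plans}"

# Checksum helper (sha256sum on Linux, shasum on macOS).
sha256Of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# tfPlan ENV: init (always, see lesson 2), write a saved plan and record its
# checksum. Prints the plan path for the approving workflow to store.
tfPlan() {
  plan_file="$PLAN_DIR/$1.tfplan"
  mkdir -p "$PLAN_DIR"
  # -input=false: fail instead of prompting when a variable or backend setting is missing.
  terraform init -input=false >/dev/null
  terraform plan -input=false -out="$plan_file" >/dev/null
  sha256Of "$plan_file" > "$plan_file.sha256"
  printf '%s\n' "$plan_file"
}

# tfApply PLANFILE: apply exactly the reviewed artifact. A saved plan is applied
# without a prompt, so the only gate is the checksum the reviewer approved.
tfApply() {
  plan_file="$1"
  [ -f "$plan_file" ] || { echo "tf.sh: no plan at $plan_file" >&2; return 1; }
  expected="$(cat "$plan_file.sha256")"
  actual="$(sha256Of "$plan_file")"
  if [ "$expected" != "$actual" ]; then
    echo "tf.sh: $plan_file changed since review; refusing to apply" >&2
    return 1
  fi
  terraform apply -input=false "$plan_file"
}
```

The review stage calls `tfPlan dev` and publishes the plan output plus the checksum; the apply stage receives the same file back and calls `tfApply plans/dev.tfplan`. Because the apply reads a saved plan, there is no "yes" to type and nothing for a person to approve at the prompt; what gets applied is what was reviewed or nothing.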

Sidebar: never start in Bash

  • it's my default starting point, it shouldn't be
  • when at line 5 I already complain about the choice => Python & Go are better options

Lesson 5: start with low privileges API creds

  • all of our interactive users had root-mode everywhere
  • this caused pain:
    • when adding team members who still had training wheels
    • when we correctly refused to give automation services root privileges

Sidebar: secrets management

  • in Terraform it is problematic: everything is public
  • git-crypt: because we didn't use remote state, the state file was in version control
  • invest as early as possible in a vault