Bootingup.net

Posts

January 16, 2023

CloudFormation vs Terraform

At work, we use CloudFormation, dating back to when the org first onboarded into AWS. Since then Terraform has come out and I’ve used it in AWS and other provider settings. There are some differences, which are interesting to note, but I think in general I stand behind Terraform.

CloudFormation tracks state better. It is easy to trust CF to tear down a stack COMPLETELY, but there are some limitations then. It is difficult to programmatically get resources, sometimes even information, when they are from outside the stack. This comes up rarely as an issue for full-time CloudFormation users, but there’s an itch for those who aren’t to just want an API call to answer to fill in gaps. Reaching outside the somewhat limited CloudFormation options is impossible. Terraform allows this, as it is all just in front of the standard SDK, but that also means the state can get away from a user if they are not careful. Less so with the AWS (fully-baked provider), but I’ve lost my state or resources don’t import correctly, meaning I don’t have an unequivocal definition of state.

January 11, 2023

Serverless

December got away from me in terms of projects, but this time I actually seemed to learn, create, and accomplish something. I actually learned some HTML and JavaScript to create a serverless application on AWS. Using a Lambda function backed by DynamoDB, API Gateway responds to requests from the aforementioned HTML living in a public S3 bucket. The webpage is rough, but it’s not my forte or experience so I hope to hash it out more fully in the future. The experience was fun and definitely useful, so I hope I can make further stacks in similar manners. There are already ideas floating around in my head about what to do next, so stay tuned.

November 30, 2022

Load Overload

There’s nothing like a vacation to get away and reset some practices in order to get things back on track. I was able to take the time to get away from my work enough to get excited about what I do again. Problem is, I talk to too many people about too many different things, and get REALLY excited about them all. I am driven to be an expert about all of them because they all genuinely interest me and I love doing things, but there’s only so much time to do it all.

November 1, 2022

libvirt passthrough

Quick note on using a Windows gaming VM on a libvirt host. Using PCIe passthrough can be a pain if using NVIDIA drivers, doing blacklisting on the drivers. Huge pages and the Looking Glass performance improvement page CPU tweaks did work, but when carving out RAM and doing CPU pinning, you start to wonder about why even using a VM. It really is like having a hard resource divider, and not a resource pool dynamic allocation, because speed matters. Maybe it’s down to the age of the gear, not actually really able to play the games I was trying. The software and hardware support will come into its own in the next few years regardless.

September 25, 2022

Terraform Rundown

I want to show off some Terraform code, and how and why decisions were made in writing the project. This is to demonstrate some features of Terraform, as well as how I’ve used it for some local infrastructure. Again, Infrastructure as Code is all about following Patterns, one of which is relying on Primitives to exist, like a secret or user management service. That being said, we can define Primitives using IaC methods, which is an iterative pattern all of its own.

September 20, 2022

glauth and Keycloak

Finally, I have an application looking at Keycloak over OAuth2, which is in turn fed over LDAP. Single sign-on is more of a reality, but perhaps more important is having MFA in either Keycloak or glauth. The deployment wasn’t easy, as several of the elements weren’t plug and play.

glauth config:

[backend]
  datastore = "config"
  baseDN = "dc=bootingup,dc=net"
  nameformat = "cn"
  groupformat = "ou"

[[users]]
  name = "reader"
  uidnumber = 5001
  primarygroup = 5501
  passsha256 = ""
  mail = "[email protected]"
  [[users.capabilities]]
    action = "search"
    object = "*"

[[users]]
  name = "max"
  uidnumber = 5002
  primarygroup = 5503
  passsha256 = ""
  mail = "[email protected]"

[[groups]]
  name = "svcaccts"
  gidnumber = 5501

[[groups]]
  name = "users"
  gidnumber = 5502

LDAP federation in keycloak:

September 16, 2022

Machine-Gunning Your Pets: When to give up eBay Builds

There is so much to consider when building infrastructure. There’s no way around that. In the pursuit of making things easier for ourselves, engineers have come up with so many good tools, methods, and patterns that provide excellent results and make things easy on us. So why is it so hard to actually stand them up sometimes? Why is there so much hand-wringing and tail chasing to actually go out and do the thing that you set out to do? We keep going to eBay and buying some used iron to make our problem go away, right now, and end up wishing the landscape looked as pretty as our neighbours. The answer is just to build something that you can maintain as long as the infrastructure will exist.

August 21, 2022

Still Working

I took a bit of a step back to get some more perspective, but also because my environment seems to be struggling a bit. I have all my resources from different in a single project, from the “primitives” to the multiple applications, and it just was not happy spinning things up. It appears that single project IaC is a mammoth task; the other projects I’ve looked at seem to limit to individual services. That seems like a decent approach; roll out each service one by one, allowing the operator to handle the dependency order. I wrote an Ansible script in the beginning to handle that (and pre-reqs), so I may split my Terraform code into primitives (or multiple, if that needs to be split down further), and main application service stacks. Kubernetes seems to do this itself, but because I was rolling with Docker, it all seemed to blend together. So, my choice of tool led me into bad practices that I may have avoided if I knew what I was doing. Good to know; that’s what testing is for.

August 8, 2022

Reading Up

I stayed up late too many nights struggling over what would be the best way to tackle some problems with IaC deployments, that I could not solve myself or by reading other blogs; my brain was too focused on my small deployment, and blogs typically covered even smaller and very specific cases. Learning a quick and easy way to Terraform a container is one thing, but how does that process carry over to Terraforming a VM with Ansible managing the config? Do I use cloud-config to enroll in Ansible roles, or use Terraform actions to hit the configs? How do I go about dependencies that are crucial to the stack I am creating? I was scrabbling for best practices.

July 30, 2022

IAC Epiphanies

Writing my services in IAC (being Terraform and Ansible), as well as being able to for the most part start from a clean state, has been a hugely thought-provoking and ultimately rewarding exercise. I have embraced the infrastructure as code ethos, and would gladly die on that hill after seeing it work as it should. Getting away from pets, hand-crafted deployments, and hero efforts has given me the insights that I want to share.
