Admin Admin Podcast #099 Show Notes – Making it all a bit modular

Jon recently passed his AWS Certified Security – Speciality exam, congratulations!

Jon mentions how we’re starting to go to more in-person meetings again. Stu and Jerry have been to a few more in-person meetings recently, whereas Al has transitioned to working from home more.

Al mentions how his team and current workplace are trying to adopt a more SRE mindset.

Stu mentions how he is working very heavily with SLIs, SLOs and Error Budgets. He also mentions that a couple of the people on his team come from development primarily, which means he is starting to pick up new ways of doing development (e.g. TDD).

Al mentions how it’s interesting working alongside developers in your team, especially when you come from an infrastructure/networking/sysadmin background. Al is also starting to learn .NET.

Jerry mentions his new role includes Kubernetes and Rancher.

Al talks about Terraform. Al mentions how they are starting to consider adopting/refactoring their current codebase to use Terraform Modules.

Stu talks about using Modules to enforce requirements (e.g. tags for costing resources), consistency and turning business logic into code. Stu also mentions versioning your modules, like using Git tags to reduce breakage but improve the modules.

Stu also mentions his views on Community/Public Terraform modules (i.e. using ones created and open sourced), compared to creating your own. Jon mentions similar views on community Ansible Galaxy modules.

Jon mentions about how to structure your Terraform code, so that plans/applies do not take a long time to complete. The structure can also help with permissions/access for other teams.

Stu mentions using Terraform Data Sources or Remote State for separating concerns within Terraform code.

Jerry mentions that it is possible to abstract far enough so that a team just needs to define a configuration file to create their app, and the Terraform code and modules provide this to them, without them needing to understand Terraform.

Jerry mentions Terragrunt, a Terraform wrapper to abstract Terraform code. It makes code "DRY" (Don’t Repeat Yourself), allowing even less code to be defined within your Terraform codebase.

Stu talks about pipelines and Git strategy, especially with Terraform. Some examples are available here (including GitHub Actions and CircleCI).

Jon mentions an option for testing Terraform in pipelines could be creating ephemeral environments that the Terraform code runs against, so it shows real infrastructure changes.

Al and Stu talk about linting code. Jon mentions pre-commit for taking steps before a commit finishes (meaning code cannot be pushed into a Git repository until the pre-commit rules finish).

Al and Jon talk about public versus private endpoints (i.e. exposing web services to the internet by default, or having it private by default).

Jon mentions HTTP Request Smuggling, as a way of finding ways of bypassing/making a request go to an endpoint that isn’t necessarily exposed to the internet directly.

Jon also mentions some Bastion-style techniques for accessing infrastructure without needing to expose the bastion to the internet instead (e.g. AWS’s SSM).