This is a small outline of my first impressions of Pulumi along with some code to create VPCs and subnets across 4 different AWS regions. The punchline is that Pulumi is good. The only thing that comes close is GeoEngineer but Pulumi is still a few miles ahead in terms of capabilities. Continue reading
There are a few things I dislike about the programming industry. Much of what programmers do is driven by fads and trends. There is a lot of cargo culting with little critical analysis. This is especially true when it comes to DevOps tools and practices. Today I’m going to argue that you don’t need to deploy and manage any kind of secret token management system, e.g. Vault, if your workloads are already running in the cloud. I’m going to argue that all you need is a set of GPG/AES keys and whatever key management system (KMS) is offered by your cloud provider. Google has Cloud KMS and Amazon has AWS KMS. I’m sure Microsoft has one too but the point is they’re all equivalent and basically have the same API. For the rest of this post I’m just going to generically refer to all these solutions as KMS. Continue reading
One of my friends was recently interviewing and was asked to create an API for tic tac toe. As far as interview questions go it seems like a reasonable problem for demonstrating programming understanding but I want to one-up the interviewers by solving the game in Alloy. Continue reading
A confluence of events at work recently reminded me of the schema drift problem. The concrete instance or how it comes about doesn’t really matter because the end result is always the same: there is some code on a server somewhere that is running with a version of a schema that is no longer valid. It will continue to work as long as nothing is restarted because the ORM only validates assumptions during startup but as soon as the server is rebooted everything is broken. Continue reading
No one will remember the code you wrote but they will remember what kind of person you were. This means you should work on your people skills before working on your technical skills. Learn to define yourself by things other than the code. Learn to be kind, honest, and brave. Learn to be a person before a programmer.
Create a cron job that polls a github repository for changes and runs some tests using an LXC sandbox. For extra bonus points think about serving the test results from files using Apache or NGINX directory listings. Your polling script will also need to use GitHub’s status API to report results. For extra extra bonus points see if you can do it all with just bash and some utilities like jq.
TL;DR The dream of DevOps has yet to be realized and we continue to lack the tools to tame and manage software complexity at every level of the stack. Continue reading
Last time we had a model that spelled out what we wanted from a secure key hierarchy. This time I’ll spell out a concrete hierarchy that satisfies the properties of the model. There was one change I made based on a review from Kaoru Kohashigawa: all keys must now be somewhere or be owned by a person Continue reading
Setting up key hierarchies with the proper access rights can be a little tricky because reasoning through the implications of access and storage can get a little convoluted. Some questions I had when I was trying to do this at work was how do I set things up so that people can have the access they need without jumping through too many hoops and how many hoops do I need for non-trivial security properties? Also, which keys need to encrypt which other keys and where/how can they be stored without sacrificing security? Continue reading