SweetOps Newsletter – Issue #2

adminNewsletters

The SweetOps Newsletter is hand curated by Cloud Posse. We’re a DevOps Accelerator for Startups. Own your infrastructure in less than 90 days for fraction of the cost it takes to build it in-house. We built it. You drive it.

In this issue, we explore some of the links that have been shared on Slack by our SweetOps community. SweetOps is a collaborative DevOps community for engineers of all skill levels.

Are you on LinkedIn or Twitter? Follow us there for even more news on DevOps trends.


This past week we crossed 1,600 members! That's means we've grown by over 60% since July. We now span 57 timezones with over 600 DAU. An enormous amount of insightful information has been shared during this time. Thank you everyone for your contributions and generous support! Please keep them coming.

If you haven't yet signed up for our Slack team, join us!

Kubernetes News

Easily Import Secrets to Kubernetes
Easily Import Secrets to Kubernetesgithub.com

Easily populate Kubernetes secrets from 1Password (and others). This operator fetches secrets from cloud services and injects them in Kubernetes. ContainerSolutions/externalsecret-operator

Kubernetes Development Environments
Kubernetes Development Environmentsgarden.io

Garden looks interesting! It automates the repetitive parts of your workflow to make developing for Kubernetes and cloud faster & easier.

Ship Kubernetes Event Stream to Sentry!
Ship Kubernetes Event Stream to Sentry!github.com

Let's be honest. Errors and warnings in Kubernetes often go unnoticed by operators. Even when they are noticed, we might not realize with what frequency they occur and we lose the context of what else is going on in the cluster. With this tiny service deployed in your cluster, you'll get all errors and warnings loaded into Sentry where they will be cleanly presented and intelligently grouped. Plus, you can leverage all the typical Sentry features such as notifications and comments which can then be used to help operations and give developers additional visibility.

Terraform News

HashiCorp Forums are Live!
HashiCorp Forums are Live!discuss.hashicorp.com

HashiCorp has finally launched their public support forums using Discourse. This is awesome stuff! Get help from the community for all major products like Terraform, Vault and Consul.

Export ClickOps to Terraform
Export ClickOps to Terraformgithub.com
CLI tool to generate terraform files from existing infrastructure (reverse Terraform). Infrastructure to Code – GoogleCloudPlatform/terraformer

Cloud Posse ECS Terraform Modules
Cloud Posse ECS Terraform Modulesgithub.com

We've upgraded all of our ECS terraform modules to support Terraform 0.12 (HCL2). As part of this, we've implemented terratest to all the ECS modules so we can review your contributions quicker and provide greater stability!

Security News

Google Warns LastPass Users Were Exposed To ‘Last Password’ Credential Leak

Google Project Zero security researcher reveals that the LastPass password manager could, somewhat ironically, leak the last password you used to any website you visited. Ouch.

Sudo Flaw Lets Linux Users Run Commands As Root Even When They're Restricted
Sudo Flaw Lets Linux Users Run Commands As Root Even When They're Restrictedthehackernews.com

A vulnerability in Sudo, tracked as CVE-2019-14287, could allow Linux users to run commands as root user even when they're restricted. How can we still be finding bugs in sudo decades later?

If you’re not using SSH certificates you’re doing SSH wrong
If you’re not using SSH certificates you’re doing SSH wrongsmallstep.com

SSH has some pretty gnarly issues when it comes to usability, operability, and security. The good news is this is all easy to fix. SSH is ubiquitous. It’s the de-facto solution for remote administration of *nix systems. SSH certificate authentication makes SSH easier to use, easier to operate, and more secure.

(Pro tip: use teleport by Gravitational)

Kubernetes 'Billion Laughs' Vulnerability Is No Laughing Matter
Kubernetes 'Billion Laughs' Vulnerability Is No Laughing Matterthenewstack.io
A new vulnerability has been discovered within the Kubernetes API. This flaw is centered around the parsing of YAML manifests by the Kubernetes API server. During this process the API server is open to potential Denial of Service (DoS) attacks. The issue (CVE-2019-11253 — which has yet to have any details fleshed out on the page) has been labeled a ‘Billion Laughs' attack because it targets the parsers to carry out the attack.

Want more? Check out our Slack archives to learn what our community is all about.

Jobs

Are you looking for your next gig? Check out our #jobs channel in SweetOps for recent postings. Here are some recent ones that have been posted.

Brian Tai writes “AuditBoard is hiring a DevOps Engineer! AuditBoard is a fast-growing startup located in the Greater Los Angeles area. Our offices are located in El Segundo and Cerritos. Our SaaS product consists of a suite of solutions for internal auditors to improve and streamline their day-to-day work. (imagine a GitHub/Trello hybrid for auditors) We have signed and continue to sign many new customers including Walmart, Snap, Toyota, and many others in the Fortune 500. “

DevOps Engineer - AuditBoard
DevOps Engineer – AuditBoardsoxhub.recruitee.com
DevOps Engineer – AuditBoard

Amanda Heironimus posted, “PlayQ is looking for a Senior Cloud Services Engineer to join our team in Santa Monica, CA. As a foundational member of our DevOps team, you’d receive the perfect amount of support from our global team while enjoying plenty of room to grow and contribute to new and exciting projects.We empower our teams to produce meaningful and impactful work, so you’ll also have the unique opportunity to take the lead in shaping and informing our infrastructure, managing deployments, and ensuring that mission-critical systems are functioning effectively and consistently.”

Job Application for Senior Cloud Services Engineer at PlayQ
Job Application for Senior Cloud Services Engineer at PlayQboards.greenhouse.io

DevOps Accelerator

Curious about what well built infrastructure looks like? Check out what we do at Cloud Posse.

Find out if we can help you by taking our quiz.

Free Weekly “Office Hours” with Cloud Posse

You are invited to our weekly “Lunch & Learn” meetings via Zoom every Wednesday at 11:30 am PST (GMT-8). Join us to talk shop! This is an informal gathering of 10-15 people, where you get to ask questions and watch demos.

Register here:

https://zoom.us/meeting/register/dd2072a53834b30a7c24e00bf0acd2b8 

After registering, you will receive a confirmation email and invite containing information about joining the meeting.

November 2018 Edition of the SweetOps Newsletter

adminNewslettersLeave a Comment

 

 

Welcome to the November 2018 edition of the SweetOps newsletter.

We've got a lot to share with you this month as we've been exceptionally busy! Overall, our emphasis this month has been on growing the community around our open source adoption and investing heavily in Atlantis for terraform GitOps-style automation.

 

 

New Terraform Modules

  1. terraform-aws-iam-account-settings – Terraform module to provision general IAM account settings. It will create the IAM account alias for pretty login URLs and set the account password policy.
  2. terraform-aws-iam-user – Terraform Module to provision a basic IAM user suitable for humans. Supports automatic password encryption using Keybasepublic keys.
  3. terraform-null-smtp-mail – Terraform module to send transactional emails via an SMTP relay directly from within terraform. This is perfect for sending teams email notifications when infrastructure changes.

 

You can find all of the cloudposse terraform modules in the official terraform module registry.

Important Terraform Module Updates

  1. terraform-aws-rds-cluster – we've added support for Aurora Serverless as well as fixed some idempotency issues raised by the community.
  2. terraform-aws-cloudfront-s3-cdn – we've fixed support for regional S3 endpoints with the CloudFront CDN
  3. terraform-aws-elastic-beanstalk-environment – we've received a handful of PRs to extend the module capabilities with better support for autoscaling, nodejs, ELB security groups, and cloudwatch logs.
  4. terraform-aws-dynamodb – we've added support for local secondary indexes

Many thanks to @johncblandii, @br0nhy, @bober2000, @pabardina, @rverma-nikiai, @aknysh, @jamisonhyatt and the many others who took the time to open issues, submit pull requests and review code.

 

GitOps with Atlantis and Terraform

 

We recently held a meetup during #connectweek in Pasadena (CA) where we gave a live demo using Atlantis with Terraform to provision AWS user accounts using only Pull Requests. Atlantis is the secret for enabling teams to collaborate on Terraform. We have our own fork of atlantis that we're maintaining until the essential security features we introduced get upstreamed.

 

Slides from the presentation are available on our blog.

 

Interesting Links & Projects

Here are some interesting links that circulated this month in our slack team.

  1. Very cool Open Source SIEM security and compliance dashboard for surfacing events.
  2. Interesting workaround to achieve Tillerless Helm today by running tiller on localhost.
  3. HashiCorp, the company behind Terraform, has raised an additional $100M
  4. 10 Habits DevOps practitioners must break
  5. Monitoring dashboard for Kubernetes Jobs that makes it easy to see which are running and if their latest status was “succeeded” or “failed”.
  6. Two Objects not Namespaced by the Linux Kernel and therefore shared by linux containers.
  7. Malicious Life Podcast – The True stories behind the world of cybercrime

For more links, subscribe to our @cloudposse twitter feed.

Follow us on Twitter @cloudposse

New Alpine Package Repository

 

As part of Geodesic, our framework for provisioning and automating infrastructure, we needed a better way to distribute our toolchain (aws-vault,   chamber, kops, gomplate, etc) that was fast and reliable that made it easy to version pin tools for individual customers. Previously, we shipped all tools with the geodesic docker base image pinned to a specific release, but this was bad because it forced a customer to upgrade their entire toolchain when they just wanted one upgraded package.

 

The fix was to distribute all of our tools as versioned alpine packages. Our alpine repository is available at apk.cloudposse.com. More instructions for configuring this repository can be found in the github repository where we define all packages.

 

https://github.com/cloudposse/packages

 

What does this mean if you use the make based package installer? Not much. We'll continue to support Makefile based package installations because we need a way to install these packages natively on OSX/Linux/Windows/etc that is not alpine specific. In the future, we might distribute the packages for Debian and RPM-based distros as well.

 

Terragrunt with Geodesic

 

Terragrunt is a popular tool for automating terraform deployments. It makes it easy to reuse modules, initialize terraform state, and orchestrate complex multi-stage terraform build-outs.

 

For a demo we recently did on using Atlantis with Terraform, we put together an example of using Terragrunt on Geodesic. Long and short of it is that it's easy, and there's not much to it. For an example, refer to our reference architectures. Here's an example of adding a user using terraform and terragrunt in combination with our terraform-root-modules.

 

Slack Community

Over the past month, we've seen a sharp uptick in the number of daily conversations especially in the #terraform, #release-engineering, and #kubernetes channels. We're grateful for everyone helping out to answer questions and sharing interesting articles. If you haven't already, sign up for the SweetOps slack team today.

Join Slack Community

Reviews & Testimonials

We've set up a place for our community members to leave us testimonials. If our modules or slack community have helped you, we would love to know. A few words from you would totally make our day and help us reach others.

Please leave us a testimonial, if you've found some of our open source repos helpful.

 

All the best,

 

Erik Osterman

CEO / Founder, Cloud Posse, LLC