A long while ago I wrote about how to configure centralised State Locking for Terraform using DynamoDB. This configuration has become a battle-tested and fairly low-cost solution for anyone using Terraform in AWS and scales well with pretty advanced configurations, but it isn’t without its drawbacks. DynamoDB can be a bit confusing to navigate if you’re unfamiliar with it and releasing state locks can be a similarly scary . . .
Recently I found myself working with AWS ECS (Elastic Container Service) to host a simple application and using AWS Fargate as the underlying compute. This pairing bills itself as a simple means of deploying containers without the hassle of standing up and configuring your own servers. That’s an attractive offer but I quickly ran into some issues when trying to deploy to private subnets. Like so many other . . .
If you’re trying your hand at implementing a CI pipeline with GitHub Actions and AWS you would be forgiven for finding yourself going in circles with some pretty confusing documentation when it comes to trying to get authentication working. Most of the examples and a lot of the blog posts out there tell you to just create an account, export the Access Key ID and Secret Access Key to environment . . .
If you’re using Terraform in AWS you’ll very quickly find yourself needing to work with AWS Subnets. This can be surprisingly fussy, and in a lot of Terraform configs you tend to see the same solution being employed: inputting a list of Subnet IDs and CIDRs as variables. Whilst there isn’t exactly anything wrong with this and it does work, it can be a bit clunky, messy and . . .
A little while ago I migrated my UniFi Controller to Kubernetes; part of that process involved migrating my WPA2 Enterprise WiFi network into the cluster. It’s quite an involved process and not one I’ve seen anyone try to do, so this post is going to look at how you can do that integration…as well as some of the reasons you might not want to do it in the real . . .
A while ago I wrote an article breaking down how to deploy HashiCorp Vault using NGINX as a reverse proxy. It has been a popular article, but after it had been up for a couple of years I got some comments that my proposed method wasn’t recommended and that using an HTTP reverse proxy is generally insecure for a few reasons. I don’t like the idea of putting bad information . . .
I’ve talked a lot here about certificates and how to set up a PKI in the past, it’s a topic I enjoy a lot and seems to be generally loathed. I was pretty pleased to discover cert-manager, which is a Kubernetes application designed to automate the creation and lifecycle management of TLS certificates within a Kubernetes environment. Despite being such a popular system, it still seems to create quite a . . .
If you’ve ever worked with AWS in the real world you are probably very used to seeing IAM Users and Roles which are terrifyingly over-permissioned. In my experience it’s pretty common to find them in the wild with access to every attribute of a specific service or just as often the native AdministratorAccess Managed Policy assigned. The principle of least privilege is a concept that you often hear about a . . .
Recently I had cause to revisit a topic that often seems to cause problems for people coming to Ansible for the first time, especially for people (like me) who don’t have a development background: how to iterate over inventory variables or facts using a simple Jinja2 template. It can be a fussy task to get your head around and the documentation isn’t the greatest for the newcomer, so this is . . .
Recently I’ve been having some fun moving my lab and home infrastructure to Kubernetes. I had a feeling that deploying the UniFi Controller was going to be a bit of a painful process but it’s not so bad. Has This Already Been Done? Well, allegedly. The UniFi Controller has long been a Linux application so theoretically there are no real issues in the way. My initial searching led me to . . .