nanoservices - a service whose overhead outweighs its utility
block template:
block_type "label_one" "label_two" {
  key = value
  embedded_block {
    key = value
  }
}
var.somevariable
local.someobject.somevar
module.someobject.somevar
provisioners are a last resort; prefer Puppet, Chef, or Ansible
local-exec - executes on the machine running Terraform
remote-exec - executes on the remote server
can run at creation or at destruction
example file provisioner with heredoc syntax:
provisioner "file" {
  content = <<EOF
access_key =
secret_key =
EOF
  destination = "/home/aws-user/.s3cfg"
}
example random int
resource "random_integer" "rand" {
  min = 10000
  max = 99999
}
merge() - takes two maps and merges them.
terraform init
terraform plan
terraform apply
precedence (lowest to highest): env vars, tfvars file, command line
use workspaces as recommended by HashiCorp
terraform workspace new Development
terraform plan -out dev.tfplan
terraform apply "dev.tfplan"
use vars from workspace
locals {
  env_name = lower(terraform.workspace)
  common_tags = {
    Environment = local.env_name
  }
}
3 options for credentials: variables file, env vars, secrets management
use env vars for credentials by simply exporting them and referencing them
module "bucket" {
  # local module path; use forward slashes so the source is valid HCL on every OS
  source = "./Modules/somefiles"
  name   = "some-bucket"
}
resource "aws_s3_bucket_object" "..." {  # resource name elided in the note
  bucket = module.bucket.bucket_id
  ...
}
registry.terraform.io
code and deploy without need to worry about infra and scale
only available for node.js and python as of 4/7/22
PaaS - good for web apps
supports more languages than Compute Services
Postgres and MySQL
== s3
block storage
16 persistent disks
== NAS
blob storage
distributed transaction support
depends on TrueTime, 200ms clock drift globally
M.P.R. or N.C.S.
Moving -> Network
Processing -> Compute
Remembering -> Storage
working with buckets
gsutil
gsutil ls gs://some_bucket
gsutil mb -l somelocation gs://some_bucket
gsutil label get gs://some_bucket
gsutil label get/set …
gsutil label ch -l "label:value" gs://somebucket
gsutil versioning get gs://somebucket
gsutil versioning set on gs://somebucket
Use ls -a to see versioning
-a Includes non-current object versions / generations in the listing (only useful with a versioning-enabled bucket). If combined with -l option also prints metageneration for each listed object.
gsutil ls -a
gsutil acl ch -u AllUsers:R gs://somebucket/someobject
gcloud
gcloud compute machine-types list --filter f1-micro
gcloud config get-value project
gcloud services list
gcloud compute instances list
gcloud compute instances create somevm
gcloud compute instances delete somevm
gcloud config init
gcloud config list
gcloud config configurations create SOMECONFIG
gcloud config configurations activate SOMECONFIG
gcloud config set|unset
gcloud config get-value
gcloud compute machine-types list --filter="NAME:f1-micro"
gcloud compute machine-types list --filter="NAME:f1-micro AND ZONE:us-east*"
gcloud compute instances list
gcloud compute ssh myhappyvm
curl -H "Metadata-Flavor: Google" metadata.google.internal/computeMetadata/v1/
curl -H "Metadata-Flavor: Google" metadata.google.internal/computeMetadata/v1/instance
gcloud config get project
gcloud config set compute/region us-east1
gcloud config set compute/zone us-east1-b
gsutil mb -p playground-someproject -c Standard -l us -b on gs://challengevmbucket
gcloud compute instances create challengevm --preemptible --no-restart-on-failure --maintenance-policy=terminate --machine-type=f1-micro
AAA Data flow
-> AuthN authentication
-> AuthZ authorization, IAM Identity and Access Management
authz hierarchy
organization
folders
project
-> Acct accounting system records failed logins, GCS Object Lifecycle management
Least Privilege
defense in depth
fail securely
https://owasp.org/Top10/A04_2021-Insecure_Design/#secure-design
primitive roles
- viewer ro
- editor view + change
- owner view + editor + access and billing
predefined roles - used for specific GCP resources
custom role
project or organization level
- user
- serviceAccount
- group
- domain
- allAuthenticatedUsers - *resource public to any gmail account DON'T USE
- allUsers - anon
collection of accounts and service accounts
every group has an email address
* this should be default, use it for most situations *
binds members to roles
attach policies to resource
Managing policies
gcloud [GROUP] add-iam-policy-binding [RESOURCE-NAME] --role [ROLE-ID-TO-GRANT] --member user:[USER-EMAIL]
gcloud [GROUP] remove-iam-policy-binding [RESOURCE-NAME] --role [ROLE-ID-TO-REVOKE] --member user:[USER-EMAIL]
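Added example, not from these notes: a small Python audit over an IAM policy in the JSON shape `gcloud projects get-iam-policy PROJECT --format=json` returns, flagging the public members (allUsers, allAuthenticatedUsers), the primitive roles (viewer/editor/owner) and users bound directly instead of via a group. The policy, emails and etag below are constructed sample data.

```python
import json

# Primitive (basic) roles from the notes: viewer, editor, owner.
PRIMITIVE_ROLES = {"roles/viewer", "roles/editor", "roles/owner"}
# Members that make a resource public; the notes say not to use them.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy (same shape as `gcloud ... get-iam-policy --format=json`).
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com", "group:admins@example.com"]},
    {"role": "roles/viewer",
     "members": ["allAuthenticatedUsers", "user:bob@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers"]},
    {"role": "roles/storage.objectAdmin",
     "members": ["serviceAccount:ci@example.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXyz123",
  "version": 1
}
"""

def public_bindings(policy: dict) -> list:
    """(role, member) pairs where the member is allUsers or allAuthenticatedUsers."""
    return [(b["role"], m) for b in policy.get("bindings", [])
            for m in b.get("members", []) if m in PUBLIC_MEMBERS]

def primitive_role_grants(policy: dict) -> dict:
    """Each primitive role that is granted, mapped to the members holding it."""
    return {b["role"]: sorted(b.get("members", []))
            for b in policy.get("bindings", []) if b["role"] in PRIMITIVE_ROLES}

def direct_users(policy: dict) -> list:
    """user: members bound directly; the notes recommend groups as the default."""
    return sorted({m for b in policy.get("bindings", [])
                   for m in b.get("members", []) if m.startswith("user:")})

def audit(policy_json: str) -> dict:
    """Run all three checks over a policy JSON document."""
    policy = json.loads(policy_json)
    return {"public": public_bindings(policy),
            "primitive": primitive_role_grants(policy),
            "direct_users": direct_users(policy)}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_POLICY_JSON), indent=2))
```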
commands missing
autoscaling
firewall rules
service accounts