ecallen

DevOps

AntiPattern

nanoservices - a service whose overhead outweighs its utility

Terraform

Blocks

block template:


block_type label_one label_two {
    key = value
    embedded_block {
        key = value
    }
}

object types:

Keyword references

var.somevariable

local.someobject.somevar

module.someobject.somevar

Provisioners

last resort; prefer Puppet, Chef or Ansible

local - executes on local server

remote - executes on remote server

can happen at creation or destruction

example file provisioner with heredoc syntax:


provisioner "file" {
  content = <<EOF
access_key = 
secret_key = 
EOF
  destination = "/home/aws-user/.s3cfg"
}

Resources

example random int


resource "random_integer" "rand" {
    min = 10000
    max = 99999
}

Functions

merge() - takes two maps and merges them.

CLI

terraform init

terraform plan

terraform apply

variables

precedence: env, file, command line (later sources override earlier ones)

Environments

use workspaces as recommended by HashiCorp


terraform workspace new Development

terraform plan -out dev.tfplan

terraform apply "dev.tfplan"

use vars from workspace


locals {
    env_name = lower(terraform.workspace)

    common_tags = {
        Environment = local.env_name
    }
}

Secrets

3 options: variables file, env var, secrets management

use env vars for credentials by simply exporting and referencing them
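Concretely, as an added example (not from the original notes): Terraform reads any environment variable named TF_VAR_<name> as the value of input variable <name>, so the credential never lands in a .tfvars file or in shell history via -var; the variable names access_key and secret_key are assumed for illustration.

```shell
#!/bin/sh
# Added example, not from the original notes. Variable names are assumed.

# Write the matching variable declarations; sensitive = true keeps the
# values out of plan/apply output.
write_variables_tf() {
  cat > "$1" <<'EOF'
variable "access_key" {
  type      = string
  sensitive = true
}

variable "secret_key" {
  type      = string
  sensitive = true
}
EOF
}

# Return 0 when every named TF_VAR_<name> is exported and non-empty,
# 1 otherwise. Only the names are printed, never the values.
check_tf_vars() {
  missing=0
  for name in "$@"; do
    eval "val=\${TF_VAR_$name:-}"
    if [ -z "$val" ]; then
      echo "TF_VAR_$name is not set" >&2
      missing=1
    fi
  done
  return $missing
}

# Usage: export the credentials in the shell, then run Terraform as usual.
#   export TF_VAR_access_key='AKIA-PLACEHOLDER'   # constructed, not a real key
#   export TF_VAR_secret_key='SECRET-PLACEHOLDER'
#   check_tf_vars access_key secret_key && terraform plan -out dev.tfplan
```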

Modules


module "bucket" {
    source = "./Modules/somefiles"   # local module path; must start with ./ or ../
    name   = "some-bucket"           # input variable declared by the module
}

resource "aws_s3_bucket_object" "example" {
    bucket = module.bucket.bucket_id   # the module must declare an output named bucket_id
    # [...]
}

registry.terraform.io

GCP

Serverless/Compute Services

code and deploy without need to worry about infra and scale

only available for node.js and python as of 4/7/22

App Engine

PaaS - good for web apps

supports more languages than Compute Services

Cloud SQL

Postgres and MySQL

Persistent Disks

== s3

block storage

16 persistent disks

File store

== NAS

Bigtable

Cloud Storage

blob storage

Cloud Spanner

distributed transaction support

depends on TrueTime, 200ms clock drift globally

GCP

Logging

Data Flow

M.P.R. or N.C.S.

Moving -> Network

Processing -> Compute

Remembering -> Storage

Storage

working with buckets

gsutil

gsutil ls gs://some_bucket

gsutil mb -l somelocation gs://some_bucket

gsutil label get gs://some_bucket

gsutil label get/set …

gsutil label ch -l "label:value" gs://somebucket

Versioning

gsutil versioning get gs://somebucket

gsutil versioning set on gs://somebucket

Use ls -a to see versioning

-a Includes non-current object versions / generations in the listing (only useful with a versioning-enabled bucket). If combined with -l option also prints metageneration for each listed object.

gsutil ls -a

Access

gsutil acl ch -u AllUsers:R gs://somebucket/someobject

Compute

gcloud

gcloud compute machine-types list --filter f1-micro

gcloud config get-value project

gcloud services list

gcloud compute instances list

gcloud compute instances create somevm

gcloud compute instances delete somevm

gcloud config init

gcloud config list

gcloud config configurations create SOMECONFIG

gcloud config configurations activate SOMECONFIG

gcloud config set|unset

gcloud config get-value

gcloud compute machine-types list --filter="NAME:f1-micro"

gcloud compute machine-types list --filter="NAME:f1-micro AND ZONE:us-east*"

gcloud compute instances list

gcloud compute ssh myhappyvm

REST metadata API

curl -H "Metadata-Flavor: Google" metadata.google.internal/computeMetadata/v1/

curl -H "Metadata-Flavor: Google" metadata.google.internal/computeMetadata/v1/instance


gcloud config get project

gcloud config set compute/region us-east1

gcloud config set compute/zone us-east1-b

gsutil mb -p playground-someproject -c Standard -l us -b on gs://challengevmbucket

gcloud compute instances create challengevm --preemptible --no-restart-on-failure --maintenance-policy=terminate --machine-type=f1-micro

Security

AAA Data flow

-> AuthN authentication

-> AuthZ authorization, IAM Identity and Access Management

authz hierarchy 

organization 

folders

project

-> Acct accounting system records failed logins, GCS Object Lifecycle management

Least Privilege

defense in depth

fail securely

https://owasp.org/Top10/A04_2021-Insecure_Design/#secure-design

IAM

Roles

primitive roles

    - viewer ro

    - editor view + change

    - owner view + editor + access and billing

predefined roles - used for specific GCP resources

custom role

    project or organization level

Members

- user

- serviceAccount

- group 

- domain

- allAuthenticatedUsers - *resource public to any gmail account DONT USE

- allUsers - anon

Groups

collection of accounts and service accounts

every group has an email addr

* this should be default, use it for most situations *

Policies

binds members to roles

attach policies to resource

Managing policies

        gcloud [GROUP] add-iam-policy-binding [RESOURCE-NAME] --role [ROLE-ID-TO-GRANT] --member user:[USER-EMAIL]

        gcloud [GROUP] remove-iam-policy-binding [RESOURCE-NAME] --role [ROLE-ID-TO-REVOKE] --member user:[USER-EMAIL]
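As an added example (not part of the notes), a small shell audit that flags the two member types above that should not be used (allUsers, allAuthenticatedUsers) and bindings to the broad primitive roles owner and editor. The project, users and bindings are constructed; the input shape assumes the tab-separated lines gcloud prints with --flatten and a value() format.

```shell
#!/bin/sh
# Added example, not from the original notes. Sample data is constructed to
# look like the output of
#   gcloud projects get-iam-policy PROJECT_ID \
#       --flatten="bindings[].members" \
#       --format="value(bindings.role,bindings.members)"
# i.e. one "role<TAB>member" line per binding. Names are made up.
SAMPLE_BINDINGS=$(printf '%s\n' \
  'roles/owner	user:alice@example.com' \
  'roles/editor	group:devs@example.com' \
  'roles/viewer	allAuthenticatedUsers' \
  'roles/storage.objectViewer	allUsers' \
  'roles/storage.objectAdmin	serviceAccount:ci@playground-someproject.iam.gserviceaccount.com')

# Print one finding per risky binding as SEVERITY<TAB>role<TAB>member.
# PUBLIC    : member is allUsers or allAuthenticatedUsers (resource open to
#             anonymous or any Google account)
# PRIMITIVE : role is owner or editor (broad access; prefer predefined roles)
audit_bindings() {
  printf '%s\n' "$1" | awk -F'\t' '
    $2 == "allUsers" || $2 == "allAuthenticatedUsers" {
      print "PUBLIC\t" $1 "\t" $2; next
    }
    $1 == "roles/owner" || $1 == "roles/editor" {
      print "PRIMITIVE\t" $1 "\t" $2
    }'
}

# Number of findings of a given severity (PUBLIC or PRIMITIVE).
count_findings() {
  audit_bindings "$1" | awk -F'\t' -v sev="$2" '$1 == sev { n++ } END { print n + 0 }'
}

# Run against the constructed sample.
audit_bindings "$SAMPLE_BINDINGS"
```

Replace SAMPLE_BINDINGS with the real gcloud output (piped in or captured into the variable) to audit an actual project.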

commands missing

autoscaling

firewall rules

service accounts

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.