by fixIt83 1913 days ago
An interesting idea for open source security to tackle:

What I don’t get is why everyone rolls their own infrastructure scripts still?

Where is a mono repo for Terraform or SDK based code that is openly vetted? The same goes for Kubernetes, Helm, Ansible...

Very few web tech problems are so Byzantine they need humans to write bespoke config

4 comments

Probably because needs--and therefore tooling--is constantly evolving. IME the subtle differences add up too. Trying to maintain conformance to convention is itself something of a rat race.

My experience over the past year mirrors this. I'm regularly surprised that there aren't more generally-accepted and boosted solutions to lots of the minutiae that come with DevOps/cloud config. CloudFormation and Terraform are both pretty bare bones - they give you tools to describe any cloud resource and the way they relate to each other. That's great! But I'd rather not be left in charge of defining how cloud resources can securely communicate - I'd rather include an AWS/HashiCorp-supported module that predefines configuration for adding a Redis cache to something, or letting only certain resources connect to a database.

Terraform modules were a nice start, but I've pretty much never seen a module I would trust using. It may just be my own bad luck, but the vast majority of the TF Modules I've looked at are A.) A single maintainer, B.) 10 stars or less, C.) Haven't been updated in 6 months. The combination of the above 3 do not leave me feeling confident in including a library. I wish that there was an easier way to tread the paths of those that have done the work.

I can offer one, DebOps[1]. It's a git monorepo that contains a set of Ansible roles and playbooks that can be used to manage Debian-based servers, VMs or containers. It's designed in such a way that almost every configuration option can be overridden from the Ansible inventory - you are not expected to modify the monorepo itself, so that you can get updates over time, but you can still customize the result to your needs. Playbooks and roles are developed in the open; all the secrets and inventory configuration are private.

[1]: https://debops.org/

I don't know how related this is to the OP, but I do agree, and I think a big part of the answer is just how young all these tools are. I wouldn't be surprised if 5 or 10 years from now, infrastructure and software deployments are "solved" to the same degree as IDEs or web browsers are today.