DevOps / SRE - Top Links Last Week
Week 2 - Issue #61
Store Secrets in Repositories (Safely), and Deploy them with Terraform
SOPS is a tool developed and maintained by Mozilla that lets us encrypt YAML/JSON files using different types of keys, like AWS KMS, GCP, age, and PGP. It was designed with simplicity in mind, and it comes with a CLI that you can use to encrypt and decrypt files. We use the AWS SSM Parameter Store to share the secrets with apps. When we run "terraform apply", the provider decrypts the secrets during the deployment.
5 Best Practices for Infrastructure As Code
Infrastructure as Code allows IT resources and configuration parameters to be treated as programmable objects that can be controlled via code. IaC has numerous benefits: it can boost the speed, efficiency, consistency, and security of IT operations while minimizing the risk of human error. DevOps professionals can implement Infrastructure as Code across various environments, from multi-cloud and hybrid cloud deployments to multiple pipelines. However, it's not something that should be approached lightly, with insufficient resources or a lack of guidance.
Large-scale, semi-automated Go GC tuning
Uber engineering's tech stack comprises thousands of microservices, backed by a cloud-native, scheduler-based infrastructure. Uber engineering was focused on reducing the cost of compute capacity by improving efficiency. This blog will share our experience with a highly effective, low-risk, large-scale, semi-automated Go GC tuning mechanism. The GOGCTuner library simplifies the process of tuning garbage collection for service owners and adds a reliability layer on top of it.
What NPM should do to stop a new colors attack
A developer named Marak Squires intentionally sabotaged his popular NPM package colors and his less popular package faker. NPM's design means that as soon as the vandalized version of colors was published, fresh installs of command-line tools depending on colors started using it. When Marak updated colors, installs of aws-cdk and the other tools started breaking, and the bug reports started rolling in. The right path forward is to stop preferring the latest possible version of all dependencies when installing a new package.
BreakingFormation: AWS CloudFormation Vulnerability
Orca Security's vulnerability researcher, Tzah Pahima, discovered a vulnerability in AWS allowing file and credential disclosure from an AWS internal service. This zero-day, which AWS completely mitigated within six days of submission, was an XXE (XML External Entity) vulnerability found in the CloudFormation service. An attacker could have used the exposure to leak sensitive files found on the vulnerable service machine and to make server-side requests (SSRF) that could have led to the unauthorized disclosure of credentials.