I’ve been using terraform for a while and what I’ve discovered is that there doesn’t seem to be a whole wealth of information about what to do when cold hard reality smacks your utopian infrastructure as code in the face. A classic example might be a support engineer adding LOG_LEVEL=super-verbose as an environment variable via the AWS console to some particular runtime because they’re getting reports that something blahblahblah doesn’t work.

If the first thought in your head is “That’ll never happen because IaC means they just have to modify some file; raise a PR; and then it’ll get auto deployed after going through the appropriate approval gates”; this blog post is not for you.

I rely a lot on dependabot to keep my projects up to date; however, there are some things that dependabot doesn’t yet know about. In any project there is a bunch of additional tooling that makes our lives easier, those tools all deserve to be updated to latest and greatest too! We’ve been using updatecli for that and it’s been very useful in managing updates to things that don’t get revisited that often (like pre-commit hook versions via the yaml plugin)

The github terraform provider is ace; I’ve been using it to manage my personal github repos and also my organisation ones (well, the ones I have sufficient rights to manage at least), however, one thing did strike me as I was down the rabbit hole - I can’t easily change the permissions model for workflow actions on an individual basis; I can cascade them from an organisational perspective, but not on an individual repository basis (this is true as of the github terraform provider 5.28.1). That’s something I wanted to do and since terraform is infinitely flexible I was sure that I could do something tricksy with one of the other providers without having to write my own.

GNU Make has been around for an awfully long time, and I’ve recently starting reverting back to it because I’ve been doing a lot of terraform. It’s still incredibly useful even though I’m not actually building anything locally. I hadn’t really thought about make for a long time (since not writing any C in anger), and I’ve forgotten everything that I ever knew about make. It’s a bit like riding a bike though, you’re not better than the next person, but what you are is just quicker at constructing the right search term and understanding the results because you have the memory trigger from a different era.

CodeQL is the successor to LGTM; I was hoping for a seamless transition to CodeQL, but sadly that wasn’t to be. A lot of the things that I had been previously been doing like @SuppressWarnings("lgtm[ignore-this-weak-crypto]") were being ignored, and I’ve been ignoring the security code scanning alerts as well. It’s taken a while, but now I’ve actually embarked on a journey where I am in the process of using it for some additional projects and I wanted to make sure that I have the feature set that I’m used to :- being able to suppress alerts in the code, not in an external tool. This is important because the code will always exist for the lifetime of the product but tools come and go.