Cloud-based DevOps

In November 2021, AWS announced Response Headers Policies — native support of response headers in CloudFront. You can read the full announcement here: Amazon CloudFront introduces Response Headers Policies I said “native” because previously you could set response headers either using CloudFront Functions or Lambda@Edge. And one of the common use cases for that was to set security headers. Now you don’t need to add intermediate requests processing to modify the headers: CloudFront does that for you with no additional fee....

It’s been almost a year since I started using macOS EC2 instances on AWS: there were ups and downs in service offerings and a lot of discoveries with macOS AMI build automation. And I like this small but so helpful update of EC2 service very much: with mac1.metal instances, seamless integration of Apple-oriented CI/CD with other AWS infrastructure could finally happen. While management of a single mac1.metal node (or a tiny number of ones) is not a big deal (especially when Dedicated Host support was added to Terraform provider), governing the fleet of instances is still complicated....

With a multi-account approach of building the infrastructure, there is always a challenge of provision and governance of the resources to subordinate accounts within the Organization. Provision resources, keep them up to date, and decommission them properly — that’s only a part of them. AWS has numerous solutions that help make this process reliable and secure, and the Resource Access Manager (RAM) is one of them. In a nutshell, the RAM service allows you to share the AWS resources you create in one AWS account with other AWS accounts....

In days of containers and serverless applications, Ansible looks not such a trendy thing. But still, there are cases when it helps, and there are cases when it combines very well with brand new product offerings, such as EC2 Mac instances. The more I use mac1.metal in AWS, the more I see that Ansible becomes a bedrock of software customization in my case. And when you have a large instances fleet, the AWS Systems Manager becomes your best friend (the sooner you get along together, the better)....

In November 2021, AWS has added this functionality as a native CloudFront feature. I suggest switching to the native implementation. I have described how to configure Security Response Headers for CloudFront in the following article: Apply Cloudfront Security Headers With Terraform A couple of weeks ago, AWS released CloudFront Functions — a “true edge” compute capability for the CloudFront. It is “true edge” because Functions work on 200+ edge locations (link to doc) while its predecessor, the Lambda@Edge, runs on a small number of regional edge caches....

I guess macOS was designed for a user, not for the ops or engineers, so this is why its customization and usage for CI/CD are not trivial (compared to something Linux-based). A smart guess, huh? Configuration Management Native Apple’s Mobile device management (a.k.a MDM) and Jamf is probably the most potent combination for macOS configuration. But as much as it’s mighty, it is a cumbersome combination, and Jamf is not free....

Updated on the 23rd of October, 2021: Terraform AWS provider now supports Dedicated Hosts natively In November 2021, AWS announced the support for Mac mini instances. I believe this is huge, even despite the number of constraints this solution has. This offering opens the door to seamless macOS CI/CD integration into existing AWS infrastructure. So here is a quick-start example of creating the dedicated host and the instance altogether using Terraform....

Amazon EC2 Mac Instances Something cool and powerful with inevitable trade-offs. As everything in this world. AWS announced EC2 macOS-based instances on the 30th of November 2020, and after more than a month of tests, I would like to share some findings and impressions about it. First of all, the things you can easily find, but it’s still worth to say: The new instance family is called mac1.metal. Guess we should expect mac2 or mac3; otherwise, why did they put a number in the name?...

Here is some CLI shortcuts I use day-to-day to simplify and speed-up my Terraform workflow. Requirements — bash-compatible interpreter, because aliases and functions described below will work with bash, zsh and ohmyzsh. In order to use any of described aliases of functions, you need to place it in your ~/.bashrc or ~/.zshrc file (or any other configuration file you have for your shell). Then just source this file, for example: source ~/....

Lookup plugins for Ansible allow you to do a lot of cool things. One of them is to securely pass sensitive information to your playbooks. If you manage some apps in AWS with Ansible, then using Parameter Store or Secrets Manager along with it might greatly improve your security. Variables with SSM Parameter Store Let’s say you have some variables defined in ‘defaults/main.yaml’ file of your role or maybe in group_vars....